Skip to content

fix: propagate condition to sqs queue policy for sqssubscription #1798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Dec 2, 2020
Merged

fix: propagate condition to sqs queue policy for sqssubscription #1798

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
df914bd
fix: propagate condition to sqs queue policy for sqssubscription
hawflau Nov 14, 2020
e14f2e6
Update unit test for function_event_conditions
hawflau Nov 14, 2020
115ff09
Update black commands in Makefile to check only .py files
hawflau Nov 14, 2020
94f1fcf
Update test with one more SNS event source with sqsSubscription set
hawflau Nov 14, 2020
da90834
Revert "Update black commands in Makefile to check only .py files"
hawflau Nov 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,10 @@ test:
pytest --cov samtranslator --cov-report term-missing --cov-fail-under 95 tests

black:
black setup.py samtranslator/* tests/* bin/*.py
black setup.py samtranslator/**/*.py tests/**/*.py bin/*.py

black-check:
black --check setup.py samtranslator/* tests/* bin/*.py
black --check setup.py samtranslator/**/*.py tests/**/*.py bin/*.py

# Command to run everytime you make changes to verify everything works
dev: test
Expand Down
11 changes: 8 additions & 3 deletions samtranslator/model/eventsources/push.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -407,7 +407,7 @@ def to_cloudformation(self, **kwargs):
queue_arn = queue.get_runtime_attr("arn")
queue_url = queue.get_runtime_attr("queue_url")

queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url)
queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url, function.resource_attributes)
subscription = self._inject_subscription(
"sqs", queue_arn, self.Topic, self.Region, self.FilterPolicy, function.resource_attributes
)
Expand All @@ -430,7 +430,9 @@ def to_cloudformation(self, **kwargs):
batch_size = self.SqsSubscription.get("BatchSize", None)
enabled = self.SqsSubscription.get("Enabled", None)

queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url, queue_policy_logical_id)
queue_policy = self._inject_sqs_queue_policy(
self.Topic, queue_arn, queue_url, function.resource_attributes, queue_policy_logical_id
)
subscription = self._inject_subscription(
"sqs", queue_arn, self.Topic, self.Region, self.FilterPolicy, function.resource_attributes
)
Expand Down Expand Up @@ -466,8 +468,11 @@ def _inject_sqs_event_source_mapping(self, function, role, queue_arn, batch_size
event_source.Enabled = enabled or True
return event_source.to_cloudformation(function=function, role=role)

def _inject_sqs_queue_policy(self, topic_arn, queue_arn, queue_url, logical_id=None):
def _inject_sqs_queue_policy(self, topic_arn, queue_arn, queue_url, resource_attributes, logical_id=None):
policy = SQSQueuePolicy(logical_id or self.logical_id + "QueuePolicy")
if CONDITION in resource_attributes:
policy.set_resource_attribute(CONDITION, resource_attributes[CONDITION])

policy.PolicyDocument = SQSQueuePolicies.sns_topic_send_message_role_policy(topic_arn, queue_arn)
policy.Queues = [queue_url]
return policy
Expand Down
20 changes: 20 additions & 0 deletions tests/translator/input/function_event_conditions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,22 @@ Resources:
Topic:
Ref: Notifications

SNSTopicWithSQSSubscription:
Type: SNS
Properties:
Topic:
Ref: Notifications
SqsSubscription:
QueueArn: !GetAtt Queue.Arn
QueueUrl: !Ref Queue

AnotherSNSWithSQSSubscription:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer a more descriptive name to immediately figure out what is the difference between this one and the one above, what each of them tests.

Type: SNS
Properties:
Topic:
Ref: Notifications
SqsSubscription: true

KinesisStream:
Type: Kinesis
Properties:
Expand All @@ -99,3 +115,7 @@ Resources:

Images:
Type: AWS::S3::Bucket

Queue:
Condition: MyCondition
Type: AWS::SQS::Queue
145 changes: 144 additions & 1 deletion tests/translator/output/aws-cn/function_event_conditions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,8 @@
"ManagedPolicyArns": [
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
],
"Tags": [
{
Expand Down Expand Up @@ -459,6 +460,148 @@
"DependsOn": [
"FunctionOneImageBucketPermission"
]
},
"MyAwesomeFunctionSNSTopicWithSQSSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
},
"Protocol": "sqs",
"TopicArn": {
"Ref": "Notifications"
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionSNSTopicWithSQSSubscriptionQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "Queue"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sqs:SendMessage",
"Resource": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
},
"Effect": "Allow",
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Ref": "Notifications"
}
}
},
"Principal": "*"
}
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionSNSTopicWithSQSSubscriptionEventSourceMapping": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 10,
"Enabled": true,
"FunctionName": {
"Ref": "MyAwesomeFunctionAliasLive"
},
"EventSourceArn": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {}
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionEventSourceMapping": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 10,
"Enabled": true,
"FunctionName": {
"Ref": "MyAwesomeFunctionAliasLive"
},
"EventSourceArn": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
},
"Protocol": "sqs",
"TopicArn": {
"Ref": "Notifications"
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sqs:SendMessage",
"Resource": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
},
"Effect": "Allow",
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Ref": "Notifications"
}
}
},
"Principal": "*"
}
]
}
},
"Condition": "MyCondition"
},
"Queue": {
"Type": "AWS::SQS::Queue",
"Condition": "MyCondition"
}
}
}
145 changes: 144 additions & 1 deletion tests/translator/output/aws-us-gov/function_event_conditions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -222,7 +222,8 @@
"ManagedPolicyArns": [
"arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
"arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
"arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
"arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
],
"Tags": [
{
Expand Down Expand Up @@ -459,6 +460,148 @@
"DependsOn": [
"FunctionOneImageBucketPermission"
]
},
"MyAwesomeFunctionSNSTopicWithSQSSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
},
"Protocol": "sqs",
"TopicArn": {
"Ref": "Notifications"
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionSNSTopicWithSQSSubscriptionQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "Queue"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sqs:SendMessage",
"Resource": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
},
"Effect": "Allow",
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Ref": "Notifications"
}
}
},
"Principal": "*"
}
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionSNSTopicWithSQSSubscriptionEventSourceMapping": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 10,
"Enabled": true,
"FunctionName": {
"Ref": "MyAwesomeFunctionAliasLive"
},
"EventSourceArn": {
"Fn::GetAtt": [
"Queue",
"Arn"
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue": {
"Type": "AWS::SQS::Queue",
"Properties": {}
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionEventSourceMapping": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 10,
"Enabled": true,
"FunctionName": {
"Ref": "MyAwesomeFunctionAliasLive"
},
"EventSourceArn": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscription": {
"Type": "AWS::SNS::Subscription",
"Properties": {
"Endpoint": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
},
"Protocol": "sqs",
"TopicArn": {
"Ref": "Notifications"
}
},
"Condition": "MyCondition"
},
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueuePolicy": {
"Type": "AWS::SQS::QueuePolicy",
"Properties": {
"Queues": [
{
"Ref": "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sqs:SendMessage",
"Resource": {
"Fn::GetAtt": [
"MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
"Arn"
]
},
"Effect": "Allow",
"Condition": {
"ArnEquals": {
"aws:SourceArn": {
"Ref": "Notifications"
}
}
},
"Principal": "*"
}
]
}
},
"Condition": "MyCondition"
},
"Queue": {
"Type": "AWS::SQS::Queue",
"Condition": "MyCondition"
}
}
}
Loading