Improve IAM role internal handling and resolution

[issea1015]

Closes: #8396

Broken Tests:

{
    "test/unit/lib/plugins/aws/package/compile/events/cloudFront.test.js": [
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should throw an error if the region is not us-east-1",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create corresponding resources when cloudFront events are given",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create different origins for different domains with the same path",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create different origins for the same domains with the same path but different protocols",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create different origins with different ids for different domains in the same function",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should use previous created origin for the same params",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create origins with all values given as an object",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should correctly deep merge arrays with objects",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should throw if more than one cloudfront event with different origins were defined as a default",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should use behavior without PathPattern as a DefaultCacheBehavior",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create DefaultCacheBehavior if non behavior without PathPattern were defined",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create DefaultCacheBehavior if non behavior without PathPattern were defined but isDefaultOrigin flag was set",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should throw if non of the cloudfront event with different origins were defined as a default",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should use previous created behavior for the same params and different event types",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should create behavior with all values given as an object",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should throw if more than one behavior with the same PathPattern",
        "AwsCompileCloudFrontEvents > #compileCloudFrontEvents() > should throw if some of the event type in any behavior is not unique"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/kafka.test.js": [
        "test/unit/lib/plugins/aws/package/compile/events/kafka.test.js > when there are kafka events defined > should update default IAM role with SecretsManager statement"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/msk/index.test.js": [
        "AwsCompileMSKEvents > when there are msk events defined > should update default IAM role with MSK statement"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/rabbitmq.test.js": [
        "test/unit/lib/plugins/aws/package/compile/events/rabbitmq.test.js > when there are rabbitmq events defined > should update default IAM role with DescribeBroker statement",
        "test/unit/lib/plugins/aws/package/compile/events/rabbitmq.test.js > when there are rabbitmq events defined > should update default IAM role with SecretsManager statement"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/sqs.test.js": [
        "AwsCompileSQSEvents > #compileSQSEvents() > should remove all non-alphanumerics from queue names for the resource logical ids",
        "AwsCompileSQSEvents > #compileSQSEvents() > when a queue ARN is given > should create event source mappings when a queue ARN is given",
        "AwsCompileSQSEvents > #compileSQSEvents() > when a queue ARN is given > should allow specifying SQS Queues as CFN reference types",
        "AwsCompileSQSEvents > #compileSQSEvents() > when a queue ARN is given > should add the necessary IAM role statements"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/stream.test.js": [
        "AwsCompileStreamEvents > #compileStreamEvents() > should remove all non-alphanumerics from stream names for the resource logical ids",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a DynamoDB stream ARN is given > should create event source mappings when a DynamoDB stream ARN is given",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a DynamoDB stream ARN is given > should allow specifying DynamoDB and Kinesis streams as CFN reference types",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a DynamoDB stream ARN is given > should allow specifying OnFailure destinations as CFN reference types",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a DynamoDB stream ARN is given > should add the necessary IAM role statements",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a Kinesis stream ARN is given > should create event source mappings when a Kinesis stream ARN is given",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a Kinesis stream ARN is given > should create stream consumer when a Kinesis stream with consumer \"true\" is given",
        "AwsCompileStreamEvents > #compileStreamEvents() > when a Kinesis stream ARN is given > should add the necessary IAM role statements"
    ],
    "test/unit/lib/plugins/aws/package/compile/events/websockets/lib/api.test.js": [
        "#compileApi() > should add the websockets policy"
    ],
    "test/unit/lib/plugins/aws/package/compile/functions.test.js": [
        "AwsCompileFunctions > #compileFunctions() > when using onError config > when IamRoleLambdaExecution is used > should create necessary resources if a SNS arn is provided",
        "AwsCompileFunctions > #compileFunctions() > when using awsKmsKeyArn config > when IamRoleLambdaExecution is used > should create necessary resources if a KMS key arn is provided",
        "AwsCompileFunctions > #compileFunctions() > when using tracing config > when IamRoleLambdaExecution is used > should create necessary resources if a tracing config is provided"
    ]
}

Broken Tests - Should be handled in this PR:

• test/unit/lib/plugins/aws/package/compile/events/kafka.test.js
• test/unit/lib/plugins/aws/package/compile/events/msk/index.test.js
• test/unit/lib/plugins/aws/package/compile/events/rabbitmq.test.js

Broken Tests - Should be handled in separate PRs:

• test/unit/lib/plugins/aws/package/compile/events/cloudFront.test.js
• test/unit/lib/plugins/aws/package/compile/events/sqs.test.js
• test/unit/lib/plugins/aws/package/compile/events/stream.test.js
• test/unit/lib/plugins/aws/package/compile/events/websockets/lib/api.test.js
• test/unit/lib/plugins/aws/package/compile/functions.test.js

[medikoo]

Thank you @issea1015, that looks outstanding!

In general it looks very good. I've just proposed some side improvements. Let me know what you think

[codecov]

Codecov Report

Merging #10067 (aa54a80) into master (654c507) will decrease coverage by 72.80%.
The diff coverage is 18.03%.

❗ Current head aa54a80 differs from pull request most recent head 0e3e182. Consider uploading reports for the commit 0e3e182 to get more accurate results

@@             Coverage Diff             @@
##           master   #10067       +/-   ##
===========================================
- Coverage   85.36%   12.56%   -72.81%     
===========================================
  Files         340      335        -5     
  Lines       13990    13610      -380     
===========================================
- Hits        11943     1710    -10233     
- Misses       2047    11900     +9853     

Impacted Files	Coverage Δ
lib/plugins/aws/package/compile/events/activemq.js	0.00% <0.00%> (-100.00%)	⬇️
...b/plugins/aws/package/compile/events/cloudFront.js	3.82% <0.00%> (-93.02%)	⬇️
lib/plugins/aws/package/compile/events/kafka.js	0.00% <0.00%> (-98.62%)	⬇️
...ib/plugins/aws/package/compile/events/msk/index.js	0.00% <0.00%> (-100.00%)	⬇️
lib/plugins/aws/package/compile/events/sqs.js	6.66% <0.00%> (-93.34%)	⬇️
lib/plugins/aws/package/compile/events/stream.js	2.75% <0.00%> (-95.48%)	⬇️
...s/aws/package/compile/events/websockets/lib/api.js	16.66% <0.00%> (-83.34%)	⬇️
lib/plugins/aws/package/compile/functions.js	3.89% <0.00%> (-90.93%)	⬇️
lib/plugins/aws/package/lib/mergeIamTemplates.js	5.88% <0.00%> (-94.12%)	⬇️
lib/plugins/aws/package/lib/utils.js	25.00% <25.00%> (ø)
... and 271 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 654c507...0e3e182. Read the comment docs.

[medikoo]

Thank you @issea1015 it looks very very good. We're getting close :)

Please see my comments and let me know what you think

[issea1015]

@medikoo Thank you for all this walking me through! I've just resolved all threads. Could you take a look again?

[medikoo]

Thank you @issea1015 that looks really good.

Please see my comments, also it appears one of the tests in CIN started to fail (when run individually), have you checked what could be the case?

[issea1015]

Thank you for the review. I've resolved every thread except the test one:

@medikoo Could you let me know what do you mean by "tests in CIN"?

I listed some broken tests in the description of this PR even though I found much more cases when I ran all unit tests. (When I wrote the description of this PR, I've just run the cases under this dir: "test/unit/lib/plugins/aws/package/")

Nonetheless, all of them seem related to .iamConfig, which is supposed to be prepared once we refactor the tests into the runServerless() way.

So again, @medikoo please let me know what do you mean by "tests in CIN" 🙏

[medikoo]

So again, @medikoo please let me know what do you mean by "tests in CIN" 🙏

@issea1015 Sorry typo sneaked in. I meant tests in CI, so in our GitHub Actions setup. We can see that Isolated unit tests fails: https://github.com/serverless/serverless/pull/10067/checks?check_run_id=3872231717

You should be able to easily reproduce it by running just this single failing test file individually

[issea1015]

Found how this branch is different from master and how it breaks the test

test/unit/lib/plugins/aws/deploy/index.test.js

In this branch, we escape the Resource array having only one item, it makes compiledCfTemplate different from the one built in the master

@medikoo Should I

• keep this escaping logic and update the test?
• or roll this logic back?

[medikoo]

In this branch, we escape the Resource array having only one item, it makes compiledCfTemplate different from the one built in the master

Ok, so if I understand correctly. In new handling, if there's single resource in a policy, we do not wrap it into array for Statement.Resoiurce policy, while it's the case in old version.

I think it's fine to do that, as this I believe introduces determinism. With this PR, single resource will never be wrapped into array.

Concerning tests, it'll be great to refactor it into runServerless variant (if it's not one already)

[issea1015]

I think it's fine to do that, as this I believe introduces determinism. With this PR, single resource will never be wrapped into array.

I believe the same. I updated the failing unit test to align with the changes on IAM role internal handling. Let's see if all other tests running in CI pass or not.

[issea1015]

For future ref. Another test in CI is failed for the same reason to above one. Will fix it in the same way.

• test/unit/lib/plugins/aws/deploy/lib/checkForChanges.test.js:1078:60 - "should skip a deployment with identical hashes and package.artifact targeting .serverless directory"

[issea1015]

For future ref. Other tests in CI are failed for the same reason to above one. Will fix

• test/unit/lib/plugins/aws/package/compile/events/activemq.test.js:81:86 - "when there are activemq events defined" - "should update default IAM role with DescribeBroker statement"
• test/unit/lib/plugins/aws/package/compile/events/activemq.test.js:89:86 - "when there are activemq events defined" - "should update default IAM role with SecretsManager statement"

[issea1015]

I've updated tests-in-CI broken by unwarped Statement.Resoiurce policy.

Now, in CI, we are facing broken tests that are not based on runServerless. As per the issue description, it's time to list up broken tests and to request separate PR per each test file. What do you think? @medikoo

#8396 (comment): Any test file that will host broken tests should be refactored to be based on runServerless (https://github.com/serverless/serverless/tree/master/test#unit-tests), and PR's that refactor each file should be proposed separate (different PR per each test file).

[medikoo]

Now, in CI, we are facing broken tests that are not based on runServerless. As per the issue description, it's time to list up broken tests and to request separate PR per each test file. What do you think? @medikoo

Yes, that how ideally it should've handled. First those tests should be refactored, and having that, we can confirm in this PR, we do not break anything by accident

[jwsloan]

@medikoo Is there any estimate on a timeline for getting this finished up, merged and a release out with it? It solves the exact problem we've run into with dynamo stream permissions getting duplicated in the default role.

Can someone without prior experience of working on this project (like myself) help get those tests refactored?

[medikoo]

@jwsloan in this case we're at the stake of a generous contribution by @issea1015 and ETA is unknown. Still @issea1015 made very impressive progress, and we're leaning towards having that in.

[jwsloan]

@jwsloan in this case we're at the stake of a generous contribution by @issea1015 and ETA is unknown. Still @issea1015 made very impressive progress, and we're leaning towards having that in.

We will patiently await the release that includes this, then. :)

[issea1015]

I've updated the list of broken tests in the PR description. And I've classified the ones that should be handled in this PR and those that should be handled in separate PRs.