fix: Ensure function principals are named.

Author: tjholm

pkg/codeconfig/codeconfig.go

@@ -218,8 +218,15 @@ func (c *codeConfig) apiSpec(api string) (*openapi3.T, error) {
 // collectOne - Collects information about a function for a nitric stack
 // handler - the specific handler for the application
 func (c *codeConfig) collectOne(handler string) error {
-	fun := NewFunction()
-	srv := NewServer(fun)
+	rt, err := runtime.NewRunTimeFromHandler(handler)
+	if err != nil {
+		return errors.WithMessage(err, "error getting the runtime from handler "+handler)
+	}
+
+	name := rt.ContainerName()
+	fun := NewFunction(name)
+
+	srv := NewServer(name, fun)
 	grpcSrv := grpc.NewServer()
 
 	v1.RegisterResourceServiceServer(grpcSrv, srv)
@@ -246,11 +253,6 @@ func (c *codeConfig) collectOne(handler string) error {
 		return errors.WithMessage(err, "error discovering container engine")
 	}
 
-	rt, err := runtime.NewRunTimeFromHandler(handler)
-	if err != nil {
-		return errors.WithMessage(err, "error getting the runtime from handler "+handler)
-	}
-
 	opts, err := rt.LaunchOptsForFunctionCollect(c.initialStack.Dir)
 	if err != nil {
 		return err
@@ -344,11 +346,6 @@ func (c *codeConfig) ToStack() (*stack.Stack, error) {
 
 	errs := utils.NewErrorList()
 	for handler, f := range c.functions {
-		rt, err := runtime.NewRunTimeFromHandler(handler)
-		if err != nil {
-			return nil, err
-		}
-
 		topicTriggers := make([]string, 0, len(f.subscriptions)+len(f.schedules))
 
 		for k := range f.apis {
@@ -433,14 +430,14 @@ func (c *codeConfig) ToStack() (*stack.Stack, error) {
 			}
 		}
 
-		f, ok := s.Functions[rt.ContainerName()]
+		fun, ok := s.Functions[f.name]
 		if !ok {
-			f = stack.FunctionFromHandler(handler, s.Dir)
+			fun = stack.FunctionFromHandler(handler, s.Dir)
 		}
-		f.ComputeUnit.Triggers = stack.Triggers{
+		fun.ComputeUnit.Triggers = stack.Triggers{
 			Topics: topicTriggers,
 		}
-		s.Functions[rt.ContainerName()] = f
+		s.Functions[f.name] = fun
 	}
 
 	return s, errs.Aggregate()

pkg/codeconfig/function.go

@@ -81,6 +81,7 @@ func (a *Api) AddWorker(worker *pb.ApiWorker) error {
 
 // FunctionDependencies - Stores information about a Nitric Function, and it's dependencies
 type FunctionDependencies struct {
+	name          string
 	apis          map[string]*Api
 	subscriptions map[string]*pb.SubscriptionWorker
 	schedules     map[string]*pb.ScheduleWorker
@@ -96,6 +97,13 @@ type FunctionDependencies struct {
 func (a *FunctionDependencies) AddPolicy(p *pb.PolicyResource) {
 	a.lock.Lock()
 	defer a.lock.Unlock()
+	for _, p := range p.Principals {
+		// If provided a blank function principal assume its for this function
+		if p.Type == pb.ResourceType_Function && p.Name == "" {
+			p.Name = a.name
+		}
+	}
+
 	a.policies = append(a.policies, p)
 }
 
@@ -167,8 +175,9 @@ func (a *FunctionDependencies) AddQueue(name string, q *pb.QueueResource) {
 }
 
 // NewFunction - creates a new Nitric Function, ready to register handlers and dependencies.
-func NewFunction() *FunctionDependencies {
+func NewFunction(name string) *FunctionDependencies {
 	return &FunctionDependencies{
+		name:          name,
 		apis:          make(map[string]*Api),
 		subscriptions: make(map[string]*pb.SubscriptionWorker),
 		schedules:     make(map[string]*pb.ScheduleWorker),

pkg/codeconfig/server.go

@@ -26,6 +26,7 @@ import (
 )
 
 type Server struct {
+	name     string
 	function *FunctionDependencies
 	pb.UnimplementedFaasServiceServer
 	pb.UnimplementedResourceServiceServer
@@ -84,8 +85,9 @@ func (s *Server) Declare(ctx context.Context, req *pb.ResourceDeclareRequest) (*
 }
 
 // NewServer - Creates a new deployment server
-func NewServer(function *FunctionDependencies) *Server {
+func NewServer(name string, function *FunctionDependencies) *Server {
 	return &Server{
+		name:     name,
 		function: function,
 	}
 }

pkg/provider/pulumi/aws/aws.go

@@ -120,7 +120,12 @@ func (a *awsProvider) Deploy(ctx *pulumi.Context) error {
 
 	topics := map[string]*sns.Topic{}
 	for k := range a.s.Topics {
-		topics[k], err = sns.NewTopic(ctx, k, &sns.TopicArgs{Tags: commonTags(ctx, k)})
+		topics[k], err = sns.NewTopic(ctx, k, &sns.TopicArgs{
+			// FIXME: Autonaming of topics disabled until improvements to
+			// nitric topic name discovery is made for SNS topics.
+			Name: pulumi.StringPtr(k),
+			Tags: commonTags(ctx, k),
+		})
 		if err != nil {
 			return errors.WithMessage(err, "sns topic "+k)
 		}
@@ -146,8 +151,9 @@ func (a *awsProvider) Deploy(ctx *pulumi.Context) error {
 		}
 	}
 
+	collections := map[string]*dynamodb.Table{}
 	for k := range a.s.Collections {
-		_, err = dynamodb.NewTable(ctx, "mytable", &dynamodb.TableArgs{
+		collections[k], err = dynamodb.NewTable(ctx, k, &dynamodb.TableArgs{
 			Attributes: dynamodb.TableAttributeArray{
 				&dynamodb.TableAttributeArgs{
 					Name: pulumi.String("_pk"),
@@ -243,15 +249,18 @@ func (a *awsProvider) Deploy(ctx *pulumi.Context) error {
 			return err
 		}
 
-		newPolicy(ctx, policyName, &PolicyArgs{
+		if _, err := newPolicy(ctx, policyName, &PolicyArgs{
 			Policy: p,
 			Resources: &StackResources{
-				Topics:  topics,
-				Queues:  queues,
-				Buckets: buckets,
+				Topics:      topics,
+				Queues:      queues,
+				Buckets:     buckets,
+				Collections: collections,
 			},
 			Principals: principalMap,
-		})
+		}); err != nil {
+			return err
+		}
 	}
 
 	return nil

pkg/provider/pulumi/aws/lambda.go

@@ -83,13 +83,19 @@ func newLambda(ctx *pulumi.Context, name string, args *LambdaArgs, opts ...pulum
 		return nil, err
 	}
 
+	// Add resource list permissions
+	// Currently the membrane will use list operations
 	tmpJSON, err = json.Marshal(map[string]interface{}{
 		"Version": "2012-10-17",
 		"Statement": []map[string]interface{}{
 			{
 				"Action": []string{
-					"sns:ConfirmSubscription",
-					"sns:Unsubscribe",
+					// "sns:ConfirmSubscription",
+					// "sns:Unsubscribe",
+					"sns:ListTopics",
+					"sqs:ListQueues",
+					"dynamodb:ListTables",
+					"s3:ListAllMyBuckets",
 				},
 				"Effect":   "Allow",
 				"Resource": "*",
@@ -102,7 +108,7 @@ func newLambda(ctx *pulumi.Context, name string, args *LambdaArgs, opts ...pulum
 
 	// TODO: Lock this SNS topics for which this function has pub definitions
 	// FIXME: Limit to known resources
-	_, err = iam.NewRolePolicy(ctx, name+"SNSAccess", &iam.RolePolicyArgs{
+	_, err = iam.NewRolePolicy(ctx, name+"ListAccess", &iam.RolePolicyArgs{
 		Role:   res.Role.ID(),
 		Policy: pulumi.String(tmpJSON),
 	}, pulumi.Parent(res))

pkg/provider/pulumi/aws/policy.go

@@ -1,10 +1,27 @@
+// Copyright Nitric Pty Ltd.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package aws
 
 import (
 	"encoding/json"
 	"fmt"
 
 	v1 "github.com/nitrictech/nitric/pkg/api/nitric/v1"
+	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/dynamodb"
 	iam "github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
 	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/s3"
 	"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/sns"
@@ -20,9 +37,10 @@ type Policy struct {
 }
 
 type StackResources struct {
-	Topics  map[string]*sns.Topic
-	Queues  map[string]*sqs.Queue
-	Buckets map[string]*s3.Bucket
+	Topics      map[string]*sns.Topic
+	Queues      map[string]*sqs.Queue
+	Buckets     map[string]*s3.Bucket
+	Collections map[string]*dynamodb.Table
 }
 
 type PrincipalMap = map[v1.ResourceType]map[string]*iam.Role
@@ -37,7 +55,7 @@ type PolicyArgs struct {
 
 var awsActionsMap map[v1.Action][]string = map[v1.Action][]string{
 	v1.Action_BucketFileList: {
-		"s3:ListAllMyBuckets",
+		"s3:ListBuckets",
 		"s3:GetBucketTagging",
 	},
 	v1.Action_BucketFileGet: {
@@ -49,9 +67,10 @@ var awsActionsMap map[v1.Action][]string = map[v1.Action][]string{
 	v1.Action_BucketFileDelete: {
 		"s3:DeleteObject",
 	},
-	v1.Action_TopicList: {
-		"sns:ListTopics",
-	},
+	// XXX: Cannot be applied to single resources
+	// v1.Action_TopicList: {
+	// 	"sns:ListTopics",
+	// },
 	v1.Action_TopicDetail: {
 		"sns:GetTopicAttributes",
 	},
@@ -64,9 +83,10 @@ var awsActionsMap map[v1.Action][]string = map[v1.Action][]string{
 	v1.Action_QueueReceive: {
 		"sqs: ReceiveMessage",
 	},
-	v1.Action_QueueList: {
-		"sqs:ListQueues",
-	},
+	// XXX: Cannot be applied to single resources
+	// v1.Action_QueueList: {
+	// 	"sqs:ListQueues",
+	// },
 	v1.Action_QueueDetail: {
 		"sqs:GetQueueAttributes",
 		"sqs:GetQueueUrl",
@@ -78,6 +98,7 @@ var awsActionsMap map[v1.Action][]string = map[v1.Action][]string{
 	},
 	v1.Action_CollectionDocumentWrite: {
 		"dynamodb:UpdateItem",
+		"dynamodb:PutItem",
 	},
 	v1.Action_CollectionDocumentDelete: {
 		"dynamodb:DeleteItem",
@@ -86,9 +107,10 @@ var awsActionsMap map[v1.Action][]string = map[v1.Action][]string{
 		"dynamodb:Query",
 		"dynamodb:Scan",
 	},
-	v1.Action_CollectionList: {
-		"dynamodb:ListTables",
-	},
+	// XXX: Cannot be applied to single resources
+	// v1.Action_CollectionList: {
+	// 	"dynamodb:ListTables",
+	// },
 }
 
 func actionsToAwsActions(actions []v1.Action) []string {
@@ -97,7 +119,6 @@ func actionsToAwsActions(actions []v1.Action) []string {
 	for _, a := range actions {
 		awsActions = append(awsActions, awsActionsMap[a]...)
 	}
-	// TODO:
 	return awsActions
 }
 
@@ -116,6 +137,10 @@ func arnForResource(resource *v1.Resource, resources *StackResources) (pulumi.St
 		if q, ok := resources.Queues[resource.Name]; ok {
 			return q.Arn, nil
 		}
+	case v1.ResourceType_Collection:
+		if c, ok := resources.Collections[resource.Name]; ok {
+			return c.Arn, nil
+		}
 	default:
 		return pulumi.StringOutput{}, fmt.Errorf(
 			"invalid resource type: %s. Did you mean to define it as a principal?", resource.Type)
@@ -145,7 +170,7 @@ func newPolicy(ctx *pulumi.Context, name string, args *PolicyArgs, opts ...pulum
 	actions := actionsToAwsActions(args.Policy.Actions)
 
 	// Get Targets
-	targetArns := make([]pulumi.StringOutput, 0, len(args.Policy.Resources))
+	targetArns := make([]interface{}, 0, len(args.Policy.Resources))
 	for _, princ := range args.Policy.Resources {
 		if arn, err := arnForResource(princ, args.Resources); err == nil {
 			targetArns = append(targetArns, arn)
@@ -167,15 +192,38 @@ func newPolicy(ctx *pulumi.Context, name string, args *PolicyArgs, opts ...pulum
 		}
 	}
 
-	policyJson, err := json.Marshal(map[string]interface{}{
-		"Version": "2012-10-17",
-		"Statement": []map[string]interface{}{
-			{
-				"Action":   actions,
-				"Effect":   "Allow",
-				"Resource": targetArns,
+	serialPolicy, err := json.Marshal(args.Policy)
+	if err != nil {
+		return nil, err
+	}
+
+	policyJson := pulumi.All(targetArns...).ApplyT(func(args []interface{}) (string, error) {
+		arns := make([]string, 0, len(args))
+		for _, iArn := range args {
+			arn, ok := iArn.(string)
+			if !ok {
+				return "", fmt.Errorf("input not a string: %T %v", arn, arn)
+			}
+
+			arns = append(arns, arn)
+		}
+
+		jsonb, err := json.Marshal(map[string]interface{}{
+			"Version": "2012-10-17",
+			"Statement": []map[string]interface{}{
+				{
+					"Action":   actions,
+					"Effect":   "Allow",
+					"Resource": arns,
+				},
 			},
-		},
+		})
+
+		if err != nil {
+			return "", err
+		}
+
+		return string(jsonb), nil
 	})
 
 	if err != nil {
@@ -186,10 +234,10 @@ func newPolicy(ctx *pulumi.Context, name string, args *PolicyArgs, opts ...pulum
 	for k, r := range principalRoles {
 		// Role policies require a unique name
 		// Use a hash of the policy document to help create a unique name
-		policyName := fmt.Sprintf("%s-%s", k, md5Hash(policyJson))
+		policyName := fmt.Sprintf("%s-%s", k, md5Hash(serialPolicy))
 		rolePol, err := iam.NewRolePolicy(ctx, policyName, &iam.RolePolicyArgs{
 			Role:   r.ID(),
-			Policy: pulumi.String(policyJson),
+			Policy: policyJson,
 		}, pulumi.Parent(res))
 
 		if err != nil {

pkg/runtime/typescript.go

@@ -100,7 +100,7 @@ func (t *typescript) LaunchOptsForFunctionCollect(runCtx string) (LaunchOpts, er
 	return LaunchOpts{
 		Image:      t.DevImageName(),
 		Entrypoint: strslice.StrSlice{"ts-node"},
-		Cmd:        strslice.StrSlice{"-T " + "/app/" + t.handler},
+		Cmd:        strslice.StrSlice{"-T", "/app/" + t.handler},
 		TargetWD:   "/app",
 		Mounts: []mount.Mount{
 			{