From 1dff4c532312f6d6e7c0b93d2a80d4e0d082e5e7 Mon Sep 17 00:00:00 2001
From: neil
Date: Fri, 28 Oct 2022 10:11:48 +0800
Subject: [PATCH] ops: implement granular permission configuration per lambda function
---
 lambdas/package.json | 1 +
 lambdas/serverless.ts | 27 ++++++++------------
 lambdas/src/functions/buildPackages/index.ts | 18 ++++++++++++-
 lambdas/src/functions/ipfsUpload/index.ts | 16 +++++++++++-
 lambdas/yarn.lock | 9 ++++++-
 5 files changed, 51 insertions(+), 20 deletions(-)
diff --git a/lambdas/package.json b/lambdas/package.json
index 2fc5286..a3a5a8e 100644
--- a/lambdas/package.json
+++ b/lambdas/package.json
@@ -33,6 +33,7 @@
 "json-schema-to-ts": "^1.5.0",
 "serverless": "^3.0.0",
 "serverless-esbuild": "^1.23.3",
+ "serverless-iam-roles-per-function": "^3.2.0",
 "ts-node": "^10.4.0",
 "tsconfig-paths": "^3.9.0",
 "typescript": "^4.1.3"
diff --git a/lambdas/serverless.ts b/lambdas/serverless.ts
index 6f98e35..8ac80b6 100644
--- a/lambdas/serverless.ts
+++ b/lambdas/serverless.ts
@@ -6,7 +6,10 @@ import ipfsUpload from '@functions/ipfsUpload';
 const serverlessConfiguration: AWS = {
 service: 'lambdas',
 frameworkVersion: '3',
- plugins: ['serverless-esbuild'],
+ plugins: [
+ 'serverless-esbuild',
+ 'serverless-iam-roles-per-function'
+ ],
 provider: {
 name: 'aws',
 runtime: 'nodejs14.x',
@@ -22,22 +25,7 @@ const serverlessConfiguration: AWS = {
 iam: {
 deploymentRole: `arn:aws:iam::${process.env.AWS_ACCOUNT_ID || '640264234305'}:role/CloudFormationExecutionRole`,
 role: {
- statements: [
- {
- "Effect": "Allow",
- "Resource": [
- "arn:aws:s3:::dist.tea.xyz",
- "arn:aws:s3:::dist.tea.xyz/*",
- "arn:aws:s3:::dist.tea.xyz/*/*",
- ],
- "Action": [
- "s3:GetBucketAcl",
- "s3:List",
- "s3:ListBucket",
- "s3:PutObject"
- ]
- }
- ]
+ statements: []
 }
 },
 vpc: {
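Review bot: `statements: []` strips every application permission from the provider-level role, but nothing in the hunk says this is deliberate, and that role is still what any function without its own `iamRoleStatements` ends up with, so such a function would silently lose the S3 access the removed block granted. I would annotate it: `// intentionally empty: each function declares its own least-privilege statements (serverless-iam-roles-per-function, defaultInherit: false)` and check that every entry under `functions` — this patch only touches buildPackages and ipfsUpload — declares statements. Note also that the removed statements named the bucket `dist.tea.xyz` literally while the per-function replacements resolve `${ssm:AW5_S3_BUCKET}` at deploy time; confirm that parameter holds the same bucket, otherwise the effective grant changes with this commit. The `provider` object this hunk edits starts before and continues after the hunk.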
@@ -67,6 +55,11 @@ const serverlessConfiguration: AWS = {
 platform: 'node',
 concurrency: 10,
 },
+ 'serverless-iam-roles-per-function': {
+ // on inherit: try to configure permission per function correctly
+ // TODO: ci/cd puresec-ish auto-auditing permissions
+ defaultInherit: false,
+ }
 },
 };
diff --git a/lambdas/src/functions/buildPackages/index.ts b/lambdas/src/functions/buildPackages/index.ts
index 7573389..c38191f 100644
--- a/lambdas/src/functions/buildPackages/index.ts
+++ b/lambdas/src/functions/buildPackages/index.ts
@@ -10,5 +10,21 @@ export default {
 AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
 ALGOLIA_APP_ID: '${ssm:/algolia/app_id}',
 ALGOLIA_SEARCH_API_KEY: '${ssm:/algolia/search_api_key}',
- }
+ },
+ iamRoleStatements: [
+ {
+ Effect: 'Allow',
+ Action: [
+ 's3:GetBucketAcl',
+ 's3:List',
+ 's3:ListBucket',
+ 's3:PutObject'
+ ],
+ Resource: [
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
+ ]
+ }
+ ]
 };
diff --git a/lambdas/src/functions/ipfsUpload/index.ts b/lambdas/src/functions/ipfsUpload/index.ts
index e1467a5..71dd67f 100644
--- a/lambdas/src/functions/ipfsUpload/index.ts
+++ b/lambdas/src/functions/ipfsUpload/index.ts
@@ -32,5 +32,19 @@ export default {
 environment: {
 AWS_DIST_BUCKET: '${ssm:AW5_S3_BUCKET}',
 IPFS_IP4_ADDRESS: '${ssm:/ipfs/ip4_address}',
- }
+ },
+ iamRoleStatements: [
+ {
+ Effect: 'Allow',
+ Action: [
+ 's3:GetObject',
+ 's3:PutObject',
+ ],
+ Resource: [
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}",
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*",
+ "arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*/*",
+ ]
+ }
+ ]
 };
diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock
index 95c5f0d..0542dda 100644
--- a/lambdas/yarn.lock
+++ b/lambdas/yarn.lock
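Review bot: The comment above `defaultInherit: false` (`// on inherit: try to configure permission per function correctly`) does not say what the flag does or why it is set, so the next person chasing an AccessDenied may flip it and re-open the door. I would replace that line with `// defaultInherit: false — a function's role holds only its own iamRoleStatements; nothing comes from provider.iam.role.statements` and keep the audit TODO on its own line. Because `provider.vpc` is configured earlier in this file, verify after the first deploy that the generated per-function roles still carry the ENI permissions VPC attachment needs — the plugin is documented to add them itself, but that is outside what this diff shows. The `custom` object this hunk edits starts outside the hunk.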
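Review bot: `'s3:List'` in the new Action list is not an S3 action name I can find (the real ones are `s3:ListBucket`, `s3:ListAllMyBuckets`, …), so it grants nothing and policy validation will flag it; it was copied from the removed provider-level block and should be dropped rather than carried forward. The statement also mixes bucket-level actions (`s3:GetBucketAcl`, `s3:ListBucket`, which only match `arn:aws:s3:::bucket`) with the object-level `s3:PutObject` (which only matches `arn:aws:s3:::bucket/*`), and the `/*/*` entry is already covered by `/*`. One statement per resource type keeps each action scoped to what it can act on; whether `s3:GetBucketAcl` is needed at all I cannot tell from this diff. The `export default {` object this hunk extends starts outside the hunk.
```typescript
  // … unchanged: handler, events, environment …
  iamRoleStatements: [
    {
      // bucket-level actions match the bucket ARN itself
      Effect: 'Allow',
      Action: ['s3:GetBucketAcl', 's3:ListBucket'],
      Resource: ['arn:aws:s3:::${ssm:AW5_S3_BUCKET}'],
    },
    {
      // object-level actions match keys; "/*" already covers nested prefixes
      Effect: 'Allow',
      Action: ['s3:PutObject'],
      Resource: ['arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*'],
    },
  ],
```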
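Review bot: Both `s3:GetObject` and `s3:PutObject` are object-level actions, so the bucket ARN `arn:aws:s3:::${ssm:AW5_S3_BUCKET}` and the `/*/*` entry in Resource never match anything — `/*` alone covers every key, nested prefixes included. I would reduce Resource to the single entry `"arn:aws:s3:::${ssm:AW5_S3_BUCKET}/*"` so the statement reads as exactly what it grants. If the handler only uploads and never reads back, `s3:GetObject` could go as well, but the handler body is not in this diff so I cannot confirm. The `export default {` object this hunk extends starts outside the hunk.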
@@ -2856,7 +2856,7 @@ lodash.union@^4.6.0:
 resolved "https://registry.yarnpkg.com/lodash.union/-/lodash.union-4.6.0.tgz#48bb5088409f16f1821666641c44dd1aaae3cd88"
 integrity sha512-c4pB2CdGrGdjMKYLA+XiRDO7Y0PRQbm/Gzg8qMj+QH+pFVAoTp5sBpO0odL3FjoPCGjK96p6qsP+yQoiLoOBcw==
-lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.21:
+lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21:
 version "4.17.21"
 resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
 integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@@ -3893,6 +3893,13 @@ serverless-esbuild@^1.23.3:
 ramda "^0.27.0"
 semver "^7.3.5"
+serverless-iam-roles-per-function@^3.2.0:
+ version "3.2.0"
+ resolved "https://registry.yarnpkg.com/serverless-iam-roles-per-function/-/serverless-iam-roles-per-function-3.2.0.tgz#8bb5f68e73f391ac8ff9809b8e7726e5bafba4c4"
+ integrity sha512-AXmxACHEUsDcFDcv8QNwDgn2L0brRJ7pz/phD3lFB/wQ3TtPJkorC+J7PxgFQbaWIQk15EIlU83BtKXeQoPTAg==
+ dependencies:
+ lodash "^4.17.20"
+
 serverless@^3.0.0:
 version "3.23.0"
 resolved "https://registry.yarnpkg.com/serverless/-/serverless-3.23.0.tgz#407f804d55f3c11212b8e4de4325006b01658f7d"