feat(schema): Add AWS::Serverless::Function.Auth (#373)

* function api auth * resource policy * add tests Co-authored-by: stephen.raymond <[email protected]>
awslabs · Jun 20, 2021 · fc2877f · fc2877f
1 parent 9b8c84c
commit fc2877f
Show file tree

Hide file tree

Showing 7 changed files with 493 additions and 3 deletions.
diff --git a/cloudformation/serverless/aws-serverless-function_apievent.go b/cloudformation/serverless/aws-serverless-function_apievent.go
@@ -8,6 +8,11 @@ import (
 // See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
 type Function_ApiEvent struct {
 
+	// Auth AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
+	Auth *Function_Auth `json:"Auth,omitempty"`
+
 	// Method AWS CloudFormation Property
 	// Required: true
 	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api

diff --git a/cloudformation/serverless/aws-serverless-function_auth.go b/cloudformation/serverless/aws-serverless-function_auth.go
@@ -0,0 +1,50 @@
+package serverless
+
+import (
+	"github.com/awslabs/goformation/v4/cloudformation/policies"
+)
+
+// Function_Auth AWS CloudFormation Resource (AWS::Serverless::Function.Auth)
+// See: https://github.com/aws/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+type Function_Auth struct {
+
+	// ApiKeyRequired AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	ApiKeyRequired bool `json:"ApiKeyRequired,omitempty"`
+
+	// AuthorizationScopes AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	AuthorizationScopes []string `json:"AuthorizationScopes,omitempty"`
+
+	// Authorizer AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	Authorizer string `json:"Authorizer,omitempty"`
+
+	// ResourcePolicy AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	ResourcePolicy *Function_AuthResourcePolicy `json:"ResourcePolicy,omitempty"`
+
+	// AWSCloudFormationDeletionPolicy represents a CloudFormation DeletionPolicy
+	AWSCloudFormationDeletionPolicy policies.DeletionPolicy `json:"-"`
+
+	// AWSCloudFormationUpdateReplacePolicy represents a CloudFormation UpdateReplacePolicy
+	AWSCloudFormationUpdateReplacePolicy policies.UpdateReplacePolicy `json:"-"`
+
+	// AWSCloudFormationDependsOn stores the logical ID of the resources to be created before this resource
+	AWSCloudFormationDependsOn []string `json:"-"`
+
+	// AWSCloudFormationMetadata stores structured data associated with this resource
+	AWSCloudFormationMetadata map[string]interface{} `json:"-"`
+
+	// AWSCloudFormationCondition stores the logical ID of the condition that must be satisfied for this resource to be created
+	AWSCloudFormationCondition string `json:"-"`
+}
+
+// AWSCloudFormationType returns the AWS CloudFormation resource type
+func (r *Function_Auth) AWSCloudFormationType() string {
+	return "AWS::Serverless::Function.Auth"
+}
diff --git a/cloudformation/serverless/aws-serverless-function_authresourcepolicy.go b/cloudformation/serverless/aws-serverless-function_authresourcepolicy.go
@@ -0,0 +1,85 @@
+package serverless
+
+import (
+	"github.com/awslabs/goformation/v4/cloudformation/policies"
+)
+
+// Function_AuthResourcePolicy AWS CloudFormation Resource (AWS::Serverless::Function.AuthResourcePolicy)
+// See: https://github.com/aws/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+type Function_AuthResourcePolicy struct {
+
+	// AwsAccountBlacklist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	AwsAccountBlacklist []string `json:"AwsAccountBlacklist,omitempty"`
+
+	// AwsAccountWhitelist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	AwsAccountWhitelist []string `json:"AwsAccountWhitelist,omitempty"`
+
+	// CustomStatements AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	CustomStatements []interface{} `json:"CustomStatements,omitempty"`
+
+	// IntrinsicVpcBlacklist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IntrinsicVpcBlacklist []string `json:"IntrinsicVpcBlacklist,omitempty"`
+
+	// IntrinsicVpcWhitelist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IntrinsicVpcWhitelist []string `json:"IntrinsicVpcWhitelist,omitempty"`
+
+	// IntrinsicVpceBlacklist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IntrinsicVpceBlacklist []string `json:"IntrinsicVpceBlacklist,omitempty"`
+
+	// IntrinsicVpceWhitelist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IntrinsicVpceWhitelist []string `json:"IntrinsicVpceWhitelist,omitempty"`
+
+	// IpRangeBlacklist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IpRangeBlacklist []string `json:"IpRangeBlacklist,omitempty"`
+
+	// IpRangeWhitelist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	IpRangeWhitelist []string `json:"IpRangeWhitelist,omitempty"`
+
+	// SourceVpcBlacklist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	SourceVpcBlacklist []string `json:"SourceVpcBlacklist,omitempty"`
+
+	// SourceVpcWhitelist AWS CloudFormation Property
+	// Required: false
+	// See: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object
+	SourceVpcWhitelist []string `json:"SourceVpcWhitelist,omitempty"`
+
+	// AWSCloudFormationDeletionPolicy represents a CloudFormation DeletionPolicy
+	AWSCloudFormationDeletionPolicy policies.DeletionPolicy `json:"-"`
+
+	// AWSCloudFormationUpdateReplacePolicy represents a CloudFormation UpdateReplacePolicy
+	AWSCloudFormationUpdateReplacePolicy policies.UpdateReplacePolicy `json:"-"`
+
+	// AWSCloudFormationDependsOn stores the logical ID of the resources to be created before this resource
+	AWSCloudFormationDependsOn []string `json:"-"`
+
+	// AWSCloudFormationMetadata stores structured data associated with this resource
+	AWSCloudFormationMetadata map[string]interface{} `json:"-"`
+
+	// AWSCloudFormationCondition stores the logical ID of the condition that must be satisfied for this resource to be created
+	AWSCloudFormationCondition string `json:"-"`
+}
+
+// AWSCloudFormationType returns the AWS CloudFormation resource type
+func (r *Function_AuthResourcePolicy) AWSCloudFormationType() string {
+	return "AWS::Serverless::Function.AuthResourcePolicy"
+}
diff --git a/generate/sam-2016-10-31.json b/generate/sam-2016-10-31.json
@@ -1029,6 +1029,124 @@
                     "Required": false,
                     "PrimitiveType": "String",
                     "UpdateType": "Immutable"
+                },
+                "Auth": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api",
+                    "Required": false,
+                    "Type": "Auth",
+                    "UpdateType": "Immutable"
+                }
+            }
+        },
+        "AWS::Serverless::Function.Auth": {
+            "Documentation": "https://github.com/aws/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+            "Properties": {
+                "Authorizer": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "PrimitiveType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "AuthorizationScopes": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "ApiKeyRequired": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "PrimitiveType": "Boolean",
+                    "UpdateType": "Immutable"
+                },
+                "ResourcePolicy": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "AuthResourcePolicy",
+                    "UpdateType": "Immutable"
+                }
+            }
+        },
+        "AWS::Serverless::Function.AuthResourcePolicy": {
+            "Documentation": "https://github.com/aws/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+            "Properties": {
+                "CustomStatements": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "Map",
+                    "UpdateType": "Immutable"
+                },
+                "AwsAccountBlacklist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "AwsAccountWhitelist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IntrinsicVpcBlacklist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IntrinsicVpcWhitelist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IntrinsicVpceBlacklist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IntrinsicVpceWhitelist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IpRangeBlacklist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "IpRangeWhitelist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "SourceVpcBlacklist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
+                },
+                "SourceVpcWhitelist": {
+                    "Documentation": "https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#function-auth-object",
+                    "Required": false,
+                    "Type": "List",
+                    "PrimitiveItemType": "String",
+                    "UpdateType": "Immutable"
                 }
             }
         },

diff --git a/goformation_test.go b/goformation_test.go
@@ -1,9 +1,8 @@
 package goformation_test
 
 import (
-	"fmt"
-
 	"encoding/json"
+	"fmt"
 
 	"github.com/sanathkr/yaml"
 
@@ -814,7 +813,7 @@ var _ = Describe("Goformation", func() {
 
 	})
 
-	Context("with a YAML template with paramter overrides", func() {
+	Context("with a YAML template with parameter overrides", func() {
 
 		template, err := goformation.OpenWithOptions("test/yaml/aws-serverless-function-env-vars.yaml", &intrinsics.ProcessorOptions{
 			ParameterOverrides: map[string]interface{}{"ExampleParameter": "SomeNewValue"},
@@ -863,6 +862,47 @@ var _ = Describe("Goformation", func() {
 		})
 	})
 
+	Context("with an API event source", func() {
+		event := serverless.Function_Properties{
+			ApiEvent: &serverless.Function_ApiEvent{
+				Auth: &serverless.Function_Auth{
+					ApiKeyRequired:      true,
+					AuthorizationScopes: []string{"scope1", "scope2"},
+					Authorizer:          "aws_iam",
+					ResourcePolicy: &serverless.Function_AuthResourcePolicy{
+						CustomStatements: []interface{}{
+							map[string]interface{}{
+								"Effect":   "Allow",
+								"Action":   "execute-api:*",
+								"Resource": "*",
+							},
+						},
+						AwsAccountBlacklist:    []string{"AwsAccountBlacklistValue"},
+						AwsAccountWhitelist:    []string{"AwsAccountWhitelistValue"},
+						IntrinsicVpcBlacklist:  []string{"IntrinsicVpcBlacklistValue"},
+						IntrinsicVpcWhitelist:  []string{"IntrinsicVpcWhitelistValue"},
+						IntrinsicVpceBlacklist: []string{"IntrinsicVpceBlacklistValue"},
+						IntrinsicVpceWhitelist: []string{"IntrinsicVpceWhitelistValue"},
+						IpRangeBlacklist:       []string{"IpRangeBlacklistValue"},
+						IpRangeWhitelist:       []string{"IpRangeWhitelistValue"},
+						SourceVpcBlacklist:     []string{"SourceVpcBlacklistValue"},
+						SourceVpcWhitelist:     []string{"SourceVpcWhitelistValue"},
+					},
+				},
+				Method:    "MethodValue",
+				Path:      "PathValue",
+				RestApiId: "RestApiIdValue",
+			},
+		}
+
+		It("should marshal properties correctly", func() {
+			expectedString := `{"Auth":{"ApiKeyRequired":true,"AuthorizationScopes":["scope1","scope2"],"Authorizer":"aws_iam","ResourcePolicy":{"AwsAccountBlacklist":["AwsAccountBlacklistValue"],"AwsAccountWhitelist":["AwsAccountWhitelistValue"],"CustomStatements":[{"Action":"execute-api:*","Effect":"Allow","Resource":"*"}],"IntrinsicVpcBlacklist":["IntrinsicVpcBlacklistValue"],"IntrinsicVpcWhitelist":["IntrinsicVpcWhitelistValue"],"IntrinsicVpceBlacklist":["IntrinsicVpceBlacklistValue"],"IntrinsicVpceWhitelist":["IntrinsicVpceWhitelistValue"],"IpRangeBlacklist":["IpRangeBlacklistValue"],"IpRangeWhitelist":["IpRangeWhitelistValue"],"SourceVpcBlacklist":["SourceVpcBlacklistValue"],"SourceVpcWhitelist":["SourceVpcWhitelistValue"]}},"Method":"MethodValue","Path":"PathValue","RestApiId":"RestApiIdValue"}`
+			bytes, err := event.MarshalJSON()
+			Expect(err).To(BeNil())
+			Expect(string(bytes)).To(Equal(expectedString))
+		})
+	})
+
 	Context("with a template that contains a reference to another resource within the template", func() {
 
 		template := &cloudformation.Template{