Use inline policy

Author: ServerlessLife

.github/workflows/main.yml

@@ -5,8 +5,6 @@ on:
     branches: [main]
   push:
     branches: [main]
-  release:
-    types: [created]
 
 permissions:
   id-token: write
@@ -98,7 +96,7 @@ jobs:
         run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Publish to npm
         run: npm publish
         env:

src/infraDeploy.ts

@@ -6,16 +6,15 @@ import {
   PublishLayerVersionCommand,
   UpdateFunctionConfigurationCommand,
   GetFunctionCommand,
+  ListLayersCommand,
 } from "@aws-sdk/client-lambda";
 import {
   IAMClient,
-  CreatePolicyCommand,
-  AttachRolePolicyCommand,
-  GetPolicyCommand,
+  GetRolePolicyCommand,
+  PutRolePolicyCommand,
 } from "@aws-sdk/client-iam";
 import { getDebuggerId, getVersion, moduleDirname } from "./lldebugger.js";
-import { Policy } from "@aws-sdk/client-iam";
-import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+import { STSClient } from "@aws-sdk/client-sts";
 import * as Functions from "./functions.js";
 import fs from "fs/promises";
 import * as path from "path";
@@ -24,6 +23,19 @@ const lambdaClient = new LambdaClient({});
 const stsClient = new STSClient({});
 const iamClient = new IAMClient({});
 
+const inlinePolicyName = "LambdaLiveDebuggerPolicy";
+
+const policyDocument = {
+  Version: "2012-10-17",
+  Statement: [
+    {
+      Action: "iot:*",
+      Resource: "*",
+      Effect: "Allow",
+    },
+  ],
+};
+
 async function findExistingLayer(layerName: string) {
   const listLayerVersionsCommand = new ListLayerVersionsCommand({
     LayerName: layerName,
@@ -37,7 +49,7 @@ async function findExistingLayer(layerName: string) {
   return undefined;
 }
 
-async function deployLayer(layerName: string) {
+async function deployLayer() {
   const layerDescription = `Lambda Live Debugger Layer version ${await getVersion()}`;
 
   let layerZipPathFullPath = path.join(
@@ -103,6 +115,68 @@ async function deployLayer(layerName: string) {
   return response.LayerVersionArn;
 }
 
+async function deleteLayer() {
+  let nextMarker: string | undefined;
+  do {
+    const layers = await lambdaClient.send(
+      new ListLayersCommand({
+        Marker: nextMarker,
+        MaxItems: 10,
+      })
+    );
+
+    // Filter layers by name
+    const targetLayers =
+      layers.Layers?.filter((layer) => layer.LayerName === layerName) || [];
+
+    for (const layer of targetLayers) {
+      await deleteAllVersionsOfLayer(layer.LayerArn!);
+    }
+
+    nextMarker = layers.NextMarker;
+  } while (nextMarker);
+}
+
+async function deleteAllVersionsOfLayer(layerArn: string): Promise<void> {
+  let nextMarker: string | undefined;
+  do {
+    const versions = await lambdaClient.send(
+      new ListLayerVersionsCommand({
+        LayerName: layerArn,
+        Marker: nextMarker,
+        //MaxItems: 5,
+      })
+    );
+
+    for (const version of versions.LayerVersions || []) {
+      await deleteLayerVersion(layerArn, version.Version!);
+    }
+
+    nextMarker = versions.NextMarker;
+  } while (nextMarker);
+}
+
+async function deleteLayerVersion(
+  layerArn: string,
+  versionNumber: number
+): Promise<void> {
+  try {
+    await lambdaClient.send(
+      new DeleteLayerVersionCommand({
+        LayerName: layerArn,
+        VersionNumber: versionNumber,
+      })
+    );
+    console.log(`Deleted version ${versionNumber} of layer ${layerArn}`);
+  } catch (error) {
+    console.error(
+      `Error deleting version ${versionNumber} of layer ${layerArn}:`,
+      error
+    );
+    throw error;
+  }
+}
+
 async function attachLayerToFunction(
   functionName: string,
   functionId: string,
@@ -143,75 +217,7 @@ async function attachLayerToFunction(
   console.log("Function configuration updated");
 }
 
-async function findOrCreatePolicy(): Promise<string> {
-  const version = await getVersion();
-  const policyName = `lambda-live-debugger-policy-v${version.replace(
-    /\./g,
-    "-"
-  )}`;
-
-  let existingPolicy: Policy | undefined;
-
-  try {
-    // get account number
-    const { Account: account } = await stsClient.send(
-      new GetCallerIdentityCommand({})
-    );
-
-    const response = await iamClient.send(
-      new GetPolicyCommand({
-        PolicyArn: `arn:aws:iam::${account}:policy/${policyName}`,
-      })
-    );
-    existingPolicy = response.Policy;
-  } catch (e: any) {
-    if (e.name === "NoSuchEntityException") {
-      // did not find the policy
-    } else {
-      throw e;
-    }
-  }
-
-  if (existingPolicy) {
-    if (!existingPolicy.Arn) {
-      throw new Error(
-        "Failed to retrieve the policy ARN of the existing policy"
-      );
-    }
-    return existingPolicy.Arn;
-  }
-
-  const policyDocument = {
-    Version: "2012-10-17",
-    Statement: [
-      {
-        Action: "iot:*",
-        Resource: "*",
-        Effect: "Allow",
-      },
-    ],
-  };
-
-  // If not found, create a new policy
-  const createPolicyResponse = await iamClient.send(
-    new CreatePolicyCommand({
-      PolicyName: policyName,
-      PolicyDocument: JSON.stringify(policyDocument),
-    })
-  );
-  console.log(`Policy ${policyName} created`);
-
-  if (!createPolicyResponse.Policy?.Arn) {
-    throw new Error("Failed to retrieve the policy ARN of the new policy");
-  }
-
-  return createPolicyResponse.Policy?.Arn;
-}
-
-async function attachPolicyToLambdaRole(
-  functionName: string,
-  policyArn: string
-) {
+async function addPolicyToLambdaRole(functionName: string) {
   // Retrieve the Lambda function's execution role ARN
   const getFunctionResponse = await lambdaClient.send(
     new GetFunctionCommand({
@@ -220,44 +226,78 @@ async function attachPolicyToLambdaRole(
   );
   const roleArn = getFunctionResponse.Configuration?.Role;
   if (!roleArn) {
-    console.error("Failed to retrieve function role ARN");
-    return;
+    throw new Error(
+      `Failed to retrieve the role ARN for function ${functionName}`
+    );
   }
 
   // Extract the role name from the role ARN
   const roleName = roleArn.split("/").pop();
 
-  if (!policyArn || !roleName) {
-    console.error("Failed to proceed without policy ARN or role name");
-    return;
+  if (!roleName) {
+    throw new Error(
+      `Failed to extract role name from role ARN: ${roleArn} for function ${functionName}`
+    );
   }
 
-  // Attach the policy to the role
-  await iamClient.send(
-    new AttachRolePolicyCommand({
-      RoleName: roleName,
-      PolicyArn: policyArn,
-    })
-  );
-  console.log(`Policy attached to Lambda role`);
+  const existingPolicy = getPolicyDocument(roleName);
+
+  let addPolicy: boolean = true;
+
+  // compare existing policy with the new one
+  if (existingPolicy) {
+    if (JSON.stringify(existingPolicy) === JSON.stringify(policyDocument)) {
+      console.log(
+        `Correct policy already attached to the role ${roleName} for function ${functionName}`
+      );
+      addPolicy = false;
+    }
+  }
+
+  if (addPolicy) {
+    // add inline policy to the role using PutRolePolicyCommand
+    await iamClient.send(
+      new PutRolePolicyCommand({
+        RoleName: roleName,
+        PolicyName: inlinePolicyName,
+        PolicyDocument: JSON.stringify(policyDocument),
+      })
+    );
+  }
+}
+
+async function getPolicyDocument(roleName: string) {
+  try {
+    const policy = await iamClient.send(
+      new GetRolePolicyCommand({
+        RoleName: roleName,
+        PolicyName: inlinePolicyName,
+      })
+    );
+
+    return policy.PolicyDocument;
+  } catch (error) {
+    // console.error(
+    //   `Error retrieving policy document for ${inlinePolicyName}:`,
+    //   error
+    // );
+  }
 }
 
 const layerName = "LambdaLiveDebugger"; // Replace with your layer name
 
 export async function deployInfrastructure() {
-  const layerVersionArnPromise = deployLayer(layerName);
-  const policyArnPromise = findOrCreatePolicy();
+  const layerVersionArnPromise = deployLayer();
 
   const layerVersionArn = await layerVersionArnPromise;
-  const policyArn = await policyArnPromise;
 
   const promises: Promise<void>[] = [];
 
   for (const func of Functions.getFunctions()) {
     promises.push(
       attachLayerToFunction(func.functionName, func.functionId, layerVersionArn)
     );
-    promises.push(attachPolicyToLambdaRole(func.functionName, policyArn));
+    promises.push(addPolicyToLambdaRole(func.functionName));
   }
 
   await Promise.all(promises);