feat(services): add policy data to lambda

Author: tyler-dunkel

src/services/lambda/data.ts

@@ -9,6 +9,7 @@ import Lambda, {
   GetFunctionConcurrencyRequest,
   GetFunctionConcurrencyResponse,
   ReservedConcurrentExecutions,
+  GetPolicyResponse
 } from 'aws-sdk/clients/lambda'
 import { AWSError } from 'aws-sdk/lib/error'
 import { Config } from 'aws-sdk/lib/config'
@@ -30,6 +31,10 @@ export interface RawAwsLambdaFunction extends FunctionConfiguration {
   Tags?: TagMap
   region: string
   reservedConcurrentExecutions: ReservedConcurrentExecutions
+  PolicyData?: {
+    Policy?: string
+    RevisionId?: string
+  }
 }
 
 const listFunctionsForRegion = async ({
@@ -132,6 +137,28 @@ const getResourceTags = async (lambda: Lambda, arn: string): Promise<TagMap> =>
     }
   })
 
+  const getLambdaPolicy = async (lambda: Lambda, arn: string): Promise<{ Policy?: string; RevisionId?: string }> =>
+  new Promise(resolve => {
+    try {
+      lambda.getPolicy(
+        { FunctionName: arn },
+        (err: AWSError, data: GetPolicyResponse) => {
+          if (err) {
+            errorLog.generateAwsErrorLog({
+              functionName: 'lambda:getPolicy',
+              err,
+            })
+            resolve({})
+          }
+          const { Policy = '', RevisionId = '' } = data || {}
+          resolve({ Policy, RevisionId })
+        }
+      )
+    } catch (error) {
+      resolve({})
+    }
+  })
+
 export default async ({
   regions,
   config,
@@ -171,15 +198,17 @@ export default async ({
     await Promise.all(regionPromises)
     logger.debug(lt.fetchedLambdas(lambdaData.length))
 
-    // get all tags for each Lambda
+    // get all tags and policy for each Lambda
     lambdaData.map(({ FunctionArn: arn, region }, idx) => {
       const lambda = new Lambda({ ...config, region, endpoint })
-      const tagsPromise = new Promise<void>(async resolveTags => {
+      const tagsAndPolicyPromise = new Promise<void>(async resolveData => {
         const envTags: TagMap = await getResourceTags(lambda, arn)
         lambdaData[idx].Tags = envTags
-        resolveTags()
+        const policy = await getLambdaPolicy(lambda, arn)
+        lambdaData[idx].PolicyData = policy
+        resolveData()
       })
-      tagsPromises.push(tagsPromise)
+      tagsPromises.push(tagsAndPolicyPromise)
     })
 
     logger.debug(lt.gettingLambdaTags)

src/services/lambda/format.ts

@@ -3,6 +3,7 @@ import t from '../../properties/translations'
 import { AwsLambda } from '../../types/generated'
 import { formatTagsFromMap } from '../../utils/format'
 import { RawAwsLambdaFunction } from './data'
+import { formatIamJsonPolicy } from '../../utils/format'
 
 /**
  * Lambda
@@ -31,7 +32,11 @@ export default ({
     TracingConfig: tracing = [],
     Version: version,
     reservedConcurrentExecutions: rawReservedConcurrentExecutions,
-    VpcConfig: vpcConfig
+    VpcConfig: vpcConfig,
+    PolicyData: {
+      Policy: policy = '',
+      RevisionId: policyRevisionId = ''
+    }
   } = rawData
   const environmentVariables = []
   const secretNames = [t.pass, t.secret, t.private, t.cert]
@@ -82,6 +87,8 @@ export default ({
     version,
     environmentVariables,
     vpcConfig: formattedVpcConfig,
+    policyRevisionId,
+    policy: formatIamJsonPolicy(policy),
     tags: formatTagsFromMap(Tags),
   }
 }

src/services/lambda/schema.graphql

@@ -17,6 +17,8 @@ type awsLambda @key(fields: "arn") {
   version: String @search(by: [hash, regexp])
   environmentVariables: [awsLambdaEnvironmentVariable]
   vpcConfig: awsLambdaVpcConfig
+  policyRevisionId: String @search(by: [hash, regexp])
+  policy: awsIamJSONPolicy
   tags: [awsRawTag]
   kms: [awsKms] @hasInverse(field: lambda)
   securityGroups: [awsSecurityGroup] @hasInverse(field: lambda)

src/types/generated.ts

@@ -3344,6 +3344,8 @@ export type AwsLambda = {
   kmsKeyArn?: Maybe<Scalars['String']>;
   lastModified?: Maybe<Scalars['String']>;
   memorySize?: Maybe<Scalars['Int']>;
+  policy?: Maybe<AwsIamJsonPolicy>;
+  policyRevisionId?: Maybe<Scalars['String']>;
   region?: Maybe<Scalars['String']>;
   reservedConcurrentExecutions?: Maybe<Scalars['Int']>;
   role?: Maybe<Scalars['String']>;