refactor iam

2023-09-18 14:46:54 -07:00 · 2023-09-18 14:46:54 -07:00 · 12c09b291d
commit 12c09b291d
parent 1014f89d3d
1 changed files with 44 additions and 32 deletions
--- a/src/lambdabuild.zig
+++ b/src/lambdabuild.zig
@ -74,52 +74,64 @@ pub fn configureBuild(b: *std.build.Builder, exe: *std.Build.Step.Compile) !void

    // Deployment
    const deploy_step = b.step("awslambda_deploy", "Deploy the function");
-    var deal_with_iam = true;
-    if (b.args) |args| {
-        for (args) |arg| {
-            if (std.mem.eql(u8, "--role", arg)) {
-                deal_with_iam = false;
-                break;
-            }
-        }
-    }

-    // TODO: Allow custom lambda role names
-    var iam_role: []u8 = &.{};
+    const iam_role_name = b.option(
+        []const u8,
+        "function-role",
+        "IAM role name for function (will create if it does not exist) [lambda_basic_execution]",
+    ) orelse "lambda_basic_execution";
+    var iam_role_arn = b.option(
+        []const u8,
+        "function-arn",
+        "Preexisting IAM role arn for function",
+    );
+
    const iam_step = b.step("awslambda_iam", "Create/Get IAM role for function");
    deploy_step.dependOn(iam_step); // iam_step will either be a noop or all the stuff below
-    if (deal_with_iam) {
-        // if someone adds '-- --role arn...' to the command line, we don't
-        // need to do anything with the iam role. Otherwise, we'll create/
-        // get the IAM role and stick the name in a file in our destination
-        // directory to be used later
-        const iam_role_name_file = b.getInstallPath(.bin, "iam_role_name");
-        iam_role = try std.fmt.allocPrint(b.allocator, "--role $(cat {s})", .{iam_role_name_file});
-        // defer b.allocator.free(iam_role);
-        if (!fileExists(iam_role_name_file)) {
-            // Role get/creation command
+    const iam_role_param: []u8 = blk: {
+        if (iam_role_arn != null)
+            break :blk try std.fmt.allocPrint(b.allocator, "--role {s}", .{iam_role_arn.?});
+
+        if (iam_role_name.len == 0)
+            @panic("Either function-role or function-arn must be specified. function-arn will allow deployment without creating a role");
+
+        // Now we have an iam role name to use, but no iam role arn. Let's go hunting
+        // Once this is done once, we'll have a file with the arn in "cache"
+        // The iam arn will reside in an 'iam_role' file in the bin directory
+
+        // Build system command to create the role if necessary and get the role arn
+        const iam_role_file = b.getInstallPath(.bin, "iam_role");
+
+        if (!fileExists(iam_role_file)) {
+            std.debug.print("file does not exist", .{});
+            // Our cache file does not exist on disk, so we'll create/get the role
+            // arn using the AWS CLI and dump to disk here
            const ifstatement_fmt =
-                \\ if aws iam get-role --role-name lambda_basic_execution 2>&1 |grep -q NoSuchEntity; then aws iam create-role --output text --query Role.Arn --role-name lambda_basic_execution --assume-role-policy-document '{
+                \\ if aws iam get-role --role-name {s} 2>&1 |grep -q NoSuchEntity; then aws iam create-role --output text --query Role.Arn --role-name {s} --assume-role-policy-document '{{
                \\ "Version": "2012-10-17",
                \\ "Statement": [
-                \\   {
+                \\   {{
                \\     "Sid": "",
                \\     "Effect": "Allow",
-                \\     "Principal": {
+                \\     "Principal": {{
                \\       "Service": "lambda.amazonaws.com"
-                \\     },
+                \\     }},
                \\     "Action": "sts:AssumeRole"
-                \\   }
-                \\ ]}' > /dev/null; fi && \
+                \\   }}
+                \\ ]}}' > /dev/null; fi && \
                \\ aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSLambdaExecute --role-name lambda_basic_execution && \
-                \\ aws iam get-role --role-name lambda_basic_execution --query Role.Arn --output text > 
+                \\ aws iam get-role --role-name lambda_basic_execution --query Role.Arn --output text > {s}
            ;
-
-            const ifstatement = try std.mem.concat(b.allocator, u8, &[_][]const u8{ ifstatement_fmt, iam_role_name_file });
-            defer b.allocator.free(ifstatement);
+            const ifstatement = try std.fmt.allocPrint(
+                b.allocator,
+                ifstatement_fmt,
+                .{ iam_role_name, iam_role_name, iam_role_file },
+            );
            iam_step.dependOn(&b.addSystemCommand(&.{ "/bin/sh", "-c", ifstatement }).step);
        }
-    }
+
+        break :blk try std.fmt.allocPrint(b.allocator, "--role \"$(cat {s})\"", .{iam_role_file});
+    };
    const function_name = b.option([]const u8, "function-name", "Function name for Lambda [zig-fn]") orelse "zig-fn";
    const function_name_file = b.getInstallPath(.bin, function_name);
    const ifstatement = "if [ ! -f {s} ] || [ {s} -nt {s} ]; then if aws lambda get-function --function-name {s} 2>&1 |grep -q ResourceNotFoundException; then echo not found > /dev/null; {s}; else echo found > /dev/null; {s}; fi; fi";