Add option to disable IAM policy

m9rc1n · m9rc1n · commit 4de11e01cc74 · 2023-05-25T13:36:54.000-07:00
diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ functions:
           kmsDataKeyReusePeriodSeconds: 600 # optional - AWS default is 300 seconds
           deadLetterMessageRetentionPeriodSeconds: 1209600 # optional - AWS default is 345600 secs (4 days)
           deadLetterQueueEnabled: true # optional - default is true
+          queuePolicyEnabled: true # optional - default is true
           visibilityTimeout: 120 # optional (in seconds) - AWS default is 30 secs
           rawMessageDelivery: true # Optional - default value is true
           enabled: true # Optional - default value is true
diff --git a/lib/serverless-sns-sqs-lambda.ts b/lib/serverless-sns-sqs-lambda.ts
@@ -27,6 +27,7 @@ type Config = {
   deadLetterMessageRetentionPeriodSeconds: number;
   deadLetterQueueEnabled: boolean;
   enabled: boolean;
+  queuePolicyEnabled: boolean;
   fifo: boolean;
   visibilityTimeout: number;
   rawMessageDelivery: boolean;
@@ -131,6 +132,7 @@ const addResource = (
  *             kmsDataKeyReusePeriodSeconds: 600
  *             deadLetterMessageRetentionPeriodSeconds: 1209600
  *             deadLetterQueueEnabled: true
+ *             queuePolicyEnabled: true
  *             visibilityTimeout: 120
  *             rawMessageDelivery: true
  *             enabled: false
@@ -200,6 +202,7 @@ export default class ServerlessSnsSqsLambda {
           maximum: 1209600
         },
         deadLetterQueueEnabled: { type: "boolean" },
+        queuePolicyEnabled: { type: "boolean" },
         rawMessageDelivery: { type: "boolean" },
         enabled: { type: "boolean" },
         fifo: { type: "boolean" },
@@ -315,6 +318,7 @@ Usage
             kmsDataKeyReusePeriodSeconds: 600                # optional - AWS default is 300 seconds
             deadLetterMessageRetentionPeriodSeconds: 1209600 # optional - AWS default is 345600 secs (4 days)
             deadLetterQueueEnabled: true                     # optional - default is enabled
+            queuePolicyEnabled: true                         # optional - default is enabled
             enabled: true                                    # optional - AWS default is true
             fifo: false                                      # optional - AWS default is false
             visibilityTimeout: 30                            # optional - AWS default is 30 seconds
@@ -362,6 +366,10 @@ Usage
         config.deadLetterQueueEnabled !== undefined
           ? config.deadLetterQueueEnabled
           : true,
+      queuePolicyEnabled:
+        config.queuePolicyEnabled !== undefined
+          ? config.queuePolicyEnabled
+          : true,
       enabled: config.enabled,
       fifo: config.fifo !== undefined ? config.fifo : false,
       visibilityTimeout: config.visibilityTimeout,
@@ -600,14 +608,18 @@ Usage
    */
   addLambdaSqsPermissions(
     template,
-    { name, kmsMasterKeyId, deadLetterQueueEnabled }
+    { name, kmsMasterKeyId, deadLetterQueueEnabled, queuePolicyEnabled }
   ) {
     if (template.Resources.IamRoleLambdaExecution === undefined) {
       // The user has set their own custom role ARN so the Serverless generated role is not generated
       // We can safely skip this step because the owner of the custom role ARN is responsible for setting
       // this the relevant policy to allow the lambda to access the queue.
       return;
     }
+    if (!queuePolicyEnabled) {
+      // The user wants to use their own IAM policy and does not want plugin to automatically append to the default one.
+      return;
+    }
     const queues = [{ "Fn::GetAtt": [`${name}Queue`, "Arn"] }];
     if (deadLetterQueueEnabled) {
       queues.push({ "Fn::GetAtt": [`${name}DeadLetterQueue`, "Arn"] });
