├── .eslintignore ├── .eslintrc.js ├── .gitignore ├── .npmrc ├── .prettierignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── COPYRIGHT ├── LICENSE ├── README.md ├── README_EN.md ├── docs └── configure.md ├── package.json ├── prettier.config.js ├── serverless.js └── utils.js /.eslintignore: -------------------------------------------------------------------------------- 1 | coverage 2 | dist 3 | node_modules -------------------------------------------------------------------------------- /.eslintrc.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | root: true, 3 | extends: ['prettier'], 4 | plugins: ['import', 'prettier'], 5 | env: { 6 | es6: true, 7 | jest: true, 8 | node: true 9 | }, 10 | parser: 'babel-eslint', 11 | parserOptions: { 12 | ecmaVersion: 2018, 13 | sourceType: 'module', 14 | ecmaFeatures: { 15 | jsx: true 16 | } 17 | }, 18 | globals: { 19 | on: true // for the Socket file 20 | }, 21 | rules: { 22 | 'array-bracket-spacing': [ 23 | 'error', 24 | 'never', 25 | { 26 | objectsInArrays: false, 27 | arraysInArrays: false 28 | } 29 | ], 30 | 'arrow-parens': ['error', 'always'], 31 | 'arrow-spacing': ['error', { before: true, after: true }], 32 | 'comma-dangle': ['error', 'never'], 33 | curly: 'error', 34 | 'eol-last': 'error', 35 | 'func-names': 'off', 36 | 'id-length': [ 37 | 'error', 38 | { 39 | min: 2, 40 | max: 50, 41 | properties: 'never', 42 | exceptions: ['e', 'i', 'n', 't', 'x', 'y', 'z', '_', '$'] 43 | } 44 | ], 45 | 'no-alert': 'error', 46 | 'no-console': 'error', 47 | 'no-const-assign': 'error', 48 | 'no-else-return': 'error', 49 | 'no-empty': 'off', 50 | 'no-shadow': 'error', 51 | 'no-undef': 'error', 52 | 'no-unused-vars': 'error', 53 | 'no-use-before-define': 'error', 54 | 'no-useless-constructor': 'error', 55 | 'object-curly-newline': 'off', 56 | 'object-shorthand': 'off', 57 | 'prefer-const': 'error', 58 | 'prefer-destructuring': ['error', { object: true, array: false }], 59 | quotes: [ 60 | 'error', 61 | 'single', 62 | { 63 | allowTemplateLiterals: true, 64 | avoidEscape: true 65 | } 66 | ], 67 | semi: ['error', 'never'], 68 | 'spaced-comment': 'error', 69 | strict: ['error', 'never'], 70 | 'prettier/prettier': 'error' 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.sublime-project 3 | *.sublime-workspace 4 | *.log 5 | .serverless 6 | v8-compile-cache-* 7 | jest/* 8 | coverage 9 | .serverlessUnzipped 10 | node_modules 11 | .vscode/ 12 | .eslintcache 13 | dist 14 | .idea 15 | build/ 16 | .env* 17 | env.js 18 | package-lock.json 19 | test 20 | -------------------------------------------------------------------------------- /.npmrc: -------------------------------------------------------------------------------- 1 | package-lock=false 2 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | coverage 2 | dist 3 | node_modules -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting our team at **hello@serverless.com**. As an alternative 59 | feel free to reach out to any of us personally. All 60 | complaints will be reviewed and investigated and will result in a response that 61 | is deemed necessary and appropriate to the circumstances. The project team is 62 | obligated to maintain confidentiality with regard to the reporter of an incident. 63 | Further details of specific enforcement policies may be posted separately. 64 | 65 | Project maintainers who do not follow or enforce the Code of Conduct in good 66 | faith may face temporary or permanent repercussions as determined by other 67 | members of the project's leadership. 68 | 69 | ## Attribution 70 | 71 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 72 | available at [http://contributor-covenant.org/version/1/4][version] 73 | 74 | [homepage]: http://contributor-covenant.org 75 | [version]: http://contributor-covenant.org/version/1/4/ 76 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | When contributing to this repository, please first discuss the change you wish to make via issue, 4 | email, or any other method with the owners of this repository before making a change. 5 | 6 | Please note we have a [code of conduct](./CODE_OF_CONDUCT.md), please follow it in all your interactions with the project. 7 | -------------------------------------------------------------------------------- /COPYRIGHT: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019 Serverless, Inc. https://serverless.com 2 | 3 | Serverless Components may be freely distributed under the Apache 2.0 license. 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | https://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | Copyright 2018 Serverless, Inc. 179 | 180 | Licensed under the Apache License, Version 2.0 (the "License"); 181 | you may not use this file except in compliance with the License. 182 | You may obtain a copy of the License at 183 | 184 | https://www.apache.org/licenses/LICENSE-2.0 185 | 186 | Unless required by applicable law or agreed to in writing, software 187 | distributed under the License is distributed on an "AS IS" BASIS, 188 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 189 | See the License for the specific language governing permissions and 190 | limitations under the License. 191 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 腾讯云访问管理CAM-role组件 2 | 3 |   4 | 5 | * [请点击这里查看英文版部署文档](./README_EN.md) 6 | 7 | ## 简介 8 | 该组件是serverless-tencent组件库中的基础组件之一。通过访问管理CAM-role组件,可以快速,方便的创建,配置和管理腾讯云的CAM角色 9 | 10 | ## 快速开始 11 | 12 | 通过CAM-role组件,对一个CAM的角色进行完整的创建,配置,部署和删除等操作。支持命令如下: 13 | 14 | 1. [安装](#1-安装) 15 | 2. [创建](#2-创建) 16 | 3. [配置](#3-配置) 17 | 4. [部署](#4-部署) 18 | 4. [移除](#5-移除) 19 | 20 | ### 1. 安装 21 | 22 | 通过npm安装serverless 23 | 24 | ```console 25 | $ npm install -g serverless 26 | ``` 27 | 28 | ### 2. 创建 29 | 30 | 本地创建 `serverless.yml` 和 `.env` 两个文件 31 | 32 | ```console 33 | $ touch serverless.yml 34 | $ touch .env # 腾讯云的配置信息 35 | ``` 36 | 37 | 在 `.env` 文件中配置腾讯云的APPID,SecretId和SecretKey信息并保存 38 | 39 | 如果没有腾讯云账号,可以在此[注册新账号](https://cloud.tencent.com/register)。 40 | 41 | 如果已有腾讯云账号,可以在[API密钥管理 42 | ](https://console.cloud.tencent.com/cam/capi)中获取`APPID`, `SecretId` 和`SecretKey`. 43 | 44 | ``` 45 | # .env 46 | TENCENT_SECRET_ID=123 47 | TENCENT_SECRET_KEY=123 48 | ``` 49 | 50 | ### 3. 配置 51 | 52 | 在serverless.yml中进行如下配置 53 | 54 | ```yml 55 | # serverless.yml 56 | 57 | # serverless.yml 58 | 59 | myRole: 60 | component: "@serverless/tencent-cam-role" 61 | inputs: 62 | roleName: QCS_SCFExcuteRole 63 | service: 64 | - scf.qcloud.com 65 | - cos.qcloud.com 66 | policy: 67 | policyName: 68 | - QCloudResourceFullAccess 69 | - QcloudAccessForCDNRole 70 | ``` 71 | 72 | 73 | * [点击此处查看配置文档](https://github.com/serverless-tencent/tencent-cam-role/blob/master/docs/configure.md) 74 | 75 | 76 | ### 4. 部署 77 | 78 | 通过如下命令进行部署,并查看部署过程中的信息 79 | 80 | ```shell 81 | $ sls --debug 82 | 83 | DEBUG ─ Resolving the template's static variables. 84 | DEBUG ─ Collecting components from the template. 85 | DEBUG ─ Downloading any NPM components found in the template. 86 | DEBUG ─ Analyzing the template's components dependencies. 87 | DEBUG ─ Creating the template's components graph. 88 | DEBUG ─ Syncing template state. 89 | DEBUG ─ Executing the template's components graph. 90 | DEBUG ─ Syncing role c0hhdv-qt9mh6xj in region ap-guangzhou. 91 | DEBUG ─ Updating policy for role c0hhdv-qt9mh6xj. 92 | DEBUG ─ Saved state for role c0hhdv-qt9mh6xj. 93 | DEBUG ─ Role c0hhdv-qt9mh6xj was successfully deployed to region ap-guangzhou. 94 | DEBUG ─ Deployed role roleId is 4611686018427945536. 95 | 96 | myRole: 97 | roleName: QCS_SCFExcuteRole 98 | description: This is tencent-cam-role component. 99 | roleId: 4611686018427945536 100 | service: 101 | - cos.qcloud.com 102 | - scf.qcloud.com 103 | policy: 104 | policyId: 105 | - 16313162 106 | - 2 107 | policyName: 108 | - QCloudResourceFullAccess 109 | - QcloudAccessForCDNRole 110 | 111 | 17s › myRole › done 112 | 113 | ``` 114 | 115 |   116 | 117 | ### 5. 移除 118 | 119 | ```shell 120 | $ sls remove --debug 121 | 122 | DEBUG ─ Flushing template state and removing all components. 123 | DEBUG ─ Removing role c0hhdv-qt9mh6xj from region ap-guangzhou. 124 | DEBUG ─ Role c0hhdv-qt9mh6xj successfully removed from region ap-guangzhou. 125 | 126 | 1s › myRole › done 127 | 128 | ``` 129 | 130 | 131 | ``` 132 | 133 | ### 还支持哪些组件? 134 | 135 | 可以在 [Serverless Components](https://github.com/serverless/components) repo 中查询更多组件的信息。 136 | 137 | -------------------------------------------------------------------------------- /README_EN.md: -------------------------------------------------------------------------------- 1 | # Tencent-cam-role 2 | 3 |   4 | 5 | - [请点击这里查看中文版部署文档](./README.md) 6 | 7 | Easily provision Tencent CAM roles using [Serverless Components](https://github.com/serverless/components). 8 | 9 |   10 | 11 | 1. [Install](#1-install) 12 | 2. [Create](#2-create) 13 | 3. [Configure](#3-configure) 14 | 4. [Deploy](#4-deploy) 15 | 4. [Remove](#5-remove) 16 | 17 |   18 | 19 | 20 | ### 1. Install 21 | 22 | ```shell 23 | $ npm install -g serverless 24 | ``` 25 | 26 | ### 2. Create 27 | 28 | Just create a `serverless.yml` file 29 | 30 | ```shell 31 | $ touch serverless.yml 32 | $ touch .env # configure your Tencent api keys 33 | ``` 34 | Add the access keys of a [Tencent CAM Role](https://console.cloud.tencent.com/cam/capi) with `AdministratorAccess` in the `.env` file, using this format: 35 | 36 | ``` 37 | # .env 38 | TENCENT_SECRET_ID=XXX 39 | TENCENT_SECRET_KEY=XXX 40 | ``` 41 | * If you don't have a Tencent Cloud account, you could [sign up](https://intl.cloud.tencent.com/register) first. 42 | 43 | ### 3. Configure 44 | 45 | ```yml 46 | # serverless.yml 47 | 48 | myRole: 49 | component: "@serverless/tencent-cam-role" 50 | inputs: 51 | roleName: QCS_SCFExcuteRole 52 | service: 53 | - scf.qcloud.com 54 | - cos.qcloud.com 55 | policy: 56 | policyName: 57 | - QCloudResourceFullAccess 58 | - QcloudAccessForCDNRole 59 | ``` 60 | 61 | * [Click here to view the configuration document](https://github.com/serverless-tencent/tencent-cam-role/blob/master/docs/configure.md) 62 | 63 | 64 | ### 4. Deploy 65 | 66 | ```shell 67 | $ sls --debug 68 | 69 | DEBUG ─ Resolving the template's static variables. 70 | DEBUG ─ Collecting components from the template. 71 | DEBUG ─ Downloading any NPM components found in the template. 72 | DEBUG ─ Analyzing the template's components dependencies. 73 | DEBUG ─ Creating the template's components graph. 74 | DEBUG ─ Syncing template state. 75 | DEBUG ─ Executing the template's components graph. 76 | DEBUG ─ Syncing role c0hhdv-qt9mh6xj in region ap-guangzhou. 77 | DEBUG ─ Updating policy for role c0hhdv-qt9mh6xj. 78 | DEBUG ─ Saved state for role c0hhdv-qt9mh6xj. 79 | DEBUG ─ Role c0hhdv-qt9mh6xj was successfully deployed to region ap-guangzhou. 80 | DEBUG ─ Deployed role roleId is 4611686018427945536. 81 | 82 | myRole: 83 | roleName: QCS_SCFExcuteRole 84 | description: This is tencent-cam-role component. 85 | roleId: 4611686018427945536 86 | service: 87 | - cos.qcloud.com 88 | - scf.qcloud.com 89 | policy: 90 | policyId: 91 | - 16313162 92 | - 2 93 | policyName: 94 | - QCloudResourceFullAccess 95 | - QcloudAccessForCDNRole 96 | 97 | 17s › myRole › done 98 | 99 | ``` 100 | 101 |   102 | 103 | ### 5. Remove 104 | ```shell 105 | $ sls remove --debug 106 | 107 | DEBUG ─ Flushing template state and removing all components. 108 | DEBUG ─ Removing role c0hhdv-qt9mh6xj from region ap-guangzhou. 109 | DEBUG ─ Role c0hhdv-qt9mh6xj successfully removed from region ap-guangzhou. 110 | 111 | 1s › myRole › done 112 | 113 | ``` 114 | 115 | ### New to Components? 116 | 117 | Checkout the [Serverless Components](https://github.com/serverless/components) repo for more information. 118 | -------------------------------------------------------------------------------- /docs/configure.md: -------------------------------------------------------------------------------- 1 | # Configure document 2 | 3 | ## Complete configuration 4 | 5 | ```yml 6 | # serverless.yml 7 | 8 | myRole: 9 | component: "@serverless/tencent-cam-role" 10 | inputs: 11 | roleName: QCS_SCFExcuteRole 12 | description: test 13 | service: 14 | - scf.qcloud.com 15 | - cos.qcloud.com 16 | policy: 17 | policyId: 18 | - 1 19 | - 2 20 | policyName: 21 | - QCloudResourceFullAccess 22 | - QcloudAccessForCDNRole 23 | 24 | ``` 25 | 26 | ## Configuration description 27 | 28 | Main param description 29 | 30 | | Param | Required/Optional | Description | 31 | | -------- | :-----: | :---- | 32 | | roleName | Required | Role name| 33 | | description | Optional | Role description | 34 | | service | Required | Service list | 35 | | [policy](#policy-param-description)| Required | Policy information | 36 | 37 | 38 | ### policy param description 39 | 40 | | Param | Required/Optional | Description | 41 | | -------- | :-----: | :---- | 42 | | policyId | Optional | Policy Id | 43 | | policyName | Optional | Policy name | 44 | 45 | * PolicyId and policyName must exist at least one 46 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "@serverless/tencent-cam-role", 3 | "description": "Tencent Cloud Serverless CAM Role", 4 | "version": "1.6.6", 5 | "main": "./serverless.js", 6 | "publishConfig": { 7 | "access": "public" 8 | }, 9 | "scripts": { 10 | "test": "echo \"Error: no test specified\" && exit 1", 11 | "lint": "eslint . --fix --cache" 12 | }, 13 | "author": "Tencent Cloud, Inc.", 14 | "license": "Apache", 15 | "dependencies": { 16 | "@serverless/core": "^1.0.0", 17 | "tencentcloud-sdk-nodejs": "^3.0.87", 18 | "ramda": "^0.26.1", 19 | "tencent-login": "^0.1.2", 20 | "serverless-tencent-auth-tool": "^1.0.14" 21 | }, 22 | "devDependencies": { 23 | "babel-eslint": "9.0.0", 24 | "eslint": "5.6.0", 25 | "eslint-config-prettier": "^3.6.0", 26 | "eslint-plugin-import": "^2.18.0", 27 | "eslint-plugin-prettier": "^3.0.1", 28 | "prettier": "^1.18.2" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /prettier.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | arrowParens: 'always', 3 | printWidth: 100, 4 | semi: false, 5 | singleQuote: true, 6 | tabWidth: 2, 7 | trailingComma: 'none' 8 | } 9 | -------------------------------------------------------------------------------- /serverless.js: -------------------------------------------------------------------------------- 1 | const { mergeDeepRight } = require('ramda') 2 | const { Component } = require('@serverless/core') 3 | const tencentcloud = require('tencentcloud-sdk-nodejs') 4 | const tencentAuth = require('serverless-tencent-auth-tool') 5 | const CamClient = tencentcloud.cam.v20190116.Client 6 | const ClientProfile = require('tencentcloud-sdk-nodejs/tencentcloud/common/profile/client_profile.js') 7 | const HttpProfile = require('tencentcloud-sdk-nodejs/tencentcloud/common/profile/http_profile.js') 8 | 9 | const { 10 | createRole, 11 | deleteRole, 12 | getRole, 13 | addRolePolicy, 14 | removeRolePolicy, 15 | updateAssumeRolePolicy, 16 | inputsChanged, 17 | fullPolicyId 18 | } = require('./utils') 19 | 20 | const defaults = { 21 | service: ['scf.qcloud.com'], 22 | roleName: 'QCS_SCFExcuteRole', 23 | description: 'This is tencent-cam-role component.', 24 | policy: { 25 | policyId: [], 26 | policyName: [] 27 | }, 28 | region: 'ap-guangzhou' 29 | } 30 | 31 | class TencentCamRole extends Component { 32 | getCamClient(credentials, region) { 33 | // create cam client 34 | 35 | const secret_id = credentials.SecretId 36 | const secret_key = credentials.SecretKey 37 | const cred = new tencentcloud.common.Credential(secret_id, secret_key) 38 | const httpProfile = new HttpProfile() 39 | httpProfile.reqTimeout = 30 40 | const clientProfile = new ClientProfile('HmacSHA256', httpProfile) 41 | return new CamClient(cred, region, clientProfile) 42 | } 43 | 44 | async default(inputs = {}) { 45 | // login 46 | const auth = new tencentAuth() 47 | this.context.credentials.tencent = await auth.doAuth(this.context.credentials.tencent, { 48 | client: 'tencent-cam-role', 49 | remark: inputs.fromClientRemark, 50 | project: this.context.instance ? this.context.instance.id : undefined, 51 | action: 'default' 52 | }) 53 | 54 | inputs = mergeDeepRight(defaults, inputs) 55 | 56 | const cam = this.getCamClient(this.context.credentials.tencent, inputs.region) 57 | cam.sdkVersion = 'ServerlessComponent' 58 | 59 | inputs = await fullPolicyId(cam, inputs) 60 | this.context.status(`Deploying`) 61 | 62 | inputs.name = this.state.name || this.context.resourceId() 63 | 64 | this.context.debug(`Syncing role ${inputs.name} in region ${inputs.region}.`) 65 | const prevRole = await getRole({ cam, ...inputs }) 66 | // If an inline policy, remove roleId 67 | if (inputs.policy.version && inputs.policy.statement) { 68 | if (inputs.policy.roleId) { 69 | delete inputs.policy.roleId 70 | } 71 | } 72 | if (!prevRole) { 73 | this.context.debug(`Creating role ${inputs.name}.`) 74 | this.context.status(`Creating`) 75 | inputs.roleId = await createRole({ cam, ...inputs }) 76 | } else { 77 | inputs.roleId = prevRole.roleId 78 | const changed = await inputsChanged(cam, prevRole, inputs) 79 | const serviceChanged = changed.service 80 | const policyChanged = changed.policy 81 | const { policyList } = changed 82 | if (serviceChanged) { 83 | this.context.status(`Updating`) 84 | this.context.debug(`Updating service for role ${inputs.name}.`) 85 | await updateAssumeRolePolicy({ cam, ...inputs }) 86 | } 87 | if (policyChanged) { 88 | this.context.status(`Updating`) 89 | this.context.debug(`Updating policy for role ${inputs.name}.`) 90 | await removeRolePolicy({ cam, policyList, ...inputs }) 91 | await addRolePolicy({ cam, ...inputs }) 92 | } 93 | } 94 | 95 | // we auto generate unconfigurable names 96 | if (this.state && this.state.roleName) { 97 | const oldRole = await getRole({ cam, ...this.state }) 98 | if (this.state.roleName && this.state.roleName !== inputs.roleName && oldRole) { 99 | this.context.status(`Replacing`) 100 | this.context.debug(`Deleting/Replacing role ${inputs.name}.`) 101 | await deleteRole({ cam, roleName: this.state.roleName }) 102 | } 103 | } 104 | 105 | this.state.name = inputs.name 106 | this.state.roleName = inputs.roleName 107 | this.state.roleDescription = inputs.description 108 | this.state.roleId = inputs.roleId 109 | this.state.service = inputs.service 110 | this.state.policy = inputs.policy 111 | this.state.region = inputs.region 112 | await this.save() 113 | 114 | this.context.debug(`Saved state for role ${inputs.name}.`) 115 | 116 | const outputs = { 117 | roleName: inputs.roleName, 118 | description: inputs.description, 119 | roleId: inputs.roleId, 120 | service: inputs.service, 121 | policy: inputs.policy 122 | } 123 | 124 | this.context.debug(`Role ${inputs.name} was successfully deployed to region ${inputs.region}.`) 125 | this.context.debug(`Deployed role roleId is ${inputs.roleId}.`) 126 | 127 | return outputs 128 | } 129 | 130 | async remove(inputs = {}) { 131 | const auth = new tencentAuth() 132 | this.context.credentials.tencent = await auth.doAuth(this.context.credentials.tencent, { 133 | client: 'tencent-cam-role', 134 | remark: inputs.fromClientRemark, 135 | project: this.context.instance ? this.context.instance.id : undefined, 136 | action: 'remove' 137 | }) 138 | 139 | this.context.status(`Removing`) 140 | 141 | if (!this.state.name) { 142 | this.context.debug(`Aborting removal. Role name not found in state.`) 143 | return 144 | } 145 | 146 | const cam = this.getCamClient(this.context.credentials.tencent, this.state.region) 147 | cam.sdkVersion = 'ServerlessComponent' 148 | 149 | this.context.debug(`Removing role ${this.state.name} from region ${this.state.region}.`) 150 | await deleteRole({ cam, ...this.state }) 151 | this.context.debug( 152 | `Role ${this.state.name} successfully removed from region ${this.state.region}.` 153 | ) 154 | 155 | const outputs = { 156 | roleName: this.state.roleName, 157 | roleId: this.state.roleId || 'Removed', 158 | service: this.state.service, 159 | policy: this.state.policy 160 | } 161 | 162 | this.state = {} 163 | await this.save() 164 | 165 | return outputs 166 | } 167 | } 168 | 169 | module.exports = TencentCamRole 170 | -------------------------------------------------------------------------------- /utils.js: -------------------------------------------------------------------------------- 1 | const { utils } = require('@serverless/core') 2 | const util = require('util') 3 | const { equals, pick, type } = require('ramda') 4 | const tencentcloud = require('tencentcloud-sdk-nodejs') 5 | const camModels = tencentcloud.cam.v20190116.Models 6 | 7 | const AttachRolePolicyAction = async ({ cam, roleName, policyId }) => { 8 | const req = new camModels.AttachRolePolicyRequest() 9 | const body = { 10 | AttachRoleName: roleName, 11 | PolicyId: policyId 12 | } 13 | req.from_json_string(JSON.stringify(body)) 14 | const handler = util.promisify(cam.AttachRolePolicy.bind(cam)) 15 | try { 16 | await handler(req) 17 | } catch (e) { 18 | throw 'AttachRolePolicyActionError: ' + e 19 | } 20 | } 21 | 22 | const addRolePolicy = async ({ cam, roleName, policyId, policy }) => { 23 | /* 24 | policyId could be one policy or many policies 25 | if policy.policyId is array: 26 | Loop AttachRolePolicyAction 27 | else: 28 | AttachRolePolicyAction 29 | */ 30 | if (type(policy.policyId) === 'Array') { 31 | for (let policyIndex = 0; policyIndex < policy.policyId.length; policyIndex++) { 32 | await utils.sleep(1000) // Prevent overclocking 33 | policyId = policy.policyId[policyIndex] 34 | await AttachRolePolicyAction({ cam, roleName, policyId }) 35 | } 36 | } else { 37 | await AttachRolePolicyAction({ cam, roleName, policyId }) 38 | } 39 | } 40 | 41 | const DetachRolePolicyAction = async ({ cam, roleName, policyId }) => { 42 | const req = new camModels.DetachRolePolicyRequest() 43 | const body = { 44 | PolicyId: policyId, 45 | DetachRoleName: roleName 46 | } 47 | req.from_json_string(JSON.stringify(body)) 48 | const handler = util.promisify(cam.DetachRolePolicy.bind(cam)) 49 | try { 50 | await handler(req) 51 | } catch (e) { 52 | throw 'DetachRolePolicyActionError: ' + e 53 | } 54 | } 55 | 56 | const removeRolePolicy = async ({ cam, roleName, policyId, policyList, policy }) => { 57 | /* 58 | policyId could be one policy or many policies 59 | if policy.policyId is array: 60 | Loop AttachRolePolicyAction 61 | else: 62 | AttachRolePolicyAction 63 | */ 64 | if (type(policy.policyId) === 'Array') { 65 | for (let policyIndex = 0; policyIndex < policyList.length; policyIndex++) { 66 | await utils.sleep(1000) // Prevent overclocking 67 | policyId = policyList[policyIndex] 68 | await DetachRolePolicyAction({ cam, roleName, policyId }) 69 | } 70 | } else { 71 | await DetachRolePolicyAction({ cam, roleName, policyId }) 72 | } 73 | } 74 | 75 | const createRole = async ({ cam, roleName, description, service, policy }) => { 76 | const PolicyDocument = { 77 | version: '2.0', 78 | statement: [ 79 | { 80 | effect: 'allow', 81 | principal: { 82 | service: service 83 | }, 84 | action: 'sts:AssumeRole' 85 | } 86 | ] 87 | } 88 | const req = new camModels.CreateRoleRequest() 89 | const body = { 90 | RoleName: roleName, 91 | PolicyDocument: JSON.stringify(PolicyDocument), 92 | Description: description 93 | } 94 | req.from_json_string(JSON.stringify(body)) 95 | const handler = util.promisify(cam.CreateRole.bind(cam)) 96 | try { 97 | const result = await handler(req) 98 | await addRolePolicy({ cam, roleName, policy }) 99 | return result.RoleId 100 | } catch (e) { 101 | throw 'CreateRoleError: ' + e 102 | } 103 | } 104 | 105 | const deleteRole = async ({ cam, roleName }) => { 106 | const req = new camModels.DeleteRoleRequest() 107 | const body = { RoleName: roleName } 108 | req.from_json_string(JSON.stringify(body)) 109 | const handler = util.promisify(cam.DeleteRole.bind(cam)) 110 | try { 111 | await handler(req) 112 | } catch (e) { 113 | throw 'DeleteRoleError: ' + e 114 | } 115 | } 116 | 117 | const getRole = async ({ cam, roleName }) => { 118 | const req = new camModels.GetRoleRequest() 119 | const body = { RoleName: roleName } 120 | req.from_json_string(JSON.stringify(body)) 121 | const handler = util.promisify(cam.GetRole.bind(cam)) 122 | try { 123 | const result = await handler(req) 124 | return { 125 | roleName: result.RoleInfo.RoleName, 126 | roleId: result.RoleInfo.RoleId, 127 | service: JSON.parse(decodeURIComponent(result.RoleInfo.PolicyDocument)).statement[0].principal 128 | .service 129 | } 130 | } catch (e) { 131 | if (e.message.includes('role not exist')) { 132 | return null 133 | } 134 | throw 'GetRoleError: ' + e 135 | } 136 | } 137 | 138 | const updateAssumeRolePolicy = async ({ cam, service, roleName }) => { 139 | const PolicyDocument = { 140 | version: '2.0', 141 | statement: [ 142 | { 143 | effect: 'allow', 144 | principal: { 145 | service: service 146 | }, 147 | action: 'sts:AssumeRole' 148 | } 149 | ] 150 | } 151 | const req = new camModels.UpdateAssumeRolePolicyRequest() 152 | const body = { 153 | RoleName: roleName, 154 | PolicyDocument: JSON.stringify(PolicyDocument) 155 | } 156 | req.from_json_string(JSON.stringify(body)) 157 | const handler = util.promisify(cam.UpdateAssumeRolePolicy.bind(cam)) 158 | try { 159 | await handler(req) 160 | } catch (e) { 161 | throw 'UpdateAssumeRolePolicyError: ' + e 162 | } 163 | } 164 | 165 | const inputsChanged = async (cam, prevRole, role) => { 166 | const req = new camModels.ListAttachedRolePoliciesRequest() 167 | let pagePolicyCount = 1 168 | let page = 1 169 | let pagePolicyList 170 | const policyIdList = new Array() 171 | let body 172 | while (pagePolicyCount > 0) { 173 | await utils.sleep(500) // Prevent overclocking 174 | body = { 175 | RoleId: prevRole.roleId, 176 | Page: page, 177 | Rp: 200 178 | } 179 | req.from_json_string(JSON.stringify(body)) 180 | const handler = util.promisify(cam.ListAttachedRolePolicies.bind(cam)) 181 | try { 182 | pagePolicyList = await handler(req) 183 | pagePolicyCount = pagePolicyList.List.length 184 | for (let i = 0; i < pagePolicyList.List.length; i++) { 185 | policyIdList.push(pagePolicyList.List[i].PolicyId) 186 | } 187 | } catch (e) { 188 | if (e.message.includes('role not exist')) { 189 | return null 190 | } 191 | throw 'InputsChangedEError: ' + e 192 | } 193 | page = page + 1 194 | } 195 | 196 | policyIdList.sort() 197 | let rolePolicyId = new Array() 198 | if (type(role.policy.policyId) === 'Array') { 199 | role.policy.policyId.sort() 200 | rolePolicyId = role.policy.policyId 201 | } else { 202 | rolePolicyId.push(role.policy.policyId) 203 | } 204 | 205 | const inputsService = pick(['service'], role) 206 | const prevInputsService = pick(['service'], prevRole) 207 | if (type(inputsService.service) === 'Array') { 208 | inputsService.service.sort() 209 | } 210 | if (type(prevInputsService.service) === 'Array') { 211 | prevInputsService.service.sort() 212 | } 213 | 214 | return { 215 | service: !equals(inputsService, prevInputsService), 216 | policy: !equals(policyIdList, rolePolicyId), 217 | policyList: policyIdList 218 | } 219 | } 220 | 221 | const fullPolicyId = async (cam, inputs) => { 222 | /* 223 | Take the union of policyid and policyname 224 | Inputs: 225 | { 226 | service: [ 'scf.qcloud.com', 'cos.qcloud.com' ], 227 | policy: { 228 | roleName: 'QCS_SCFExcuteRole', 229 | policyId: [ 1, 2, 3 ], 230 | policyName: [ 'QcloudAccessForCDNRole' ] 231 | }, 232 | region: 'ap-guangzhou' 233 | } 234 | */ 235 | const req = new camModels.ListPoliciesRequest() 236 | let body 237 | let handler 238 | let page = 1 239 | let pagePolicList 240 | let pagePolicyCount = 1 241 | const policyIdList = new Array() 242 | const policyNameList = new Array() 243 | 244 | if (!(type(inputs.policy.policyId) === 'Array')) { 245 | const tempPolicyIdArray = new Array() 246 | tempPolicyIdArray.push(inputs.policy.policyId) 247 | inputs.policy.policyId = tempPolicyIdArray 248 | } 249 | if (!(type(inputs.policy.policyName) === 'Array')) { 250 | const tempPolicyNameArray = new Array() 251 | tempPolicyNameArray.push(inputs.policy.policyName) 252 | inputs.policy.policyName = tempPolicyNameArray 253 | } 254 | 255 | // cam could not get policyId through policyName, has not this type api 256 | // so use ListPolicies api to get policy list 257 | while (pagePolicyCount > 0) { 258 | await utils.sleep(500) // Prevent overclocking 259 | body = { 260 | Rp: 200, 261 | Page: page 262 | } 263 | req.from_json_string(JSON.stringify(body)) 264 | handler = util.promisify(cam.ListPolicies.bind(cam)) 265 | try { 266 | // todo reduce complexity 267 | pagePolicList = await handler(req) 268 | pagePolicyCount = pagePolicList.List.length 269 | for (let j = 0; j < pagePolicList.List.length; j++) { 270 | for (let i = 0; i < inputs.policy.policyId.length; i++) { 271 | if (pagePolicList.List[j].PolicyId == inputs.policy.policyId[i]) { 272 | // Skip if policyid already exists 273 | if (policyIdList.indexOf(pagePolicList.List[j].PolicyId) == -1) { 274 | policyIdList.push(pagePolicList.List[j].PolicyId) 275 | policyNameList.push(pagePolicList.List[j].PolicyName) 276 | } 277 | } 278 | } 279 | for (let i = 0; i < inputs.policy.policyName.length; i++) { 280 | if (pagePolicList.List[j].PolicyName == inputs.policy.policyName[i]) { 281 | // Skip if policyid already exists 282 | if (policyIdList.indexOf(pagePolicList.List[j].PolicyId) == -1) { 283 | policyIdList.push(pagePolicList.List[j].PolicyId) 284 | policyNameList.push(pagePolicList.List[j].PolicyName) 285 | } 286 | } 287 | } 288 | } 289 | } catch (e) { 290 | throw 'GetPolicyIdListError: ' + e 291 | } 292 | page = page + 1 293 | } 294 | inputs.policy.policyName = policyNameList 295 | inputs.policy.policyId = policyIdList 296 | return inputs 297 | } 298 | 299 | module.exports = { 300 | createRole, 301 | deleteRole, 302 | getRole, 303 | addRolePolicy, 304 | removeRolePolicy, 305 | updateAssumeRolePolicy, 306 | inputsChanged, 307 | fullPolicyId 308 | } 309 | --------------------------------------------------------------------------------