Merge pull request #186 from campus-explorer/scheduled-events-custom-iam-role

theburningmonk · web-flow · commit 346a7b784331 · 2019-03-29T00:03:14.000+01:00
feat: allow the specification of a custom IAM role for scheduled events
diff --git a/README.md b/README.md
@@ -579,6 +579,17 @@ events:
       rate: rate(2 hours)
 ```
 
+## Scheduled Events IAM Role
+
+By default, the plugin will create a new IAM role that allows AWS Events to start your state machine. Note that this role is different than the role assumed by the state machine. You can specify your own role instead (it must allow `events.amazonaws.com` to assume it, and it must be able to run `states:StartExecution` on your state machine):
+
+```yaml
+events:
+  - schedule:
+      rate: rate(2 hours)
+      role: arn:aws:iam::xxxxxxxx:role/yourRole
+
+
 ### CloudWatch Event
 ## Simple event definition
 
diff --git a/lib/deploy/events/schedule/compileScheduledEvents.js b/lib/deploy/events/schedule/compileScheduledEvents.js
@@ -82,6 +82,17 @@ module.exports = {
             const scheduleId = this.getScheduleId(stateMachineName);
             const policyName = this.getSchedulePolicyName(stateMachineName);
 
+            const roleArn = event.schedule.role ?
+              JSON.stringify(event.schedule.role) :
+              `
+                {
+                  "Fn::GetAtt": [
+                    "${scheduleIamRoleLogicalId}",
+                    "Arn"
+                  ]
+                }
+              `;
+
             const scheduleTemplate = `
               {
                 "Type": "AWS::Events::Rule",
@@ -95,12 +106,7 @@ module.exports = {
                     ${InputPath ? `"InputPath": "${InputPath}",` : ''}
                     "Arn": { "Ref": "${stateMachineLogicalId}" },
                     "Id": "${scheduleId}",
-                    "RoleArn": {
-                      "Fn::GetAtt": [
-                        "${scheduleIamRoleLogicalId}",
-                        "Arn"
-                      ]
-                    }
+                    "RoleArn": ${roleArn}
                   }]
                 }
               }
@@ -149,7 +155,7 @@ module.exports = {
               [scheduleLogicalId]: JSON.parse(scheduleTemplate),
             };
 
-            const newPermissionObject = {
+            const newPermissionObject = event.schedule.role ? {} : {
               [scheduleIamRoleLogicalId]: JSON.parse(iamRoleTemplate),
             };
 
diff --git a/lib/deploy/events/schedule/compileScheduledEvents.test.js b/lib/deploy/events/schedule/compileScheduledEvents.test.js
@@ -309,6 +309,36 @@ describe('#httpValidate()', () => {
       expect(() => serverlessStepFunctions.compileScheduledEvents()).to.throw(Error);
     });
 
+    it('should respect role variable', () => {
+      serverlessStepFunctions.serverless.service.stepFunctions = {
+        stateMachines: {
+          first: {
+            events: [
+              {
+                schedule: {
+                  rate: 'rate(10 minutes)',
+                  enabled: false,
+                  role: 'arn:aws:iam::000000000000:role/test-role',
+                },
+              },
+            ],
+          },
+        },
+      };
+
+      serverlessStepFunctions.compileScheduledEvents();
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources
+        .FirstScheduleToStepFunctionsRole
+      ).to.equal(undefined);
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources.FirstStepFunctionsEventsRuleSchedule1
+        .Properties.Targets[0].RoleArn
+      ).to.equal('arn:aws:iam::000000000000:role/test-role');
+    });
+
     it('should not create corresponding resources when scheduled events are not given', () => {
       serverlessStepFunctions.serverless.service.stepFunctions = {
         stateMachines: {
