feat: allow the specification of a custom IAM role for scheduled events

stevecaldwell77 · stevecaldwell77 · commit f5362f4f5ade · 2019-03-28T13:33:39.000-07:00
diff --git a/README.md b/README.md
@@ -579,6 +579,17 @@ events:
       rate: rate(2 hours)
 ```
 
+## Scheduled Events IAM Role
+
+By default, the plugin will create a new IAM role that allows AWS Events to start your state machine. Note that this role is different then the role assumed by the state machine. You can specify your own role instead (it must allow `events.amazonaws.com` to assume it, and it must be able to run `states:StartExecution` on your state machine):
+
+```yaml
+events:
+  - schedule:
+      rate: rate(2 hours)
+      role: arn:aws:iam::xxxxxxxx:role/yourRole
+
+
 ### CloudWatch Event
 ## Simple event definition
 
diff --git a/lib/deploy/events/schedule/compileScheduledEvents.js b/lib/deploy/events/schedule/compileScheduledEvents.js
@@ -95,11 +95,17 @@ module.exports = {
                     ${InputPath ? `"InputPath": "${InputPath}",` : ''}
                     "Arn": { "Ref": "${stateMachineLogicalId}" },
                     "Id": "${scheduleId}",
-                    "RoleArn": {
-                      "Fn::GetAtt": [
-                        "${scheduleIamRoleLogicalId}",
-                        "Arn"
-                      ]
+                    "RoleArn": ${
+                      event.schedule.role ?
+                        JSON.stringify(event.schedule.role) :
+                        `
+                          {
+                            "Fn::GetAtt": [
+                              "${scheduleIamRoleLogicalId}",
+                              "Arn"
+                            ]
+                          }
+                        `
                     }
                   }]
                 }
@@ -149,7 +155,7 @@ module.exports = {
               [scheduleLogicalId]: JSON.parse(scheduleTemplate),
             };
 
-            const newPermissionObject = {
+            const newPermissionObject = event.schedule.role ? {} : {
               [scheduleIamRoleLogicalId]: JSON.parse(iamRoleTemplate),
             };
 
diff --git a/lib/deploy/events/schedule/compileScheduledEvents.test.js b/lib/deploy/events/schedule/compileScheduledEvents.test.js
@@ -309,6 +309,36 @@ describe('#httpValidate()', () => {
       expect(() => serverlessStepFunctions.compileScheduledEvents()).to.throw(Error);
     });
 
+    it('should respect role variable', () => {
+      serverlessStepFunctions.serverless.service.stepFunctions = {
+        stateMachines: {
+          first: {
+            events: [
+              {
+                schedule: {
+                  rate: 'rate(10 minutes)',
+                  enabled: false,
+                  role: 'arn:aws:iam::000000000000:role/test-role',
+                },
+              },
+            ],
+          },
+        },
+      };
+
+      serverlessStepFunctions.compileScheduledEvents();
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources
+        .FirstScheduleToStepFunctionsRole
+      ).to.equal(undefined);
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources.FirstStepFunctionsEventsRuleSchedule1
+        .Properties.Targets[0].RoleArn
+      ).to.equal('arn:aws:iam::000000000000:role/test-role');
+    });
+
     it('should not create corresponding resources when scheduled events are not given', () => {
       serverlessStepFunctions.serverless.service.stepFunctions = {
         stateMachines: {
