feat(acm): validated certificate can use existing Role (#3785)

Allow specifying an existing Role for the Validated Certificate,
to remove the dependency on `iam:CreateRole`.

Fixes #3519, but needs implementation of #3753 for maximum usefulness.

Author: rix0rrr

packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

@@ -23,6 +23,13 @@ export interface DnsValidatedCertificateProps extends CertificateProps {
      * @default the region the stack is deployed in.
      */
     readonly region?: string;
+
+    /**
+     * Role to use for the custom resource that creates the validated certificate
+     *
+     * @default - A new role will be created
+     */
+    readonly customResourceRole?: iam.IRole;
 }
 
 /**
@@ -55,7 +62,8 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
             code: lambda.Code.fromAsset(path.resolve(__dirname, '..', 'lambda-packages', 'dns_validated_certificate_handler', 'lib')),
             handler: 'index.certificateRequestHandler',
             runtime: lambda.Runtime.NODEJS_8_10,
-            timeout: cdk.Duration.minutes(15)
+            timeout: cdk.Duration.minutes(15),
+            role: props.customResourceRole
         });
         requestorFunction.addToRolePolicy(new iam.PolicyStatement({
             actions: ['acm:RequestCertificate', 'acm:DescribeCertificate', 'acm:DeleteCertificate'],
@@ -74,7 +82,7 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
             provider: cfn.CustomResourceProvider.lambda(requestorFunction),
             properties: {
                 DomainName: props.domainName,
-                SubjectAlternativeNames: cdk.Lazy.listValue({ produce: () => props.subjectAlternativeNames}, { omitEmpty: true}),
+                SubjectAlternativeNames: cdk.Lazy.listValue({ produce: () => props.subjectAlternativeNames }, { omitEmpty: true }),
                 HostedZoneId: this.hostedZoneId,
                 Region: props.region,
             }

packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts

@@ -1,4 +1,5 @@
 import { expect, haveResource } from '@aws-cdk/assert';
+import iam = require('@aws-cdk/aws-iam');
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
 import { App, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -154,4 +155,30 @@ export = {
 
     test.done();
   },
+
+  'works with imported role'(test: Test) {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'Stack', {
+      env: { account: '12345678', region: 'us-blue-5' },
+    });
+    const helloDotComZone = new PublicHostedZone(stack, 'HelloDotCom', {
+      zoneName: 'hello.com'
+    });
+    const role = iam.Role.fromRoleArn(stack, 'Role', 'arn:aws:iam::account-id:role/role-name');
+
+    // WHEN
+    new DnsValidatedCertificate(stack, 'Cert', {
+      domainName: 'hello.com',
+      hostedZone: helloDotComZone,
+      customResourceRole: role
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::Lambda::Function', {
+      Role: 'arn:aws:iam::account-id:role/role-name'
+    }));
+
+    test.done();
+  },
 };