fix(IAM): Attaching ES policy when no default role given

src/index.ts

@@ -50,7 +50,6 @@ class ServerlessEsLogsPlugin {
   private mergeCustomProviderResources(): void {
     this.serverless.cli.log('ServerlessEsLogsPlugin.mergeCustomProviderResources()');
     const { retentionInDays } = this.custom.esLogs;
-    const { stage, region } = this.options;
     const template = this.serverless.service.provider.compiledCloudFormationTemplate;
 
     // Add cloudwatch subscriptions to firehose for functions' log groups
@@ -62,10 +61,16 @@ class ServerlessEsLogsPlugin {
     }
 
     // Add IAM role for cloudwatch -> elasticsearch lambda
-    _.merge(template.Resources, iamLambdaTemplate);
-
-    // Patch lambda role
-    this.patchLogProcesserRole();
+    if (this.serverless.service.provider.role) {
+      _.merge(template.Resources, iamLambdaTemplate);
+      this.patchLogProcesserRole();
+    } else {
+      // Merge log processor role policies into default role
+      const updatedPolicies = template.Resources.IamRoleLambdaExecution.Properties.Policies.concat(
+        iamLambdaTemplate.ServerlessEsLogsLambdaIAMRole.Properties.Policies,
+      );
+      template.Resources.IamRoleLambdaExecution.Properties.Policies = updatedPolicies;
+    }
   }
 
   private beforeAwsDeployUpdateStack(): void {

test/support/ServerlessBuilder.ts

@@ -50,6 +50,12 @@ export class ServerlessBuilder {
               DependsOn: [],
               Properties: {},
             },
+            IamRoleLambdaExecution: {
+              DependsOn: [],
+              Properties: {
+                Policies: [],
+              },
+            },
           },
         },
         name: 'aws',

test/unit/plugin.test.ts

@@ -134,12 +134,44 @@ describe('serverless-es-logs :: Plugin tests', () => {
         expect(plugin.hooks['aws:package:finalize:mergeCustomProviderResources']).to.exist;
       });
 
-      it('should create an IAM role for the log processer function', () => {
+      it('should create an IAM role for the log processer function if default role specified', () => {
+        serverless.service.provider.role = random.word();
+        plugin = new ServerlessEsLogsPlugin(serverless, options); 
         const template = serverless.service.provider.compiledCloudFormationTemplate;
         plugin.hooks['aws:package:finalize:mergeCustomProviderResources']();
         expect(template.Resources).to.have.property('ServerlessEsLogsLambdaIAMRole');
       });
 
+      it('should append ES policy to generated role if no default role specified', () => {
+        const template = serverless.service.provider.compiledCloudFormationTemplate;
+        plugin.hooks['aws:package:finalize:mergeCustomProviderResources']();
+        expect(template.Resources).to.have.property('IamRoleLambdaExecution');
+        expect(template.Resources.IamRoleLambdaExecution.Properties.Policies).to.have.deep.members([{
+          PolicyDocument: {
+            Statement: [
+              {
+                Action: [
+                  'logs:CreateLogGroup',
+                  'logs:CreateLogStream',
+                  'logs:PutLogEvents',
+                ],
+                Effect: 'Allow',
+                Resource: 'arn:aws:logs:*:*:*',
+              },
+              {
+                Action: 'es:ESHttpPost',
+                Effect: 'Allow',
+                Resource: {
+                  'Fn::Sub': 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*',
+                },
+              },
+            ],
+            Version: '2012-10-17',
+          },
+          PolicyName: 'cw-to-elasticsearch-policy',
+        }]);
+      });
+
       describe('#addCloudwatchSubscriptions()', () => {
         it('shouldn\'t add any subscriptions or permissions if there are no functions', () => {
           const template = serverless.service.provider.compiledCloudFormationTemplate;