feat: allow the specification of a custom IAM role for scheduled events

serverless-operations · Mar 28, 2019 · f5362f4 · f5362f4
1 parent 1a7da96
commit f5362f4
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -579,6 +579,17 @@ events:
       rate: rate(2 hours)
 ```
 
+## Scheduled Events IAM Role
+
+By default, the plugin will create a new IAM role that allows AWS Events to start your state machine. Note that this role is different then the role assumed by the state machine. You can specify your own role instead (it must allow `events.amazonaws.com` to assume it, and it must be able to run `states:StartExecution` on your state machine):
+
+```yaml
+events:
+  - schedule:
+      rate: rate(2 hours)
+      role: arn:aws:iam::xxxxxxxx:role/yourRole
+
+
 ### CloudWatch Event
 ## Simple event definition
 

diff --git a/lib/deploy/events/schedule/compileScheduledEvents.js b/lib/deploy/events/schedule/compileScheduledEvents.js
@@ -95,11 +95,17 @@ module.exports = {
                     ${InputPath ? `"InputPath": "${InputPath}",` : ''}
                     "Arn": { "Ref": "${stateMachineLogicalId}" },
                     "Id": "${scheduleId}",
-                    "RoleArn": {
-                      "Fn::GetAtt": [
-                        "${scheduleIamRoleLogicalId}",
-                        "Arn"
-                      ]
+                    "RoleArn": ${
+                      event.schedule.role ?
+                        JSON.stringify(event.schedule.role) :
+                        `
+                          {
+                            "Fn::GetAtt": [
+                              "${scheduleIamRoleLogicalId}",
+                              "Arn"
+                            ]
+                          }
+                        `
                     }
                   }]
                 }
@@ -149,7 +155,7 @@ module.exports = {
               [scheduleLogicalId]: JSON.parse(scheduleTemplate),
             };
 
-            const newPermissionObject = {
+            const newPermissionObject = event.schedule.role ? {} : {
               [scheduleIamRoleLogicalId]: JSON.parse(iamRoleTemplate),
             };
 

diff --git a/lib/deploy/events/schedule/compileScheduledEvents.test.js b/lib/deploy/events/schedule/compileScheduledEvents.test.js
@@ -309,6 +309,36 @@ describe('#httpValidate()', () => {
       expect(() => serverlessStepFunctions.compileScheduledEvents()).to.throw(Error);
     });
 
+    it('should respect role variable', () => {
+      serverlessStepFunctions.serverless.service.stepFunctions = {
+        stateMachines: {
+          first: {
+            events: [
+              {
+                schedule: {
+                  rate: 'rate(10 minutes)',
+                  enabled: false,
+                  role: 'arn:aws:iam::000000000000:role/test-role',
+                },
+              },
+            ],
+          },
+        },
+      };
+
+      serverlessStepFunctions.compileScheduledEvents();
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources
+        .FirstScheduleToStepFunctionsRole
+      ).to.equal(undefined);
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources.FirstStepFunctionsEventsRuleSchedule1
+        .Properties.Targets[0].RoleArn
+      ).to.equal('arn:aws:iam::000000000000:role/test-role');
+    });
+
     it('should not create corresponding resources when scheduled events are not given', () => {
       serverlessStepFunctions.serverless.service.stepFunctions = {
         stateMachines: {