Merge pull request #208 from horike37/feature/support_existing_IAM

feat: support iamRole override for HTTP events

Author: horike37

README.md

@@ -315,8 +315,6 @@ stepFunctions:
       definition:
 ```
 
-#### HTTP Endpoint with Extended Options
-
 Here You can define an POST endpoint for the path posts/create.
 
 ```yml
@@ -330,6 +328,22 @@ stepFunctions:
       definition:
 ```
 
+#### HTTP Endpoint with custom IAM Role
+
+The plugin would generate an IAM Role for you by default. However, if you wish to use an IAM role that you have provisioned separately, then you can override the IAM Role like this:
+
+```yml
+stepFunctions:
+  stateMachines:
+    hello:
+      events:
+        - http:
+            path: posts/create
+            method: POST
+            iamRole: arn:aws:iam::<accountId>:role/<roleName>
+      definition:
+```
+
 #### Share API Gateway and API Resources
 
 You can [share the same API Gateway](https://serverless.com/framework/docs/providers/aws/events/apigateway/#share-api-gateway-and-api-resources) between multiple projects by referencing its REST API ID and Root Resource ID in serverless.yml as follows:

lib/deploy/events/apiGateway/iamRole.js

@@ -5,6 +5,15 @@ const path = require('path');
 
 module.exports = {
   compileHttpIamRole() {
+    const needDefaultIamRole = this.pluginhttpValidated.events.some((event) =>
+      // a http event that doesn't specify its own iamRole would need us to
+      // generate a default IAM role
+      _.has(event, 'http') && !_.has(event, 'http.iamRole'));
+
+    if (!needDefaultIamRole) {
+      return BbPromise.resolve();
+    }
+
     const iamRoleApiGatewayToStepFunctionsTemplate =
       JSON.stringify(this.serverless.utils.readFileSync(
       path.join(__dirname,

lib/deploy/events/apiGateway/iamRole.test.js

@@ -31,12 +31,93 @@ describe('#compileHttpIamRole()', () => {
     serverlessStepFunctions = new ServerlessStepFunctions(serverless);
   });
 
-  it('should create a IAM Role resource', () => serverlessStepFunctions
-    .compileHttpIamRole().then(() => {
-      expect(
-        serverlessStepFunctions.serverless.service.provider.compiledCloudFormationTemplate
-          .Resources.ApigatewayToStepFunctionsRole.Type
-      ).to.equal('AWS::IAM::Role');
-    })
-  );
+  it('should create an IAM Role resource when there are no iamRole overrides', () => {
+    serverlessStepFunctions.pluginhttpValidated = {
+      events: [
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar1',
+            method: 'post',
+          },
+        },
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar2',
+            method: 'post',
+            private: true,
+          },
+        },
+      ],
+    };
+
+    serverlessStepFunctions
+      .compileHttpIamRole().then(() => {
+        expect(
+          serverlessStepFunctions.serverless.service.provider.compiledCloudFormationTemplate
+            .Resources.ApigatewayToStepFunctionsRole.Type
+        ).to.equal('AWS::IAM::Role');
+      });
+  });
+
+  it('should create an IAM Role resource when at least one event has no iamRole override', () => {
+    serverlessStepFunctions.pluginhttpValidated = {
+      events: [
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar1',
+            method: 'post',
+          },
+        },
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar2',
+            method: 'post',
+            iamRole: 'arn:aws:iam::12345567890:role/test',
+          },
+        },
+      ],
+    };
+
+    serverlessStepFunctions
+      .compileHttpIamRole().then(() => {
+        expect(
+          serverlessStepFunctions.serverless.service.provider.compiledCloudFormationTemplate
+            .Resources.ApigatewayToStepFunctionsRole.Type
+        ).to.equal('AWS::IAM::Role');
+      });
+  });
+
+  it('should not create an IAM Role resource when all events have iamRole override', () => {
+    serverlessStepFunctions.pluginhttpValidated = {
+      events: [
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar1',
+            method: 'post',
+            iamRole: 'arn:aws:iam::12345567890:role/test1',
+          },
+        },
+        {
+          stateMachineName: 'first',
+          http: {
+            path: 'foo/bar2',
+            method: 'post',
+            iamRole: 'arn:aws:iam::12345567890:role/test2',
+          },
+        },
+      ],
+    };
+
+    serverlessStepFunctions
+      .compileHttpIamRole().then(() => {
+        const resources = serverlessStepFunctions.serverless.service.provider
+          .compiledCloudFormationTemplate.Resources;
+        expect(resources).to.not.haveOwnProperty('ApigatewayToStepFunctionsRole');
+      });
+  });
 });

lib/deploy/events/apiGateway/methods.js

@@ -142,16 +142,18 @@ module.exports = {
   },
 
   getMethodIntegration(stateMachineName, stateMachineObj, http) {
-    const apiToStepFunctionsIamRoleLogicalId = this.getApiToStepFunctionsIamRoleLogicalId();
+    const defaultIamRoleLogicalId = this.getApiToStepFunctionsIamRoleLogicalId();
+    const defaultIamRole = {
+      'Fn::GetAtt': [
+        `${defaultIamRoleLogicalId}`,
+        'Arn',
+      ],
+    };
+    const iamRole = _.get(http, 'iamRole', defaultIamRole);
     const integration = {
       IntegrationHttpMethod: 'POST',
       Type: 'AWS',
-      Credentials: {
-        'Fn::GetAtt': [
-          `${apiToStepFunctionsIamRoleLogicalId}`,
-          'Arn',
-        ],
-      },
+      Credentials: iamRole,
       Uri: {
         'Fn::Join': [
           '',