Merge pull request #5 from horike37/master

sync

Author: theburningmonk

README.md

@@ -444,7 +444,7 @@ stepFunctions:
 
 #### Customizing request body mapping templates
 
-The plugin generates default body mapping templates for `application/json` and `application/x-www-form-urlencoded` content types. If you'd like to add more content types or customize the default ones, you can do so by including them in `serverless.yml`:
+The plugin generates default body mapping templates for `application/json` and `application/x-www-form-urlencoded` content types. If you'd like to add more content types or customize the default ones, you can do so by including your custom [API Gateway request mapping template](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html) in `serverless.yml` like so:
 
 ```yml
 stepFunctions:
@@ -579,6 +579,17 @@ events:
       rate: rate(2 hours)
 ```
 
+## Scheduled Events IAM Role
+
+By default, the plugin will create a new IAM role that allows AWS Events to start your state machine. Note that this role is different than the role assumed by the state machine. You can specify your own role instead (it must allow `events.amazonaws.com` to assume it, and it must be able to run `states:StartExecution` on your state machine):
+
+```yaml
+events:
+  - schedule:
+      rate: rate(2 hours)
+      role: arn:aws:iam::xxxxxxxx:role/yourRole
+
+
 ### CloudWatch Event
 ## Simple event definition
 

lib/deploy/events/schedule/compileScheduledEvents.js

@@ -82,6 +82,17 @@ module.exports = {
             const scheduleId = this.getScheduleId(stateMachineName);
             const policyName = this.getSchedulePolicyName(stateMachineName);
 
+            const roleArn = event.schedule.role ?
+              JSON.stringify(event.schedule.role) :
+              `
+                {
+                  "Fn::GetAtt": [
+                    "${scheduleIamRoleLogicalId}",
+                    "Arn"
+                  ]
+                }
+              `;
+
             const scheduleTemplate = `
               {
                 "Type": "AWS::Events::Rule",
@@ -95,12 +106,7 @@ module.exports = {
                     ${InputPath ? `"InputPath": "${InputPath}",` : ''}
                     "Arn": { "Ref": "${stateMachineLogicalId}" },
                     "Id": "${scheduleId}",
-                    "RoleArn": {
-                      "Fn::GetAtt": [
-                        "${scheduleIamRoleLogicalId}",
-                        "Arn"
-                      ]
-                    }
+                    "RoleArn": ${roleArn}
                   }]
                 }
               }
@@ -149,7 +155,7 @@ module.exports = {
               [scheduleLogicalId]: JSON.parse(scheduleTemplate),
             };
 
-            const newPermissionObject = {
+            const newPermissionObject = event.schedule.role ? {} : {
               [scheduleIamRoleLogicalId]: JSON.parse(iamRoleTemplate),
             };
 

lib/deploy/events/schedule/compileScheduledEvents.test.js

@@ -309,6 +309,36 @@ describe('#httpValidate()', () => {
       expect(() => serverlessStepFunctions.compileScheduledEvents()).to.throw(Error);
     });
 
+    it('should respect role variable', () => {
+      serverlessStepFunctions.serverless.service.stepFunctions = {
+        stateMachines: {
+          first: {
+            events: [
+              {
+                schedule: {
+                  rate: 'rate(10 minutes)',
+                  enabled: false,
+                  role: 'arn:aws:iam::000000000000:role/test-role',
+                },
+              },
+            ],
+          },
+        },
+      };
+
+      serverlessStepFunctions.compileScheduledEvents();
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources
+        .FirstScheduleToStepFunctionsRole
+      ).to.equal(undefined);
+
+      expect(serverlessStepFunctions.serverless.service
+        .provider.compiledCloudFormationTemplate.Resources.FirstStepFunctionsEventsRuleSchedule1
+        .Properties.Targets[0].RoleArn
+      ).to.equal('arn:aws:iam::000000000000:role/test-role');
+    });
+
     it('should not create corresponding resources when scheduled events are not given', () => {
       serverlessStepFunctions.serverless.service.stepFunctions = {
         stateMachines: {

lib/deploy/stepFunctions/compileIamRole.js

@@ -100,7 +100,7 @@ function getGluePermissions() {
 
 function getEcsPermissions() {
   return [{
-    action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks',
+    action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks,iam:PassRole',
     resource: '*',
   }, {
     action: 'events:PutTargets,events:PutRule,events:DescribeRule',

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -663,7 +663,7 @@ describe('#compileIamRole', () => {
       .Properties.Policies[0].PolicyDocument.Statement;
 
     const ecsPermissions = statements.filter(s =>
-      _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks'])
+      _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks', 'iam:PassRole'])
     );
     expect(ecsPermissions).to.have.lengthOf(1);
     expect(ecsPermissions[0].Resource).to.equal('*');

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-step-functions",
-  "version": "1.16.0",
+  "version": "1.17.1",
   "description": "The module is AWS Step Functions plugin for Serverless Framework",
   "main": "lib/index.js",
   "scripts": {