Skip to content

Commit b8048be

Browse files
jormaecheajormaechea
committed
feat: added support for IAM Permission of tasks that create EventBridge Scheduler Schedules
Resolves #604
1 parent 131827f commit b8048be

File tree

2 files changed

+73
-0
lines changed

2 files changed

+73
-0
lines changed

lib/deploy/stepFunctions/compileIamRole.js

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -561,6 +561,22 @@ function getEventBridgePermissions(state) {
561561
];
562562
}
563563

564+
function getEventBridgeSchedulerPermissions(state) {
565+
const scheduleGroupName = state.Parameters.GroupName;
566+
567+
return [
568+
{
569+
action: 'scheduler:CreateSchedule',
570+
resource: {
571+
'Fn::Sub': [
572+
'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
573+
{ scheduleGroupName },
574+
],
575+
},
576+
},
577+
];
578+
}
579+
564580
function getS3ObjectPermissions(action, state) {
565581
const bucket = state.Parameters.Bucket || '*';
566582
const key = state.Parameters.Key || '*';
@@ -707,6 +723,9 @@ function getIamPermissions(taskStates) {
707723
case 'arn:aws:states:::events:putEvents.waitForTaskToken':
708724
return getEventBridgePermissions(state);
709725

726+
case 'arn:aws:states:::aws-sdk:scheduler:createSchedule':
727+
return getEventBridgeSchedulerPermissions(state);
728+
710729
case 'arn:aws:states:::s3:getObject':
711730
case 'arn:aws:states:::aws-sdk:s3:getObject':
712731
return getS3ObjectPermissions('s3:GetObject', state);

lib/deploy/stepFunctions/compileIamRole.test.js

Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3721,6 +3721,60 @@ describe('#compileIamRole', () => {
37213721
},
37223722
]);
37233723
});
3724+
3725+
it('should give event bridge scheduler createSchedule permissions', () => {
3726+
const genStateMachine = id => ({
3727+
id,
3728+
definition: {
3729+
StartAt: 'A',
3730+
States: {
3731+
A: {
3732+
Type: 'Task',
3733+
Resource: 'arn:aws:states:::aws-sdk:scheduler:createSchedule',
3734+
Parameters: {
3735+
ActionAfterCompletion: 'DELETE',
3736+
FlexibleTimeWindow: {
3737+
Mode: 'FLEXIBLE',
3738+
MaximumWindowInMinutes: 5,
3739+
},
3740+
'Name.$': '$$.Execution.Name',
3741+
GroupName: 'MyScheduleGroup',
3742+
ScheduleExpression: 'at("2024-03-04T00:00:00")',
3743+
Target: {
3744+
Arn: 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:MyStateMachine',
3745+
RoleArn: 'arn:aws:iam::${AWS::AccountId}:role/MyIAMRole',
3746+
Input: {
3747+
foo: 'bar',
3748+
},
3749+
},
3750+
},
3751+
End: true,
3752+
},
3753+
},
3754+
},
3755+
});
3756+
3757+
serverless.service.stepFunctions = {
3758+
stateMachines: {
3759+
myStateMachine1: genStateMachine('StateMachine1'),
3760+
},
3761+
};
3762+
3763+
serverlessStepFunctions.compileIamRole();
3764+
const statements = serverlessStepFunctions.serverless.service
3765+
.provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
3766+
.Properties.Policies[0].PolicyDocument.Statement;
3767+
3768+
const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
3769+
expect(eventPermissions[0].Resource).to.has.lengthOf(1);
3770+
expect(eventPermissions[0].Resource).to.deep.eq([{
3771+
'Fn::Sub': [
3772+
'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
3773+
{ scheduleGroupName: 'MyScheduleGroup' },
3774+
],
3775+
}]);
3776+
});
3777+
37243778
it('should handle permissionsBoundary', () => {
37253779
serverless.service.stepFunctions = {
37263780
stateMachines: {

0 commit comments

Comments
 (0)