feat(infra): Expose Optional Lambda Execution Role Property [CLK-239123] (#6)

* feat(infra): Expose Lambda execution role property [CLK-239123]

* chore(infra): Add UT to verify role property sets execution role on lambda [CLK-239123]

Author: Justinon

docs/interfaces/UploadProps.md

@@ -10,6 +10,7 @@
 - [fileName](UploadProps.md#filename)
 - [path](UploadProps.md#path)
 - [prune](UploadProps.md#prune)
+- [role](UploadProps.md#role)
 
 ## Properties
 
@@ -50,3 +51,15 @@ Whether or not to clear out the destination directory before uploading.
 **`Default`**
 
 false
+
+___
+
+### role
+
+• `Optional` `Readonly` **role**: `IRole`
+
+Used as the Lambda Execution Role for the BucketDeployment.
+
+**`Default`**
+
+- role is created automatically by the Construct

src/generator.ts

@@ -1,4 +1,5 @@
 import Ajv, { SchemaObject } from 'ajv';
+import { IRole } from 'aws-cdk-lib/aws-iam';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Construct } from 'constructs';
@@ -29,6 +30,11 @@ export interface UploadProps {
    * @default false
    */
   readonly prune?: boolean;
+  /**
+   * Used as the Lambda Execution Role for the BucketDeployment.
+   * @default - role is created automatically by the Construct
+   */
+  readonly role?: IRole;
 }
 
 export interface SerializerProps {
@@ -152,6 +158,7 @@ export class Generator extends Construct {
       destinationKeyPrefix: this._uploadProps.path,
       sources: [Source.jsonData(this._uploadProps.fileName, contents)],
       prune: this._uploadProps.prune ?? false,
+      role: this._uploadProps.role,
     });
   }
 }

test/generator.test.ts

@@ -1,7 +1,8 @@
 /* eslint-disable dot-notation */
 // ^ Helps us test private properties like functions and fields
-import { App, Stack } from 'aws-cdk-lib';
+import { App, CfnElement, Stack } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
+import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import { schema } from './resources/test.schema';
 import { Generator, GeneratorFileType, GeneratorProps } from '../src';
 
@@ -86,5 +87,28 @@ describe('Generator', () => {
         Prune: true,
       });
     });
+
+    it('uses custom Lambda execution role when set', () => {
+      const testRole = new Role(stack, 'TestExecutionRole', { assumedBy: new ServicePrincipal('test.amazonaws.com') });
+      new Generator(stack, 'Generator', {
+        ...actualProps,
+        upload: {
+          ...actualProps.upload,
+          role: testRole,
+        },
+      });
+      const template = Template.fromStack(stack);
+      const lambda = template.findResources('AWS::Lambda::Function');
+      const lambdaId = Object.keys(lambda)[0];
+      // Verify BucketDeployment uses the Lambda with role set
+      template.hasResourceProperties('Custom::CDKBucketDeployment', {
+        ServiceToken: { 'Fn::GetAtt': [lambdaId, 'Arn'] },
+      });
+      // Verify Lambda uses the role
+      const roleId = stack.getLogicalId(testRole.node.defaultChild as CfnElement);
+      template.hasResourceProperties('AWS::Lambda::Function', {
+        Role: { 'Fn::GetAtt': [roleId, 'Arn'] },
+      });
+    });
   });
 });