From 84e6648911b7022742ad87919a7aefb3e7f9fcd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joaqu=C3=ADn=20Ormaechea?=
Date: Tue, 5 Mar 2024 12:12:08 -0300
Subject: [PATCH] fix: added missing support for IAM PassRole of tasks that create EventBridge Scheduler Schedules

Resolves #606
---
 lib/deploy/stepFunctions/compileIamRole.js      | 5 +++++
 lib/deploy/stepFunctions/compileIamRole.test.js | 11 +++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 6eae6e79..bcdc94c4 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -563,6 +563,7 @@ function getEventBridgePermissions(state) {
 
 function getEventBridgeSchedulerPermissions(state) {
   const scheduleGroupName = state.Parameters.GroupName;
+  const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;
 
   return [
     {
@@ -574,6 +575,10 @@ function getEventBridgeSchedulerPermissions(state) {
       ],
     },
   },
+  {
+    action: 'iam:PassRole',
+    resource: scheduleTargetRoleArn,
+  },
   ];
 }
 
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
index 8b97f59e..16eb6449 100644
--- a/lib/deploy/stepFunctions/compileIamRole.test.js
+++ b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -3722,7 +3722,7 @@ describe('#compileIamRole', () => {
     ]);
   });
 
-  it('should give event bridge scheduler createSchedule permissions', () => {
+  it('should give event bridge scheduler createSchedule and passRole permissions', () => {
     const genStateMachine = id => ({
       id,
       definition: {
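Review bot: `state.Parameters.Target.RoleArn` on the added line is dereferenced without any guard, so a CreateSchedule task whose definition omits `Target`, or supplies it dynamically under `'Target.$'`, makes the IAM role compile step throw a TypeError instead of reporting a usable error; the same value becomes the `iam:PassRole` resource in the next hunk, where a JSONPath `'RoleArn.$'` would leave `resource` undefined. I would read it defensively, `const target = state.Parameters.Target || {};` followed by `const scheduleTargetRoleArn = target.RoleArn;`, and when it is absent fail with a message naming the state rather than emitting the statement or widening the resource to `*`, which would grant PassRole on every role in the account. Whether the plugin handles dynamic parameters elsewhere with a fallback is not visible here; the rest of getEventBridgeSchedulerPermissions lies between the two hunks.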
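Review bot: The `iam:PassRole` statement added in the second hunk is scoped only by resource; PassRole is what lets the state machine hand the target role to another service, and IAM supports narrowing it with the `iam:PassedToService` condition key so the role can be passed only to `scheduler.amazonaws.com`. If the permission descriptors this file builds can carry a condition, I would add one on this statement; if they cannot, a comment such as `// PassRole is needed because CreateSchedule hands Target.RoleArn to the Scheduler service` would at least document why a role-level grant appears in a scheduler task's policy. The start of the enclosing function is in the previous hunk and its middle is outside both.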
@@ -3765,14 +3765,17 @@ describe('#compileIamRole', () => {
       .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
       .Properties.Policies[0].PolicyDocument.Statement;
 
-    const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
-    expect(eventPermissions[0].Resource).to.has.lengthOf(1);
-    expect(eventPermissions[0].Resource).to.deep.eq([{
+    const schedulerPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
+    expect(schedulerPermissions[0].Resource).to.has.lengthOf(1);
+    expect(schedulerPermissions[0].Resource).to.deep.eq([{
       'Fn::Sub': [
         'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
         { scheduleGroupName: 'MyScheduleGroup' },
       ],
     }]);
+    const rolePermissions = statements.filter(s => _.isEqual(s.Action, ['iam:PassRole']));
+    expect(rolePermissions[0].Resource).to.has.lengthOf(1);
+    expect(rolePermissions[0].Resource).to.deep.eq(['arn:aws:iam::${AWS::AccountId}:role/MyIAMRole']);
   });
 
   it('should handle permissionsBoundary', () => {
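Review bot: `rolePermissions[0].Resource` on the new assertion lines is read before the test establishes that a PassRole statement exists, so a regression that drops the statement fails with a TypeError on `undefined` rather than a readable assertion; add `expect(rolePermissions).to.have.lengthOf(1);` before the two Resource checks, and the same guard would help the `schedulerPermissions` lookup just above. The new case only covers a literal `Target.RoleArn`; a definition with `Target` omitted, or with `RoleArn` given as a JSONPath (`'RoleArn.$'`), exercises the unguarded read in compileIamRole.js and deserves its own `it` block. The state machine fixture that supplies `MyIAMRole` sits above this hunk, so the expected ARN cannot be checked against it here.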