aws · mindstorms6 · Jun 4, 2018 · Jun 4, 2018 · Jun 4, 2018 · Jun 4, 2018
diff --git a/packages/aws-cdk-lambda/lib/lambda.ts b/packages/aws-cdk-lambda/lib/lambda.ts
@@ -1,4 +1,4 @@
-import { Construct, ServicePrincipal, Token } from 'aws-cdk';
+import { Arn, Construct, PolicyStatement, ServicePrincipal, Token } from 'aws-cdk';
 import { Role } from 'aws-cdk-iam';
 import { lambda } from 'aws-cdk-resources';
 import { LambdaCode } from './code';
@@ -70,6 +70,13 @@ export interface LambdaProps {
      * @default The default value is 128 MB
      */
     memorySize?: number;
+
+    /**
+     * Initial policy statements to add to the created Lambda Role.
+     *
+     * You can call `addToRolePolicy` to the created lambda to add statements post creation.
+     */
+    initialPolicy?: PolicyStatement[];
 }
 
 /**
@@ -113,9 +120,20 @@ export class Lambda extends LambdaRef {
 
         this.role = new Role(this, 'ServiceRole', {
             assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
-            managedPolicyArns: [ 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' ],
+            // the arn is in the form of - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+            managedPolicyArns: [  Arn.fromComponents({
+                service: "iam",
+                region: "", // no region for managed policy
+                account: "aws", // the account for a managed policy is 'aws'
+                resource: "policy",
+                resourceName: "service-role/AWSLambdaBasicExecutionRole",
+            })],
         });
 
+        for (const statement of (props.initialPolicy || [])) {
+            this.role.addToPolicy(statement);
+        }
+
         const resource = new lambda.FunctionResource(this, 'Resource', {
             functionName: props.functionName,
             description: props.description,

diff --git a/packages/aws-cdk-lambda/test/inline.expected.json b/packages/aws-cdk-lambda/test/inline.expected.json
@@ -74,7 +74,8 @@
           "Version": "2012-10-17"
         },
         "ManagedPolicyArns": [
-          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+          {"Fn::Join": ["", ["arn", ":", {"Ref": "AWS::Partition"}, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", "service-role/AWSLambdaBasicExecutionRole"]]}
+
         ]
       }
     },

diff --git a/packages/aws-cdk-lambda/test/integ.inline.expected.json b/packages/aws-cdk-lambda/test/integ.inline.expected.json
@@ -74,7 +74,7 @@
           "Version": "2012-10-17"
         },
         "ManagedPolicyArns": [
-          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+          {"Fn::Join": ["", ["arn", ":", {"Ref": "AWS::Partition"}, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", "service-role/AWSLambdaBasicExecutionRole"]]}
         ]
       }
     },

diff --git a/packages/aws-cdk-lambda/test/integ.lambda.expected.json b/packages/aws-cdk-lambda/test/integ.lambda.expected.json
@@ -16,7 +16,7 @@
           "Version": "2012-10-17"
         },
         "ManagedPolicyArns": [
-          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+          {"Fn::Join": ["", ["arn", ":", {"Ref": "AWS::Partition"}, ":", "iam", ":", "", ":", "aws", ":", "policy", "/", "service-role/AWSLambdaBasicExecutionRole"]]}
         ]
       }
     },

diff --git a/packages/aws-cdk-lambda/test/test.lambda.ts b/packages/aws-cdk-lambda/test/test.lambda.ts
@@ -1,4 +1,4 @@
-import { AccountPrincipal, Arn, ArnPrincipal, AwsAccountId, Construct, ServicePrincipal, Stack } from 'aws-cdk';
+import { AccountPrincipal, Arn, ArnPrincipal, AwsAccountId, Construct, PolicyStatement, ServicePrincipal, Stack } from 'aws-cdk';
 import { expect } from 'aws-cdk-assert';
 import { Test } from 'nodeunit';
 import { Lambda, LambdaInlineCode, LambdaRuntime } from '../lib';
@@ -26,7 +26,10 @@ export = {
                             Principal: { Service: 'lambda.amazonaws.com' } } ],
                        Version: '2012-10-17' },
                     ManagedPolicyArns:
-                     [ 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' ] } },
+                    // arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+                     // tslint:disable-next-line:max-line-length
+                     [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}],
+                  }},
               MyLambdaCCE802FB:
                { Type: 'AWS::Lambda::Function',
                  Properties:
@@ -38,6 +41,61 @@ export = {
         test.done();
     },
 
+    'adds policy permissions'(test: Test) {
+        const stack = new Stack();
+        new Lambda(stack, 'MyLambda', {
+            code: new LambdaInlineCode('foo'),
+            handler: 'index.handler',
+            runtime: LambdaRuntime.NodeJS610,
+            initialPolicy: [new PolicyStatement().addAction("*").addResource("*")]
+        });
+        expect(stack).toMatch({ Resources:
+            { MyLambdaServiceRole4539ECB6:
+               { Type: 'AWS::IAM::Role',
+                 Properties:
+                  { AssumeRolePolicyDocument:
+                     { Statement:
+                        [ { Action: 'sts:AssumeRole',
+                            Effect: 'Allow',
+                            Principal: { Service: 'lambda.amazonaws.com' } } ],
+                       Version: '2012-10-17' },
+                    ManagedPolicyArns:
+                    // tslint:disable-next-line:max-line-length
+                    [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}],
+                }},
+                MyLambdaServiceRoleDefaultPolicy5BBC6F68: {
+                    Type: "AWS::IAM::Policy",
+                    Properties: {
+                        PolicyDocument: {
+                        Statement: [
+                            {
+                            Action: "*",
+                            Effect: "Allow",
+                            Resource: "*"
+                            }
+                        ],
+                        Version: "2012-10-17"
+                        },
+                        PolicyName: "MyLambdaServiceRoleDefaultPolicy5BBC6F68",
+                        Roles: [
+                        {
+                            Ref: "MyLambdaServiceRole4539ECB6"
+                        }
+                        ]
+                    }
+                },
+              MyLambdaCCE802FB:
+               { Type: 'AWS::Lambda::Function',
+                 Properties:
+                  { Code: { ZipFile: 'foo' },
+                    Handler: 'index.handler',
+                    Role: { 'Fn::GetAtt': [ 'MyLambdaServiceRole4539ECB6', 'Arn' ] },
+                    Runtime: 'nodejs6.10' },
+                 DependsOn: [ 'MyLambdaServiceRole4539ECB6', 'MyLambdaServiceRoleDefaultPolicy5BBC6F68' ] } } } );
+        test.done();
+
+    },
+
     'fails if inline code is used for an invalid runtime'(test: Test) {
         const stack = new Stack();
         test.throws(() => new Lambda(stack, 'MyLambda', {
@@ -77,9 +135,9 @@ export = {
                         ],
                         "Version": "2012-10-17"
                     },
-                    "ManagedPolicyArns": [
-                        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-                    ]
+                    "ManagedPolicyArns":
+                    // tslint:disable-next-line:max-line-length
+                    [{'Fn::Join': ['', ['arn', ':', {Ref: 'AWS::Partition'}, ':', 'iam', ':', '', ':', 'aws', ':', 'policy', '/', 'service-role/AWSLambdaBasicExecutionRole']]}],
                     }
                 },
                 "MyLambdaCCE802FB": {