

Merge pull request #607 from jormaechea/eventbridge-scheduler-permiss…
…ions-fix

fix: added missing support for IAM PassRole of tasks that create Even…
horike37 authored Mar 6, 2024
2 parents 48c6bb0 + 84e6648 commit 67e83d1
Showing 2 changed files with 12 additions and 4 deletions.
5 changes: 5 additions & 0 deletions lib/deploy/stepFunctions/compileIamRole.js
Expand Up @@ -563,6 +563,7 @@ function getEventBridgePermissions(state) {

function getEventBridgeSchedulerPermissions(state) {
const scheduleGroupName = state.Parameters.GroupName;
const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;

return [
{
Expand All @@ -574,6 +575,10 @@ function getEventBridgeSchedulerPermissions(state) {
],
},
},
{
action: 'iam:PassRole',
resource: scheduleTargetRoleArn,
},
];
}

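Review bot: `state.Parameters.Target.RoleArn` on the new line is dereferenced unconditionally, so a state whose target is provided at run time (a `Target.$` path rather than a literal `Target` object) would make the whole packaging step throw a TypeError instead of emitting a policy, whereas `GroupName` on the line above tolerates absence. Guarding it, e.g. `const scheduleTargetRoleArn = state.Parameters.Target?.RoleArn;` if the project's Node target allows optional chaining, and failing with an explicit message when it is undefined would keep the failure intelligible and avoid any temptation to fall back to a wildcard resource. The `iam:PassRole` statement is correctly scoped to the single target role ARN; whether the statement shape used here can carry a `Condition` is not visible in the hunk, but if it can, an `iam:PassedToService` condition for the scheduler service would narrow it further. The function also has no header comment; a one-line JSDoc such as `/** IAM statements for a state that calls scheduler:CreateSchedule: the schedule group resource plus iam:PassRole on the target role. */` would document the intent.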
11 changes: 7 additions & 4 deletions lib/deploy/stepFunctions/compileIamRole.test.js
Expand Up @@ -3722,7 +3722,7 @@ describe('#compileIamRole', () => {
]);
});

it('should give event bridge scheduler createSchedule permissions', () => {
it('should give event bridge scheduler createSchedule and passRole permissions', () => {
const genStateMachine = id => ({
id,
definition: {
Expand Down Expand Up @@ -3765,14 +3765,17 @@ describe('#compileIamRole', () => {
.provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
.Properties.Policies[0].PolicyDocument.Statement;

const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
expect(eventPermissions[0].Resource).to.has.lengthOf(1);
expect(eventPermissions[0].Resource).to.deep.eq([{
const schedulerPermissions = statements.filter(s => _.isEqual(s.Action, ['scheduler:CreateSchedule']));
expect(schedulerPermissions[0].Resource).to.has.lengthOf(1);
expect(schedulerPermissions[0].Resource).to.deep.eq([{
'Fn::Sub': [
'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
{ scheduleGroupName: 'MyScheduleGroup' },
],
}]);
const rolePermissions = statements.filter(s => _.isEqual(s.Action, ['iam:PassRole']));
expect(rolePermissions[0].Resource).to.has.lengthOf(1);
expect(rolePermissions[0].Resource).to.deep.eq(['arn:aws:iam::${AWS::AccountId}:role/MyIAMRole']);
});

it('should handle permissionsBoundary', () => {
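Review bot: The new assertions index `rolePermissions[0]` without first asserting that exactly one `iam:PassRole` statement was generated, so an empty filter result fails with a TypeError on `.Resource` rather than a readable assertion, and a second PassRole statement (for example one with a broader resource) would go unnoticed. Adding `expect(rolePermissions).to.have.lengthOf(1);` before the existing two expectations would pin both the count and the scope; the same applies to `schedulerPermissions[0]` a few lines up. The fixture that sets the `MyIAMRole` ARN lives in the collapsed part of the test above this hunk, so the expected value on the last new line cannot be cross-checked here.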

0 comments on commit 67e83d1
