@bucha09
Contributor

@bucha09 bucha09 commented Mar 2, 2020

Possible fix for this issue: #306. It allows adding an already created role to a CloudWatch event.

@theburningmonk
Collaborator

@bucha09 LGTM and should work, can you add some tests around it?

Taras Buchko added 2 commits March 11, 2020 20:58
It allows using an already created role in a CloudWatch event which triggers StepFunctions
@bucha09
Contributor Author

bucha09 commented Mar 11, 2020

> @bucha09 LGTM and should work, can you add some tests around it?

Did some research and added some fixes to the code. It'll use iamRole when it is defined in serverless.yml or, if it is not defined, leave things as they were (create a new role).
Example:

    cloudwatchEvent:
      name: SwapApproveOrReject-${opt:stage}
      #iamRole: "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      event:
        source:
          - "aws.codepipeline"

cloudformation template:

    "State": "ENABLED",
    "Name": "SwapApproveOrReject-test",
    "Targets": [
      {
        "Arn": {
          "Ref": "DeleteOldDeploymentDashtest"
        },
        "Id": "deleteOldDeploymentCloudWatchEvent",
        "RoleArn": "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      }
    ]

and if iamRole is defined:

    cloudwatchEvent:
      name: SwapApproveOrReject-${opt:stage}
      iamRole: "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      event:
        source:

then cloudformation template:

        "State": "ENABLED",
        "Name": "SwapApproveOrReject-test",
        "Targets": [
          {
            "Arn": {
              "Ref": "DeleteOldDeploymentDashtest"
            },
            "Id": "deleteOldDeploymentCloudWatchEvent",
            "RoleArn": {
              "Fn::GetAtt": [
                "DeleteOldDeploymentEventToStepFunctionsRole",
                "Arn"
              ]
            }
          }
        ]
      }
    }

as result:
Screenshot from 2020-03-11 20-48-32

@bucha09
Contributor Author

bucha09 commented Mar 12, 2020

@theburningmonk Finally, I've fixed the issues, added a description in readme.md and fixed the lint problems. Tested, and it looks like everything is OK.

@theburningmonk
Collaborator

@bucha09 I don't understand your example.. are the cloudformation templates pasted the wrong way round?

"Arn": { "Ref": "${stateMachineLogicalId}" },
"Id": "${cloudWatchId}",
"RoleArn": {
${IamRole ? `"RoleArn":"${IamRole}"` : `"RoleArn": {
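
Review bot: on the last line, `"RoleArn":"${IamRole}"` splices the configured value between double quotes inside a JSON string template, so anything other than a plain ARN string (a value containing a quote, or an object such as a CloudFormation intrinsic) produces invalid or unintended JSON. Resolve the RoleArn value before the template and emit it with JSON.stringify; that also removes the need to wrap the whole `"RoleArn"` entry in the conditional.
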
Collaborator

this feels a bit weird, having the entire blob inside an if/else, can you do the if-else on ln47 when you assign the value of IamRole instead?

Contributor Author

@theburningmonk I'll do my best)

@bucha09
Contributor Author

bucha09 commented Mar 12, 2020

@theburningmonk Now, cloudformation pastes the correct RoleArn if Role is defined in serverless.yml. If Role isn't defined in serverless.yml, then it is left as it was (it'll create a new role).

@theburningmonk
Collaborator

@bucha09 sorry, I meant the example you cited here. When you set the IAM role explicitly

    name: SwapApproveOrReject-${opt:stage}
    iamRole: "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"

I'd have expected the CloudFormation template to reflect that:

    "State": "ENABLED",
    "Name": "SwapApproveOrReject-test",
    "Targets": [
      {
        "Arn": {
          "Ref": "DeleteOldDeploymentDashtest"
        },
        "Id": "deleteOldDeploymentCloudWatchEvent",
        "RoleArn": "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      }
    ]

is that not the case?

@bucha09
Contributor Author

bucha09 commented Mar 13, 2020

@theburningmonk
Sorry, my mistake in the description.
If the cloudwatch event looks like this (role disabled or not defined):

    cloudwatchEvent:
      name: SwapApproveOrReject-${opt:stage}
      #iamRole: "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      event:
        source:
          - "aws.codepipeline"

then cloudformation template:

    "State": "ENABLED",
    "Name": "SwapApproveOrReject-test",
    "Targets": [
      {
        "Arn": {
          "Ref": "DeleteOldDeploymentDashtest"
        },
        "Id": "deleteOldDeploymentCloudWatchEvent",
        "RoleArn": {
          "Fn::GetAtt": [
            "DeleteOldDeploymentEventToStepFunctionsRole",
            "Arn"
          ]
        }
      }
    ]

and if iamRole is defined:

    cloudwatchEvent:
      name: SwapApproveOrReject-${opt:stage}
      iamRole: "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      event:
        source:

then cloudformation template:

    "State": "ENABLED",
    "Name": "SwapApproveOrReject-test",
    "Targets": [
      {
        "Arn": {
          "Ref": "DeleteOldDeploymentDashtest"
        },
        "Id": "deleteOldDeploymentCloudWatchEvent",
        "RoleArn": "arn:aws:iam::accountid:role/Events-InvokeStepFunctions-Role"
      }
    ]
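
The two outcomes described in the comment above, as an added example (not code from this PR or from serverless-step-functions): the target is built as data, with `RoleArn` resolved up front to either the validated `iamRole` ARN or a `Fn::GetAtt` on the generated role. The helper names, the ARN pattern, the accepted intrinsics and the sample account id are assumptions made for the illustration.

```javascript
// Assumed shape of an IAM role ARN: partition, 12-digit account id, optional path, role name.
const ROLE_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role\/[\w+=,.@\/-]{1,512}$/;
// Assumption: intrinsics accepted in place of a literal ARN.
const INTRINSICS = ['Fn::GetAtt', 'Ref', 'Fn::ImportValue', 'Fn::Sub'];

// Hypothetical helper: decide the RoleArn value once, before the target is assembled.
function resolveRoleArn(event, generatedRoleLogicalId) {
  const { iamRole } = event;
  if (iamRole === undefined || iamRole === null) {
    // No role configured: keep the previous behaviour and reference the generated role.
    return { 'Fn::GetAtt': [generatedRoleLogicalId, 'Arn'] };
  }
  if (typeof iamRole === 'string') {
    if (!ROLE_ARN.test(iamRole)) {
      throw new Error(`iamRole is not an IAM role ARN: ${JSON.stringify(iamRole)}`);
    }
    return iamRole;
  }
  const keys = Object.keys(iamRole);
  if (keys.length === 1 && INTRINSICS.includes(keys[0])) return iamRole;
  throw new Error('iamRole must be an ARN string or a single CloudFormation intrinsic');
}

// Hypothetical helper: build the rule target as data, not by string interpolation,
// so a malformed value can never change the structure of the template.
function buildTarget(event, stateMachineLogicalId, cloudWatchId, generatedRoleLogicalId) {
  return {
    Arn: { Ref: stateMachineLogicalId },
    Id: cloudWatchId,
    RoleArn: resolveRoleArn(event, generatedRoleLogicalId),
  };
}

// Constructed sample input; logical ids mirror the thread, the account id is a placeholder.
const IDS = ['DeleteOldDeploymentDashtest', 'deleteOldDeploymentCloudWatchEvent',
  'DeleteOldDeploymentEventToStepFunctionsRole'];
const SAMPLE_ROLE = 'arn:aws:iam::123456789012:role/Events-InvokeStepFunctions-Role';
const withRole = buildTarget({ iamRole: SAMPLE_ROLE }, ...IDS);
const withoutRole = buildTarget({}, ...IDS);
console.log(JSON.stringify({ withRole, withoutRole }, null, 2));
```
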

@theburningmonk theburningmonk merged commit 3a57548 into serverless-operations:master Apr 2, 2020
@theburningmonk
Collaborator

🎉 This PR is included in version 2.17.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

@bucha09
Contributor Author

bucha09 commented Apr 2, 2020

@theburningmonk Thanks!

@bucha09 bucha09 deleted the patch-1 branch April 2, 2020 11:48
ss-betseqnzr pushed a commit to BetSEQNZR/serverless-step-functions that referenced this pull request Sep 8, 2023
Add custom role to cloudwatch event which trigger step functions