jets 3.1.0 → 4.0.0

data/lib/jets/internal/app/functions/jets/base_path.rb

@@ -1,13 +1,49 @@
-require 'bundler/setup'
+begin
+  require 'bundler/setup'
+  # When require bundler/setup fails, AWS Lambda won't be able to load base_path_mapping
+  # So we'll require base_path_mapping within begin/rescue block so that it does not also
+  # fail the entire lambda function.
+  require 'jets/internal/app/functions/jets/base_path_mapping'
+rescue Exception => e
+  # Note: rescue LoadError is not enough in AWS Lambda environment
+  # Actual exceptions:
+  #   require bundler/setup: Ruby exception "Bundler::GemNotFound"
+  #   require base_path_mappnig: AWS Lambda reported error "errorType": "Init<LoadError>"
+  # Will use a generic rescue Exception though in case error changes in the future.
+  puts "WARN: #{e.class} #{e.message}"
+  puts <<~EOL
+    Could not require bundler/setup.
+    This can happen for weird timeout missing error. Example:
+
+        Could not find timeout-0.3.2 in locally installed gems
+
+    Happens when the gem command is out-of-date on old versions of ruby 2.7.
+    See: https://community.boltops.com/t/could-not-find-timeout-0-3-1-in-any-of-the-sources/996
+  EOL
+end
 require 'cfn_response'
-require 'jets/internal/app/functions/jets/base_path_mapping'
 
 STAGE_NAME = "<%= @stage_name %>"
 
 def lambda_handler(event:, context:)
   cfn = CfnResponse.new(event, context)
   cfn.response do
-    mapping = BasePathMapping.new(event, STAGE_NAME)
+    # Super edge case: mapping is nil when require bundler/setup fails
+    begin
+      mapping = BasePathMapping.new(event, STAGE_NAME)
+    rescue NameError => e
+      puts "ERROR: #{e.class} #{e.message}"
+      puts error_message
+    end
+
+    # This is the "second pass" of CloudFormation when it tries to delete the BasePathMapping during rollback
+    if mapping.nil? && event['RequestType'] == "Delete"
+      cfn.success # so that CloudFormation can continue the delete process from a rollback
+      delay
+      return
+    end
+
+    # Normal behavior when mapping is not nil when bundler/setup loads successfully
     case event['RequestType']
     when "Create", "Update"
       mapping.update
@@ -16,3 +52,57 @@ def lambda_handler(event:, context:)
     end
   end
 end
+
+def delay
+  puts "Delaying 60 seconds to allow user some time to see lambda function logs."
+  60.times do
+    puts Time.now
+    sleep 1
+  end
+end
+
+def error_message
+  <<~EOL
+  This is ultimately the result of require bundler/setup failing to load.
+  On the CloudFormation first pass, the BasePathMapping fails to CREATE.
+  CloudFormation does a rollback and tries to delete the BasePathMapping.
+
+  Jets will send a success response to CloudFormation so it can continue and delete
+  BasePathMapping on the rollback. Otherwise, CloudFormation ends up in the terminal
+  UPDATE_FAILED state and the CloudFormation console provides 3 options:
+
+      1) retry 2) update 3) rollback.
+
+  The only option that seems to work is rollback to get it out of UPDATE_FAILED to
+  UPDATE_ROLLBACK_COMPLETE. But then, if we `jets deploy` again without fixing the
+  require bundler/setup issue, we'll end back up in the UPDATE_FAILED state.
+
+  Will handle this error so we can continue the stack because we do not want it to fail
+  and never be able to send the CfnResponse. Then we have to wait hours for a CloudFormation timeout.
+  Sometimes deleting the APP-dev-ApiDeployment20230518230443-EXAMPLEY8YQP0 stack
+  allows the cloudformation stacks to continue, but usually, it'll only just slightly speed up the rollback.
+
+  Some examples of actual rollback times:
+
+  When left alone, the rollback takes about 2.5 hours.
+
+      2023-05-19 05:39:25  User Initiated
+      2023-05-19 08:01:48  UPDATE_ROLLBACK_COMPLETE
+
+  When deleting the APP-dev-ApiDeployment20230518230443-EXAMPLEY8YQP0 stack, it takes about 1.5 hours.
+
+      2023-05-19 06:25:41  User Initiated
+      2023-05-19 07:47:03  UPDATE_ROLLBACK_COMPLETE
+
+  Rescuing and handling the error here allows the CloudFormation stack to continue and finish the rollback process.
+  It takes the rollback time down to about 3 minutes. Example:
+
+      2023-05-19 16:34:19 User Initiated
+      2023-05-19 16:37:34 UPDATE_ROLLBACK_COMPLETE
+
+  Note: The first cloudformation CREATE pass sends FAILED Status to CloudFormation,
+  and the second cloudformation DELETE pass sends SUCCESS Status to CloudFormation.
+
+  Related: https://community.boltops.com/t/could-not-find-timeout-0-3-1-in-any-of-the-sources/996
+  EOL
+end

data/lib/jets/internal/app/functions/jets/base_path_mapping.rb

@@ -28,8 +28,28 @@ class BasePathMapping
   # Cannot use update_base_path_mapping to update the base_mapping because it doesnt
   # allow us to change the rest_api_id. So we delete and create.
   def update
-    delete(true)
-    create
+    puts "BasePathMapping update"
+    if rest_api_changed?
+      delete(true)
+      create
+    else
+      puts "BasePathMapping update: rest_api_id #{rest_api_id} did not change. Skipping."
+    end
+
+    puts "BasePathMapping update complete"
+  end
+
+  def rest_api_changed?
+    puts "BasePathMapping checking if rest_api_id changed"
+    mapping = current_base_path_mapping
+    return true unless mapping
+    mapping.rest_api_id != rest_api_id
+  end
+
+  def current_base_path_mapping
+    resp = apigateway.get_base_path_mapping(base_path: "(none)", domain_name: domain_name)
+  rescue Aws::APIGateway::Errors::NotFoundException
+    return nil
   end
 
   # Dont delete the newly created base path mapping unless this is an operation
@@ -39,10 +59,14 @@ class BasePathMapping
   end
 
   def delete(fail_silently=false)
-    apigateway.delete_base_path_mapping(
+    puts "BasePathMapping delete"
+    options = {
       domain_name: domain_name, # required
       base_path: base_path.empty? ? '(none)' : base_path,
-    )
+    }
+    puts "BasePathMapping delete options #{options.inspect}"
+    apigateway.delete_base_path_mapping(options)
+    puts "BasePathMapping delete complete"
   # https://github.com/tongueroo/jets/issues/255
   # Used to return: Aws::APIGateway::Errors::NotFoundException
   # Now returns: Aws::APIGateway::Errors::InternalFailure
@@ -52,12 +76,41 @@ class BasePathMapping
   end
 
   def create
-    apigateway.create_base_path_mapping(
+    puts "BasePathMapping create"
+    options = {
       domain_name: domain_name, # required
       base_path: base_path,
       rest_api_id: rest_api_id, # required
       stage: @stage_name,
-    )
+    }
+    puts "BasePathMapping create options #{options.inspect}"
+    apigateway.create_base_path_mapping(options)
+    puts "BasePathMapping create complete"
+  rescue Aws::APIGateway::Errors::ServiceError => e
+    puts "ERROR: #{e.class}: #{e.message}"
+    puts "BasePathMapping create failed"
+    if e.message.include?("Invalid domain name identifier specified")
+      puts <<~EOL
+        This super edge case error seems to happen when the cloudformation stack does a rollback
+        because the BasePathMapping custom resource fails. This has happened with a strange combination of
+        ruby 2.7 and the timeout gem not being picked up in the AWS Lambda runtime environment
+        Specifically, when jets deploy was used with a rubygems install that is out-of-date.
+        See: https://community.boltops.com/t/could-not-find-timeout-0-3-1-in-any-of-the-sources/996
+
+        The new base path mapping is not created correctly and the old base path mapping is not properly deleted.
+        The old ghost base mapping interferes with the new base path mapping.
+        The workaround solution seems to require removing all the config.domain settings and deploying again. Example:
+
+        config/application.rb
+
+            config.domain.cert_arn = "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE1-a3de-4fe7-b72e-4cc153c5303e"
+            config.domain.hosted_zone_name = "example.com"
+
+        Comment out those settings, deploy, then uncomment and deploy again.
+        If there's a better workaround, please let us know.
+      EOL
+    end
+    raise(e)
   end
 
   def deployment_stack
@@ -91,10 +144,28 @@ class BasePathMapping
   end
 
   def apigateway
-    @apigateway ||= Aws::APIGateway::Client.new
+    @apigateway ||= Aws::APIGateway::Client.new(aws_options)
   end
 
   def cfn
-    @cfn ||= Aws::CloudFormation::Client.new
+    @cfn ||= Aws::CloudFormation::Client.new(aws_options)
   end
+
+  def aws_options
+    options = {
+      retry_limit: 7, # default: 3
+      retry_base_delay: 0.6, # default: 0.3
+    }
+    options.merge!(
+      log_level: :debug,
+      logger: Logger.new($stdout),
+    ) if ENV['JETS_DEBUG_AWS_SDK']
+    options
+  end
+end
+
+if __FILE__ == $0
+  event = JSON.load(File.read(ARGV[0]))
+  context = nil # stub out
+  BasePathMapping.new(event, context).update
 end

data/lib/jets/internal/app/jobs/jets/preheat_job.rb

@@ -12,13 +12,17 @@ class Jets::PreheatJob < ApplicationJob
       sid: "Statement1",
       action: ["logs:*"],
       effect: "Allow",
-      resource: "arn:aws:logs:#{Jets.aws.region}:#{Jets.aws.account}:log-group:#{Jets.config.project_namespace}-*",
+      resource: [
+        sub("arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${WarmLambdaFunction}"),
+      ]
     },
     {
       sid: "Statement2",
       action: ["lambda:InvokeFunction", "lambda:InvokeAsync"],
       effect: "Allow",
-      resource: "arn:aws:lambda:#{Jets.aws.region}:#{Jets.aws.account}:function:#{Jets.config.project_namespace}-*",
+      resource: [
+        sub("arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${WarmLambdaFunction}")
+      ]
     }
   )
 

data/lib/jets/job/base.rb

@@ -13,6 +13,8 @@ module Jets::Job
     include Helpers::KinesisEventHelper
     include Helpers::LogEventHelper
     include Helpers::S3EventHelper
+    include Helpers::SnsEventHelper
+    include Helpers::SqsEventHelper
 
     # Tracks bucket each time an s3_event is declared
     # Map of bucket_name => stack_name (nested part)

data/lib/jets/job/helpers/sns_event_helper.rb

@@ -0,0 +1,8 @@
+module Jets::Job::Helpers
+    module SnsEventHelper
+       def sns_event_payload
+          message = event&.dig("Records", 0, "Sns", "Message")
+          @sns_event_payload ||= ActiveSupport::HashWithIndifferentAccess.new(JSON.load(message))
+      end
+    end
+end

data/lib/jets/job/helpers/sqs_event_helper.rb

@@ -0,0 +1,8 @@
+module Jets::Job::Helpers
+    module SqsEventHelper
+       def sqs_event_payload
+          message = event&.dig("Records", 0, "body")
+          @sqs_event_payload ||= ActiveSupport::HashWithIndifferentAccess.new(JSON.parse(message))
+       end
+    end
+end

data/lib/jets/lambda/dsl.rb

@@ -57,6 +57,7 @@ module Jets::Lambda::Dsl
       PROPERTIES = %W[
         dead_letter_config
         description
+        ephemeral_storage
         handler
         kms_key_arn
         memory_size
@@ -236,6 +237,10 @@ module Jets::Lambda::Dsl
         "!Ref #{name.to_s.camelize}"
       end
 
+      def sub(value)
+        "!Sub #{value.to_s.camelize}"
+      end
+
       # meth is a Symbol
       def method_added(meth)
         return if %w[initialize method_missing].include?(meth.to_s)
@@ -316,7 +321,8 @@ module Jets::Lambda::Dsl
       #
       # Do not include tasks from the direct subclasses of Jets::Lambda::Functions
       # because those classes are abstract.  Dont want those methods to be included.
-      def find_all_tasks(public: true)
+      def find_all_tasks(options={})
+        public = options[:public].nil? ? true : options[:public]
         klass = self
         direct_subclasses = Jets::Lambda::Functions.subclasses
         lookup = []

data/lib/jets/{naming.rb → names.rb}

@@ -1,7 +1,7 @@
-# This class groups the naming in one place.
-# Some naming is for CloudFormation
+# This class groups the names in one place.
+# Some names are for CloudFormation
 # Some are for the Build process
-class Jets::Naming
+class Jets::Names
   # Mainly used by build.rb
   class << self
     extend Memoist

data/lib/jets/preheat.rb

@@ -91,12 +91,15 @@ module Jets
     #     ...
     #   ]
     def all_functions
-      classes.map do |klass|
-        tasks = klass.tasks.select { |t| t.lang == :ruby } # only prewarm ruby functions
-        tasks.map do |task|
-          meth = task.meth
-          underscored = klass.to_s.underscore.gsub('/','-')
-          "#{underscored}-#{meth}" # function_name
+      parent_stack = cfn.describe_stack_resources(stack_name: Jets::Names.parent_stack_name)
+      parent_resources = parent_stack.stack_resources.select do |resource|
+        resource.logical_resource_id =~ /Controller$/ # only controller functions
+      end
+      physical_resource_ids = parent_resources.map(&:physical_resource_id)
+      resources = physical_resource_ids.inject([]) do |acc, physical_resource_id|
+        stack_resources = cfn.describe_stack_resources(stack_name: physical_resource_id).stack_resources
+        stack_resources.each do |stack_resource|
+          acc << stack_resource if stack_resource.logical_resource_id.ends_with?('LambdaFunction') # only functions
         end
       end.flatten.uniq.compact
     end

data/lib/jets/resource/api_gateway/base_path/role.rb

@@ -54,7 +54,7 @@ module Jets::Resource::ApiGateway::BasePath
 
     # Duplicated in rest_api/change_detection.rb, base_path/role.rb, rest_api/routes.rb
     def rest_api_id
-      stack_name = Jets::Naming.parent_stack_name
+      stack_name = Jets::Names.parent_stack_name
       return "RestApi" unless stack_exists?(stack_name)
 
       stack = cfn.describe_stacks(stack_name: stack_name).stacks.first

data/lib/jets/resource/api_gateway/deployment.rb

@@ -33,7 +33,7 @@ module Jets::Resource::ApiGateway
     end
 
     def depends_on
-      expression = "#{Jets::Naming.template_path_prefix}-*_controller*"
+      expression = "#{Jets::Names.template_path_prefix}-*_controller*"
       controller_logical_ids = []
       Dir.glob(expression).each do |path|
         next unless File.file?(path)
@@ -57,7 +57,7 @@ module Jets::Resource::ApiGateway
 
     def self.stage_name
       # Stage name only allows a-zA-Z0-9_
-      [Jets.config.short_env, Jets.config.env_extra].compact.join('_').gsub('-','_')
+      [Jets.config.short_env, Jets.config.extra].compact.join('_').gsub('-','_')
     end
 
     def timestamp

data/lib/jets/resource/api_gateway/rest_api/logical_id/message.rb

@@ -8,8 +8,7 @@ class Jets::Resource::ApiGateway::RestApi::LogicalId
     end
 
     def custom_domain
-      api = Jets::Resource::ApiGateway::DomainName.new
-      domain_name = api.domain_name
+      domain_name = Jets.config.domain.name
       if domain_name
         <<~EOL
         It looks like you have already set up a custom domain.
@@ -25,7 +24,18 @@ class Jets::Resource::ApiGateway::RestApi::LogicalId
         More info: custom domain docs: https://rubyonjets.com/docs/routing/custom-domain/
         EOL
       else
-        "Please set up a custom domain https://rubyonjets.com/docs/routing/custom-domain/"
+        <<~EOL
+        To avoid this prompt in the future, you can configure:
+
+        config/application.rb
+
+            config.api.auto_replace = true
+
+        However, you should also set up a custom domain for a "stable" endpoint.
+
+        https://rubyonjets.com/docs/routing/custom-domain/
+
+        EOL
       end
     end
 

data/lib/jets/resource/api_gateway/rest_api/logical_id.rb

@@ -88,7 +88,7 @@ class Jets::Resource::ApiGateway::RestApi
     end
 
     def parent_stack_name
-      Jets::Naming.parent_stack_name
+      Jets::Names.parent_stack_name
     end
 
     def default

data/lib/jets/resource/api_gateway/rest_api/routes/change/base.rb

@@ -7,51 +7,22 @@ class Jets::Resource::ApiGateway::RestApi::Routes::Change
       new.changed?
     end
 
-    # Build up deployed routes from the existing CloudFormation resources.
+    # Recreate routes from previously deployed stored state in s3
     def deployed_routes
-      routes = []
-
-      resources, position = [], true
-      while position
-        position = nil if position == true # start of loop
-        resp = apigateway.get_resources(
-          rest_api_id: rest_api_id,
-          position: position,
-          limit: 500, # default: 25 max: 500
+      state = Jets::Router::State.new
+      data = state.load("routes")
+      return [] if data.nil?
+
+      data.map do |item|
+        Jets::Router::Route.new(
+          path: item['path'],
+          method: item['options']['method'],
+          to: item['to'],
         )
-        resources += resp.items
-        position = resp.position
-      end
-
-      resources.each do |resource|
-        resource_methods = resource.resource_methods
-        next if resource_methods.nil?
-
-        resource_methods.each do |http_verb, resource_method|
-          # puts "#{http_verb} #{resource.path} | resource.id #{resource.id}"
-          # puts to(resource.id, http_verb)
-
-          # Test changing config.cors and CloudFormation does an in-place update
-          # on the resource. So no need to do bluegreen deployments for OPTIONS.
-          next if http_verb == "OPTIONS"
-
-          path = recreate_path(resource.path)
-          method = http_verb.downcase.to_sym
-          to = to(resource.id, http_verb)
-          route = Jets::Router::Route.new(path: path, method: method, to: to)
-          routes << route
-        end
       end
-      routes
     end
     memoize :deployed_routes
 
-    def recreate_path(path)
-      path = path.gsub(%r{^/},'')
-      path = path.gsub(/{([^}]*)\+}/, '*\1')
-      path.gsub(/{([^}]*)}/, ':\1')
-    end
-
     def to(resource_id, http_method)
       uri = method_uri(resource_id, http_method)
       recreate_to(uri) unless uri.nil?
@@ -115,7 +86,7 @@ class Jets::Resource::ApiGateway::RestApi::Routes::Change
 
     # Duplicated in rest_api/change_detection.rb, base_path/role.rb, rest_api/routes.rb
     def rest_api_id
-      stack_name = Jets::Naming.parent_stack_name
+      stack_name = Jets::Names.parent_stack_name
       return "RestApi" unless stack_exists?(stack_name)
 
       stack = cfn.describe_stacks(stack_name: stack_name).stacks.first

data/lib/jets/resource/api_gateway/rest_api/routes/change/media_types.rb

@@ -30,7 +30,7 @@ class Jets::Resource::ApiGateway::RestApi::Routes::Change
     end
 
     def parent_stack_name
-      Jets::Naming.parent_stack_name
+      Jets::Names.parent_stack_name
     end
   end
 end

data/lib/jets/resource/api_gateway/rest_api/routes/change/page.rb

@@ -33,7 +33,7 @@ class Jets::Resource::ApiGateway::RestApi::Routes::Change
     # logical id to page map
     # Important: In Cfn::Builders::ApiGatewayBuilder, the add_gateway_routes and ApiResourcesBuilder needs to run
     # before the parent add_gateway_rest_api method.
-    def local_logical_ids_map(path_expression="#{Jets::Naming.template_path_prefix}-api-resources-*.yml")
+    def local_logical_ids_map(path_expression="#{Jets::Names.template_path_prefix}-api-resources-*.yml")
       logical_ids = {} # logical id => page number
 
       Dir.glob(path_expression).each do |path|
@@ -85,7 +85,7 @@ class Jets::Resource::ApiGateway::RestApi::Routes::Change
     end
 
     def parent_resources
-      resp = cfn.describe_stack_resources(stack_name: Jets::Naming.parent_stack_name)
+      resp = cfn.describe_stack_resources(stack_name: Jets::Names.parent_stack_name)
       resp.stack_resources
     end
     memoize :parent_resources

data/lib/jets/resource/api_gateway/rest_api/routes/change.rb

@@ -10,7 +10,7 @@ class Jets::Resource::ApiGateway::RestApi::Routes
     end
 
     def parent_stack_exists?
-      stack_exists?(Jets::Naming.parent_stack_name)
+      stack_exists?(Jets::Names.parent_stack_name)
     end
   end
 end

data/lib/jets/resource/api_gateway/rest_api.rb

@@ -2,9 +2,10 @@ module Jets::Resource::ApiGateway
   class RestApi < Jets::Resource::Base
     def definition
       properties = {
-        name: Jets::Naming.gateway_api_name,
+        name: Jets::Names.gateway_api_name,
         endpoint_configuration: { types: endpoint_types }
       }
+      properties[:endpoint_configuration][:vpc_endpoint_ids] = vpce_ids if vpce_ids
       properties[:binary_media_types] = binary_media_types if binary_media_types
       properties[:policy] = endpoint_policy if endpoint_policy
 
@@ -60,5 +61,14 @@ module Jets::Resource::ApiGateway
 
       endpoint_policy
     end
+
+    private
+
+    def vpce_ids
+      ids = Jets.config.api.vpc_endpoint_ids
+      return nil if ids.nil? || ids.empty?
+
+      ids
+    end
   end
-end
+end

data/lib/jets/resource/child_stack/api_deployment.rb

@@ -31,7 +31,7 @@ module Jets::Resource::ChildStack
     end
 
     def depends_on
-      expression = "#{Jets::Naming.template_path_prefix}-*_controller*"
+      expression = "#{Jets::Names.template_path_prefix}-*_controller*"
       controller_logical_ids = []
       Dir.glob(expression).each do |path|
         next unless File.file?(path)

data/lib/jets/resource/child_stack/api_resource/page.rb

@@ -3,7 +3,7 @@ class Jets::Resource::ChildStack::ApiResource
   # Returns: logical id of ApiResource Page
   class Page
     def self.logical_id(parameter)
-      expression = "#{Jets::Naming.template_path_prefix}-api-resources-*"
+      expression = "#{Jets::Names.template_path_prefix}-api-resources-*"
       # IE: path: #{Jets.build_root}/templates/demo-dev-2-api-resources-1.yml"
       template_paths = Dir.glob(expression).sort.to_a
       found_template = template_paths.detect do |path|

data/lib/jets/resource/child_stack/api_resource.rb

@@ -28,7 +28,7 @@ module Jets::Resource::ChildStack
       # Since dont have all the info required.
       # Read the template back to find the parameters required.
       # Actually might be easier to rationalize this approach.
-      template_path = Jets::Naming.api_resources_template_path(@page)
+      template_path = Jets::Names.api_resources_template_path(@page)
       template = Jets::Cfn::BuiltTemplate.get(template_path)
       template['Parameters'].keys.each do |p|
         case p

data/lib/jets/resource/child_stack/app_class.rb

@@ -125,7 +125,7 @@ module Jets::Resource::ChildStack
     end
 
     def current_app_class
-      templates_prefix = "#{Jets::Naming.template_path_prefix}-app-"
+      templates_prefix = "#{Jets::Names.template_path_prefix}-app-"
       @path.sub(templates_prefix, '')
         .sub(/\.yml$/,'')
         .gsub('-','/')

data/lib/jets/resource/child_stack/shared.rb

@@ -63,7 +63,7 @@ module Jets::Resource::ChildStack
     # IE: app/resource.rb => Resource
     # Returns Resource class object in the example
     def current_shared_class
-      templates_prefix = "#{Jets::Naming.template_path_prefix}-shared-"
+      templates_prefix = "#{Jets::Names.template_path_prefix}-shared-"
       @path.sub(templates_prefix, '')
         .sub(/\.yml$/,'')
         .gsub('-','/')

data/lib/jets/resource/iam/base_role_definition.rb

@@ -24,11 +24,6 @@ module Jets::Resource::Iam
         }
       }
 
-      definition[logical_id][:properties][:policies] = [
-        policy_name: "#{policy_name[0..127]}", # required, limited to 128-chars
-        policy_document: policy_document,
-      ] unless policy_document['Statement'].empty?
-
       unless managed_policy_arns.empty?
         definition[logical_id][:properties][:managed_policy_arns] = managed_policy_arns
       end

data/lib/jets/resource/iam/policy.rb

@@ -0,0 +1,31 @@
+module Jets::Resource::Iam
+  class Policy < Jets::Resource::Base
+    def initialize(role)
+      @role = role
+    end
+    delegate :policy_document, :policy_name, :role_logical_id, :replacements, to: :@role
+
+    def policy_logical_id
+      role_logical_id.sub(/role$/, "policy")
+    end
+
+    def definition
+      logical_id = policy_logical_id
+
+      # Do not assign pretty role_name because long controller names might hit the 64-char
+      # limit. Also, IAM roles are global, so assigning role names prevents cross region deploys.
+      definition = {
+        logical_id => {
+          type: "AWS::IAM::Policy",
+          properties: {
+            roles: [Ref: role_logical_id.camelize],
+            policy_name: "#{policy_name[0..127]}", # required, limited to 128-chars
+            policy_document: policy_document,
+          }
+        }
+      }
+
+      definition
+    end
+  end
+end