@mapbox/cloudfriend 7.3.0-5 → 7.3.0-8

package/lib/shortcuts/api.md

@@ -670,11 +670,12 @@ a Lambda permission.
 
 ### new ScheduledLambda(options)
 
-| Param | Type | Default | Description |
-| --- | --- | --- | --- |
-| options | <code>Object</code> |  | Extends the options for [`Lambda`](#lambda) with the following additional attributes: |
-| options.ScheduleExpression | <code>String</code> |  | See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html#cfn-events-rule-scheduleexpression). |
-| [options.State] | <code>String</code> | <code>&#x27;ENABLED&#x27;</code> | See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html#cfn-events-rule-state). |
+| Param | Type | Description |
+| --- | --- | --- |
+| options | <code>Object</code> | Extends the options for [`Lambda`](#lambda) with the following additional attributes: |
+| options.ScheduleExpression | <code>String</code> | See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html#cfn-events-rule-scheduleexpression). |
+| [options.ScheduleRoleArn] | <code>String</code> | If specified, the eventbride scheduler will use this role to invoke your lambda . _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._ See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-scheduler-schedule-target.html#cfn-scheduler-schedule-target-rolearn) |
+| [options.ScheduleGroupName] | <code>String</code> | See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-scheduler-schedule.html#cfn-scheduler-schedule-groupname). |
 
 **Example**  
 ```js
@@ -693,6 +694,36 @@ const lambda = new cf.shortcuts.ScheduledLambda({
 
 module.exports = cf.merge(myTemplate, lambda);
 ```
+**Example**  
+```js
+const cf = require('@mapbox/cloudfriend');
+
+const myTemplate = { ... };
+
+const role = new cf.shortcuts.ServiceRole({
+  LogicalName: 'MyRole',
+  Service: 'scheduler.amazonaws.com',
+  Statement: [
+    {
+      Effect: 'Allow',
+      Action: 'lambda:InvokeFunction',
+      Resource: 'arn:aws:lambda:us-east-1:012345678901:function:my-role-*'
+    }
+  ]
+});
+
+const lambda = new cf.shortcuts.ScheduledLambda({
+  LogicalName: 'MyLambda',
+  Code: {
+    S3Bucket: 'my-code-bucket',
+    S3Key: 'path/to/code.zip'
+  },
+  ScheduleRoleArn: cf.ref('MyRole'),
+  ScheduleExpression: 'rate(1 hour)',
+});
+
+module.exports = cf.merge(myTemplate, role, lambda);
+```
 <a name="ServiceRole"></a>
 
 ## ServiceRole

package/lib/shortcuts/scheduled-lambda.js

@@ -1,6 +1,8 @@
 'use strict';
 
 const Lambda = require('./lambda');
+const merge = require('../merge');
+const ServiceRole = require('./service-role');
 
 /**
  * A Lambda function that runs on in response to a CloudWatch Event. Includes
@@ -9,7 +11,9 @@ const Lambda = require('./lambda');
  *
  * @param {Object} options - Extends the options for [`Lambda`](#lambda) with the following additional attributes:
  * @param {String} options.ScheduleExpression - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html#cfn-events-rule-scheduleexpression).
- * @param {String} [options.State='ENABLED'] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-rule.html#cfn-events-rule-state).
+ * @param {String} [options.ScheduleRoleArn=undefined] If specified, the eventbride scheduler will use this role to invoke your lambda . _If this option is specified, do not use the Statement option; add the permissions you need to your Role directly._
+ * See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-scheduler-schedule-target.html#cfn-scheduler-schedule-target-rolearn)
+ * @param {String} [options.ScheduleGroupName=undefined] - See [AWS documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-scheduler-schedule.html#cfn-scheduler-schedule-groupname).
  *
  * @example
  * const cf = require('@mapbox/cloudfriend');
@@ -26,6 +30,35 @@ const Lambda = require('./lambda');
  * });
  *
  * module.exports = cf.merge(myTemplate, lambda);
+ *
+ * @example
+ * const cf = require('@mapbox/cloudfriend');
+ *
+ * const myTemplate = { ... };
+ *
+ * const role = new cf.shortcuts.ServiceRole({
+ *   LogicalName: 'MyRole',
+ *   Service: 'scheduler.amazonaws.com',
+ *   Statement: [
+ *     {
+ *       Effect: 'Allow',
+ *       Action: 'lambda:InvokeFunction',
+ *       Resource: 'arn:aws:lambda:us-east-1:012345678901:function:my-role-*'
+ *     }
+ *   ]
+ * });
+ *
+ * const lambda = new cf.shortcuts.ScheduledLambda({
+ *   LogicalName: 'MyLambda',
+ *   Code: {
+ *     S3Bucket: 'my-code-bucket',
+ *     S3Key: 'path/to/code.zip'
+ *   },
+ *   ScheduleRoleArn: cf.ref('MyRole'),
+ *   ScheduleExpression: 'rate(1 hour)',
+ * });
+ *
+ * module.exports = cf.merge(myTemplate, role, lambda);
  */
 class ScheduledLambda extends Lambda {
   constructor(options) {
@@ -34,6 +67,8 @@ class ScheduledLambda extends Lambda {
 
     const {
       ScheduleExpression,
+      ScheduleRoleArn,
+      ScheduleGroupName,
       State = 'ENABLED'
     } = options;
 
@@ -57,33 +92,38 @@ class ScheduledLambda extends Lambda {
         FlexibleTimeWindow: {
           Mode: 'OFF'
         },
-        Target: [
+        Target: {
+          Arn: {
+            'Fn::GetAtt': [this.LogicalName, 'Arn']
+          }
+        }
+      }
+    };
+
+    if (ScheduleGroupName) {
+      this.Resources[`${this.LogicalName}EventBridgeSchedule`].Properties.GroupName = ScheduleGroupName;
+    }
+
+    if (ScheduleRoleArn) {
+      this.Resources[`${this.LogicalName}EventBridgeSchedule`].Properties.Target.RoleArn = ScheduleRoleArn;
+    } else {
+      const serviceRole = new ServiceRole({
+        LogicalName: `${this.LogicalName}EventBridgeScheduleRole`,
+        Service: 'scheduler.amazonaws.com',
+        Condition: this.Condition,
+        Statement: [
           {
-            Id: this.FunctionName,
-            Arn: {
+            Effect: 'Allow',
+            Action: 'lambda:InvokeFunction',
+            Resource: {
               'Fn::GetAtt': [this.LogicalName, 'Arn']
             }
           }
         ]
-      }
-    };
-
-    this.Resources[`${this.LogicalName}Permission`] = {
-      Type: 'AWS::Lambda::Permission',
-      Condition: this.Condition,
-      Properties: {
-        Action: 'lambda:InvokeFunction',
-        FunctionName: {
-          'Fn::GetAtt': [this.LogicalName, 'Arn']
-        },
-        Principal: {
-          'Fn::Sub': 'events.${AWS::URLSuffix}'
-        },
-        SourceArn: {
-          'Fn::GetAtt': [`${this.LogicalName}EventBridgeSchedule`, 'Arn']
-        }
-      }
-    };
+      });
+      this.Resources[`${this.LogicalName}EventBridgeSchedule`].Properties.Target.RoleArn = { 'Fn::GetAtt': [`${this.LogicalName}EventBridgeScheduleRole`, 'Arn'] };
+      this.Resources = merge(this, serviceRole).Resources;
+    }
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mapbox/cloudfriend",
-  "version": "7.3.0-5",
+  "version": "7.3.0-8",
   "description": "Helper functions for assembling CloudFormation templates in JavaScript",
   "main": "index.js",
   "engines": {

package/test/fixtures/shortcuts/hookshot-github-secret-ref.json

@@ -28,7 +28,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -47,7 +47,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-github-secret-string.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-github.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough-access-log-format.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -52,7 +52,7 @@
         }
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough-alarms.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough-enhanced-logging.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough-full-blown-logging.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough-logging.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/hookshot-passthrough.json

@@ -24,7 +24,7 @@
       "Type": "AWS::ApiGateway::Stage",
       "Properties": {
         "DeploymentId": {
-          "Ref": "PassDeployment01229d54"
+          "Ref": "PassDeploymentd18750cb"
         },
         "StageName": "hookshot",
         "RestApiId": {
@@ -43,7 +43,7 @@
         ]
       }
     },
-    "PassDeployment01229d54": {
+    "PassDeploymentd18750cb": {
       "Type": "AWS::ApiGateway::Deployment",
       "DependsOn": "PassMethod",
       "Properties": {

package/test/fixtures/shortcuts/scheduled-lambda-defaults.json

@@ -128,7 +128,7 @@
         }
       }
     },
-    "MyLambdaSchedule": {
+    "MyLambdaEventBridgeSchedule": {
       "Type": "AWS::Scheduler::Schedule",
       "Properties": {
         "Name": {
@@ -149,40 +149,58 @@
         "FlexibleTimeWindow": {
           "Mode": "OFF"
         },
-        "Target": [
-          {
-            "Id": {
-              "Fn::Sub": "${AWS::StackName}-MyLambda"
-            },
-            "Arn": {
-              "Fn::GetAtt": [
-                "MyLambda",
-                "Arn"
-              ]
-            }
+        "Target": {
+          "Arn": {
+            "Fn::GetAtt": [
+              "MyLambda",
+              "Arn"
+            ]
+          },
+          "RoleArn": {
+            "Fn::GetAtt": [
+              "MyLambdaEventBridgeScheduleRole",
+              "Arn"
+            ]
           }
-        ]
+        }
       }
     },
-    "MyLambdaPermission": {
-      "Type": "AWS::Lambda::Permission",
+    "MyLambdaEventBridgeScheduleRole": {
+      "Type": "AWS::IAM::Role",
       "Properties": {
-        "Action": "lambda:InvokeFunction",
-        "FunctionName": {
-          "Fn::GetAtt": [
-            "MyLambda",
-            "Arn"
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "Service": {
+                  "Fn::Sub": "scheduler.${AWS::URLSuffix}"
+                }
+              }
+            }
           ]
         },
-        "Principal": {
-          "Fn::Sub": "events.${AWS::URLSuffix}"
-        },
-        "SourceArn": {
-          "Fn::GetAtt": [
-            "MyLambdaSchedule",
-            "Arn"
-          ]
-        }
+        "Policies": [
+          {
+            "PolicyName": "main",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": "lambda:InvokeFunction",
+                  "Resource": {
+                    "Fn::GetAtt": [
+                      "MyLambda",
+                      "Arn"
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        ]
       }
     }
   },

package/test/fixtures/shortcuts/scheduled-lambda-full.json

@@ -128,7 +128,7 @@
         }
       }
     },
-    "MyLambdaSchedule": {
+    "MyLambdaEventBridgeSchedule": {
       "Type": "AWS::Scheduler::Schedule",
       "Properties": {
         "Name": {
@@ -149,40 +149,59 @@
         "FlexibleTimeWindow": {
           "Mode": "OFF"
         },
-        "Target": [
-          {
-            "Id": {
-              "Fn::Sub": "${AWS::StackName}-MyLambda"
-            },
-            "Arn": {
-              "Fn::GetAtt": [
-                "MyLambda",
-                "Arn"
-              ]
-            }
+        "Target": {
+          "Arn": {
+            "Fn::GetAtt": [
+              "MyLambda",
+              "Arn"
+            ]
+          },
+          "RoleArn": {
+            "Fn::GetAtt": [
+              "MyLambdaEventBridgeScheduleRole",
+              "Arn"
+            ]
           }
-        ]
+        },
+        "GroupName": "my-cool-stack"
       }
     },
-    "MyLambdaPermission": {
-      "Type": "AWS::Lambda::Permission",
+    "MyLambdaEventBridgeScheduleRole": {
+      "Type": "AWS::IAM::Role",
       "Properties": {
-        "Action": "lambda:InvokeFunction",
-        "FunctionName": {
-          "Fn::GetAtt": [
-            "MyLambda",
-            "Arn"
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRole",
+              "Principal": {
+                "Service": {
+                  "Fn::Sub": "scheduler.${AWS::URLSuffix}"
+                }
+              }
+            }
           ]
         },
-        "Principal": {
-          "Fn::Sub": "events.${AWS::URLSuffix}"
-        },
-        "SourceArn": {
-          "Fn::GetAtt": [
-            "MyLambdaSchedule",
-            "Arn"
-          ]
-        }
+        "Policies": [
+          {
+            "PolicyName": "main",
+            "PolicyDocument": {
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": "lambda:InvokeFunction",
+                  "Resource": {
+                    "Fn::GetAtt": [
+                      "MyLambda",
+                      "Arn"
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        ]
       }
     }
   },

package/test/shortcuts.test.js

@@ -334,6 +334,8 @@ test('[shortcuts] scheduled-lambda', (assert) => {
       S3Bucket: 'my-code-bucket',
       S3Key: 'path/to/code.zip'
     },
+    ScheduledRoleArn: 'arn:aws:iam::012345678901:role/MyCoolRole',
+    ScheduleGroupName: 'my-cool-stack',
     ScheduleExpression: 'rate(1 hour)',
     State: 'DISABLED'
   });