Added glue permissions mirroring console behavior.

Author: bmatson

lib/deploy/stepFunctions/compileIamRole.js

@@ -91,6 +91,13 @@ function getBatchPermissions() {
   }];
 }
 
+function getGluePermissions() {
+  return [{
+    action: 'glue:StartJobRun,glue:GetJobRun,glue:GetJobRuns,glue:BatchStopJobRun',
+    resource: '*',
+  }];
+}
+
 function getEcsPermissions() {
   return [{
     action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks',
@@ -181,6 +188,10 @@ function getIamPermissions(serverless, taskStates) {
       case 'arn:aws:states:::batch:submitJob':
         return getBatchPermissions();
 
+      case 'arn:aws:states:::glue:startJobRun.sync':
+      case 'arn:aws:states:::glue:startJobRun':
+        return getGluePermissions();
+
       case 'arn:aws:states:::ecs:runTask.sync':
       case 'arn:aws:states:::ecs:runTask':
         return getEcsPermissions();

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -590,6 +590,46 @@ describe('#compileIamRole', () => {
     }]);
   });
 
+  it('should give glue permissions (too permissive, but mirrors console behaviour)', () => {
+    const genStateMachine = (name) => ({
+      name,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::glue:startJobRun',
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::glue:startJobRun.sync',
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('stateMachineBeta1'),
+        myStateMachine2: genStateMachine('stateMachineBeta2'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const gluePermissions = statements.filter(s =>
+      _.isEqual(s.Action,
+        ['glue:StartJobRun', 'glue:GetJobRun', 'glue:GetJobRuns', 'glue:BatchStopJobRun'])
+    );
+    expect(gluePermissions).to.have.lengthOf(1);
+    expect(gluePermissions[0].Resource).to.equal('*');
+  });
+
   it('should give ECS permissions (too permissive, but mirrors console behaviour)', () => {
     const genStateMachine = (name) => ({
       name,