update iam role implementaion

horike37 · horike37 · commit 60abf53ea483 · 2016-12-30T22:31:23.000+09:00
diff --git a/lib/deploy.js b/lib/deploy.js
@@ -7,6 +7,7 @@ module.exports = {
   deploy() {
     this.awsStateLanguage = {};
     this.functionArns = {};
+    const region = this.options.region || 'us-east-1';
 
     this.iamPolicyStatement = `{
       "Version": "2012-10-17",
@@ -22,6 +23,23 @@ module.exports = {
     }
     `;
 
+    this.assumeRolePolicyDocument = `{
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "states.${region}.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+   `;
+
+    this.iamRoleName = `serverless-step-functions-executerole-${region}`;
+    this.iamPolicyName = `serverless-step-functions-executepolicy-${region}`;
+
     this.serverless.cli.log(`Start to deploy ${this.options.state} step function...`);
     BbPromise.bind(this)
     .then(this.yamlParse)
@@ -39,7 +57,7 @@ module.exports = {
     return this.provider.request('IAM',
       'getRole',
       {
-        RoleName: 'StatesExecutionRole-us-east-1',
+        RoleName: this.iamRoleName,
       },
       this.options.stage,
       this.options.region)
@@ -74,15 +92,33 @@ module.exports = {
     return this.provider.request('IAM',
       'createRole',
       {
-        AssumeRolePolicyDocument: this.iamPolicyStatement,
+        AssumeRolePolicyDocument: this.assumeRolePolicyDocument,
         RoleName: this.iamRoleName,
       },
       this.options.stage,
       this.options.region)
     .then((result) => {
       this.iamRoleArn = result.Role.Arn;
-      return BbPromise.resolve();
-    });
+      return this.provider.request('IAM',
+        'createPolicy',
+        {
+          PolicyDocument: this.iamPolicyStatement,
+          PolicyName: this.iamPolicyName,
+        },
+        this.options.stage,
+        this.options.region)
+    })
+    .then((result) => {
+      return this.provider.request('IAM',
+        'attachRolePolicy',
+        {
+          PolicyArn: result.Policy.Arn,
+          RoleName: this.iamRoleName,
+        },
+        this.options.stage,
+        this.options.region)
+    })
+    .then(() => BbPromise.resolve());
   },
 
   getStateMachineArn() {
