fix: support IAM role deleteSchedule

geolffreym · geolffreym · commit ca79b798d4fc · 2024-10-07T09:06:18.000-06:00
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -72,7 +72,7 @@ function sqsQueueUrlToArn(serverless, queueUrl) {
 
 function getSqsPermissions(serverless, state) {
   if (_.has(state, 'Parameters.QueueUrl')
-      || _.has(state, ['Parameters', 'QueueUrl.$'])) {
+    || _.has(state, ['Parameters', 'QueueUrl.$'])) {
     // if queue URL is provided by input, then need pervasive permissions (i.e. '*')
     const queueArn = state.Parameters['QueueUrl.$']
       ? '*'
@@ -85,7 +85,7 @@ function getSqsPermissions(serverless, state) {
 
 function getSnsPermissions(serverless, state) {
   if (_.has(state, 'Parameters.TopicArn')
-      || _.has(state, ['Parameters', 'TopicArn.$'])) {
+    || _.has(state, ['Parameters', 'TopicArn.$'])) {
     // if topic ARN is provided by input, then need pervasive permissions
     const topicArn = state.Parameters['TopicArn.$'] ? '*' : state.Parameters.TopicArn;
     return [{ action: 'sns:Publish', resource: topicArn }];
@@ -561,13 +561,13 @@ function getEventBridgePermissions(state) {
   ];
 }
 
-function getEventBridgeSchedulerPermissions(state) {
+function getEventBridgeSchedulerPermissions(action, state) {
   const scheduleGroupName = state.Parameters.GroupName;
   const scheduleTargetRoleArn = state.Parameters.Target.RoleArn;
 
   return [
     {
-      action: 'scheduler:CreateSchedule',
+      action,
       resource: {
         'Fn::Sub': [
           'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/${scheduleGroupName}/*',
@@ -748,7 +748,9 @@ function getIamPermissions(taskStates) {
         return getEventBridgePermissions(state);
 
       case 'arn:aws:states:::aws-sdk:scheduler:createSchedule':
-        return getEventBridgeSchedulerPermissions(state);
+        return getEventBridgeSchedulerPermissions("scheduler:CreateSchedule", state);
+      case 'arn:aws:states:::aws-sdk:scheduler:deleteSchedule':
+        return getEventBridgeSchedulerPermissions("scheduler:DeleteSchedule", state);
 
       case 'arn:aws:states:::s3:getObject':
       case 'arn:aws:states:::aws-sdk:s3:getObject':
