diff --git a/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts b/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts index 11481498a42f9..ed607df8140b6 100644 --- a/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts +++ b/packages/@aws-cdk/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts @@ -132,6 +132,16 @@ export interface AwsCustomResourceProps { */ readonly policyStatements?: iam.PolicyStatement[]; + /** + * The execution role for the Lambda function implementing this custom + * resource provider. This role will apply to all `AwsCustomResource` + * instances in the stack. The role must be assumable by the + * `lambda.amazonaws.com` service principal. + * + * @default - a new role is created + */ + readonly role?: iam.IRole; + /** * The timeout for the Lambda function implementing this custom resource. * @@ -165,6 +175,7 @@ export class AwsCustomResource extends cdk.Construct implements iam.IGrantable { uuid: '679f53fa-c002-430c-b0da-5b7982bd2287', lambdaPurpose: 'AWS', timeout: props.timeout || cdk.Duration.seconds(30), + role: props.role, }); this.grantPrincipal = provider.grantPrincipal; diff --git a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource-provider.test.ts b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource-provider.test.ts index e3dfa2f56c264..4f4158f8c18fa 100644 --- a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource-provider.test.ts +++ b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource-provider.test.ts @@ -7,6 +7,8 @@ import { handler } from '../../lib/aws-custom-resource/runtime'; AWS.setSDK(require.resolve('aws-sdk')); +console.log = jest.fn(); // tslint:disable-line no-console + const eventCommon = { ServiceToken: 'token', ResponseURL: 'https://localhost', 
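Review bot: The doc comment on the new `role` prop in `AwsCustomResourceProps` says the role is shared by every `AwsCustomResource` in the stack, but not what the caller must already have granted on it. A supplied role presumably does not get the Lambda basic-execution policy that a generated role would, so logging fails without it; that should be confirmed against the Lambda construct. The comment also does not say whether the statements from `policyStatements` are still attached to a supplied role. I would add something like `* The role must allow writing to CloudWatch Logs; every SDK call made by any AwsCustomResource in the stack runs with this role's full permissions.` and one sentence on whether the construct adds policies to it.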
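Review bot: `role: props.role` is forwarded into a provider created with a fixed `uuid`, so if that provider is a per-stack singleton (the doc comment in the previous hunk implies it is), only the first `AwsCustomResource` constructed decides the execution role. A later instance that passes a different `role`, or none, would then be silently ignored and run under a role its author did not choose. That is easy to miss when a narrowly scoped role is expected. Consider throwing when a second instance supplies a role that differs from the one already bound, or document the first-wins behaviour on the prop. The constructor starts and ends outside this hunk, so the provider type is inferred.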
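Review bot: `console.log = jest.fn();` in `aws-custom-resource-provider.test.ts` overwrites the global for the whole file and never restores it, which also hides handler output when a test fails. The same line in `test/provider-framework/runtime.test.ts` has the same issue and omits the `tslint:disable-line no-console` marker used here. I would scope it with `beforeAll(() => { jest.spyOn(console, 'log').mockImplementation(() => undefined); });` and `afterAll(() => jest.restoreAllMocks());` in both files.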
diff --git a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource.test.ts b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource.test.ts index 21357fd652d25..a552dfc43fa90 100644 --- a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource.test.ts +++ b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/aws-custom-resource.test.ts @@ -283,4 +283,27 @@ test('implements IGrantable', () => { Version: '2012-10-17' } }); -}); \ No newline at end of file +}); + +test('can use existing role', () => { + // GIVEN + const stack = new cdk.Stack(); + const role = iam.Role.fromRoleArn(stack, 'Role', 'arn:aws:iam::123456789012:role/CoolRole'); + + // WHEN + new AwsCustomResource(stack, 'AwsSdk', { + onCreate: { + service: 'service', + action: 'action', + physicalResourceId: 'id' + }, + role + }); + + // THEN + expect(stack).toHaveResource('AWS::Lambda::Function', { + Role: 'arn:aws:iam::123456789012:role/CoolRole' + }); + + expect(stack).not.toHaveResource('AWS::IAM::Role'); +}); diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/runtime.test.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/runtime.test.ts index 9f25bb0ac815d..7fe760f24549d 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/runtime.test.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/runtime.test.ts @@ -6,6 +6,8 @@ import framework = require('../../lib/provider-framework/runtime/framework'); import outbound = require('../../lib/provider-framework/runtime/outbound'); import mocks = require('./mocks'); +console.log = jest.fn(); + cfnResponse.includeStackTraces = false; const MOCK_PHYSICAL_ID = 'mock-physical-resource-id';
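Review bot: The `can use existing role` test pins the function's `Role` ARN and the absence of an `AWS::IAM::Role`, but it does not say what happens to the permissions for the `service:action` call when the role is imported. Someone passing an externally managed role needs to know whether the stack attaches an `AWS::IAM::Policy` to `CoolRole`, so the test should assert that one way or the other, e.g. `expect(stack).toHaveResource('AWS::IAM::Policy', { Roles: ['CoolRole'] });` or its negation, whichever is intended. A second case with two `AwsCustomResource` instances passing different roles would also fix the expected behaviour for the shared provider.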