diff --git a/lib/plugins/aws/package/compile/events/lib/ensureApiGatewayCloudWatchRole.js b/lib/plugins/aws/package/compile/events/lib/ensureApiGatewayCloudWatchRole.js index b00291005..6f3e7665d 100644 --- a/lib/plugins/aws/package/compile/events/lib/ensureApiGatewayCloudWatchRole.js +++ b/lib/plugins/aws/package/compile/events/lib/ensureApiGatewayCloudWatchRole.js @@ -4,54 +4,56 @@ const { memoize } = require('lodash'); const BbPromise = require('bluebird'); const { addCustomResourceToService } = require('../../../../customResources'); -module.exports = memoize(provider => { - const cfTemplate = provider.serverless.service.provider.compiledCloudFormationTemplate; - const logicalId = provider.naming.getApiGatewayAccountCloudWatchRoleResourceLogicalId(); - const customResourceLogicalId = provider.naming.getCustomResourceApiGatewayAccountCloudWatchRoleResourceLogicalId(); - const customResourceFunctionLogicalId = provider.naming.getCustomResourceApiGatewayAccountCloudWatchRoleHandlerFunctionLogicalId(); +module.exports = memoize(provider => + BbPromise.try(() => { + const cfTemplate = provider.serverless.service.provider.compiledCloudFormationTemplate; + const logicalId = provider.naming.getApiGatewayAccountCloudWatchRoleResourceLogicalId(); + const customResourceLogicalId = provider.naming.getCustomResourceApiGatewayAccountCloudWatchRoleResourceLogicalId(); + const customResourceFunctionLogicalId = provider.naming.getCustomResourceApiGatewayAccountCloudWatchRoleHandlerFunctionLogicalId(); - // There may be a specific role ARN provided in the configuration - const config = provider.serverless.service.provider; - const restApi = config.logs && config.logs.restApi; - const configuredRoleArn = restApi && restApi.role; + // There may be a specific role ARN provided in the configuration + const config = provider.serverless.service.provider; + const restApi = config.logs && config.logs.restApi; + const configuredRoleArn = restApi && restApi.role; - if (configuredRoleArn) { - cfTemplate.Resources[logicalId] = { - Type: 'AWS::ApiGateway::Account', + if (configuredRoleArn) { + cfTemplate.Resources[logicalId] = { + Type: 'AWS::ApiGateway::Account', + Properties: { + CloudWatchRoleArn: configuredRoleArn, + }, + }; + return cfTemplate; + } + + cfTemplate.Resources[customResourceLogicalId] = { + Type: 'Custom::ApiGatewayAccountRole', + Version: 1.0, Properties: { - CloudWatchRoleArn: configuredRoleArn, + ServiceToken: { + 'Fn::GetAtt': [customResourceFunctionLogicalId, 'Arn'], + }, }, }; - return BbPromise.resolve(cfTemplate); - } - cfTemplate.Resources[customResourceLogicalId] = { - Type: 'Custom::ApiGatewayAccountRole', - Version: 1.0, - Properties: { - ServiceToken: { - 'Fn::GetAtt': [customResourceFunctionLogicalId, 'Arn'], + return addCustomResourceToService(provider, 'apiGatewayCloudWatchRole', [ + { + Effect: 'Allow', + Resource: { + 'Fn::Join': [':', ['arn:aws:iam:', { Ref: 'AWS::AccountId' }, 'role/*']], + }, + Action: [ + 'iam:AttachRolePolicy', + 'iam:CreateRole', + 'iam:ListAttachedRolePolicies', + 'iam:PassRole', + ], }, - }, - }; - - return addCustomResourceToService(provider, 'apiGatewayCloudWatchRole', [ - { - Effect: 'Allow', - Resource: { - 'Fn::Join': [':', ['arn:aws:iam:', { Ref: 'AWS::AccountId' }, 'role/*']], + { + Effect: 'Allow', + Resource: 'arn:aws:apigateway:*::/account', + Action: ['apigateway:GET', 'apigateway:PATCH'], }, - Action: [ - 'iam:AttachRolePolicy', - 'iam:CreateRole', - 'iam:ListAttachedRolePolicies', - 'iam:PassRole', - ], - }, - { - Effect: 'Allow', - Resource: 'arn:aws:apigateway:*::/account', - Action: ['apigateway:GET', 'apigateway:PATCH'], - }, - ]); -}); + ]); + }) +);