feat: add put events policy if eventbridge task is used by machine

fix #432

Author: Victor Korzunin

lib/deploy/stepFunctions/compileIamRole.js

@@ -315,6 +315,26 @@ function getSageMakerPermissions(state) {
   ];
 }
 
+function getEventBridgePermissions(state) {
+  const eventBuses = new Set();
+
+  for (const entry of state.Parameters.Entries) {
+    eventBuses.add(entry.EventBusName || 'default');
+  }
+
+  return [
+    {
+      action: 'events:PutEvents',
+      resource: [...eventBuses].map(eventBus => ({
+        'Fn::Sub': [
+          'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
+          { eventBus },
+        ],
+      })),
+    },
+  ];
+}
+
 // if there are multiple permissions with the same action, then collapsed them into one
 // permission instead, and collect the resources into an array
 function consolidatePermissionsByAction(permissions) {
@@ -402,6 +422,10 @@ function getIamPermissions(taskStates) {
       case 'arn:aws:states:::sagemaker:createTransformJob.sync':
         return getSageMakerPermissions(state);
 
+      case 'arn:aws:states:::events:putEvents':
+      case 'arn:aws:states:::events:putEvents.waitForTaskToken':
+        return getEventBridgePermissions(state);
+
       default:
         if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
           const trimmedArn = trimAliasFromLambdaArn(state.Resource);

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -2107,4 +2107,104 @@ describe('#compileIamRole', () => {
       ],
     }]);
   });
+
+  it('should give event bridge putEvents permissions', () => {
+    const genStateMachine = id => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::events:putEvents',
+            Parameters: {
+              Entries: [{
+                Source: 'source',
+                DetailType: 'DetailType',
+              }],
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['events:PutEvents']));
+    expect(eventPermissions).to.has.lengthOf(1);
+    expect(eventPermissions[0].Resource).to.deep.eq([{
+      'Fn::Sub': [
+        'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
+        { eventBus: 'default' },
+      ],
+    }]);
+  });
+
+  it('should give event bridge putEvents multiple permissions', () => {
+    const genStateMachine = id => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::events:putEvents',
+            Parameters: {
+              Entries: [
+                {
+                  Source: 'source',
+                  DetailType: 'DetailType',
+                  EventBusName: 'default',
+                },
+                {
+                  Source: 'source',
+                  DetailType: 'DetailType',
+                  EventBusName: 'custom',
+                },
+              ],
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['events:PutEvents']));
+    expect(eventPermissions[0].Resource).to.has.lengthOf(2);
+    expect(eventPermissions[0].Resource).to.deep.eq([
+      {
+        'Fn::Sub': [
+          'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
+          { eventBus: 'default' },
+        ],
+      },
+      {
+        'Fn::Sub': [
+          'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/${eventBus}',
+          { eventBus: 'custom' },
+        ],
+      },
+    ]);
+  });
 });