aws · ShreyaGangishetty · Dec 20, 2019 · Dec 9, 2019 · Dec 9, 2019 · Dec 10, 2019
@@ -61,24 +61,14 @@ Resources:
           Handler: index.handler
           Timeout: 5
           # More info at https://github.com/awslabs/serverless-application-model/blob/master/docs/safe_lambda_deployments.rst
-          AutoPublishAlias: live 
-
-    LambdaEdgeFunctionRole:
-      Type: "AWS::IAM::Role"
-      Properties:
-          Path: "/"
-          ManagedPolicyArns:
-              - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+          AutoPublishAlias: live
           AssumeRolePolicyDocument:
             Version: "2012-10-17"
             Statement:
-              -
-                Sid: "AllowLambdaServiceToAssumeRole"
-                Effect: "Allow"
-                Action: 
-                  - "sts:AssumeRole"
+              - Effect: "Allow"
+                Action: "sts:AssumeRole"
                 Principal:
-                  Service: 
+                  Service:
                     - "lambda.amazonaws.com"
                     - "edgelambda.amazonaws.com"
 

@@ -44,6 +44,7 @@ class SamFunction(SamResourceMacro):
         'Timeout': PropertyType(False, is_type(int)),
         'VpcConfig': PropertyType(False, is_type(dict)),
         'Role': PropertyType(False, is_str()),
+        'AssumeRolePolicyDocument': PropertyType(False, is_type(dict)),
         'Policies': PropertyType(False, one_of(is_str(), list_of(one_of(is_str(), is_type(dict), is_type(dict))))),
         'PermissionsBoundary': PropertyType(False, is_str()),
         'Environment': PropertyType(False, dict_of(is_str(), is_type(dict))),
@@ -201,7 +202,11 @@ def _construct_role(self, managed_policy_map):
         :rtype: model.iam.IAMRole
         """
         execution_role = IAMRole(self.logical_id + 'Role', attributes=self.get_passthrough_resource_attributes())
-        execution_role.AssumeRolePolicyDocument = IAMRolePolicies.lambda_assume_role_policy()
+
+        if self.AssumeRolePolicyDocument is not None:
+            execution_role.AssumeRolePolicyDocument = self.AssumeRolePolicyDocument
+        else:
+            execution_role.AssumeRolePolicyDocument = IAMRolePolicies.lambda_assume_role_policy()
 
         managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn('service-role/AWSLambdaBasicExecutionRole')]
         if self.Tracing:

@@ -37,7 +37,8 @@ class Globals(object):
             "DeploymentPreference",
             "PermissionsBoundary",
             "ReservedConcurrentExecutions",
-            "ProvisionedConcurrencyConfig"
+            "ProvisionedConcurrencyConfig",
+            "AssumeRolePolicyDocument"
         ],
 
         # Everything except

@@ -8,6 +8,7 @@
 from samtranslator.model.apigateway import ApiGatewayRestApi
 from samtranslator.model.apigateway import ApiGatewayDeployment
 from samtranslator.model.apigateway import ApiGatewayStage
+from samtranslator.model.iam import IAMRole
 from samtranslator.model.sam_resources import SamFunction
 from samtranslator.model.sam_resources import SamApi
 
@@ -53,6 +54,70 @@ def test_with_no_code_uri_or_zipfile(self):
         with pytest.raises(InvalidResourceException):
             function.to_cloudformation(**self.kwargs)
 
+class TestAssumeRolePolicyDocument(TestCase):
+    kwargs = {
+        'intrinsics_resolver': IntrinsicsResolver({}),
+        'event_resources': [],
+        'managed_policy_map': {
+            "foo": "bar"
+        }
+    }
+
+    @patch('boto3.session.Session.region_name', 'ap-southeast-1')
+    def test_with_assume_role_policy_document(self):
+        function = SamFunction("foo")
+        function.CodeUri = "s3://foobar/foo.zip"
+
+        assume_role_policy_document = {
+          'Version': '2012-10-17',
+          'Statement': [
+            {
+              'Action': [
+                'sts:AssumeRole'
+              ],
+              'Effect': 'Allow',
+              'Principal': {
+                'Service': [
+                  'lambda.amazonaws.com',
+                  'edgelambda.amazonaws.com'
+                ]
+              }
+            }
+          ]
+        }
+
+        function.AssumeRolePolicyDocument = assume_role_policy_document
+
+        cfnResources = function.to_cloudformation(**self.kwargs)
+        generateFunctionVersion = [x for x in cfnResources if isinstance(x, IAMRole)]
+        self.assertEqual(generateFunctionVersion[0].AssumeRolePolicyDocument, assume_role_policy_document)
+
+    @patch('boto3.session.Session.region_name', 'ap-southeast-1')
+    def test_without_assume_role_policy_document(self):
+        function = SamFunction("foo")
+        function.CodeUri = "s3://foobar/foo.zip"
+
+        assume_role_policy_document = {
+          'Version': '2012-10-17',
+          'Statement': [
+            {
+              'Action': [
+                'sts:AssumeRole'
+              ],
+              'Effect': 'Allow',
+              'Principal': {
+                'Service': [
+                  'lambda.amazonaws.com'
+                ]
+              }
+            }
+          ]
+        }
+
+        cfnResources = function.to_cloudformation(**self.kwargs)
+        generateFunctionVersion = [x for x in cfnResources if isinstance(x, IAMRole)]
+        self.assertEqual(generateFunctionVersion[0].AssumeRolePolicyDocument, assume_role_policy_document)
+
 class TestVersionDescription(TestCase):
     kwargs = {
         'intrinsics_resolver': IntrinsicsResolver({}),

@@ -4,5 +4,5 @@
       "errorMessage": "'Globals' section is invalid. 'SomeKey' is not a supported property of 'Function'. Must be one of the following values - ['Handler', 'Runtime', 'CodeUri', 'DeadLetterQueue', 'Description', 'MemorySize', 'Timeout', 'VpcConfig', 'Environment', 'Tags', 'Tracing', 'KmsKeyArn', 'AutoPublishAlias', 'Layers', 'DeploymentPreference', 'PermissionsBoundary', 'ReservedConcurrentExecutions', 'ProvisionedConcurrencyConfig']"
     }
   ],
-  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. 'Globals' section is invalid. 'SomeKey' is not a supported property of 'Function'. Must be one of the following values - ['Handler', 'Runtime', 'CodeUri', 'DeadLetterQueue', 'Description', 'MemorySize', 'Timeout', 'VpcConfig', 'Environment', 'Tags', 'Tracing', 'KmsKeyArn', 'AutoPublishAlias', 'Layers', 'DeploymentPreference', 'PermissionsBoundary', 'ReservedConcurrentExecutions', 'ProvisionedConcurrencyConfig']"
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. 'Globals' section is invalid. 'SomeKey' is not a supported property of 'Function'. Must be one of the following values - ['Handler', 'Runtime', 'CodeUri', 'DeadLetterQueue', 'Description', 'MemorySize', 'Timeout', 'VpcConfig', 'Environment', 'Tags', 'Tracing', 'KmsKeyArn', 'AutoPublishAlias', 'Layers', 'DeploymentPreference', 'PermissionsBoundary', 'ReservedConcurrentExecutions', 'ProvisionedConcurrencyConfig', 'AssumeRolePolicyDocument']"
 }
@@ -117,6 +117,7 @@ Description | `string` | Description of the function.
 MemorySize | `integer` | Size of the memory allocated per invocation of the function in MB. Defaults to 128.
 Timeout | `integer` | Maximum time that the function can run before it is killed in seconds. Defaults to 3.
 Role | `string` | ARN of an IAM role to use as this function's execution role. If omitted, a default role is created for this function.
+AssumeRolePolicyDocument | [IAM policy document object](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) | AssumeRolePolicyDocument of the default created role for this function.
 Policies | `string` <span>&#124;</span> List of `string` <span>&#124;</span> [IAM policy document object](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) <span>&#124;</span> List of [IAM policy document object](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) <span>&#124;</span> List of [SAM Policy Templates](../docs/policy_templates.rst) | Names of AWS managed IAM policies or IAM policy documents or SAM Policy Templates that this function needs, which should be appended to the default role for this function. If the Role property is set, this property has no meaning.
 PermissionsBoundary | `string` | ARN of a permissions boundary to use for this function's execution role.
 Environment | [Function environment object](#environment-object) | Configuration for the runtime environment.