From 3d44c3d453d0e0ef48ccc9aea25efc87005bdd10 Mon Sep 17 00:00:00 2001 From: Bill Matson Date: Tue, 12 Mar 2019 18:05:17 -0400 Subject: [PATCH] Added glue permissions mirroring console behavior. --- lib/deploy/stepFunctions/compileIamRole.js | 11 +++++ .../stepFunctions/compileIamRole.test.js | 40 +++++++++++++++++++ 2 files changed, 51 insertions(+)
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index 51619ec3..691a947c 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -91,6 +91,13 @@ function getBatchPermissions() {
 }];
 }
 
+function getGluePermissions() {
+ return [{
+ action: 'glue:StartJobRun,glue:GetJobRun,glue:GetJobRuns,glue:BatchStopJobRun',
+ resource: '*',
+ }];
+}
+
 function getEcsPermissions() {
 return [{
 action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks',
@@ -181,6 +188,10 @@ function getIamPermissions(serverless, taskStates) {
 case 'arn:aws:states:::batch:submitJob':
 return getBatchPermissions();
 
+ case 'arn:aws:states:::glue:startJobRun.sync':
+ case 'arn:aws:states:::glue:startJobRun':
+ return getGluePermissions();
+
 case 'arn:aws:states:::ecs:runTask.sync':
 case 'arn:aws:states:::ecs:runTask':
 return getEcsPermissions();
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
index 7e0a5f40..6a71cc0c 100644
--- a/lib/deploy/stepFunctions/compileIamRole.test.js
+++ b/lib/deploy/stepFunctions/compileIamRole.test.js
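Review bot: `resource: '*'` in getGluePermissions lets the state-machine execution role start, poll and stop every Glue job in the account, not only the jobs the state machine definition targets, and nothing in the hunk records that this is deliberate. getIamPermissions already receives `taskStates`, so when a Task's Glue parameters name the job with a literal string (I believe the integration takes a `JobName` parameter — confirm against the Glue/Step Functions docs) the statement could be scoped to that job's ARN and fall back to `'*'` only when the name is dynamic; getEcsPermissions and getBatchPermissions take the same shortcut, so this is consistent with the file rather than a regression. At minimum the trade-off should be written down above the function: `// Glue jobs are only known by name at deploy time; this mirrors the console-generated role and is wider than strictly needed.` getEcsPermissions and getIamPermissions both continue past the end of their hunks.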
@@ -590,6 +590,46 @@ describe('#compileIamRole', () => {
 }]);
 });
 
+ it('should give glue permissions (too permissive, but mirrors console behaviour)', () => {
+ const genStateMachine = (name) => ({
+ name,
+ definition: {
+ StartAt: 'A',
+ States: {
+ A: {
+ Type: 'Task',
+ Resource: 'arn:aws:states:::glue:startJobRun',
+ Next: 'B',
+ },
+ B: {
+ Type: 'Task',
+ Resource: 'arn:aws:states:::glue:startJobRun.sync',
+ End: true,
+ },
+ },
+ },
+ });
+
+ serverless.service.stepFunctions = {
+ stateMachines: {
+ myStateMachine1: genStateMachine('stateMachineBeta1'),
+ myStateMachine2: genStateMachine('stateMachineBeta2'),
+ },
+ };
+
+ serverlessStepFunctions.compileIamRole();
+ const statements = serverlessStepFunctions.serverless.service
+ .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+ .Properties.Policies[0].PolicyDocument.Statement;
+
+ const gluePermissions = statements.filter(s =>
+ _.isEqual(s.Action,
+ ['glue:StartJobRun', 'glue:GetJobRun', 'glue:GetJobRuns', 'glue:BatchStopJobRun'])
+ );
+ expect(gluePermissions).to.have.lengthOf(1);
+ expect(gluePermissions[0].Resource).to.equal('*');
+ });
+
 it('should give ECS permissions (too permissive, but mirrors console behaviour)', () => {
 const genStateMachine = (name) => ({
 name,
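Review bot: `expect(gluePermissions[0].Resource).to.equal('*')` pins the over-broad grant that the test title itself calls too permissive, so a later change that scopes the statement to the Glue job ARN will break this test rather than a deliberately lax one. Either drop that assertion or mark it with `// TODO: replace with a job-ARN check once Glue permissions are scoped per task` so the intent is clear; asserting `lengthOf(1)` across two state machines with the same tasks is the useful part, since it shows the statement is emitted once rather than per state machine. The test also depends on `_` and `expect`, which are presumably imported at the top of the file outside this hunk.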