Lambda shortcuts should allow you to provide a complete IAM role

[rclark]

In many situations, it makes more sense to re-use an existing IAM role than it does to generate one for each Lambda function. The existing shortcuts do not provide any way to do this.

The shortcut should allow you to provide the ARN to a role that exists, or a CloudFormation intrinsic function that resolves to a role's ARN. The shortcut should confirm that the role has permissions to use the Lambda function's log group, which is also generated by the shortcut.

cc @k-mahoney @drboyer

[drboyer]

@rclark I want to try adding support this in a PR which also tackles #112 but I'd like to confirm what you intended by this statement:

The shortcut should confirm that the role has permissions to use the Lambda function's log group, which is also generated by the shortcut.

Do you want to modify the role passed to the shortcut (by adding a new policy, perhaps?) so as to ensure it has access to write to the log group? Or did you have something else in mind to purely validate that it has permission. The former is well-defined but will have side effects on the referenced resource, while I'm not really sure how to implement the latter.

[rclark]

Do you want to modify the role passed to the shortcut

Yes. Cloudfriend could add an inline-policy via https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html.