Lambda/Role changes

[drboyer]

What's this PR?

• Explicitly sets the Version in policies in all Roles this library generates (Closes Role shortcuts should set the policy version in the generated policy #112)
  • Switches the Lambda shortcut to use the ServiceRole shortcut, so it automatically picks up the above shortcut
• Adds a new RoleArn parameter to Lambda shortcuts, enabling users to pass an existing role instead of always creating a new one (Closes Lambda shortcuts should allow you to provide a complete IAM role #103)
• Switches test reporting to tap-spec because I like how it shows me exactly what failed at the bottom of my test runs 😎

What's left?

I left a question in #103 about some advanced functionality @rclark originally suggested. We should probably come to a conclusion on that before merging this.

About this review

• Are my new/updated comments logical?
• Sorry for all the fixture updates - this change reordered templates which meant lots of fixture updates (and meant I made use of the UPDATE environment variable)

[rclark]

I think that when RoleARN is set

• Statement should be disallowed to prevent confusion
• We should add an AWS::IAM::Policy to the specified RoleARN to be absolutely sure that it has permission to access the log group.

[drboyer]

I've updated this PR to attach a new LogPolicy to all Lambdas, per discussion. Based on that I had to re-jigger some configuration in the Stream and Queue lambdas, but hopefully the change makes sense.

I'll give this a try in a PR where I'd like to provide my own role, but in the meantime, putting this back up for review.

[rclark]

Nervous here because it looks like this might mismatch role names (Ref value for a role) with role arns (per the variable name).

Do you know whether this CloudFormation property accepts name or arn or either?

[drboyer]

yeah that makes me a little nervous too - I need to test it. The docs note that the name of the role should be used, but I know sometimes you can mix and match them alright. Will report back.

[drboyer]

So it turns out you do need to provide just the role name with these policies - you'll get an error if you provide the full ARN. But the Lambda Function resource requires the full ARN 😭

As a result, I added some logic to handle this. It's now working in my test repository.

[rclark]

Thanks for sorting this out!