API Gateway Dependent on Role Creation

[Tybot204]

Hey all, I am attempting to create a Serverless config that creates a role as an additional resource, and then uses that role name in the resource policy for the API Gateway. I've run into a few issues and am not sure if this is not possible or if I just don't know the right syntax for adapting this config to Serverless.

Here is an except from my config:

provider:
  apiGateway:
    resourcePolicy:
      - Effect: Allow
        Principal:
          AWS: arn:aws:sts::{aws:accountId}:assumed-role/my-custom-role-${opt:stage, "staging"}/role
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*

# Other function config here...

resources:
  Resources:
    MyCustomRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: my-custom-role-${opt:stage, "staging"}
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                AWS: ${env:MY_ROLE_ARN}
              Action: sts:AssumeRole
              Condition:
                StringEquals:
                  sts:ExternalId: ${env:MY_EXTERNAL_ID}

I originally tried to use the return value from MyCustomRole and Fn::GetAtt, but I found roles do not return their name. Since I generate the role name by a pattern using the current stage, I next tried the above config. The issue I run into is the API Gateway attempts to set it's resource policy before the role is created, causing an error as the resource policy checks the role ARN actually exists first.

Is there a way I can utilize DependsOn or some other setup here to ensure my role is created before the API gateway resource policy is updated?

[Tybot204]

I think I may have found a solution after posting. I tried using a direct Ref for MyCustomRole and it appears to return the name that I'm looking for, and now creates a dependency in Cloudformation since that role must return it's ref first:

provider:
  apiGateway:
    resourcePolicy:
      - Effect: Allow
        Principal:
          AWS:
            - Fn::Join:
              - "/"
              - - arn:aws:sts::${aws:accountId}:assumed-role
                - Ref: MyCustomRole
                - role
        Action: execute-api:Invoke
        Resource:
          - execute-api:/*/*/*

# Other function config here...

resources:
  Resources:
    MyCustomRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: my-custom-role-${opt:stage, "staging"}
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                AWS: ${env:MY_ROLE_ARN}
              Action: sts:AssumeRole
              Condition:
                StringEquals:
                  sts:ExternalId: ${env:MY_EXTERNAL_ID}

[Tybot204]

The above solution has been tested now and appears to be what I need! There isn't an explicit DependsOn clause generated in the CloudFormation config, but I no longer see the error as the role is always created first now.