This repository was archived by the owner on Feb 10, 2021. It is now read-only.
feature: Add ability to specify IAM role #4
Open
ShaunEdiger wants to merge 1 commit into Financial-Times:master from
… to assume instead of depending on the one generated by Serverless Framework - Remove a dangling comma
Steps to reproduce
role property (of each lambda function)
serverless-plugin-healthcheck
Expected Result
I would like to specify the IAM role used by the generated healthcheck lambda function.
Actual Result
I can't specify the IAM role used by the generated healthcheck lambda function because it's not exposed by the plugin. A new IAM role appears in the CloudFormation stack. I can add statements via Serverless Framework's iamRoleStatements feature, but that isn't the same as specifying a role by its id.
Why is this a problem?
Each lambda function or classes of lambda functions may have their own IAM role that fulfills unique security requirements. I might not want to fall back to the IAM role generated by Serverless Framework, and I might not want it to be shared with other lambda functions.
Workaround
Allow Serverless Framework to generate the default IAM role and customize it somewhat by adding statements to it using iamRoleStatements. This only works assuming all other declared lambda functions already have roles, that is to say that the default IAM policy isn't already in use, or by assuming that it's acceptable for different classes of lambda functions to share the same IAM role.
What's going on
If Serverless Framework detects that all lambda functions have an IAM role assigned, it won't take action. If it detects functions without roles, it will create a role for the role-less lambda functions to use (and share if there are multiple role-less lambda functions). In our specific case, the lambda function generated by the plugin has no IAM role and will be treated just like any other lambda function without an IAM role.
What this pull request does
Exposes an option to specify the IAM role used for the healthcheck lambda function, including documentation.
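The fallback behaviour described under "What's going on", modelled as an audit check. This is an added example, not code from this pull request, the plugin or Serverless Framework. The helper name `auditDefaultRoleUse`, the generated function name `healthcheck` and all role names are assumptions, and the config object is a constructed stand-in for a parsed serverless.yml.

```javascript
// Reports which functions would share the framework-generated default IAM role.
// `config` mirrors a parsed serverless.yml; `generatedFunctions` lists functions
// that a plugin injects at package time (hypothetical shape: { name, role }).
function auditDefaultRoleUse(config, generatedFunctions = []) {
  const provider = config.provider || {};
  const declared = Object.entries(config.functions || {});
  const generated = generatedFunctions.map((f) => [f.name, { role: f.role }]);
  const all = declared.concat(generated);

  // A provider-level `role` covers every function without its own role,
  // so the framework does not generate a default role in that case.
  if (provider.role) {
    return { defaultRoleCreated: false, sharedBy: [], sharedStatements: 0 };
  }

  // Every role-less function lands on the same generated role and therefore
  // receives every statement listed in provider.iamRoleStatements.
  const roleless = all.filter(([, fn]) => !fn.role).map(([name]) => name);
  const statements = provider.iamRoleStatements || [];
  return {
    defaultRoleCreated: roleless.length > 0,
    sharedBy: roleless,
    sharedStatements: roleless.length > 0 ? statements.length : 0,
  };
}

// Constructed sample: every declared function already has its own role.
const sample = {
  provider: {
    iamRoleStatements: [
      { Effect: 'Allow', Action: ['dynamodb:GetItem'], Resource: '*' },
    ],
  },
  functions: {
    api: { handler: 'api.handler', role: 'apiRole' },
    worker: { handler: 'worker.handler', role: 'workerRole' },
  },
};

// Generated healthcheck function without a role: a default role appears in the stack.
console.log(auditDefaultRoleUse(sample, [{ name: 'healthcheck' }]));
// Same function with an explicit role: no default role is needed.
console.log(auditDefaultRoleUse(sample, [{ name: 'healthcheck', role: 'healthcheckRole' }]));
```

A non-empty `sharedBy` list that includes the generated function is the situation this pull request's option is meant to avoid.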