Optional CodeDeploy IAM Roles #25
Conversation
…nfiguration, in which case an IamRole for CodeDeploy will be referenced in the CloudFormation config instead of created
…mple of the policy used for codedeploy
| if(typeof deploymentSettings.codeDeployRole === "undefined") { | ||
| Object.assign(codeDeployRole, this.buildCodeDeployRole()); | ||
| } | ||
|
|
There was a problem hiding this comment.
By shifting the role creation to the .buildFunctionResources() function, you'd be creating as many roles as functions with deploymentSettings, while we only need one. The codeDeployRole configuration should be global, not per function, so you could place it in the custom section of serverless.yml:
custom:
deploymentSettings:
codeDeployRole: <...>Actually, this section is already being used for setting defaults, although it is not documented (shame on me 😅 ). So, it would probably make sense to move the logic for generating the role back to the .addCanaryDeploymentResources() function, and check if there's a role configured in .buildCodeDeployRole(), returning an empty object it exists.
| ] | ||
| } | ||
|
|
||
| if (typeof codeDeployRole != 'undefined') { |
There was a problem hiding this comment.
This could be simplified with something like:
const role = codeDeployRole || lookupRole;
Object.assign(deploymentGroup.Properties, { SericeRoleArn: role });…. dont create a role for every function
|
Still todo:
|
|
@davidgf I made your requested changes. Lemme know if that looks good |
|
@MrThomasWagner thanks a lot, it looks fine. I'd like to perform some tests, if everything is OK I'll merge it. Thanks! |
|
@davidgf Any idea of an ETA on a merge for this? |
|
@MrThomasWagner sorry for the delay! I've already merged it and published it to npm |
* Allow for a CodeDeploy role to be specified via deploymentSettings configuration, in which case an IamRole for CodeDeploy will be referenced in the CloudFormation config instead of created * Update the readme with the new configuration option and add in an example of the policy used for codedeploy * Move codeDeployRole creation into the 'globalresources' section - i.e. dont create a role for every function * Udpate readme to document codedeploy role * Minor tweaks
Hello, awesome plugin!
For security reasons, I cannot create IAM Roles using the same credentials that I have for my normal AWS workflow. So, I can't use the plugin as-is since it attempts to create an IAM role for CodeDeploy.
I've added a configuration parameter to
deploymentSettingsnamedcodeDeployRole. If it's given in theserverless.ymlwith an arn as the value, the templates will not attempt to create a CodeDeploy role and instead reference the existing one.Lemme know what you think -
p.s. JS is not my primary language so please bear with me - I'd happily make changes if anything here doesn't follow your conventions.