-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optional CodeDeploy IAM Roles #25
Optional CodeDeploy IAM Roles #25
Conversation
…nfiguration, in which case an IamRole for CodeDeploy will be referenced in the CloudFormation config instead of created
…mple of the policy used for codedeploy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot for your contribution! Please, check out the review and let me know if it makes sense to you
if(typeof deploymentSettings.codeDeployRole === "undefined") { | ||
Object.assign(codeDeployRole, this.buildCodeDeployRole()); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By shifting the role creation to the .buildFunctionResources()
function, you'd be creating as many roles as functions with deploymentSettings
, while we only need one. The codeDeployRole
configuration should be global, not per function, so you could place it in the custom
section of serverless.yml
:
custom:
deploymentSettings:
codeDeployRole: <...>
Actually, this section is already being used for setting defaults, although it is not documented (shame on me 😅 ). So, it would probably make sense to move the logic for generating the role back to the .addCanaryDeploymentResources()
function, and check if there's a role configured in .buildCodeDeployRole()
, returning an empty object it exists.
] | ||
} | ||
|
||
if (typeof codeDeployRole != 'undefined') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could be simplified with something like:
const role = codeDeployRole || lookupRole;
Object.assign(deploymentGroup.Properties, { SericeRoleArn: role });
…. dont create a role for every function
Still todo:
|
@davidgf I made your requested changes. Lemme know if that looks good |
@MrThomasWagner thanks a lot, it looks fine. I'd like to perform some tests, if everything is OK I'll merge it. Thanks! |
@davidgf Any idea of an ETA on a merge for this? |
@MrThomasWagner sorry for the delay! I've already merged it and published it to npm |
* Allow for a CodeDeploy role to be specified via deploymentSettings configuration, in which case an IamRole for CodeDeploy will be referenced in the CloudFormation config instead of created * Update the readme with the new configuration option and add in an example of the policy used for codedeploy * Move codeDeployRole creation into the 'globalresources' section - i.e. dont create a role for every function * Udpate readme to document codedeploy role * Minor tweaks
Hello, awesome plugin!
For security reasons, I cannot create IAM Roles using the same credentials that I have for my normal AWS workflow. So, I can't use the plugin as-is since it attempts to create an IAM role for CodeDeploy.
I've added a configuration parameter to
deploymentSettings
namedcodeDeployRole
. If it's given in theserverless.yml
with an arn as the value, the templates will not attempt to create a CodeDeploy role and instead reference the existing one.Lemme know what you think -
p.s. JS is not my primary language so please bear with me - I'd happily make changes if anything here doesn't follow your conventions.