Misc: documentation updates + bugfixes #36

ryan-roemer · 2019-12-01T06:03:02Z

Work

Add warning have to re-initialize terraform when switching stages. Documentation updates #35
Add notes and warnings about aws-vault + IAM + MFA stuff. Adds note about Docs: Research aws-vault usage with instructions for MFA for IAM roles stuff. #38 future work
Update terrraform-aws-serverless to fix deploys. Fixes BUG: Layers function is missing permissions. #40 , BUG: Serverless Canary Plugin permissions aren't valid for -developer/-admin users #39

Sandbox Environment

I have now manually deleted the existing SLS + TF sandbox environments as they were compromised. Then I recreated both with the following:

# Re-init sandbox stage in local state as superadmin.
$ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- \
  yarn tf:service:init

# Create sandbox TF stack as superadmin.
$ STAGE=sandbox aws-vault exec FIRST.LAST --no-session -- \
  yarn tf:service:apply

# Create sandbox SLS as `-admin`
$ STAGE=sandbox aws-vault exec FIRST.LAST-admin --no-session -- \
  yarn lambda:deploy

# Re-deploy existing sandbox SLS as `-developer`
$ STAGE=sandbox aws-vault exec FIRST.LAST-developer --no-session -- \
  yarn lambda:deploy

ryan-roemer · 2019-12-02T14:50:20Z

@tptee -- I've reprovisioned TF and that's fine. Where I'm stuck is on SLS deploy:

$ STAGE=sandbox aws-vault exec FIRST.NAME-admin --no-session -- \
  yarn lambda:deploy

# ...

  Serverless Error ---------------------------------------
 
  An error occurred: CodeDeployServiceRole - API: iam:CreateRole User: arn:aws:iam::ACCOUNT:user/FIRST.NAME-admin is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::ACCOUNT:role/sls-simple-reference-sandbox-CodeDeployServiceRole-236BX48WS9ZX.

Looks like from generated resources from serverless-plugin-canary-deployments. What do we need to do to get that hooked up to our -admin role to be able to create?

Captured in #39

ryan-roemer · 2019-12-02T15:02:39Z

Another note: After a superadmin deploy to kick things off, get hung up with:

$ STAGE=sandbox aws-vault exec FIRST.LAST-developer --no-session --   yarn lambda:deploy

  Serverless Error ---------------------------------------
 
  An error occurred: LayersLambdaFunction - User: arn:aws:iam::ACCOUNT:user/FIRST.LAST-developer is not authorized to perform: iam:PassRole on resource: arn:aws:iam::ACCOUNT:role/tf-simple-reference-sandbox-lambda-execution (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: ba06c923-6e39-46ee-9cb6-7d80fb6a399c).

Same for -admin

README.md

ryan-roemer added 3 commits November 30, 2019 22:01

Add warning about tf init

8e445a5

Add notes about aws-vault

94f2d27

Add lambda deploy note

872cc79

ryan-roemer marked this pull request as ready for review December 2, 2019 14:57

andyrichardson reviewed Dec 2, 2019

View reviewed changes

README.md Show resolved Hide resolved

Update tf module. More readme notes.

f765179

ryan-roemer changed the title ~~Misc documentation updates.~~ Misc: documentation updates + bugfixes Dec 3, 2019

ryan-roemer merged commit 84dddf3 into master Dec 3, 2019

ryan-roemer deleted the chore/doc-updates branch December 3, 2019 04:51

ryan-roemer mentioned this pull request Dec 3, 2019

BUG: Serverless Canary Plugin permissions aren't valid for -developer/-admin users #39

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Misc: documentation updates + bugfixes #36

Misc: documentation updates + bugfixes #36

ryan-roemer commented Dec 1, 2019 •

edited

ryan-roemer commented Dec 2, 2019 •

edited

ryan-roemer commented Dec 2, 2019

Misc: documentation updates + bugfixes #36

Misc: documentation updates + bugfixes #36

Conversation

ryan-roemer commented Dec 1, 2019 • edited

Work

Sandbox Environment

ryan-roemer commented Dec 2, 2019 • edited

ryan-roemer commented Dec 2, 2019

ryan-roemer commented Dec 1, 2019 •

edited

ryan-roemer commented Dec 2, 2019 •

edited