From 57a667dd966c63741b577c1d1a918c92d0626f96 Mon Sep 17 00:00:00 2001
From: Brian McMahon
Date: Sat, 11 Apr 2026 13:48:04 -0700
Subject: [PATCH] Remove dead IAM bootstrap block from deploy.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The post-canary IAM block attempted `aws iam get-role alpha-engine-data-role` as a "create if missing" bootstrap, then fell through to CreateRole when the get-role call failed. This was dead code with a silent-fail trap inside it:

1. `alpha-engine-data-role` already exists in AWS and is the live Lambda's execution role. The get-role check should succeed and exit the branch as a no-op — it never actually needs to create anything.
2. The deploy.sh header already documents the role as a prerequisite. The bootstrap block contradicted that contract.
3. `&>/dev/null` swallowed any non-zero exit from get-role, including "permission denied" from the github-actions-lambda-deploy role (which correctly lacks iam:* permissions). The branch then interpreted "permission denied" as "role does not exist" and tried to create it, which failed explicitly with iam:CreateRole AccessDenied.

Today's auto-deploy after PR #18 merged surfaced all of this: the Lambda itself deployed successfully (version 4 live, canary passed), but the workflow failed at the dead IAM step and marked the run red.

Fix: delete the entire block. Replace with a comment explaining the role is a one-time out-of-band provisioning concern, ideally extended into `infrastructure/iam/` the same way #17 did for github-actions-lambda-deploy.

This also aligns with the no-silent-fails rule: any future IAM provisioning that belongs in this path should fail loudly, not fall through a pattern-matching check.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 infrastructure/deploy.sh | 52 ++++++++++------------------------------
 1 file changed, 13 insertions(+), 39 deletions(-)
diff --git a/infrastructure/deploy.sh b/infrastructure/deploy.sh index 7b48d1c..1637c20 100755 --- a/infrastructure/deploy.sh +++ b/infrastructure/deploy.sh 
@@ -196,45 +196,19 @@ if [ "$CANARY_STATUS" != "OK" ] && [ "$CANARY_STATUS" != "SKIPPED" ]; then fi echo " Canary passed (status=$CANARY_STATUS)" -# ── IAM role setup (create if doesn't exist) ────────────────────────────── - -echo "" -echo "Checking IAM role: alpha-engine-data-role..." -if ! aws iam get-role --role-name "alpha-engine-data-role" --region "$REGION" &>/dev/null; then - echo " Creating IAM role..." - aws iam create-role \ - --role-name "alpha-engine-data-role" \ - --assume-role-policy-document '{ - "Version": "2012-10-17", - "Statement": [ - {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"} - ] - }' --region "$REGION" > /dev/null - - aws iam put-role-policy \ - --role-name "alpha-engine-data-role" \ - --policy-name "alpha-engine-data-policy" \ - --policy-document '{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "S3Access", - "Effect": "Allow", - "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"], - "Resource": ["arn:aws:s3:::alpha-engine-research", "arn:aws:s3:::alpha-engine-research/*"] - }, - { - "Sid": "CloudWatchLogs", - "Effect": "Allow", - "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], - "Resource": "arn:aws:logs:*:*:*" - } - ] - }' --region "$REGION" - echo " Created alpha-engine-data-role with S3 + CloudWatch access" -else - echo " Role exists" -fi +# NOTE: IAM role `alpha-engine-data-role` is a prerequisite (see header). +# It currently exists in AWS and is the execution role for the live +# alpha-engine-data-collector Lambda. A prior version of this script +# tried to `aws iam get-role` as a "create-if-missing" bootstrap and +# fell through to CreateRole when the GetRole call lacked permission — +# masking the permission error as "role not found" (silent fail) and +# then dying loudly on CreateRole. 
The github-actions-lambda-deploy +# role intentionally lacks iam:* permissions (principle of least +# privilege), so the bootstrap block had been dead code since day one +# of the auto-deploy path. Provisioning this role is a one-time +# operation — do it out of band with a privileged principal, ideally +# by extending infrastructure/iam/ the way #17 did for +# github-actions-lambda-deploy. echo "" echo "Deployment complete."
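Review bot: the inline policy deleted in this hunk (S3 access scoped to `arn:aws:s3:::alpha-engine-research` and `arn:aws:s3:::alpha-engine-research/*`, plus the three CloudWatch Logs actions) was the only copy of alpha-engine-data-role's permissions under version control, and the replacement NOTE only states that the role "currently exists in AWS". Before this merges, the policy document should land under `infrastructure/iam/` following the #17 pattern the comment itself cites, or a tracked follow-up should be opened, so the least-privilege scope is not lost with the deletion and a later drift check against the live role has something to compare to. As a style point, the 13-line NOTE carries the full failure narrative that the commit message already preserves; a two-line pointer ("prerequisite, see header; provisioned out of band via infrastructure/iam/") keeps deploy.sh readable and leaves the history to git. Smaller nit in the deleted lines: `--region "$REGION"` on `aws iam` calls is a no-op since IAM is a global service, one more indicator this block was never exercised end to end.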