-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve IAM role statements, policies and principals internal handling and resolution #8396
Comments
Hi @medikoo . I can have a go at this |
@zaldanaraul great to hear that! Go for it. I believe (as mentioned in description) it'll break some test files, and refactoring them can be challenging. I suggest once you have the initial implementation working, you post the list of test files that break, and we will open another dedicated issue to address their refactor (this will likely result with other members of community helping us). |
Hi @medikoo . I've been working on this issue but I have a couple questions before I submit a first draft:
Do you mean just adding the line like this: 'package:finalize': () =>
BbPromise.bind(this).then(() =>
this.serverless.pluginManager.spawn('aws:package:finalize');
this.resolveIamRoles(); // adding line here
), or is there something I'm missing? On that note, I'm not too familiar with how the lifecycle manager works with events and hooks so if there is some more specific doc that talks about that I'd be grateful!
Waiting for your input on this! |
@zaldanaraul sorry for late response! Great thanks for questions see my answers
Yes, exactly.
Yes, however I think we need to populate IAM role before this.resolveIamRoles();
return this.serverless.pluginManager.spawn('aws:package:finalize');
Currently we're adding principals to
principals property name could be made more specific for that ?)
|
(cc: @zaldanaraul) Hello @medikoo 👋 - The description sounds straightforward. Could you let me in? |
@issea1015 Sure, that's a great task to cover, many users are awaiting this |
In the PR, we've found and listed broken test files after this change:
@medikoo It'd be appreciated if you can make issues for each of them, just like #8523 |
Great thanks @issea1015 for gathering the list!
Has dedicated at issue at #8528 I'll try to create issues for others this week. I'll list them here, once done |
@issea1015 sorry for delay, but after all I've created a refactor map for test files which we should refactor. I've created corresponding issues: |
@medikoo I'm glad to hear that! Thanks for cleaning them up. We got one more step closer to the end. |
issea1015, are you working on this? |
Use case description
Goal is to pave path for #4313
Currently Framework creates one IAM role, in which all needed statements for all functions are located.
We need a clear understanding which statements, managed policies and eventual principal registrations are required for which function
Current handling of IAM roles
mergeIamTemplates
function (assuming there's noprovider.role
set or all functions havingrole
) where:provider.iamRoleStatements
are added to itprovider.iamManagedPolicies
are added to itIt is all happening here:
serverless/lib/plugins/aws/package/lib/mergeIamTemplates.js
Lines 41 to 173 in 4e49473
IamRoleLambdaExecution
resource fromserverless.service.provider.compiledCloudFormationTemplate.Resource
and adding needed configuration on pre-created object literally, as e.g. it's done here:serverless/lib/plugins/aws/package/compile/events/msk/index.js
Lines 115 to 124 in 4e49473
Proposed solution
Ideally would be to refactor above into following:
mergeIamTemplates
:awsProvider.iamConfig
andfunctions[].iamConfig
, where eachiamConfig
is object as follows:provider.iamRoleStatements
toawsProvider.iamConfig.policyStatements
provider.iamManagedPolicies
toawsProvider.iamConfig.managedPolicies
provider.vpc
add VPC related polices toawsProvider.iamConfig.managedPolicies
In any place where we currently extend
IamRoleLambdaExecution
directly (look forgetRoleLogicalId()
andIamRoleLambdaExecution
references) Refactor the code, to not extend IAM role resource directly, but instead add related policy statements, managed policies, principals to corresponding function'siamConfig
(as those cases will be about specific function event configurations)In lib/plugins/aws/package/compile/functions/index.js:
iamConfig.policyStatements
(at this point reflect exactly statements as were added atmergeIamTemplates
function)vpc
configuration add VPC related policies to itsiamConfig.managedPolicies
Create
resolveIamRoles.js
in lib/plugins/aws/package/lib which should export a method to be assigned atserverless/lib/plugins/aws/package/index.js
Lines 23 to 31 in 4e49473
serverless/lib/plugins/aws/package/index.js
Line 69 in 4e49473
awProvider.iamConfig.principals
andfunctions[].iamConfig.principals
onIamRoleLambdaExecution
resource (ensuring no duplicates)awsProvider.iamConfig.managedPolicies
andfunctions[].iamConfig.managedPolicies
toIamRoleLambdaExecution
resource (ensuring no duplicates)awsProvider.iamConfig.policyStatements
andfunctions[].iamConfig.managedPolicies
toIamRoleLambdaExecution
resource (ensuring no duplicates)Testing
This change will likely break a lot of tests, why at the same time we should end with same result CF template.
This signals that again our tests are wrong, and we should not put any effort in updating them in current shape.
Instead, any test file that will host broken tests should be refactored to be based on
runServerless
(https://github.com/serverless/serverless/tree/master/test#unit-tests), and PR's that refactor each file should be proposed separate (different PR per each test file).Having those tests migrated to
runServerless
should keep same tests passing after given refactor is made.The text was updated successfully, but these errors were encountered: