aws / serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is an AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
https://aws.amazon.com/serverless/sam
Apache License 2.0
9.34k stars 2.38k forks

redundant role created #1726

Closed shaykeren closed 3 years ago

shaykeren commented 4 years ago

Description

A redundant role is created when using sam deploy. My SAM template has a serverless function which enables gradual Lambda deployment using DeploymentPreference. I set the Role property to a predefined role ARN. The documentation says that "An IAM role will not be created if this is provided" (reference).

sam deploy creates a role with the name CodeDeployServiceRole, although I specified a specific role ARN under the DeploymentPreference section.

When viewing the processed template I can see that the resource of type AWS::CodeDeploy::DeploymentGroup has ServiceRoleArn set to my specified role ARN, and also a new role with the name CodeDeployServiceRole.

Steps to reproduce

Create a SAM template with a serverless function and set the role ARN under DeploymentPreference/Role. Run sam deploy and observe that the CodeDeployServiceRole role was created.

Observed result

sam deploy --region eu-west-1 --stack-name XXXX --s3-bucket XXXX --s3-prefix XXXX --tags Creator=sam sam=Owned --template-file template.yaml --capabilities CAPABILITY_IAM --parameter-overrides ENVIRONMENT=XXXX --debug

Telemetry endpoint configured to be https://aws-serverless-tools-telemetry.us-west-2.amazonaws.com/metrics
File with same data is already exists at XXXX/1d3c4b3a706e99044d2af16886544679. Skipping upload
File with same data is already exists at XXXX/3c48d1ce33488ed5a5c6fe11169982f2. Skipping upload

    Deploying with following values
    ===============================
    Stack name                 : XXXX
    Region                     : eu-west-1
    Confirm changeset          : False
    Deployment s3 bucket       : XXXX
    Capabilities               : ["CAPABILITY_IAM"]
    Parameter overrides        : {'ENVIRONMENT': 'XXXX'}

Initiating deployment
=====================
Collected default values for parameters: {'ENVIRONMENT': 'XXXX'}
2 resources found in the template
Found Serverless function with name='XXXX' and CodeUri='.'
Found Serverless function with name='XXXX' and CodeUri='.'
Stack with id XXXX does not exist
File with same data is already exists at XXXX/316d194e35f769134a8af3fedc5627ba.template. Skipping upload

Waiting for changeset to be created..

CloudFormation stack changeset
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Operation                                         LogicalResourceId                                 ResourceType                                      Replacement                                     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ Add                                             CodeDeployServiceRole                             AWS::IAM::Role                                    N/A                                             
+ Add                                             XXXX                                              AWS::Lambda::Alias                                N/A                                             
+ Add                                             XXXX                                              AWS::Lambda::Permission                           N/A                                                                                                                                                                                       
+ Add                                             XXXX                                              AWS::Events::Rule                                 N/A                                             
+ Add                                             XXXX                                              AWS::CodeDeploy::DeploymentGroup                  N/A                                             
+ Add                                             XXXX                                              AWS::Lambda::Version                              N/A                                             
+ Add                                             XXXX                                              AWS::Lambda::Function                             N/A                                             
+ Add                                             XXXX                                              AWS::Lambda::Function                             N/A                                             
+ Add                                             ServerlessDeploymentApplication                   AWS::CodeDeploy::Application                      N/A                                             
------------------------------------------------------------------------------------------

Expected result

The role should not be created.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: ubuntu
  2. sam --version: SAM CLI, version 1.3.2

Add --debug flag to command you are running

shaykeren commented 3 years ago

Hi, Any updates on this one?

Jacco commented 3 years ago

There is a test case that verifies one is not created if all DeploymentPreferences specify a role.

function_with_deployment_no_service_role.yaml

To research your bug we would need more details about the template you are using.
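The rule Jacco refers to (the transform only adds its own CodeDeployServiceRole when some enabled DeploymentPreference is missing Role) can be checked statically before running sam deploy. The following is an added example, not code from the SAM project or from anyone in this thread. It assumes the template has already been loaded into a Python dict (for example with a CloudFormation-tag-aware YAML loader) and goes slightly beyond the comment by also merging Globals.Function.DeploymentPreference into each function, since a global preference without Role is one way a single function can end up without one. The sample templates, logical IDs and role ARN are constructed for illustration.

```python
"""Pre-deploy check: will the SAM transform add CodeDeployServiceRole?

The shared AWS::IAM::Role "CodeDeployServiceRole" is only needed when at
least one AWS::Serverless::Function has an enabled DeploymentPreference
that does not supply its own Role. This script reports the offending
functions so the extra role can be avoided (least privilege: the account's
own, reviewed CodeDeploy role should be the only one in play).
"""

SERVERLESS_FUNCTION = "AWS::Serverless::Function"
EXAMPLE_ROLE = "arn:aws:iam::123456789012:role/ExampleCodeDeployRole"  # constructed


def _deep_merge(base, override):
    """Function-level properties win over Globals; nested dicts are merged."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = _deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def _is_enabled(pref):
    """DeploymentPreference.Enabled defaults to true; tolerate string booleans."""
    enabled = pref.get("Enabled", True)
    if isinstance(enabled, str):
        return enabled.strip().lower() != "false"
    return bool(enabled)


def functions_missing_codedeploy_role(template):
    """Logical IDs of functions whose enabled DeploymentPreference has no Role."""
    global_pref = (
        template.get("Globals", {}).get("Function", {}).get("DeploymentPreference", {})
    )
    missing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SERVERLESS_FUNCTION:
            continue
        props = resource.get("Properties", {})
        pref = _deep_merge(global_pref, props.get("DeploymentPreference") or {})
        if not pref or not _is_enabled(pref):
            continue  # no gradual deployment for this function
        # Role may be a plain ARN or an intrinsic such as {"Ref": ...}; any
        # non-empty value counts as "provided".
        if not pref.get("Role"):
            missing.append(logical_id)
    return missing


def will_create_codedeploy_service_role(template):
    """True if the transform is expected to add CodeDeployServiceRole."""
    return bool(functions_missing_codedeploy_role(template))


def _function(**pref):
    """Build a minimal constructed AWS::Serverless::Function resource."""
    props = {"Handler": "app.handler", "Runtime": "python3.8", "CodeUri": ".",
             "AutoPublishAlias": "live"}
    if pref:
        props["DeploymentPreference"] = pref
    return {"Type": SERVERLESS_FUNCTION, "Properties": props}


# Constructed sample templates (not the reporter's template).
TEMPLATE_MIXED = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "FirstFunction": _function(Enabled=True, Type="Canary10Percent5Minutes",
                                   Role=EXAMPLE_ROLE),
        "SecondFunction": _function(Type="AllAtOnce"),  # Role missing here
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
}

TEMPLATE_ALL_ROLES = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Globals": {"Function": {"DeploymentPreference": {"Type": "AllAtOnce",
                                                      "Role": EXAMPLE_ROLE}}},
    "Resources": {
        "FirstFunction": _function(Type="Linear10PercentEvery1Minute"),
        "SecondFunction": _function(),  # inherits the global preference and Role
        "DisabledFunction": _function(Enabled="false"),  # disabled: irrelevant
    },
}


if __name__ == "__main__":
    for name, tpl in (("mixed", TEMPLATE_MIXED), ("all-roles", TEMPLATE_ALL_ROLES)):
        print(name, "-> creates CodeDeployServiceRole:",
              will_create_codedeploy_service_role(tpl),
              "missing Role on:", functions_missing_codedeploy_role(tpl))
```

Run it against your own template dict before deploying; if any function is listed, the CodeDeployServiceRole entry in the changeset is expected rather than a bug, and the fix is to give that function (or Globals) a Role.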

sriram-mv commented 3 years ago

I just tried to reproduce this and could not; below is my template. I do not see any CodeDeploy service role being created.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  sam-app

  Sample SAM Template for sam-app

Globals:
  Function:
    Timeout: 3

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.8
      # DeploymentPreference requires an alias for CodeDeploy to shift traffic to
      AutoPublishAlias: "Myalias"
      DeploymentPreference:
        Enabled: True
        Type: AllAtOnce
        # Pre-existing CodeDeploy service role; with this set, SAM should not add CodeDeployServiceRole
        Role: arn:aws:iam::<myaccount>:role/<myrolename>
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /hello
            Method: get

I'm closing this issue; please comment here if you are still facing this issue and provide your template too for investigation.