"sharedRole" is not properly written to claudia.json during deployment, causing shared IAM roles to be deleted on destroy

[mattdelsordo]

• Expected behaviour: When you deploy a lambda function with the --role tag, Claudia uses that role for the function instead of generating it's own. It should then set config.lambda.sharedRole = true in claudia.json, which is used by claudia destroy to avoid deleting a role that is being used by other AWS resources.

• What actually happens: claudia create never writes sharedRole to file. The output after a successful create looks like:

  zipping package
  initialising IAM role
  creating Lambda
  creating Lambda lambda.createFunction   FunctionName=tilegarden-predefined-role2-mdelsordo
  creating Lambda lambda.setupRequestListeners
  creating version alias
  creating version alias  lambda.updateAlias      FunctionName=tilegarden-predefined-role2-mdelsordo      Name=latest
  creating version alias  lambda.setupRequestListeners
  creating version alias  lambda.createAlias      FunctionName=tilegarden-predefined-role2-mdelsordo      Name=latest
  creating version alias  lambda.setupRequestListeners
  creating REST API
  creating REST API       apigateway.createRestApi        name=tilegarden-predefined-role2-mdelsordo
  creating REST API       apigateway.setupRequestListeners
  creating REST API       apigateway.setAcceptHeader
  [...]
  creating REST API       apigateway.setAcceptHeader
  saving configuration
  {
  "lambda": {
  "role": "arn:aws:iam::279682201306:role/tilegarden-predefined-role-mdelsordo-executor",
  "name": "tilegarden-predefined-role2-mdelsordo",
  "region": "us-east-1",
  "sharedRole": true
  },
  "api": {
  "id": "yz6j6o5v25",
  "module": "bin/api",
  "url": "https://yz6j6o5v25.execute-api.us-east-1.amazonaws.com/latest"
  }
  }

  but the actual claudia.json looks like:

  "lambda": {
  "role": "arn:aws:iam::279682201306:role/tilegarden-predefined-role-mdelsordo-executor",
  "name": "tilegarden-predefined-role2-mdelsordo",
  "region": "us-east-1"
  },
  "api": {
  "id": "yz6j6o5v25",
  "module": "bin/api"
  }
  }

  As a result, the check for !lambdaConfig.sharedRole in destroy.js always succeeds, and the role associated with the function that's being destroyed is also destroyed, regardless of what else it's attached to. Manually adding sharedRole to the file causes the expected behavior.

• Link to a minimal, executable project that demonstrates the problem: Any project that is created with an existing role set by the --role flag in claudia create.

• Steps to install the project: install node modules and run claudia create.

• Steps to reproduce the problem: Deploy the project, and compare the console output to what is actually saved into claudia.json.

  • Possible solution: It looks to me like the issue is in create.js. sharedRole is added to the config by the function formatResult, which is then called as part of the promise chain that sets up all the AWS resources:

    .then(saveConfig)
    .then(formatResult)
    .then(cleanup);

    It looks like the file gets formatted AFTER it is saved, so certain fields like sharedRole and s3key are only shown to the user and not actually included in claudia.json.

[gojko]

thanks for reporting this, i'll fix it tonight

[gojko]

this is now fixed in 5.0.1 on NPM