Closed powellkerry closed 2 years ago
@powellkerry Was grooming backlog, so I am seeing this fresh off the press 👀
Made your team admin for repo. So y'all can now add secrets
Add permissions for SRE to manage creation and deployment of a lambda in AWS
Regarding this snippet, I see Zach has access to lambda. Do you know what specific resources are required? What I am thinking is if you can make a PR in devops repo (so you can familiarize yourself a bit more, if you'd like) or have @gperlangeli, as he is your devops resource, remove the access that Zach has and apply it to the vsp_sre group. Thoughts?
@oseasmoran73 Thanks for getting the repo access. I think that I specifically need access to create an IAM role for a lambda or access to a role that can create/manage lambdas. I get this error when creating a lambda: User: arn:aws-us-gov:iam::008577686731:user/Kerry.Powell is not authorized to perform: iam:CreateRole
I am pretty sure that I need the aws_access_key_id and aws_secret_access_key for that role to deploy to the lambda that is created.
Hey @powellkerry, was chatting a bit with the team and came up with the following:
Add that permission to your team's role (iam:CreateRole). It can be found here. In addition to it, you need to add the resource for it, located underneath it. Copy the prepending string and do it for role/*
Gino should be able to help you with the PR if you are running into issues. But if not, more than happy to help
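An added example, not part of this thread or the devops repo: a Python check that reviews a policy document for the grant described above and flags Allow statements that give iam:CreateRole on role/* or omit an iam:PermissionsBoundary condition, which is broader than a single Lambda execution role needs. The account ID, the sre-lambda role path and the boundary policy name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy; account ID, role path and boundary name are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*"],
     "Resource": "arn:aws-us-gov:lambda:*:111122223333:function:*"},
    {"Effect": "Allow", "Action": "iam:CreateRole",
     "Resource": "arn:aws-us-gov:iam::111122223333:role/*"},
    {"Effect": "Allow", "Action": "iam:CreateRole",
     "Resource": "arn:aws-us-gov:iam::111122223333:role/sre-lambda/*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary":
       "arn:aws-us-gov:iam::111122223333:policy/sre-lambda-boundary"}}}
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]


def audit_create_role(policy):
    """Return (statement index, issues) for each Allow statement granting iam:CreateRole."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may use wildcards (iam:*, iam:Create*).
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatchcase("iam:createrole", a.lower()) for a in actions):
            continue
        issues = []
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":role/*"):
                issues.append(f"resource {res} covers every role name")
        # Look for the boundary condition key under any condition operator.
        cond = stmt.get("Condition", {})
        if not any("iam:permissionsboundary" in (k.lower() for k in keys)
                   for keys in cond.values()):
            issues.append("no iam:PermissionsBoundary condition")
        findings.append((i, issues))
    return findings
```

Statements that use NotAction are not evaluated by this check.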
Thanks for getting that PR Kerry! With it you should be unblocked. You should be good to go. Closing ticket out. Feel free to reopen or ping if you run into anything else
Who is the devops resource on your team?
@gperlangeli
Description
SRE would like to create a proof of concept to move the platform support slackbot to an AWS lambda. We would like access to create and manage a lambda, as well as permissions in the repo to manage secrets associated with AWS required to add GitHub Actions for deployment. See https://vfs.atlassian.net/wiki/spaces/SRE/pages/2308046892/Questions+for+Infra+Ops for more details.
Background/context
The current support bot is hosted on a free account in Heroku with limited dynos. The bot frequently sleeps because of the lack of traffic, but when we tried to hook up a scheduled task to keep it running, it ran out of dynos by the end of the month. The support bot needs to be moved to a VA managed service as it has become critical to many teams in offering support.
Technical notes
Tasks
Acceptance Criteria
Reminders