rackerlabs / lambda-uploader

Helps package and upload Python lambda functions to AWS
Apache License 2.0
270 stars 56 forks

Ability to create a role with inline policy at upload time #82

Open boxidau opened 8 years ago

boxidau commented 8 years ago

I'm wanting to use lambda-uploader for work stuff instead of my personal project boxidau/alpha; however, I can't define a lambda function role policy in the config file with lambda-uploader.

Here's my implementation of this: https://github.com/boxidau/alpha/blob/master/alpha.py#L105-L137

and example config: https://github.com/boxidau/alpha/blob/master/example_project/test-lambda2/lambda.json#L8-L33

Any chance this functionality could make it into lambda-uploader?

jarosser06 commented 8 years ago

I'm going to let other people weigh in here as well. I'm certainly not against the idea but it does start to change the scope of this project a little bit. The original scope was to simply aid in packaging and uploading/updating lambda functions.

It seems this would be a relatively simple change, check the policy class for a str or object and act off of that? Or maybe something a little more explicit with --create-policy and pass a policy document separately. I'm open to ideas on how this might look.

martinb3 commented 8 years ago

I wonder if it would be better to use lambda-uploader as an API if you want to do other AWS-ish things in conjunction with it? Combining boto3 and lambda-uploader seems like a reasonable design. Alternately, making it a plugin for the AWS CLI might make sense too.

boxidau commented 8 years ago

From the perspective of a user of lambda-uploader I want to write a lambda function, fire off lambda-uploader and be able to call it immediately. At the moment I need to make sure I use CFN or IAM directly to create a role first that I can later associate to the lambda function with the role param in the config file.

I think once we get to the point of having quite a number of lambda functions to set up on an account it will be much easier to just run one tool allowing each lambda function to define its own role in the lambda.json; it may prevent laziness of just having one very permissive role and associating that with many functions.

To allow for a non-breaking change, the JSON file could have role which works with a pre-existing role or policy which allows a policy to be created inline on a role just for the given lambda function. Or like you said Rosser, just check for a string or object on the role key. Seems like a more self-contained package.
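
The string-or-object check on the `role` key proposed above, as an added example that is not part of the original thread and is not code from lambda-uploader or boxidau/alpha. Assumptions: the config carries a `name` key, the per-function role is named `lambda-<name>`, an inline policy that allows a bare `*` is refused, and `plan_role` / `apply_plan` are hypothetical helper names; `create_role` and `put_role_policy` are the boto3 IAM client calls.

```python
import json

# Trust policy letting the Lambda service assume the created role.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "lambda.amazonaws.com"}}]}

# Constructed sample config; the object form of "role" is the proposal.
SAMPLE = {"name": "thumbnailer", "role": {
    "Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"}]}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Allow statements whose Action or Resource is a bare '*'."""
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and ("*" in _as_list(s.get("Action", []))
                 or "*" in _as_list(s.get("Resource", [])))]


def plan_role(config):
    """Return (role, iam_calls): a str role is used as-is, a dict is created."""
    role = config.get("role")
    if isinstance(role, str):
        return role, []  # pre-existing role: today's behaviour, no IAM calls
    if not isinstance(role, dict):
        raise ValueError("role must be a role ARN string or a policy object")
    if broad_statements(role):
        raise ValueError("inline policy allows '*' as Action or Resource")
    name = "lambda-" + config["name"]  # hypothetical per-function role name
    return name, [
        ("create_role", {"RoleName": name,
                         "AssumeRolePolicyDocument": json.dumps(LAMBDA_TRUST)}),
        ("put_role_policy", {"RoleName": name, "PolicyName": name,
                             "PolicyDocument": json.dumps(role)})]


def apply_plan(iam, calls):
    """Run the planned calls on a boto3 IAM client; return the new role ARN."""
    arn = None
    for method, kwargs in calls:
        response = getattr(iam, method)(**kwargs)
        if method == "create_role":
            arn = response["Role"]["Arn"]
    return arn
```

The wildcard check only catches a bare `*`; service-wide actions such as `logs:*` pass it and would need a stricter rule.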

jarosser06 commented 8 years ago

I discussed this with @boxidau offline. I want to leave this issue open and allow for people to weigh in. I am open to a PR demonstrating this functionality and understand that this does expand the scope of the lambda-uploader a bit.