Closed heythisisnate closed 3 years ago
I dug into this a little more. The problem has to do with a race condition in my configuration.
I'm trying to append the global IAM policy to allow `lambda:InvokeFunction`. In `application.rb`:
```ruby
config.iam_policy = [
  Jets::Application.default_iam_policy,
  {
    action: %w{ lambda:invokeFunction },
    effect: 'Allow',
    resource: "arn:aws:lambda:#{Jets.aws.region}:#{Jets.aws.account}:function:#{Jets::Naming.parent_stack_name}-*"
  }
]
```
The problem that I just realized is that calling `Jets::Application.default_iam_policy` here creates a race condition where the default policy is generated before the correct environment is loaded.
I'm currently looking for other ways to cleanly append to `default_iam_policy` without the race condition. @tongueroo any ideas?
Got something that I think works. The goal is to cleanly append to `default_iam_policy` without causing the env loading race condition. I modified `application.rb` as follows:
```ruby
Jets.application.config do
  # config.iam_policy = [] # this is commented out so defaults apply
  # ...
end

# Wraps the class method so the extra statement is appended when the policy is requested
module MyDefaults
  def default_iam_policy
    super << {
      action: %w{ lambda:invokeFunction },
      effect: 'Allow',
      resource: "arn:aws:lambda:#{Jets.aws.region}:#{Jets.aws.account}:function:#{Jets.project_namespace}-*"
    }
  end
end
Jets::Application.singleton_class.prepend MyDefaults
```
It wasn't obvious how to use prepend with a class method. Took a bit of searching and experimentation to make this work. Might be useful for the docs?
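The difference between the two patterns in the comments above, as an added example that is not part of the original thread and is not Jets code. `build_app`, the plain `vpc_config` accessor, the policy statements and the ARN are constructed stand-ins chosen to mirror the VPC conditional described in the issue.

```ruby
# Hypothetical stand-in for a framework application class; this is not Jets code.
# Its default policy depends on a setting that only the environment file provides.
def build_app
  Class.new do
    class << self
      attr_accessor :vpc_config # assigned when the environment file loads

      def default_iam_policy
        policy = [{ action: %w[logs:*], effect: 'Allow', resource: '*' }] # constructed
        if vpc_config
          policy << { action: %w[ec2:CreateNetworkInterface], effect: 'Allow', resource: '*' }
        end
        policy
      end
    end
  end
end

# Constructed statement; region, account id and function prefix are placeholders.
INVOKE = { action: %w[lambda:InvokeFunction], effect: 'Allow',
           resource: 'arn:aws:lambda:us-east-1:111111111111:function:demo-dev-*' }.freeze

# Eager: the default is evaluated while the config file is read, before the
# environment file has set vpc_config, so the snapshot lacks the VPC statement.
def eager_policy
  app = build_app
  snapshot = app.default_iam_policy + [INVOKE]
  app.vpc_config = { subnet_ids: %w[subnet-constructed] } # environment loads late
  snapshot
end

# Deferred: prepending to the singleton class wraps the class method, and
# super runs only when the policy is requested, after the environment loaded.
module ExtraDefaults
  def default_iam_policy
    super + [INVOKE] # non-mutating variant of the thread's `super << {...}`
  end
end

def deferred_policy
  app = build_app
  app.singleton_class.prepend(ExtraDefaults)
  app.vpc_config = { subnet_ids: %w[subnet-constructed] }
  app.default_iam_policy
end

def actions(policy)
  policy.flat_map { |statement| statement[:action] }
end
```

Comparing `actions(eager_policy)` with `actions(deferred_policy)` shows the eager snapshot missing `ec2:CreateNetworkInterface`, which is the permission the CloudFormation error in this issue reports as absent.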
Thanks for reporting this. This was handled by #457
Tested specifically your examples. Thanks!
Checklist
`jets upgrade` command that makes this a simple task. There's also an Upgrading Guide: http://rubyonjets.com/docs/upgrading/

My Environment

I have a `vpc_config` defined in the production environment only. In `production.rb`:

Expected Behaviour

`jets deploy` should be able to create a new Lambda resource and connect it to the configured VPC.

Current Behavior

Resource creation fails in CloudFormation with an error related to missing the `ec2:CreateNetworkInterface` permission.

Step-by-step reproduction instructions

Define `Jets.config.function.vpc_config` in `production.rb` or in a specific environment and deploy a new Lambda resource (such as a Jets controller) using `jets deploy`. Resource creation will fail.

Code Sample

Solution Suggestion

The problem seems to originate from: https://github.com/tongueroo/jets/blob/master/lib/jets/application/defaults.rb#L33-L47

When running the `jets deploy` task, this section of code gets executed twice. It appears that on the first execution, the conditional does not return true, so these VPC related actions are not added to the default policies. I couldn't figure out why this occurs. My presumption is that the `production.rb` environment is not loaded locally when the `jets deploy` task is creating a new resource.

Workaround: comment out the conditional `if Jets.config.function.vpc_config ... end` in the above code block locally, then deploy.

I'd be happy to try to propose a fix, but I'm not sure why this is being loaded twice, once without the production environment variables loaded. Any guidance would be appreciated!