serverless-application-model
Allow arbitrary named hook functions for Pre and Post Hook feature of Safe Deployments.
If you need to use the Pre or Post Hook feature of the Safe Deployments, you need to name the hook function with a prefix (CodeDeployHook_). This is not super clear and breaks the mental model customers have on naming CloudFormation resources.
Option 1: To make this feature more flexible and allow customers to follow the naming schemas they wish, I am proposing to add a Policy Template. This would be mostly the same IAM Role CodeDeploy needs that takes the hook functions in as a parameter.
Option 2:
SAM could create the CodeDeploy IAM Role and inject the Lambda Function ARNs into the policy. In the DeploymentPreference block, customers are already defining the functions for the pre and post hook.
Thoughts?
Is there any update on this issue? On my account I don't have permissions to name functions CodeDeployHook_ and this makes the preTraffic impossible.
Stumbled upon this limitation today. I vigorously vote for option 2.
I love SAM because it's laser focused on simplicity that covers most use cases instead of trying to be a general tool like CloudFormation already is.
Just lost some time to this, pretty infuriating and doesn't even follow published AWS best practices.
Any chance we will see action on this before another year passes?
Thanks!
This is still an issue, still not a clearly documented requirement, still requiring people's time to figure out the problem and work around it.
I vote Option 2.
For anyone else who runs into this issue, you can work around it by creating an IAM role for CodeDeploy in your SAM template and then referencing that with the Role property under the DeploymentPreference property.
This example simply augments the existing managed service role, AWSCodeDeployRoleForLambda, with an inline policy that allows invoking the function TestRunner-MeLambda-BeforeAllowTraffic.
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Serverless Specification template describing your function.
Resources:
  LambdaFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: MeLambda
      AutoPublishAlias: live
      DeploymentPreference:
        Type: Linear10PercentEvery1Minute
        Hooks:
          PreTraffic: TestRunner-MeLambda-BeforeAllowTraffic
        # Custom CodeDeploy role, so the hook name need not start with CodeDeployHook_
        Role: !GetAtt CodeDeployRole.Arn
      Handler: lambda_function.lambda_handler
      Runtime: python3.8
      CodeUri: .
      Description: ''
      MemorySize: 128
      Timeout: 300
      Environment:
        Variables:
          AWS_LAMBDA_EXEC_WRAPPER: /opt/otel-instrument
      Tracing: Active
      Layers:
        - arn:aws:lambda:us-east-2:901920570463:layer:aws-otel-python38-ver-1-1-0:1
        - arn:aws:lambda:us-east-2:580247275435:layer:LambdaInsightsExtension:14
      Policies:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
  CodeDeployRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codedeploy.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Inline policy scoped to invoking just the hook function
              - Effect: Allow
                Action:
                  - 'lambda:InvokeFunction'
                Resource:
                  - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:TestRunner-MeLambda-BeforeAllowTraffic'
```
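The workaround above only works if the custom role really does grant `lambda:InvokeFunction` on the hook, and the default path only works if the hook name carries the `CodeDeployHook_` prefix. As an added example (not code from this thread or from the SAM project), the following Python lint checks a SAM template for exactly that: for every `AWS::Serverless::Function` with `DeploymentPreference.Hooks`, it resolves each hook's function name and verifies that either the prefix is present or the referenced `Role` has an inline `Allow` on `lambda:InvokeFunction` covering that function. It assumes PyYAML is installed and uses a small custom loader for the `!Ref`/`!Sub`/`!GetAtt` short forms; the embedded sample template is a trimmed copy of the one in the comment above.

```python
"""Lint a SAM template for the CodeDeploy hook-permission pitfall (added example, assumes PyYAML)."""
import yaml

HOOK_PREFIX = "CodeDeployHook_"  # prefix SAM's default CodeDeploy role is scoped to


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that accepts CloudFormation short-form intrinsics (!Ref, !Sub, !GetAtt ...)."""


def _cfn_tag(loader, tag_suffix, node):
    # Keep each intrinsic as {"Ref": ...}, {"Sub": ...}, {"GetAtt": ...} so it can be inspected.
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node)
    else:
        value = loader.construct_mapping(node)
    return {tag_suffix: value}


CfnLoader.add_multi_constructor("!", _cfn_tag)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_arn_text(resource):
    """Flatten a Resource entry (plain string, !Sub string, or !Sub [string, vars]) to its string."""
    if isinstance(resource, dict) and "Sub" in resource:
        resource = resource["Sub"]
    if isinstance(resource, list):
        resource = resource[0]
    return resource if isinstance(resource, str) else ""


def role_grants_invoke(role, function_name):
    """True if an AWS::IAM::Role's inline policies allow lambda:InvokeFunction on function_name."""
    for policy in role.get("Properties", {}).get("Policies", []):
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
                continue
            for res in _as_list(stmt.get("Resource", [])):
                arn = _resource_arn_text(res)
                if arn == "*" or arn.endswith(":function:*") or arn.endswith(":function:" + function_name):
                    return True
    return False


def _hook_function_name(hook, resources):
    """Resolve a Hooks.PreTraffic/PostTraffic value to a concrete function name, or None."""
    if isinstance(hook, str):
        return hook
    if isinstance(hook, dict) and "Ref" in hook:  # !Ref LogicalId -> needs an explicit FunctionName
        name = resources.get(hook["Ref"], {}).get("Properties", {}).get("FunctionName")
        return name if isinstance(name, str) else None
    return None


def _role_logical_id(role_value):
    """Extract the logical id from !GetAtt Role.Arn (scalar or list form)."""
    if isinstance(role_value, dict) and "GetAtt" in role_value:
        att = role_value["GetAtt"]
        return att.split(".")[0] if isinstance(att, str) else att[0]
    return None


def check_template(template_text):
    """Return a list of findings; an empty list means CodeDeploy can invoke every hook."""
    template = yaml.load(template_text, Loader=CfnLoader)
    resources = template.get("Resources", {})
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        pref = resource.get("Properties", {}).get("DeploymentPreference") or {}
        hooks = pref.get("Hooks") or {}
        role_id = _role_logical_id(pref.get("Role"))
        role = resources.get(role_id) if role_id else None
        for hook_kind, hook in hooks.items():
            name = _hook_function_name(hook, resources)
            if name is None:
                findings.append(f"{logical_id}.{hook_kind}: hook has no static FunctionName; cannot verify CodeDeploy may invoke it")
            elif role is None and not name.startswith(HOOK_PREFIX):
                findings.append(f"{logical_id}.{hook_kind}: '{name}' lacks the {HOOK_PREFIX} prefix and no custom Role is set")
            elif role is not None and not role_grants_invoke(role, name):
                findings.append(f"{logical_id}.{hook_kind}: custom Role does not allow lambda:InvokeFunction on '{name}'")
    return findings


# Constructed sample: a trimmed copy of the workaround template from the thread.
SAMPLE = """\
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  LambdaFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      FunctionName: MeLambda
      AutoPublishAlias: live
      DeploymentPreference:
        Type: Linear10PercentEvery1Minute
        Hooks:
          PreTraffic: TestRunner-MeLambda-BeforeAllowTraffic
        Role: !GetAtt CodeDeployRole.Arn
      Handler: lambda_function.lambda_handler
      Runtime: python3.8
      CodeUri: .
  CodeDeployRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [codedeploy.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda
      Policies:
        - PolicyName: invoke-hook
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ['lambda:InvokeFunction']
                Resource:
                  - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:TestRunner-MeLambda-BeforeAllowTraffic'
"""

if __name__ == "__main__":
    for line in check_template(SAMPLE) or ["OK: every hook is invokable by CodeDeploy"]:
        print(line)
```

Run it against a real `template.yaml` by passing the file contents to `check_template`. Removing the `Role` line from the sample reproduces the failure this thread is about (a finding about the missing `CodeDeployHook_` prefix), and narrowing the inline policy to a different function ARN produces a finding that the custom role cannot invoke the hook.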