serverless-iam-roles-per-function
Add plugin option: skipCreateDefaultRole
By design the default global role is created to maintain backwards compatibility. If all functions in the project use a per-function role and the default role is not being used by an external resource, then the role is really not needed. This feature will add a plugin option named: skipCreateDefaultRole. The default for this option is false. If set to true then the global default role of the project will not be created.
This is actually an important feature. I have just run into a problem where the default role is getting a policy that is longer than what IAM supports, and it is causing my deploy to fail even though this role serves no purpose in existing.
I'm having the exact same issue as @Gerharddc :/
I'm having the exact same issue as @Gerharddc
A workaround for this is to rename the default role to something shorter.
resources:
  Resources:
    IamRoleLambdaExecution:
      Properties:
        RoleName: "my-short-role-name"

The RoleName gets merged into the IamRoleLambdaExecution resource.
Does this plugin create a default role on top of provider.iamRoleStatements? Because I have the same issue during the deploy - IamRoleLambdaExecution - <name>-dev-<region>-lambdaRole already exists, but I want to keep provider.iamRoleStatements. I am also using defaultInherit: true.
Thanks
Just an FYI, the fact that the default role still gets created is problematic for us. We do not care about the fact it is created, but the naming convention will cause namespace collisions. For our use case, we use an additional custom command line parameter to control naming (eg "--myParameter bill" to set myParameter to bill, which then adds bill to resource names).
This would be an amazing feature to have, running into the same issue as @Gerharddc
Agree, this would be a great option to have, as I had the same issue as @Gerharddc.
Using a custom role was not an option, as this plugin then does not work: it requires the default role (IamRoleLambdaExecution) to be there and builds on that for each function.
A workaround that might help (and I am sure others can make this better): you can create a basic plugin to adjust the template contents before it is deployed. Example below:
- Create a sub folder .serverless_plugins in your project folder (the same one where your serverless.yml is) and create a script in this sub folder, for example reset-role-plugin.js
Example reset-role-plugin.js (note the file name will be the name of plugin in serverless.yml)
'use strict'

class ResetDefaultExecutionRole {
  constructor (serverless, options) {
    // run once the compiled CloudFormation template is ready, before it is packaged
    this.hooks = {
      'before:package:finalize': function () { resetDefaultExecRole(serverless) }
    }
  }
}

function resetDefaultExecRole (serverless) {
  let resourceSection = serverless.service.provider.compiledCloudFormationTemplate.Resources
  // build new policyStatement, customize this to requirements, example only
  const policyStatements = [];
  policyStatements[0] = {
    Effect: 'Allow',
    Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
    Resource: [
      {
        'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*:*'
      },
    ],
  };
  for (let key in resourceSection) {
    if (key === 'IamRoleLambdaExecution') {
      // replace the default role's inline policy statements with the minimal set above
      resourceSection[key].Properties.Policies[0].PolicyDocument.Statement = policyStatements
    }
  }
}

module.exports = ResetDefaultExecutionRole
- Add to your serverless.yml file:

...
plugins:
  - serverless-iam-roles-per-function
  - reset-role-plugin
...

- Test your CloudFormation template by running "sls package ......", which just creates the files in the .serverless folder; you can then review the CloudFormation template there and look at the IamRoleLambdaExecution role.
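The same hook can implement the skipCreateDefaultRole behaviour this issue asks for. The plugin below is an added example, not code from this thread or from serverless-iam-roles-per-function: it removes IamRoleLambdaExecution from the compiled template, but first checks that no function, other resource or output still references the role (via Ref, Fn::GetAtt or DependsOn), since deleting a role that a function still uses would break the deploy. It assumes the Serverless v1/v2 plugin API and a hypothetical custom.skipCreateDefaultRole flag in serverless.yml.

```javascript
'use strict';
// Added example (not the plugin's own code): drop the default
// IamRoleLambdaExecution from the compiled template only when nothing else
// references it. Assumes the Serverless v1/v2 plugin API and a hypothetical
// custom.skipCreateDefaultRole flag in serverless.yml.
const DEFAULT_ROLE = 'IamRoleLambdaExecution';

// True if `node` references the logical id via Ref, Fn::GetAtt (array or
// "Id.Attr" string form) or a bare string such as a DependsOn entry.
function referencesRole(node, logicalId) {
  if (Array.isArray(node)) return node.some((n) => referencesRole(n, logicalId));
  if (node === null || typeof node !== 'object') return node === logicalId;
  for (const [key, value] of Object.entries(node)) {
    if (key === 'Ref' && value === logicalId) return true;
    if (key === 'Fn::GetAtt') {
      const target = Array.isArray(value) ? value[0] : String(value).split('.')[0];
      if (target === logicalId) return true;
    }
    if (referencesRole(value, logicalId)) return true;
  }
  return false;
}

// Mutates `template`; returns what happened so callers need not parse logs.
function removeDefaultRoleIfUnused(template) {
  const resources = template.Resources || {};
  if (!resources[DEFAULT_ROLE]) return { removed: false, reason: 'absent' };
  const others = Object.entries(resources)
    .filter(([id]) => id !== DEFAULT_ROLE).map(([, res]) => res);
  if (referencesRole(others, DEFAULT_ROLE) ||
      referencesRole(template.Outputs || {}, DEFAULT_ROLE)) {
    return { removed: false, reason: 'still referenced' };
  }
  delete resources[DEFAULT_ROLE];
  return { removed: true, reason: 'unreferenced' };
}

class SkipDefaultRolePlugin {
  constructor(serverless) {
    this.hooks = {
      'before:package:finalize': () => {
        if (!(serverless.service.custom || {}).skipCreateDefaultRole) return;
        const result = removeDefaultRoleIfUnused(
          serverless.service.provider.compiledCloudFormationTemplate);
        if (serverless.cli) serverless.cli.log(`${DEFAULT_ROLE}: ${result.reason}`);
      },
    };
  }
}
if (typeof module !== 'undefined') module.exports = SkipDefaultRolePlugin;
```

Drop it into .serverless_plugins like the plugin above and list it after serverless-iam-roles-per-function so the per-function roles already exist when the check runs.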
For anybody interested in reducing the default IAM role size - check out https://github.com/shelfio/serverless-simplify-default-exec-role-plugin (kudos to @aelsnz)
Any update on this? We would really love this!