Merge pull request #59 from FormidableLabs/feature/fix-canary-iam

IAM fixes for canary
FormidableLabs · Oct 8, 2019 · 5a21992 · 5a21992
2 parents 8dc94a0 + 95cbef8
commit 5a21992
Showing 1 changed file with 24 additions and 7 deletions.
diff --git a/modules/canary/policy-developer.tf b/modules/canary/policy-developer.tf
@@ -11,16 +11,27 @@ resource "aws_iam_policy" "developer" {
 }
 
 locals {
-  # Autogenerated name from serverless-plugin-canary-deployments.
-  # The plugin uses Serverless's built-in function to remove all non-alphanumeric
-  # characters from the name. We replicate that here with replace().
-  # 
-  # https://github.com/serverless/serverless/blob/0965a6baa043d17669015f3ee9ce4b125f668f22/lib/plugins/aws/lib/naming.js#L31
-  # https://github.com/davidgf/serverless-plugin-canary-deployments/blob/9afaefa996c1e9233f8d7f64529f6c69754644a0/serverless-plugin-canary-deployments.js#L20
-  codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-Sls${replace(local.service_name, "/[^a-zA-Z0-9]+/", "")}${local.iam_stage}DeploymentApplication"
+  # The canary plugin generates a nasty suffix for the CodeDeploy project name.
+  # Since this is already keyed by service name and stage, wildcard it.
+  codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-*"
 }
 
 data "aws_iam_policy_document" "developer" {
+  statement {
+    actions = [
+      "iam:GetRole",
+      "iam:PassRole",
+      "iam:CreateRole",
+      "iam:DeleteRole",
+      "iam:AttachRolePolicy",
+      "iam:DetachRolePolicy",
+    ]
+
+    resources = [
+      "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*",
+    ]
+  }
+
   statement {
     actions = [
       "codedeploy:CreateApplication",
@@ -61,4 +72,10 @@ data "aws_iam_policy_document" "developer" {
 
     resources = ["arn:${local.iam_partition}:codedeploy:${local.iam_region}:${local.iam_account_id}:deploymentconfig:CodeDeployDefault.*"]
   }
+
+  statement {
+    actions = ["lambda:DeleteAlias"]
+
+    resources = ["${local.sls_lambda_arn}"]
+  }
 }