From ce54e22e30557ec4ce14925ac6da08e79b4a2128 Mon Sep 17 00:00:00 2001
From: Tyler Thompson
Date: Fri, 4 Oct 2019 14:24:52 -0700
Subject: [PATCH 1/4] Add missing IAM for CodeDeploy in the canary module
---
 modules/canary/policy-developer.tf | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/modules/canary/policy-developer.tf b/modules/canary/policy-developer.tf
index 3570b2a..cd95d0c 100644
--- a/modules/canary/policy-developer.tf
+++ b/modules/canary/policy-developer.tf
@@ -17,10 +17,25 @@ locals {
 #
 # https://github.com/serverless/serverless/blob/0965a6baa043d17669015f3ee9ce4b125f668f22/lib/plugins/aws/lib/naming.js#L31
 # https://github.com/davidgf/serverless-plugin-canary-deployments/blob/9afaefa996c1e9233f8d7f64529f6c69754644a0/serverless-plugin-canary-deployments.js#L20
- codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-Sls${replace(local.service_name, "/[^a-zA-Z0-9]+/", "")}${local.iam_stage}DeploymentApplication"
+ codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-Sls${replace(local.service_name, "/[^a-zA-Z0-9]+/", "")}${replace(local.iam_stage, "/[^a-zA-Z0-9*]+/", "")}DeploymentApplication"
 }
 data "aws_iam_policy_document" "developer" {
+ statement {
+ actions = [
+ "iam:GetRole",
+ "iam:PassRole",
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:AttachRolePolicy",
+ "iam:DetachRolePolicy",
+ ]
+
+ resources = [
+ "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*"
+ ]
+ }
+
 statement {
 actions = [
 "codedeploy:CreateApplication",
From 3fdaa82e9b876358eee439e5ebc3853cc9cdf65a Mon Sep 17 00:00:00 2001
From: Tyler Thompson
Date: Mon, 7 Oct 2019 22:31:58 -0700
Subject: [PATCH 2/4] Additional fixes
---
 modules/canary/policy-developer.tf | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
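Review bot: The new statement grants iam:PassRole, iam:CreateRole and iam:AttachRolePolicy on `role/sls-…-CodeDeployServiceRole-*` with no condition, so a holder of this developer policy can create a role under that name pattern, attach any policy to it (AttachRolePolicy is not limited by iam:PolicyARN) and pass it to any service (PassRole is not limited by iam:PassedToService) — a well-known privilege-escalation path that the commit does not address. The change below splits PassRole and AttachRolePolicy/DetachRolePolicy into their own statements with `iam:PassedToService = codedeploy.amazonaws.com` and an `iam:PolicyARN` condition pinned to the managed policy the plugin attaches (this appears to be AWSCodeDeployRoleForLambda — confirm against the plugin's CloudFormation template); an `iam:PermissionsBoundary` condition on CreateRole would tighten it further if the module has a boundary policy. Separately, this statement interpolates `local.partition`, `local.account_id`, `var.service_name` and `var.iam_stage`, while the deploymentconfig statement visible in the second patch uses `local.iam_partition`, `local.iam_account_id` and `local.iam_stage`; unless both sets are defined outside this hunk, pick one so the plan does not fail on an undefined local. The missing trailing comma on the resource line is fixed by the fourth patch. The enclosing data block continues outside the hunk.
```hcl
  statement {
    actions = ["iam:PassRole"]

    resources = [
      "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*",
    ]

    # The role may only be handed to CodeDeploy, not to any other service.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["codedeploy.amazonaws.com"]
    }
  }

  statement {
    actions = [
      "iam:AttachRolePolicy",
      "iam:DetachRolePolicy",
    ]

    resources = [
      "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*",
    ]

    # Only the managed policy the plugin's service role needs may be attached; confirm the ARN against the plugin.
    condition {
      test     = "ArnEquals"
      variable = "iam:PolicyARN"
      values   = ["arn:${local.partition}:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"]
    }
  }

  statement {
    actions = [
      "iam:GetRole",
      "iam:CreateRole",
      "iam:DeleteRole",
    ]

    resources = [
      "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*",
    ]
  }
  # … unchanged: codedeploy:CreateApplication statement …
```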
diff --git a/modules/canary/policy-developer.tf b/modules/canary/policy-developer.tf
index cd95d0c..793321e 100644
--- a/modules/canary/policy-developer.tf
+++ b/modules/canary/policy-developer.tf
@@ -11,13 +11,9 @@ resource "aws_iam_policy" "developer" {
 }
 locals {
- # Autogenerated name from serverless-plugin-canary-deployments.
- # The plugin uses Serverless's built-in function to remove all non-alphanumeric
- # characters from the name. We replicate that here with replace().
- #
- # https://github.com/serverless/serverless/blob/0965a6baa043d17669015f3ee9ce4b125f668f22/lib/plugins/aws/lib/naming.js#L31
- # https://github.com/davidgf/serverless-plugin-canary-deployments/blob/9afaefa996c1e9233f8d7f64529f6c69754644a0/serverless-plugin-canary-deployments.js#L20
- codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-Sls${replace(local.service_name, "/[^a-zA-Z0-9]+/", "")}${replace(local.iam_stage, "/[^a-zA-Z0-9*]+/", "")}DeploymentApplication"
+ # The canary plugin generates a nasty suffix for the CodeDeploy project name.
+ # Since this is already keyed by service name and stage, wildcard it.
+ codedeploy_application_name = "sls-${local.service_name}-${local.iam_stage}-*"
 }
 data "aws_iam_policy_document" "developer" {
@@ -76,4 +72,10 @@ data "aws_iam_policy_document" "developer" {
 resources = ["arn:${local.iam_partition}:codedeploy:${local.iam_region}:${local.iam_account_id}:deploymentconfig:CodeDeployDefault.*"]
 }
+
+ statement {
+ actions = ["lambda:DeleteAlias"]
+
+ resources = [local.sls_lambda_arn]
+ }
 }
From 8aacb086a47ff27d2f1af853fa8b34c5aa10b664 Mon Sep 17 00:00:00 2001
From: Tyler Thompson
Date: Mon, 7 Oct 2019 22:53:37 -0700
Subject: [PATCH 3/4] Fix 0.11
---
 modules/canary/policy-developer.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/canary/policy-developer.tf b/modules/canary/policy-developer.tf
index 793321e..9997479 100644
--- a/modules/canary/policy-developer.tf
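Review bot: Widening `codedeploy_application_name` from the exact plugin-generated name to `sls-${local.service_name}-${local.iam_stage}-*` turns a single-resource grant into a prefix match, and because service name and stage are themselves joined with `-` the prefix is not unique: a service `app` at stage `dev` now also matches applications of a service `app-dev` at any stage (constructed example). The previous patch had already fixed the stage sanitization and "Additional fixes" does not say why the exact name still failed, so it is unclear the wildcard is needed; the consumer of this local lies outside the hunk, so how far the widening reaches cannot be seen here. If the exact form genuinely cannot be reproduced, keep the two upstream links from the removed comment and record what broke, e.g. `# Plugin-generated suffix (Sls<Service><Stage>DeploymentApplication) is not reproduced because <reason>; matched by service/stage prefix instead.` with the placeholder filled in. Note also that the removed regex deliberately allowed `*` in `local.iam_stage`, which suggests the stage may already be a wildcard for some callers, and the new trailing `*` compounds that.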
+++ b/modules/canary/policy-developer.tf
@@ -76,6 +76,6 @@ data "aws_iam_policy_document" "developer" {
 statement {
 actions = ["lambda:DeleteAlias"]
- resources = [local.sls_lambda_arn]
+ resources = ["${local.sls_lambda_arn}"]
 }
 }
From 95cbef8071e559b5770e01b38fc8b21fe55905dd Mon Sep 17 00:00:00 2001
From: Tyler Thompson
Date: Mon, 7 Oct 2019 22:58:46 -0700
Subject: [PATCH 4/4] Format
---
 modules/canary/policy-developer.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/canary/policy-developer.tf b/modules/canary/policy-developer.tf
index 9997479..5435158 100644
--- a/modules/canary/policy-developer.tf
+++ b/modules/canary/policy-developer.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "developer" {
 ]
 resources = [
- "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*"
+ "arn:${local.partition}:iam::${local.account_id}:role/sls-${var.service_name}-${var.iam_stage}-CodeDeployServiceRole-*",
 ]
 }