'zappa update' not using existing roles #241

Closed
adamgilman opened this issue Aug 11, 2016 · 2 comments

adamgilman commented Aug 11, 2016

This may be related to #199 and #201, but wanted to make sure I'm not missing something.

Simple hello world Flask app was successfully deployed using 'zappa deploy'. Subsequently, running 'zappa update' throws an EntityAlreadyExists error as it is trying to recreate the already existing 'ZappaLambdaExecution' role.

(workspace)agilman:~/workspace (master) $ zappa deploy dev
Creating ZappaLambdaExecution IAM Role...
Creating zappa-permissions policy on ZappaLambdaExecution IAM Role.
Packaging project as zip...
Warning! Your project and virtualenv have the same name! You may want to re-create your venv with a new name, or explicitly define a 'project_name', as this may cause errors.
Uploading zip (34.3MiB)...
100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 36.0M/36.0M [00:59<00:00, 606Kit/s]
Scheduling keep-warm..
Creating API Gateway routes (this only happens once)..
1008it [02:00,  8.12it/s]                                                                                                                                    
Deploying API Gateway..
Deployed! https://xxx.execute-api.us-east-1.amazonaws.com/dev
(workspace)agilman:~/workspace (master) $ zappa update dev
Creating ZappaLambdaExecution IAM Role...
An error occurred (EntityAlreadyExists) when calling the CreateRole operation: Role with name ZappaLambdaExecution already exists.
(workspace)agilman:~/workspace (master) $ 

Here are the IAM permissions for the user as well:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1xxx",
            "Effect": "Allow",
            "Action": [
                "apigateway:*",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:PassRole",
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:AddPermission",
                "events:PutRule",
                "events:PutTargets",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1xxx",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::xxx:role/ZappaLambdaExecution"
            ]
        },
        {
            "Sid": "Stmt1xxx",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:CreateMultipartUpload",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": [
                "arn:aws:s3:::dev.lambda.xxx.cc/*"
            ]
        }
    ]
}

@adamgilman (Author)

Ok, this is 100% an AWS permissions issue.

This works when our deploy_user is given an Administrator policy in AWS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

I would reclassify this bug as: Zappa needs to be explicit about the minimum policy permissions an AWS user needs to deploy Zappa.

@Miserlou (Owner)

Okay, I think this may be addressed in master now. So now you can set "manage_roles": false along with the role_name setting to use a pre-defined role, and Zappa won't try to update it. Previously, 'role_name' was just labeling; "manage_roles": false will prevent Zappa from trying to meddle with IAM and failing.

Does that satisfy?
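
Added example, not part of the thread and not Zappa's code: a small identity-policy check run over the IAM statements from the first post, listing which role actions that deploy user is not granted. The `NEEDED_ON_ROLE` list (in particular `iam:GetRole`) is an assumption about what a deploy tool needs on the role, not something the thread states, and `Condition`, `NotAction` and `NotResource` are not evaluated.

```python
import json
import re

# IAM statements copied from the policy in the first post ("xxx" is the
# poster's own redaction); the S3 statement is omitted for brevity.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": ["*"],
   "Action": ["apigateway:*", "iam:PutRolePolicy", "iam:PassRole",
              "lambda:CreateFunction", "lambda:UpdateFunctionCode",
              "lambda:AddPermission", "events:PutRule", "events:PutTargets",
              "logs:DescribeLogStreams", "logs:FilterLogEvents"]},
  {"Effect": "Allow", "Action": ["iam:CreateRole"],
   "Resource": ["arn:aws:iam::xxx:role/ZappaLambdaExecution"]}]}""")
ROLE_ARN = "arn:aws:iam::xxx:role/ZappaLambdaExecution"
# Assumption, not stated in the thread: what a deploy tool needs on the role
# to look it up, create it once, attach its inline policy and pass it on.
NEEDED_ON_ROLE = ["iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy",
                  "iam:PassRole"]

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise one matching Allow is enough.
    Condition, NotAction and NotResource are not evaluated."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True)
                   for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource)
                       for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def missing_actions(policy, needed, resource):
    """Actions from `needed` that the policy does not grant on `resource`."""
    return [a for a in needed if not is_allowed(policy, a, resource)]

if __name__ == "__main__":
    print(missing_actions(POLICY, NEEDED_ON_ROLE, ROLE_ARN))
```

Run against the Administrator policy from the second comment, the same call returns an empty list.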
