defaultInherit does not work #74

Open
BartusZak opened this issue Mar 11, 2021 · 4 comments
BartusZak commented Mar 11, 2021

```yaml
service: multibook-service-${self:custom.clientName}

package:
  individually: true # Create an optimized package for our functions
  include:
    - "../libs/**" # Adds shared extensions

plugins:
  - serverless-dynamodb-local # Development
  - serverless-offline # Development
  - serverless-iam-roles-per-function # Define IAM roles per function
  - serverless-deployment-bucket # Create and configure the custom Serverless deployment bucket.

custom: ${file(../serverless.common.yml):custom}

provider: 
  name: aws
  lambdaHashingVersion: 20201221
  runtime: nodejs14.x
  stage: ${self:custom.stage}
  region: ${self:custom.region}
  profile: ${self:custom.stages.${self:provider.stage}.profile}
  # Deployment Bucket Configuration shared across stacks
  # Does not work when importing from serverless.common.yml
  deploymentBucket:
    name: ${self:custom.artifactsBucketName}
    serverSideEncryption: AES256
    tags: # Tags that will be added to each of the deployment resources
      CLIENT_NAME: ${self:custom.clientName}
  stackTags: # Optional CF stack tags
    CLIENT_NAME: ${self:custom.clientName}
  tracing:
    apiGateway: true
    lambda: true

  environment:
    MULTIBOOKS_DYNAMODB_TABLE: ${self:custom.dynamodbTables.MULTIBOOKS_DYNAMODB_TABLE}
    USERS_DYNAMODB_TABLE: ${self:custom.dynamodbTables.USERS_DYNAMODB_TABLE}
    RELEASES_DYNAMODB_TABLE: ${self:custom.dynamodbTables.RELEASES_DYNAMODB_TABLE}

  iamRoleStatements:
      - ${file(../serverless.common.yml):lambdaPolicyXRay}
      - Effect: Allow
        Action:
          - dynamodb:Query
        Resource: !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.MULTIBOOKS_DYNAMODB_TABLE}/index/*"

  functions:
    currentUserList:
      handler: handlers/currentUser/list.handler
      # iamRoleStatementsInherit: true <-- i still have to explicitly declare it to make it inherit
      iamRoleStatements:
        - Effect: "Allow"
          Action:
            - dynamodb:GetItem
          Resource:
            - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.USERS_DYNAMODB_TABLE}"
            - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.RELEASES_DYNAMODB_TABLE}"
```

```yaml
custom:
  serverless-iam-roles-per-function: # Not working
    defaultInherit: true
```

```
    "serverless-iam-roles-per-function": "^3.1.0",
```

```
serverless --version
Framework Core: 2.25.2
Plugin: 4.4.3
SDK: 2.3.2
Components: 3.7.0
```

Edit:

  • Added missing provider and more details to serverless.yml
  • Added serverless framework and plugin version

Enase (Collaborator) commented Mar 11, 2021

@BartusZak Please make sure that the default iamRoleStatements are stored under provider in the configuration tree, like this:

```yaml
custom: ${file(../serverless.common.yml):custom}

provider: # <-- difference is here
  iamRoleStatements:
      - ${file(../serverless.common.yml):lambdaPolicyXRay}
      - Effect: Allow
        Action:
          - dynamodb:Query
        Resource: !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.MULTIBOOKS_DYNAMODB_TABLE}/index/*"

functions:
  currentUserList:
    handler: handlers/currentUser/list.handler
    # iamRoleStatementsInherit: true <-- i still have to explicitly declare it to make it inherit
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:GetItem
        Resource:
          - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.USERS_DYNAMODB_TABLE}"
          - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.RELEASES_DYNAMODB_TABLE}"
```

BartusZak (Author) commented

@Enase thanks for the comment.
Missing provider is not the problem here.

Originally it's there. I just cut too much and forgot to include it in my comment. :D

I edited the first comment.

Any other bets? :)

Enase (Collaborator) commented Mar 11, 2021

@BartusZak could you please do the following:

  1. Open the plugin source file in your project. Sample path: /node_modules/serverless-iam-roles-per-function/dist/lib/index.js
  2. Go to line #317 - node_modules/serverless-iam-roles-per-function/dist/lib/index.js:317
  3. Add console logs like below:

```js
        const isInherit = functionObject.iamRoleStatementsInherit
            || (this.defaultInherit && functionObject.iamRoleStatementsInherit !== false);
        console.log('Default inherit state:', this.defaultInherit);
        console.log('Function inherit state:', functionObject.iamRoleStatementsInherit);
```

  4. Run sls package and try to find out why your isInherit value is false.
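
Added example, not part of the thread and not the plugin's source: a stand-alone model of the `isInherit` expression quoted above, showing which actions a per-function role ends up with for each combination of the service default and the per-function flag. The helpers `resolveDefaultInherit`, `effectiveStatements`, `actionsOf` and `decisionTable`, the lookup location of the default, the merge behaviour and the abbreviated resource strings are assumptions made for illustration.

```javascript
// Added example: models the inherit decision quoted in the comment above.
// Helper names, lookup path and merge behaviour are assumptions, not plugin code.

// Constructed, abbreviated copies of the statements from the issue's serverless.yml.
const providerStatements = [
  { Effect: 'Allow', Action: ['dynamodb:Query'], Resource: 'table/MULTIBOOKS/index/*' },
];
const functionObject = {
  iamRoleStatements: [
    { Effect: 'Allow', Action: ['dynamodb:GetItem'], Resource: ['table/USERS', 'table/RELEASES'] },
  ],
};

// Assumption: the default lives at custom['serverless-iam-roles-per-function'].defaultInherit.
function resolveDefaultInherit(service) {
  const cfg = (service.custom || {})['serverless-iam-roles-per-function'] || {};
  return Boolean(cfg.defaultInherit);
}

// Same boolean expression as in the comment, with the default passed in explicitly.
function isInherit(defaultInherit, fn) {
  return Boolean(fn.iamRoleStatementsInherit
    || (defaultInherit && fn.iamRoleStatementsInherit !== false));
}

// Assumption: inheriting prepends the provider statements to the function's own.
function effectiveStatements(service, fn) {
  const inherit = isInherit(resolveDefaultInherit(service), fn);
  const inherited = inherit ? service.provider.iamRoleStatements : [];
  return inherited.concat(fn.iamRoleStatements || []);
}

// Flatten a statement list into a sorted list of allowed actions for review.
function actionsOf(statements) {
  return statements.flatMap((s) => s.Action).sort();
}

// Every combination of service default and per-function flag.
function decisionTable() {
  const rows = [];
  for (const def of [true, false]) {
    for (const flag of [true, false, undefined]) {
      rows.push({ defaultInherit: def, functionFlag: flag,
        inherit: isInherit(def, { iamRoleStatementsInherit: flag }) });
    }
  }
  return rows;
}

console.table(decisionTable());
```

If the default resolves to a falsy value and the function sets no flag, the role carries only the function's own `dynamodb:GetItem`, which matches the symptom reported in this issue.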

Enase (Collaborator) commented Mar 19, 2021

@BartusZak any updates?
