From 59bc347b8bab77cff99cff65e6c7453be1ea8897 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Fri, 22 Feb 2019 13:18:20 +0100
Subject: [PATCH 1/2] fix(codedeploy): LambdaDeploymentGroup now takes IRole
Change the arguments of LambdaDeploymentGroup to take interfaces wherever possible. Fixes #1833.
---
 .../lib/lambda/deployment-group.ts | 27 +++++++------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts b/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts
index bedf02c871b7d..99063157a5ea0 100644
--- a/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts
+++ b/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts
@@ -43,7 +43,7 @@ export interface LambdaDeploymentGroupProps {
 *
 * @default one will be created for you
 */
- application?: LambdaApplication;
+ application?: ILambdaApplication;
 /**
 * The physical, human-readable name of the CodeDeploy Deployment Group.
@@ -76,7 +76,7 @@ export interface LambdaDeploymentGroupProps {
 *
 * @default a new Role will be created.
 */
- role?: iam.Role;
+ role?: iam.IRole;
 /**
 * Lambda Alias to shift traffic. Updating the version
@@ -124,7 +124,7 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
 public readonly application: ILambdaApplication;
 public readonly deploymentGroupName: string;
 public readonly deploymentGroupArn: string;
- public readonly role: iam.Role;
+ public readonly role: iam.IRole;
 private readonly alarms: cloudwatch.Alarm[];
 private preHook?: lambda.IFunction;
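Review bot: The doc comment on `role` in the `@@ -76,7 +76,7 @@` hunk still says only `@default a new Role will be created.`, although a supplied role is now used as given: the `@@ -136,24 +136,15 @@` hunk drops the code that added an `sts:AssumeRole` statement for `codedeploy.amazonaws.com` to its trust policy. Leaving a caller's trust policy untouched is the safer behaviour, but the contract should be written down, for example by adding `* A role passed here must already be assumable by codedeploy.amazonaws.com.` above the `@default` line. Without it, a caller who passes an existing role gets a deployment group whose service role CodeDeploy presumably cannot assume, and finds out only at deploy time. The interface starts and ends outside the hunk.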
@@ -136,24 +136,15 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
 this.application = props.application || new LambdaApplication(this, 'Application');
 this.alarms = props.alarms || [];
- let serviceRole: iam.Role | undefined = props.role;
- if (serviceRole) {
- if (serviceRole.assumeRolePolicy) {
- serviceRole.assumeRolePolicy.addStatement(new iam.PolicyStatement()
- .addAction('sts:AssumeRole')
- .addServicePrincipal('codedeploy.amazonaws.com'));
- }
- } else {
- serviceRole = new iam.Role(this, 'ServiceRole', {
- assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com')
- });
- }
- serviceRole.attachManagedPolicy('arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda');
- this.role = serviceRole;
+ this.role = props.role || new iam.Role(this, 'ServiceRole', {
+ assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com')
+ });
+
+ this.role.attachManagedPolicy('arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda');
 const resource = new CfnDeploymentGroup(this, 'Resource', {
 applicationName: this.application.applicationName,
- serviceRoleArn: serviceRole.roleArn,
+ serviceRoleArn: this.role.roleArn,
 deploymentGroupName: props.deploymentGroupName,
 deploymentConfigName: (props.deploymentConfig || LambdaDeploymentConfig.AllAtOnce).deploymentConfigName,
 deploymentStyle: {
From a09cb251bb397206ddb116f2f2558237114ef3e3 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Wed, 27 Feb 2019 11:04:09 +0100
Subject: [PATCH 2/2] Fix test that asserts we add principal to provided role
---
 .../aws-codedeploy/test/lambda/test.deployment-group.ts | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts b/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts
index 19274ac6d4598..32eda4c39e1f3 100644
--- a/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts
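Review bot: `this.role.attachManagedPolicy(...)` is now called on whatever `IRole` the caller supplied, so the construct still modifies a role it does not own while no longer knowing what kind of role it is. For a role that is only a reference to an existing one, the call may do nothing (the diff does not show that implementation, so this needs confirming), leaving the service role without `AWSCodeDeployRoleForLambda`; for a role defined in the app and shared with other principals, it quietly widens that role. I would add a comment above the call, such as `// Also applied to a caller-supplied role; an imported role must already carry this policy.`, and a test that passes an imported role. The constructor starts and ends outside the hunk.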
+++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts
@@ -140,12 +140,6 @@ export = {
 Principal: {
 Service: "not-codedeploy.amazonaws.com"
 }
- }, {
- Action: "sts:AssumeRole",
- Effect: "Allow",
- Principal: {
- Service: "codedeploy.amazonaws.com"
- }
 }],
 Version: "2012-10-17"
 },