Warning: "unsupported string format" when using lift variables in IAM Policies #151

Open
bboure opened this issue Jan 6, 2022 · 3 comments
Labels
bug Something isn't working

bboure commented Jan 6, 2022

Description

When using Lift variables as an IAM policy Resource, Serverless Framework shows a warning.

unsupported string format

How to Reproduce

myFunction:
  handler: src/myFunction.handler
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - sqs:SendMessage
        - sqs:ListQueues
      Resource:
        - ${construct:myQueue.queueArn}

Warning:

Serverless:   at 'functions.myFunction.iamRoleStatements[0].Resource[0]': unsupported string format

Additional Information

This is because when the config goes into the validation, variables have not fully been resolved and still contain the CDK tokens. Tokens don't match the ajv rules.

e.g.:

[
  {
    Effect: 'Allow',
    Action: [ 'sqs:SendMessage', 'sqs:ListQueues' ],
    Resource: [ '${Token[TOKEN.64]}' ]
  }
]

Related/similar issue: serverless/serverless#8488

@bboure bboure added the bug Something isn't working label Jan 6, 2022
@t-richard
Contributor

Hi @bboure!

As far as I know, iamRoleStatements at the function level is not supported out of the box by Serverless and is provided by a third party plugin.

It seems this plugin is conflicting with Lift, probably because it resolves the variable (which gives a CDK token) but Lift never has a chance to transform the CDK token to a proper CloudFormation reference before the schema validation occurs.

Not sure how to fix this but I guess if you bypass schema validation, then it would output a valid CloudFormation template.

Reference links:

@bboure
Author

bboure commented Jan 6, 2022

That's right, it's supported by a third party. I forgot to mention that.

However, the plugin uses "native" validation and type

So, this problem also happens here in the framework provider.iam.role.statements.

I just reproduced it:

provider:
  iam:
    role:
      statements:
        - Effect: 'Allow'
          Action:
            - sqs:deleteMessageBatch
          Resource:
            - ${construct:winningsProcess.queueArn}

Serverless:   at 'provider.iam.role.statements[0].Resource[0]': unsupported string format

I am not sure how to fix that. Right now it's just a warning and cfn compiles just fine when all hooks run.

Maybe a solution (or hack) would be to use custom tokens and token resolvers (not sure if this is possible)

if tokens could be generated as something that matches any of the possible values, e.g.:

  • arn:lift:Token.63:

- or -

Overwrite #/definitions/awsIamPolicyStatements definition, but that seems a bit dangerous.
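
Added example, not part of the thread and not Lift or Serverless Framework code: because the warning is raised before tokens are resolved, a check on the compiled template can confirm that no `${Token[...]}` placeholder reached an IAM `Resource`. The template shapes handled here and the sample logical IDs are assumptions of this sketch.

```javascript
// Added example: flag IAM statement Resources in a compiled CloudFormation
// template that still contain an unresolved CDK token placeholder.
const TOKEN_RE = /\$\{Token\[[^\]]*\]\}/; // shape from the issue: ${Token[TOKEN.64]}
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Collect every string nested in a value (covers Fn::Join / Fn::Sub arguments).
function strings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') {
    Object.values(value).forEach((v) => strings(v, out));
  }
  return out;
}

function findUnresolvedTokens(template) {
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    const props = res.Properties || {};
    let docs = [];
    if (res.Type === 'AWS::IAM::Role') {
      docs = asArray(props.Policies).map((p) => p.PolicyDocument);
    } else if (res.Type === 'AWS::IAM::Policy' || res.Type === 'AWS::IAM::ManagedPolicy') {
      docs = [props.PolicyDocument];
    }
    for (const doc of docs.filter(Boolean)) {
      asArray(doc.Statement).forEach((stmt, index) => {
        for (const value of strings(stmt.Resource)) {
          if (TOKEN_RE.test(value)) findings.push({ logicalId, index, value });
        }
      });
    }
  }
  return findings;
}

// Constructed sample templates; logical IDs are made up for this example.
const roleWith = (resource) => ({
  Resources: {
    ExampleLambdaRole: {
      Type: 'AWS::IAM::Role',
      Properties: { Policies: [{ PolicyName: 'example', PolicyDocument: {
        Statement: [{ Effect: 'Allow', Action: ['sqs:SendMessage'], Resource: [resource] }],
      } }] },
    },
  },
});
const resolved = roleWith({ 'Fn::GetAtt': ['ExampleQueue', 'Arn'] });
const unresolved = roleWith('${Token[TOKEN.64]}');
console.log(findUnresolvedTokens(resolved), findUnresolvedTokens(unresolved));
```

Run against the template that `serverless package` writes under `.serverless/`, an empty result means every policy `Resource` was turned into a real reference before deployment.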

@frcouceiro

Another use case I just stumbled upon is if we want to set up a Lambda Trigger for the dead letter queue. I was trying something along the following lines on serverless.yml:

functions:
 on-dlq-message-received:
   handler: src/events/on-dlq-message-received.handler
   events:
     - sqs: ${construct:bulk-queue.queueArn}-dlq

I did see a PR regarding attaching a lambda to DLQ, but it seems it is blocked by other reasons. Appending '-dlq' does not feel right though.
