fix(codedeploy): LambdaDeploymentGroup now takes IRole (aws#1840)
Change the arguments of LambdaDeploymentGroup to take interfaces
wherever possible.

Fixes aws#1833.

BREAKING CHANGE: If an existing role is provided to a LambdaDeploymentGroup, 
you will need to provide the assuming service principal (`codedeploy.amazonaws.com`) 
yourself.
rix0rrr authored Feb 27, 2019
1 parent 241ae97 commit f6adb7c
Showing 2 changed files with 9 additions and 24 deletions.
27 changes: 9 additions & 18 deletions packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts
@@ -43,7 +43,7 @@ export interface LambdaDeploymentGroupProps {
*
* @default one will be created for you
*/
application?: LambdaApplication;
application?: ILambdaApplication;

/**
* The physical, human-readable name of the CodeDeploy Deployment Group.
@@ -76,7 +76,7 @@ export interface LambdaDeploymentGroupProps {
*
* @default a new Role will be created.
*/
role?: iam.Role;
role?: iam.IRole;

/**
* Lambda Alias to shift traffic. Updating the version
@@ -124,7 +124,7 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
public readonly application: ILambdaApplication;
public readonly deploymentGroupName: string;
public readonly deploymentGroupArn: string;
public readonly role: iam.Role;
public readonly role: iam.IRole;

private readonly alarms: cloudwatch.Alarm[];
private preHook?: lambda.IFunction;
@@ -136,24 +136,15 @@ export class LambdaDeploymentGroup extends cdk.Construct implements ILambdaDeplo
this.application = props.application || new LambdaApplication(this, 'Application');
this.alarms = props.alarms || [];

let serviceRole: iam.Role | undefined = props.role;
if (serviceRole) {
if (serviceRole.assumeRolePolicy) {
serviceRole.assumeRolePolicy.addStatement(new iam.PolicyStatement()
.addAction('sts:AssumeRole')
.addServicePrincipal('codedeploy.amazonaws.com'));
}
} else {
serviceRole = new iam.Role(this, 'ServiceRole', {
assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com')
});
}
serviceRole.attachManagedPolicy('arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda');
this.role = serviceRole;
this.role = props.role || new iam.Role(this, 'ServiceRole', {
assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com')
});

this.role.attachManagedPolicy('arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda');

const resource = new CfnDeploymentGroup(this, 'Resource', {
applicationName: this.application.applicationName,
serviceRoleArn: serviceRole.roleArn,
serviceRoleArn: this.role.roleArn,
deploymentGroupName: props.deploymentGroupName,
deploymentConfigName: (props.deploymentConfig || LambdaDeploymentConfig.AllAtOnce).deploymentConfigName,
deploymentStyle: {
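Review bot: The doc comment on `role` in `LambdaDeploymentGroupProps` (hunk at -76,7) still says only `@default a new Role will be created.`, while the constructor hunk at -136,24 now uses a caller-supplied role as-is and no longer adds the `codedeploy.amazonaws.com` trust statement. That contract is security-relevant and currently lives only in the commit message, so I would state it on the prop, e.g. `* A provided role must be assumable by the service principal codedeploy.amazonaws.com; its trust policy is not modified.` Note also that `this.role.attachManagedPolicy(...)` still changes the permissions of a role the caller owns, and whether that call has any effect on an imported `IRole` is not visible in this diff; both are worth a line in the same comment. The doc comment and the constructor start outside the visible hunks.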
@@ -140,12 +140,6 @@ export = {
Principal: {
Service: "not-codedeploy.amazonaws.com"
}
}, {
Action: "sts:AssumeRole",
Effect: "Allow",
Principal: {
Service: "codedeploy.amazonaws.com"
}
}],
Version: "2012-10-17"
},