From 6495c00c991262a56f8133a4b78f05e6791b1f7f Mon Sep 17 00:00:00 2001 From: Paul Poulsen Date: Thu, 24 Oct 2024 14:36:51 -0500 Subject: [PATCH 1/2] SK24 - If we can't delete the old role, update it --- serverless.yml | 57 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/serverless.yml b/serverless.yml index b6a1de8..b819bf2 100644 --- a/serverless.yml +++ b/serverless.yml @@ -30,7 +30,7 @@ functions: - http: path: 'slack/install' method: get - role: slackbotRole + role: slackInstallRole create-user: handler: src/index.createUser events: @@ -201,6 +201,61 @@ resources: - Ref: 'AWS::Region' - Ref: 'AWS::AccountId' - 'table/cal2slack-usersettings' + slackInstallRole: + Type: AWS::IAM::Role + Properties: + Path: / + RoleName: ${self:custom.lambda.slackbot.roleName} + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: sts:AssumeRole + Policies: + - PolicyName: calendar2slack-prod-us-east-1-lambdaRole + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:CreateLogStream + - logs:PutLogEvents + Resource: + - 'Fn::Join': + - ':' + - - 'arn:aws:logs' + - Ref: 'AWS::Region' + - Ref: 'AWS::AccountId' + - 'log-group:/aws/lambda/*:*:*' + - Effect: Allow + Action: + - secretsmanager:GetSecretValue + Resource: + - 'Fn::Join': + - ':' + - - 'arn:aws:secretsmanager' + - Ref: 'AWS::Region' + - Ref: 'AWS::AccountId' + - 'secret:${self:custom.lambda.slackbot.secretsPrefix}/*' + - Effect: Allow + Action: + - dynamodb:Scan + - dynamodb:Query + - dynamodb:GetItem + - dynamodb:BatchGetItem + - dynamodb:PutItem + - dynamodb:UpdateItem + Resource: + - 'Fn::Join': + - ':' + - - 'arn:aws:dynamodb' + - Ref: 'AWS::Region' + - Ref: 'AWS::AccountId' + - 'table/cal2slack-usersettings' Outputs: UserSettingsTableArn: Description: 'The ARN for the cal2slack-usersettings table' 
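Review bot: The policy attached to the new `slackInstallRole` in the second hunk grants the install handler Scan, Query, GetItem, BatchGetItem, PutItem and UpdateItem on the cal2slack-usersettings table, GetSecretValue under the whole secrets prefix, and log writes on every `/aws/lambda/*` log group, which reads as a copy of the existing slackbot policy rather than the subset an install endpoint uses. If a separate role is meant to scope this function on its own, trim the table actions to those the install handler actually performs (the handler is not visible from the hunk) and narrow the logs resource from `'log-group:/aws/lambda/*:*:*'` to the function's own log group. A short comment above the inline policy, e.g. `# Install handler only: keep this narrower than slackbotRole`, would keep the two policies from drifting back together. The hard-coded `PolicyName` in this hunk is already moved to configuration by the next patch in the series.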
From cd32be0c99f673f0904e914d07613868adaa774e Mon Sep 17 00:00:00 2001 From: Paul Poulsen Date: Thu, 24 Oct 2024 14:39:26 -0500 Subject: [PATCH 2/2] SK24 - Use configured names --- serverless-config.yml | 3 +++ serverless.yml | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/serverless-config.yml b/serverless-config.yml index 9d81c1b..a1c8c12 100644 --- a/serverless-config.yml +++ b/serverless-config.yml @@ -1,4 +1,7 @@ lambda: + install: + roleName: calendar2slack-prod-us-east-1-lambdaRole + policyName: calendar2slack-prod-us-east-1-lambdaRole-policy update: roleName: hudl-cal2slack-lambda-update policyName: hudl-cal2slack-lambda-update-policy diff --git a/serverless.yml b/serverless.yml index b819bf2..90c0df0 100644 --- a/serverless.yml +++ b/serverless.yml @@ -205,7 +205,7 @@ resources: Type: AWS::IAM::Role Properties: Path: / - RoleName: ${self:custom.lambda.slackbot.roleName} + RoleName: ${self:custom.lambda.install.roleName} AssumeRolePolicyDocument: Version: '2012-10-17' Statement: @@ -215,7 +215,7 @@ resources: - lambda.amazonaws.com Action: sts:AssumeRole Policies: - - PolicyName: calendar2slack-prod-us-east-1-lambdaRole + - PolicyName: ${self:custom.lambda.install.policyName} PolicyDocument: Version: '2012-10-17' Statement:
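Review bot: `roleName: calendar2slack-prod-us-east-1-lambdaRole` in the serverless-config.yml hunk bakes the stage and region into the install role name, unlike the sibling `update` entry, so a deploy of another stage or region would reuse or collide on the prod role name. If the value has to equal the pre-existing role this series is working around, record that next to it, e.g. `# must match the role left behind by earlier deploys; do not derive from stage/region`; otherwise derive it from the stage and region variables so each deployment gets its own role. The same fixed name is repeated in `policyName` on the following line.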
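Review bot: The `RoleName` on the changed line of the first serverless.yml hunk now resolves to `calendar2slack-prod-us-east-1-lambdaRole`, which from the patch title is the name of a role that already exists and could not be deleted; CloudFormation does not adopt existing IAM roles, and on a stack update it creates new resources before cleaning up old ones, so a new `AWS::IAM::Role` carrying an in-use name fails with an already-exists error. If that role is still in the account — I cannot tell from the hunk whether it has since been removed or imported into the stack — the deploy needs either a resource import or a name that is not in use. A comment on `RoleName` stating which role this is meant to replace would help the next reader either way. The `slackInstallRole` resource starts above and continues below this hunk.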