08 2020 codeploy servicerole

Jeff Griffiths (@aws) edited this page Nov 17, 2020 · 3 revisions

Unnecessary CodeDeploy service role when a template contains at least one enabled and one disabled DeploymentPreference

As of Sept 3, 2020, the SAM CLI will produce a warning for customers deploying applications that may be affected by an issue in SAM where an unnecessary CodeDeploy service role is created when your application template contains at least one enabled and one disabled DeploymentPreference. In the future, the SAM translator will no longer create this additional service role as part of the deployment process, and any existing service role will be removed as part of the deployment process. While most SAM users will not notice this difference, you may be impacted if your application or other AWS services directly reference the extra service role.

To address this issue in your application you have two options:

  1. Set the 'Enabled' property of the DeploymentPreference in your SAM application template to 'true' instead of 'false'.

     This will no longer create the service role:

         preTrafficHook:
             Type: AWS::Serverless::Function
             Properties:
               ...
               DeploymentPreference:
                 Enabled: false
                 Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
                 Type: Linear10PercentEvery1Minute

     This will still create the service role:

         preTrafficHook:
             Type: AWS::Serverless::Function
             Properties:
               ...
               DeploymentPreference:
                 Enabled: true
                 Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
                 Type: Linear10PercentEvery1Minute

  2. Change existing references to the extra service role to another manually created service role that will not be removed as a by-product of the application deployment.

For more information on the root cause and resolution of this issue, please see this GitHub issue.
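A check you can run against a template to see whether it matches the condition described above and whether anything in it references the extra role (an added example, not part of SAM or of the original page). It assumes the generated role's logical ID is `CodeDeployServiceRole`, that an omitted `Enabled` means enabled, and that the template is JSON or an already-parsed dict; `preference_states`, `role_references` and `audit` are names made up for this example.

```python
import json

# Assumption: "CodeDeployServiceRole" is the logical ID SAM gives the generated role.
GENERATED_ROLE = "CodeDeployServiceRole"

def preference_states(template):
    """Map each function that has a DeploymentPreference to True, False or None."""
    states = {}
    for name, res in template.get("Resources", {}).items():
        pref = res.get("Properties", {}).get("DeploymentPreference")
        if res.get("Type") != "AWS::Serverless::Function" or pref is None:
            continue
        enabled = pref.get("Enabled", True)  # assumption: omitted means enabled
        if isinstance(enabled, str):  # the page quotes 'true' / 'false'
            enabled = {"true": True, "false": False}.get(enabled.lower())
        # Intrinsic functions (dicts) cannot be resolved offline: report None.
        states[name] = enabled if isinstance(enabled, bool) else None
    return states

def role_references(node, path="$"):
    """Yield paths of Ref / Fn::GetAtt nodes that target the generated role.
    Fn::Sub strings are not scanned."""
    if isinstance(node, dict):
        for key, val in node.items():
            target = val[0] if isinstance(val, list) and val else val
            if (key in ("Ref", "Fn::GetAtt") and isinstance(target, str)
                    and target.split(".")[0] == GENERATED_ROLE):
                yield path
            else:
                yield from role_references(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from role_references(item, f"{path}[{i}]")

def audit(template):
    """Report the mixed enabled/disabled condition and references to the role."""
    states = preference_states(template)
    mixed = True in states.values() and False in states.values()
    return {"mixed": mixed, "states": states,
            "references": sorted(role_references(template))}

# Constructed sample template (JSON form of a SAM template), not from the page.
SAMPLE = json.loads("""{"Resources": {
  "preTrafficHook": {"Type": "AWS::Serverless::Function", "Properties": {
    "DeploymentPreference": {"Enabled": false, "Type": "Linear10PercentEvery1Minute",
      "Role": "arn:aws:iam::123456789999:role/custom-codedeploy-servicerole"}}},
  "apiHandler": {"Type": "AWS::Serverless::Function", "Properties": {
    "DeploymentPreference": {"Enabled": true, "Type": "Linear10PercentEvery1Minute"}}}},
 "Outputs": {"DeployRole": {"Value": {"Fn::GetAtt": ["CodeDeployServiceRole", "Arn"]}}}}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

References outside the template, such as other stacks or IAM policies that name the role, are not visible to this check and have to be reviewed separately.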