diff --git a/docs/deprecations.md b/docs/deprecations.md
index e734d9f9567..d5d5b5102c1 100644
--- a/docs/deprecations.md
+++ b/docs/deprecations.md
@@ -73,3 +73,9 @@ Please use `onUnauthenticatedRequest` instead. `allowUnauthenticated` will be re
 ## `bin/serverless`
 Please use `bin/serverless.js` instead. `bin/serverless` will be removed with v2.0.0
+
+
 
+
+## awsKmsKeyArn references
+
+Plase use `provider.kmsKeyArn` and `functions[].kmsKeyArn`. `service.awsKmsKeyArn` and `functions[].awsKmsKeyArn` will be removed with v3.0.0
diff --git a/lib/configSchema.js b/lib/configSchema.js
index 4fb47304729..f035a16f011 100644
--- a/lib/configSchema.js
+++ b/lib/configSchema.js
@@ -125,7 +125,7 @@ const schema = {
 additionalProperties: false,
 required: ['provider', 'service'],
 definitions: {
- // TODO: awsKmsArn definition to be moved to lib/plugins/aws/provider/awsProvider.js once service.awsKmsKeyArn moved to provider.awsKmsKeyArn, see https://github.com/serverless/serverless/issues/8261
+ // TODO: awsKmsArn definition to be moved to lib/plugins/aws/provider/awsProvider.js once service.awsKmsKeyArn removed with v3.0.0, see https://github.com/serverless/serverless/issues/8261
 // TODO: awsKmsArn to include #/definitions/awsCfFunction instead of type: object as one of the possible definition, see https://github.com/serverless/serverless/issues/8261
 awsKmsArn: {
 anyOf: [{ type: 'object' }, { type: 'string', pattern: '^arn:aws[a-z-]*:kms' }],
diff --git a/lib/plugins/aws/package/compile/functions/index.js b/lib/plugins/aws/package/compile/functions/index.js
index 9e676864809..c39da6a05a2 100644
--- a/lib/plugins/aws/package/compile/functions/index.js
+++ b/lib/plugins/aws/package/compile/functions/index.js
@@ -210,12 +210,32 @@ class AwsCompileFunctions {
 }
 }
+ let kmsKeyArn;
 const serviceObj = this.serverless.service.serviceObject;
- if (functionObject.awsKmsKeyArn || (serviceObj && serviceObj.awsKmsKeyArn)) {
- const arn = functionObject.awsKmsKeyArn || (serviceObj && serviceObj.awsKmsKeyArn);
+ if (serviceObj && serviceObj.awsKmsKeyArn) {
+ this.serverless._logDeprecation(
+ 'AWS_KMS_KEY_ARN',
+ 'Starting with next major version, awsKmsKeyArn service property will be replaced by provider.kmsKeyArn'
+ );
+ kmsKeyArn = serviceObj.awsKmsKeyArn;
+ }
+ if (this.serverless.service.provider.kmsKeyArn) {
+ kmsKeyArn = this.serverless.service.provider.kmsKeyArn;
+ }
+ if (functionObject.awsKmsKeyArn) {
+ this.serverless._logDeprecation(
+ 'AWS_KMS_KEY_ARN',
+ 'Starting with next major version, awsKmsKeyArn function property will be replaced by kmsKeyArn'
+ );
+ kmsKeyArn = functionObject.awsKmsKeyArn;
+ }
+ if (functionObject.kmsKeyArn) {
+ kmsKeyArn = functionObject.kmsKeyArn;
+ }
- if (typeof arn === 'string') {
- functionResource.Properties.KmsKeyArn = arn;
+ if (kmsKeyArn) {
+ if (typeof kmsKeyArn === 'string') {
+ functionResource.Properties.KmsKeyArn = kmsKeyArn;
 // update the PolicyDocument statements (if default policy is used)
 const iamRoleLambdaExecution = cfTemplate.Resources.IamRoleLambdaExecution;
@@ -226,14 +246,14 @@ class AwsCompileFunctions {
 {
 Effect: 'Allow',
 Action: ['kms:Decrypt'],
- Resource: [arn],
+ Resource: [kmsKeyArn],
 },
 ],
 _.isEqual
 );
 }
 } else {
- functionResource.Properties.KmsKeyArn = arn;
+ functionResource.Properties.KmsKeyArn = kmsKeyArn;
 }
 }
diff --git a/lib/plugins/aws/provider/awsProvider.js b/lib/plugins/aws/provider/awsProvider.js
index 02d11b10f81..d5a4126d15d 100644
--- a/lib/plugins/aws/provider/awsProvider.js
+++ b/lib/plugins/aws/provider/awsProvider.js
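Review bot: The four `if` blocks that assign `kmsKeyArn` in the first hunk encode a precedence (service `awsKmsKeyArn`, then `provider.kmsKeyArn`, then function `awsKmsKeyArn`, then function `kmsKeyArn`, last assignment wins) that is stated nowhere, and a config that sets both a deprecated and a new property to different keys is resolved silently. Because the resolved value becomes both `Properties.KmsKeyArn` and the `Resource` of the `kms:Decrypt` statement, I would document the order above the first block, e.g. `// Precedence, lowest to highest: service.awsKmsKeyArn, provider.kmsKeyArn, functions[].awsKmsKeyArn, functions[].kmsKeyArn`. Both `_logDeprecation` calls also reuse the code `AWS_KMS_KEY_ARN`; if deprecations are de-duplicated by code (not visible here), the function-level message may never be shown once the service-level one has fired. The enclosing method starts and ends outside the hunk.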
@@ -386,6 +386,7 @@ class AwsProvider {
 },
 additionalProperties: false,
 },
+ kmsKeyArn: { $ref: '#/definitions/awsKmsArn' },
 layers: { $ref: '#/definitions/awsLambdaLayers' },
 logs: {
 type: 'object',
@@ -470,6 +471,7 @@ class AwsProvider {
 required: ['localMountPath', 'arn'],
 },
 handler: { type: 'string' },
+ kmsKeyArn: { $ref: '#/definitions/awsKmsArn' },
 layers: { $ref: '#/definitions/awsLambdaLayers' },
 memorySize: { $ref: '#/definitions/awsLambdaMemorySize' },
 onError: {
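Review bot: Both new `kmsKeyArn` properties (provider level in the `@@ -386,6 +386,7 @@` hunk, function level in the `@@ -470,6 +471,7 @@` hunk) rely on `#/definitions/awsKmsArn`, which in `lib/configSchema.js` accepts any object and any string that merely starts with a match for `^arn:aws[a-z-]*:kms`. A string value is copied into the `Resource` list of the `kms:Decrypt` statement by the function compiler, so a malformed or wildcard ARN passes schema validation and reaches the IAM policy. Consider tightening the string branch of the definition in a follow-up so it describes a full key ARN (partition, region, account id and `key/` segment), and adding a short comment next to each property noting that object values appear to be meant for CloudFormation intrinsic functions, as the TODO in `lib/configSchema.js` suggests. Both hunks sit inside a schema object whose start and end are outside the hunk.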