iamRoleStatements.Resource error on Fn::Join #8365

Closed
devpow112 opened this issue Oct 8, 2020 · 1 comment · Fixed by #8366

@devpow112
Contributor

Before the latest updates to schema validation, doing the following worked without warning:

iamRoleStatements:
  - Effect: Allow
    Action:
      - secretsmanager:GetSecretValue
      - secretsmanager:DescribeSecret
    Resource:
      Fn::Join:
        - ':'
        - - arn:aws:secretsmanager
          - Ref: AWS::Region
          - Ref: AWS::AccountId
          - secret
          - '*'

This now causes schema validation issues as only constants or arrays of arn/cffunctions are allowed now.

serverless.yml
service: test

package:
  individually: true
  excludeDevDependencies: false
  include:
    - package.json
  exclude:
    - ./**

provider:
  name: aws
  runtime: nodejs12.x
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - secretsmanager:GetSecretValue
        - secretsmanager:DescribeSecret
      Resource:
        Fn::Join:
          - ':'
          - - arn:aws:secretsmanager
            - Ref: AWS::Region
            - Ref: AWS::AccountId
            - secret
            - '*'

serverless package output
Serverless Error ---------------------------------------
 
Configuration error at 'provider.iamRoleStatements[1].Resource': should be equal to constant
 
Get Support --------------------------------------------
   Docs:          docs.serverless.com
   Bugs:          github.com/serverless/serverless/issues
   Issues:        forum.serverless.com
 
Your Environment Information ---------------------------
   Operating System:          linux
   Node Version:              12.18.4
   Framework Version:         2.5.0 (local)
   Plugin Version:            4.0.4
   SDK Version:               2.3.2
   Components Version:        3.2.1

Installed version

Framework Core: 2.5.0 (local)
Plugin: 4.0.4
SDK: 2.3.2
Components: 3.2.1

I believe this can simply be fixed by adjusting
https://github.com/serverless/serverless/blob/master/lib/plugins/aws/provider/awsProvider.js#L306
to also allow for CloudFormation functions outside of an array:

anyOf: [
  { const: '*' },
  { $ref: '#/definitions/awsArn' }, // new allowed type
  { type: 'array', items: { $ref: '#/definitions/awsArn' } }
],

I'm willing to put this fix in 😃

@medikoo
Contributor

medikoo commented Oct 8, 2020

@devpow112 indeed, thanks for the report!

It's a regression introduced with #8319 where by mistake this instruction was removed.

When investigating it, I've spotted some other parts of the schema that were also broken. I've prepared a fix that addresses all of them: #8366
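
The schema change proposed in the issue, as an added example that is not Serverless Framework code: a small JavaScript evaluator for the `anyOf` branches, run against the issue's `Fn::Join` resource to show that the extra branch accepts a single CloudFormation function while non-ARN strings are still rejected. The `definitions` object and its `keyPattern` keyword are simplified assumptions standing in for the framework's real `awsArn` definition.

```javascript
// Added example, not Serverless Framework code.
// Assumption: simplified stand-ins for the framework's `awsArn` definition.
// `keyPattern` is a made-up keyword for this sketch, not a JSON Schema one.
const definitions = {
  awsArn: {
    anyOf: [
      { $ref: '#/definitions/awsArnString' },
      { $ref: '#/definitions/awsCfFunction' },
    ],
  },
  awsArnString: { type: 'string', pattern: '^arn:' },
  awsCfFunction: { type: 'object', keyPattern: '^(Ref|Fn::[A-Za-z0-9]+)$' },
};

// Minimal evaluator for the few schema keywords used here.
function validate(schema, value) {
  if (schema.$ref) return validate(definitions[schema.$ref.split('/').pop()], value);
  if (schema.anyOf) return schema.anyOf.some((s) => validate(s, value));
  if ('const' in schema) return value === schema.const;
  if (schema.type === 'string') {
    return typeof value === 'string' && new RegExp(schema.pattern).test(value);
  }
  if (schema.type === 'array') {
    return Array.isArray(value) && value.every((v) => validate(schema.items, v));
  }
  if (schema.type === 'object') {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
    const keys = Object.keys(value);
    return keys.length === 1 && new RegExp(schema.keyPattern).test(keys[0]);
  }
  return false;
}

const arrayOfArns = { type: 'array', items: { $ref: '#/definitions/awsArn' } };
// Regressed schema described in the issue: constant or array only.
const resourceBefore = { anyOf: [{ const: '*' }, arrayOfArns] };
// Proposed schema: a single ARN or CloudFormation function is also allowed.
const resourceAfter = { anyOf: [{ const: '*' }, { $ref: '#/definitions/awsArn' }, arrayOfArns] };

// The Resource value from the issue's serverless.yml, as a JS object.
const joinedArn = {
  'Fn::Join': [':', ['arn:aws:secretsmanager', { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'secret', '*']],
};

function check(resource) {
  return { before: validate(resourceBefore, resource), after: validate(resourceAfter, resource) };
}

console.log(check(joinedArn));
console.log(check('secretsmanager:*'));
```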
