Deprecate awsKmsKeyArn for provider and functoin kmsKeyArn

docs/deprecations.md

@@ -73,3 +73,9 @@ Please use `onUnauthenticatedRequest` instead. `allowUnauthenticated` will be re
 ## `bin/serverless`
 
 Please use `bin/serverless.js` instead. `bin/serverless` will be removed with v2.0.0
+
+<a name="AWS_KMS_KEY_ARN"><div>&nbsp;</div></a>
+
+## awsKmsKeyArn references
+
+Plase use `provider.kmsKeyArn` and `functions[].kmsKeyArn`. `service.awsKmsKeyArn` and `functions[].awsKmsKeyArn` will be removed with v3.0.0

lib/configSchema.js

@@ -125,7 +125,7 @@ const schema = {
   additionalProperties: false,
   required: ['provider', 'service'],
   definitions: {
-    // TODO: awsKmsArn definition to be moved to lib/plugins/aws/provider/awsProvider.js once service.awsKmsKeyArn moved to provider.awsKmsKeyArn, see https://github.com/serverless/serverless/issues/8261
+    // TODO: awsKmsArn definition to be moved to lib/plugins/aws/provider/awsProvider.js once service.awsKmsKeyArn removed with v3.0.0, see https://github.com/serverless/serverless/issues/8261
     // TODO: awsKmsArn to include #/definitions/awsCfFunction instead of type: object as one of the possible definition, see https://github.com/serverless/serverless/issues/8261
     awsKmsArn: {
       anyOf: [{ type: 'object' }, { type: 'string', pattern: '^arn:aws[a-z-]*:kms' }],

lib/plugins/aws/package/compile/functions/index.js

@@ -210,12 +210,32 @@ class AwsCompileFunctions {
         }
       }
 
+      let kmsKeyArn;
       const serviceObj = this.serverless.service.serviceObject;
-      if (functionObject.awsKmsKeyArn || (serviceObj && serviceObj.awsKmsKeyArn)) {
-        const arn = functionObject.awsKmsKeyArn || (serviceObj && serviceObj.awsKmsKeyArn);
+      if (serviceObj && serviceObj.awsKmsKeyArn) {
+        this.serverless._logDeprecation(
+          'AWS_KMS_KEY_ARN',
+          'Starting with next major version, awsKmsKeyArn service property will be replaced by provider.kmsKeyArn'
+        );
+        kmsKeyArn = serviceObj.awsKmsKeyArn;
+      }
+      if (this.serverless.service.provider.kmsKeyArn) {
+        kmsKeyArn = this.serverless.service.provider.kmsKeyArn;
+      }
+      if (functionObject.awsKmsKeyArn) {
+        this.serverless._logDeprecation(
+          'AWS_KMS_KEY_ARN',
+          'Starting with next major version, awsKmsKeyArn function property will be replaced by kmsKeyArn'
+        );
+        kmsKeyArn = functionObject.awsKmsKeyArn;
+      }
+      if (functionObject.kmsKeyArn) {
+        kmsKeyArn = functionObject.kmsKeyArn;
+      }
 
-        if (typeof arn === 'string') {
-          functionResource.Properties.KmsKeyArn = arn;
+      if (kmsKeyArn) {
+        if (typeof kmsKeyArn === 'string') {
+          functionResource.Properties.KmsKeyArn = kmsKeyArn;
 
           // update the PolicyDocument statements (if default policy is used)
           const iamRoleLambdaExecution = cfTemplate.Resources.IamRoleLambdaExecution;
@@ -226,14 +246,14 @@ class AwsCompileFunctions {
                 {
                   Effect: 'Allow',
                   Action: ['kms:Decrypt'],
-                  Resource: [arn],
+                  Resource: [kmsKeyArn],
                 },
               ],
               _.isEqual
             );
           }
         } else {
-          functionResource.Properties.KmsKeyArn = arn;
+          functionResource.Properties.KmsKeyArn = kmsKeyArn;
         }
       }
 

lib/plugins/aws/provider/awsProvider.js

@@ -385,6 +385,7 @@ class AwsProvider {
               },
               additionalProperties: false,
             },
+            kmsKeyArn: { $ref: '#/definitions/awsKmsArn' },
             layers: { $ref: '#/definitions/awsLambdaLayers' },
             logs: {
               type: 'object',
@@ -469,6 +470,7 @@ class AwsProvider {
               required: ['localMountPath', 'arn'],
             },
             handler: { type: 'string' },
+            kmsKeyArn: { $ref: '#/definitions/awsKmsArn' },
             layers: { $ref: '#/definitions/awsLambdaLayers' },
             memorySize: { $ref: '#/definitions/awsLambdaMemorySize' },
             onError: {