Adding ISR page to already created app doesn't update the IAM policy #1510

Open
3 tasks done
janario opened this issue Aug 6, 2021 · 3 comments
Comments

@janario
Contributor

janario commented Aug 6, 2021

Issue Summary

In a scenario where my application doesn't have ISR yet and all the resources were previously provisioned, by adding a page with ISR all the new resources get created but the IAM role of default lambda doesn't get updated.

Actual behavior

Adding new ISR page doesn't work.

Expected behavior

Adding new page feature should update the IAM policy

Steps to reproduce

  • create an app without ISR
  • add some ISR page
  • update the stack

Screenshots/Code/Configuration/Logs

Logs:

{
    "errorType": "AccessDenied",
    "errorMessage": "Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
    "Type": "Sender",
    "Code": "AccessDenied",
    "Detail": "",
    "name": "AccessDenied",
    "$fault": "client",
    "$metadata": {
        "httpStatusCode": 403,
        "requestId": "700ce142-f924-5041-a0e6-b8c5d45c40a6",
        "attempts": 1,
        "totalRetryDelay": 0
    },
    "stack": [
        "AccessDenied: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.",
        "    at /var/task/index-94ce7346.js:2068:68",
        "    at step (/var/task/serdePlugin-6d615471.js:91:23)",
        "    at Object.next (/var/task/serdePlugin-6d615471.js:72:53)",
        "    at fulfilled (/var/task/serdePlugin-6d615471.js:62:58)",
        "    at processTicksAndRejections (internal/process/task_queues.js:95:5)"
    ]
}

Policy not updated:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::pffaxfu-54g38jc/*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ]
        }
    ]
}

If I delete the IAM role it will get re-created but this time with the right policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::pffaxfu-54g38jc/*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "arn:aws:sqs:us-east-1:741788044765:pffaxfu-54g38jc.fifo",
            "Action": [
                "sqs:SendMessage"
            ]
        }
    ]
}

Only then, with the new policy, it starts to work again.

Versions

  • OS/Environment:
  • @sls-next/serverless-component version: 3.2.0
  • Next.js version: 11

Additional context

Checklist

  • You have reviewed the README and FAQs, which answers several common questions.
  • You have reviewed our DEBUGGING wiki and have tried your best to include complete information and reproduction steps (including your configuration) as is possible.
  • You have first tried using the most recent latest or alpha @sls-next/serverless-component release version, which may have already fixed your issue or implemented the feature you are trying to use. Note that the old serverless-next.js component and the serverless-next.js plugin are deprecated and no longer maintained.

@mathvbarone
Contributor

I am having the exact same issue here!

@janario
Contributor Author

janario commented Aug 6, 2021

As pointed out here: #1098 (comment)

If using a predefined IAM policy, I had to manually add the SQS permissions to the policy. (maybe that is normal, not sure).

I guess it was a similar issue

@dphang
Collaborator

dphang commented Aug 12, 2021

Yea, I guess for now you need to manually update the default lambda policy =/

I guess it should be this code that needs to be updated to update the policy:

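    // pick, not and equals are called Ramda-style here; the import is assumed,
    // it is not shown in the excerpt.
    const { pick, not, equals } = require("ramda");

    // Decide whether the Lambda needs updating by comparing selected inputs
    // with the previously saved ones.
    const configChanged = (prevLambda, lambda) => {
      const keys = [
        "description",
        "runtime",
        "role",
        "handler",
        "memory",
        "timeout",
        "env",
        "hash"
      ];
      const inputs = pick(keys, lambda);
      inputs.role = { arn: inputs.role.arn }; // remove other inputs.role component outputs
      const prevInputs = pick(keys, prevLambda);
      return not(equals(inputs, prevInputs));
    };

Right now it seems to be checking the ARN only?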
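The comparison quoted in the comment above reduces the role to its ARN, so a change that touches only the policy document is invisible to it. The following is an added example, not code from the project: it reproduces that comparison without dependencies, holds every other key constant, and contrasts it with a hypothetical variant that keeps the policy in the comparison. The `role.policy` field, the shape of the saved state, and all ARNs and values are assumptions constructed for illustration.

```javascript
const { isDeepStrictEqual } = require("util");

// Dependency-free stand-in for Ramda's pick(keys, obj).
const pick = (keys, obj) =>
  Object.fromEntries(keys.filter((k) => k in obj).map((k) => [k, obj[k]]));

const KEYS = ["description", "runtime", "role", "handler", "memory", "timeout", "env", "hash"];

// Same comparison as the quoted snippet: the new role is reduced to its ARN.
const configChangedArnOnly = (prevLambda, lambda) => {
  const inputs = pick(KEYS, lambda);
  inputs.role = { arn: inputs.role.arn };
  return !isDeepStrictEqual(inputs, pick(KEYS, prevLambda));
};

// Hypothetical variant: the policy document takes part in the comparison.
// Assumes role.policy is available on both the saved and the new inputs.
const withPolicy = (l) => ({
  ...pick(KEYS, l),
  role: { arn: l.role.arn, policy: l.role.policy }
});
const configChangedWithPolicy = (prevLambda, lambda) =>
  !isDeepStrictEqual(withPolicy(lambda), withPolicy(prevLambda));

// Constructed sample data: placeholder ARNs, same role ARN before and after.
const allow = (Resource, Action) => ({ Effect: "Allow", Resource, Action });
const doc = (...Statement) => ({ Version: "2012-10-17", Statement });
const s3 = allow("arn:aws:s3:::example-bucket/*", ["s3:GetObject", "s3:PutObject"]);
const sqs = allow("arn:aws:sqs:us-east-1:111122223333:example-bucket.fifo", ["sqs:SendMessage"]);
const roleArn = "arn:aws:iam::111122223333:role/example-default-lambda";
const base = { runtime: "nodejs14.x", handler: "index.handler", memory: 512, timeout: 10, hash: "abc" };

// Assumed saved state for the ARN-only check: the role is stored as { arn }.
const storedArnOnly = { ...base, role: { arn: roleArn } };
// Assumed saved state for the variant: the last applied policy is stored too.
const storedWithPolicy = { ...base, role: { arn: roleArn, policy: doc(s3) } };
// New inputs after adding an ISR page: same ARN, policy now needs sqs:SendMessage.
const nextLambda = { ...base, role: { arn: roleArn, policy: doc(s3, sqs) } };

console.log("ARN-only comparison sees a change:", configChangedArnOnly(storedArnOnly, nextLambda));
console.log("Policy-aware comparison sees a change:", configChangedWithPolicy(storedWithPolicy, nextLambda));
```
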
