AWSLambdaVPCAccessExecutionRole is added in VPC configured lambdas even if it was manually added
jigarzon opened this issue · comments
Juan Ignacio Garzón commented
Are you certain it's a bug?
- Yes, it looks like a bug
Is the issue caused by a plugin?
- It is not a plugin issue
Are you using the latest v3 release?
- Yes, I'm using the latest v3 release
Is there an existing issue for this?
- I have searched existing issues, it hasn't been reported yet
Issue description
Serverless has a mechanism that adds the AWSLambdaVPCAccessExecutionRole policy if a VPC configuration is detected. But in case the user didn't read the Serverless configuration deeply enough to know that detail, and added the policy manually, which is something that makes sense, the failure is very hard to debug:
Properties validation failed for resource IamRoleLambdaExecution with message:
#/ManagedPolicyArns: array items are not unique
Solution:
- the mechanism that adds AWSLambdaVPCAccessExecutionRole should check that the policy doesn't already exist.
Service configuration (serverless.yml) content
import type { AWS } from '@serverless/typescript';
import { generateJob } from '@/functions/generate-job';
import { processJob } from '@/functions/process-job';

const serverlessConfiguration: AWS = {
  service: 'test',
  frameworkVersion: '3',
  plugins: ['serverless-esbuild', 'serverless-offline', 'serverless-dotenv-plugin'],
  provider: {
    name: 'aws',
    runtime: 'nodejs18.x',
    vpc: {
      securityGroupIds: [
        '${env:VPC_SECURITY_GROUP_ID}'
      ],
      subnetIds: [
        '${env:VPC_SUBNET_1}',
        '${env:VPC_SUBNET_2}',
        '${env:VPC_SUBNET_3}',
      ]
    },
    iam: {
      role: {
        statements: [
          {
            "Effect": "Allow",
            "Action": "elasticache:*",
            "Resource": "${env:ELASTIC_CACHE_ARN}"
          },
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:TagResource",
              "logs:CreateLogGroup",
              "logs:PutLogEvents"
            ],
            "Resource": [
              "${env:LOG_GROUP_1_ARN}",
              "${env:LOG_GROUP_2_ARN}"
            ]
          },
        ],
        managedPolicies: [
          'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
        ]
      },
    }
  },
  functions: {
    generateJob,
    processJob,
  },
  package: { individually: true },
  custom: {
    esbuild: {
      bundle: true,
      minify: false,
      sourcemap: true,
      exclude: ['aws-sdk'],
      target: 'node18',
      define: { 'require.resolve': undefined },
      platform: 'node',
      concurrency: 10,
    },
  },
  useDotenv: true,
  resources: {}
};

module.exports = serverlessConfiguration;
Command name and used flags
sls deploy --stage dev
Command output
Running "serverless" from node_modules
Pipeline environment detected, using Secret Manager: [hidden]
Pipeline environment detected, using Secret Manager: [hidden]
DOTENV: Could not find .env file.
Deploying [hidden] to stage dev (us-east-1)
Warning: Function (processJob) timeout setting (300) is greater than maximum allowed timeout for HTTP API endpoint (30s). This may introduce a situation where endpoint times out for a successful lambda invocation.
× Stack [hidden] failed to deploy (66s)
Environment: linux, node 18.18.0, framework 3.38.0 (local) 3.38.0v (global), plugin 7.2.0, SDK 4.5.1
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
Error:
CREATE_FAILED: IamRoleLambdaExecution (AWS::IAM::Role)
Properties validation failed for resource IamRoleLambdaExecution with message:
#/ManagedPolicyArns: array items are not unique
View the full error: [hidden]
Cleaning up project directory and file based variables
Environment information
Framework Core: 3.38.0 (local)
Plugin: 7.2.0
SDK: 4.5.1
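The fix the issue asks for, as an added example that is not part of the Serverless Framework code: merge the framework-added VPC policy with the user's managedPolicies only when it is not already present, and a pre-deploy check over the compiled CloudFormation template that reports duplicate ManagedPolicyArns before CloudFormation rejects the role. hasVpcConfig, buildManagedPolicyArns and findDuplicateManagedPolicyArns are hypothetical helper names; the provider sample is constructed to mirror the issue's configuration.

```javascript
// Added example, not Serverless Framework source. Shows how the VPC managed
// policy can be added without duplicating a user-supplied entry.

const VPC_ACCESS_POLICY_ARN =
  'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole';

// Hypothetical helper: the framework appends the VPC policy whenever any
// VPC settings are present on the provider.
function hasVpcConfig(provider) {
  const vpc = provider.vpc;
  return Boolean(vpc && (vpc.securityGroupIds?.length || vpc.subnetIds?.length));
}

// Build ManagedPolicyArns for IamRoleLambdaExecution: user policies first,
// the VPC policy appended only if absent, then a final dedupe so the
// CloudFormation "array items are not unique" check cannot fail.
function buildManagedPolicyArns(provider) {
  const arns = [...(provider.iam?.role?.managedPolicies ?? [])];
  if (hasVpcConfig(provider) && !arns.includes(VPC_ACCESS_POLICY_ARN)) {
    arns.push(VPC_ACCESS_POLICY_ARN);
  }
  return [...new Set(arns)];
}

// Defensive check a plugin or CI step could run over the compiled template
// (e.g. .serverless/cloudformation-template-update-stack.json): list every
// IAM role whose ManagedPolicyArns contains repeated entries.
function findDuplicateManagedPolicyArns(template) {
  const problems = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const arns = res.Properties?.ManagedPolicyArns ?? [];
    const dupes = arns.filter((arn, i) => arns.indexOf(arn) !== i);
    if (dupes.length) problems.push({ logicalId, duplicates: [...new Set(dupes)] });
  }
  return problems;
}

// Constructed sample mirroring the issue: VPC configured and the VPC policy
// also listed manually under iam.role.managedPolicies.
const providerFromIssue = {
  name: 'aws',
  vpc: { securityGroupIds: ['sg-example'], subnetIds: ['subnet-a', 'subnet-b'] },
  iam: { role: { managedPolicies: [VPC_ACCESS_POLICY_ARN] } },
};

console.log(buildManagedPolicyArns(providerFromIssue)); // single entry, no duplicate
```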