DLQ wrong SNS permissions while SQS resource set
Issue description:
The plugin adds an sns:Publish permission when a function has an onError definition, and doesn't take into account that it might be an SQS resource ARN.
Steps to reproduce:
- Define any function with an `onError` property mapped to an SQS resource:

```yaml
functions:
  function_name_here:
    handler: functions/function_name_here/index.handler
    iamRoleStatementsName: "function_name_here_lambda_role"
    iamRoleStatements:
      - ${file(../../function_name_here.yml)}
    onError:
      Fn::GetAtt: [QueueNameDeadLetterQueue, Arn]
```

- Define the SQS resource:

```yaml
Resources:
  QueueNameDeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SomeNameDeadLetterQueue"
```

- Deploy your code with `sls deploy`
Expected result: No useless permissions should be added
Current result: Useless permissions added:

```json
{
  "Action": [
    "sns:Publish"
  ],
  "Resource": "arn:aws:sqs:{region_here}:{accountId_here}:SomeNameDeadLetterQueue",
  "Effect": "Allow"
}
```
Background:
Serverless added support for DLQ setup with the onError function property here. However, it has a strange concurrency issue described in the docs. But the community still has some workarounds and, moreover, it's hard to reproduce (that's why it's not fixed yet), so most people (like me) use it as is without any issues.
TBD:
As a possible solution, I recommend deleting the additional policy definitions when the onError property is set in the function definition.
If we want to keep backward compatibility, we could add a configuration property like addOnErrorPolicy: boolean.
Looking forward to your comments. Thanks in advance.
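One alternative to dropping the statement entirely is to grant only the action that matches the target's service. The following is an added illustration written for this issue, not code from the plugin or from Serverless: the helper names (`onErrorService`, `onErrorStatement`) are hypothetical, and it assumes a plugin could look up the `Resources` section of the stack to resolve an `Fn::GetAtt` target's type before deployment. When the service cannot be determined, it adds no permission rather than a wrong one, which is the least-privilege default.

```javascript
// Added illustration (not the plugin's own code): choose the IAM action for an
// onError target from the target's service instead of always using sns:Publish.
// Helper names are hypothetical; the Resources lookup is an assumption about how
// a plugin could resolve Fn::GetAtt before the stack is deployed.

// Least-privilege action needed to deliver a failed invocation to each service.
const ACTION_BY_SERVICE = {
  sns: 'sns:Publish',
  sqs: 'sqs:SendMessage',
};

// CloudFormation resource types that can serve as a DLQ target.
const SERVICE_BY_CFN_TYPE = {
  'AWS::SNS::Topic': 'sns',
  'AWS::SQS::Queue': 'sqs',
};

// Return 'sns', 'sqs' or null for an onError value that is either a literal ARN
// (arn:partition:service:region:account:resource) or a CloudFormation intrinsic
// ({ 'Fn::GetAtt': [LogicalId, 'Arn'] }) resolved against the stack's Resources.
function onErrorService(onError, resources = {}) {
  if (typeof onError === 'string') {
    const parts = onError.split(':');
    if (parts.length < 6 || parts[0] !== 'arn') return null;
    const service = parts[2];
    return ACTION_BY_SERVICE[service] ? service : null;
  }
  if (onError && Array.isArray(onError['Fn::GetAtt'])) {
    const [logicalId, attribute] = onError['Fn::GetAtt'];
    if (attribute !== 'Arn') return null;
    const resource = resources[logicalId];
    return resource ? SERVICE_BY_CFN_TYPE[resource.Type] || null : null;
  }
  return null;
}

// Build the IAM statement for the DLQ target, or null when the service is unknown
// so that no permission is added instead of an incorrect one.
function onErrorStatement(onError, resources = {}) {
  const service = onErrorService(onError, resources);
  if (!service) return null;
  return {
    Effect: 'Allow',
    Action: [ACTION_BY_SERVICE[service]],
    // The string ARN or the intrinsic is passed through unchanged so
    // CloudFormation resolves it at deploy time.
    Resource: onError,
  };
}

// Constructed sample mirroring the Resources section from the reproduction above.
const sampleResources = {
  QueueNameDeadLetterQueue: {
    Type: 'AWS::SQS::Queue',
    Properties: { QueueName: 'SomeNameDeadLetterQueue' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const onError = { 'Fn::GetAtt': ['QueueNameDeadLetterQueue', 'Arn'] };
  console.log(JSON.stringify(onErrorStatement(onError, sampleResources), null, 2));
}
```

Running the block prints an `sqs:SendMessage` statement for the queue from the reproduction; an `Fn::GetAtt` pointing at an `AWS::SNS::Topic` yields `sns:Publish`, and a logical ID missing from `Resources` yields `null`, so nothing is granted.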
@glicht any comment on this?