Unnecessary CodeDeployServiceRole created when template contains at least one enabled and one disabled DeploymentPreference #1496

@robertsigler

Description:

I want to create a SAM template which uses a DeploymentPreference to specify how it should be deployed. However, I do not want SAM to create a CodeDeploy service role on my behalf--I want to provide a custom one. When I have at least one enabled DeploymentPreference, and at least one disabled DeploymentPreference in my template, the default CodeDeployServiceRole gets created in the 'translated' template, even if you provide your custom Role for every DeploymentPreference.

It looks like this is happening because the role field on the DeploymentPreference object is None for a disabled deployment preference, even when a role is provided. The disabled deployment preference is included in the list of deployment preferences that are considered in can_skip_service_role() (https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/model/preferences/deployment_preference_collection.py#L73) even though maybe it shouldn't be.

Steps to reproduce the issue:

  1. Run bin/sam-translate.py on the following template:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Template with unnecessary service role

Resources:

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: lambda.lambda_handler
      Role: arn:aws:iam::123456789999:role/lambda-role
      Runtime: python3.7
      CodeUri: s3://bucket/key
      AutoPublishAlias: live
      DeploymentPreference:
        Type: Linear10PercentEvery1Minute
        Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
        Hooks:
          PreTraffic: !Ref preTrafficHook
        Events:
          Api:
            Type: Api
            Properties:
              Path: /test
              Method: get

  preTrafficHook:
    Type: AWS::Serverless::Function
    Properties:
      Handler: hook.lambda_handler
      Role: arn:aws:iam::123456789999:role/lambda-role
      Runtime: python3.7
      CodeUri: s3://bucket/key
      FunctionName: 'CodeDeployHook_preTrafficHook'
      AutoPublishAlias: live
      DeploymentPreference:
        Enabled: false
        Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
        Type: Linear10PercentEvery1Minute
      Timeout: 5
      Environment:
        Variables:
          NewVersion: !Ref Function.Version
```

Observed result:
The output template contains a resource called "CodeDeployServiceRole" which is not used anywhere.

Expected result:
The output template does not contain a resource called "CodeDeployServiceRole".
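
A check for the condition reported above, as an added example (not code from this issue or from the SAM project): it walks a translated template and lists `AWS::IAM::Role` resources that no other resource or output references, which is how the leftover `CodeDeployServiceRole` shows up. The function names are hypothetical and `SAMPLE` is a constructed, trimmed stand-in for the translator's output.

```python
import re

def _refs(node):
    """Yield logical IDs referenced via Ref, Fn::GetAtt, Fn::Sub or DependsOn."""
    if isinstance(node, list):
        for item in node:
            yield from _refs(item)
    elif isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                yield val
            elif key == "Fn::GetAtt":
                # Accept both ["Id", "Attr"] and "Id.Attr".
                yield val[0] if isinstance(val, list) else val.split(".")[0]
            elif key == "DependsOn":
                yield from ([val] if isinstance(val, str) else val)
            elif key == "Fn::Sub":
                text, extra = (val[0], val[1]) if isinstance(val, list) else (val, {})
                # ${Id} or ${Id.Attr}; pseudo parameters such as ${AWS::Region} do not match.
                yield from re.findall(r"\$\{([A-Za-z0-9]+)[.}]", text)
                yield from _refs(extra)
            else:
                yield from _refs(val)

def unreferenced_roles(template):
    """Return sorted logical IDs of IAM roles nothing else in the template uses."""
    resources = template.get("Resources", {})
    used = set()
    for logical_id, body in resources.items():
        used.update(r for r in _refs(body) if r != logical_id)  # ignore self-references
    used.update(_refs(template.get("Outputs", {})))
    return sorted(rid for rid, body in resources.items()
                  if body.get("Type") == "AWS::IAM::Role" and rid not in used)

# Constructed sample: the deployment group uses the custom role ARN from the
# issue's template, so the generated role is left with no consumer.
CUSTOM_ROLE = "arn:aws:iam::123456789999:role/custom-codedeploy-servicerole"
SAMPLE = {"Resources": {
    "CodeDeployServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": ["sts:AssumeRole"],
            "Principal": {"Service": ["codedeploy.amazonaws.com"]}}]}}},
    "ServerlessDeploymentApplication": {"Type": "AWS::CodeDeploy::Application",
                                        "Properties": {"ComputePlatform": "Lambda"}},
    "FunctionDeploymentGroup": {"Type": "AWS::CodeDeploy::DeploymentGroup", "Properties": {
        "ApplicationName": {"Ref": "ServerlessDeploymentApplication"},
        "ServiceRoleArn": CUSTOM_ROLE}},
}}

if __name__ == "__main__":
    print(unreferenced_roles(SAMPLE))
```

Run against the JSON written by bin/sam-translate.py (loaded with `json.load`), a non-empty result flags roles that would be deployed without any consumer.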
