08 2020 codeploy servicerole
Unnecessary CodeDeploy service role when a template contains at least one enabled and one disabled DeploymentPreference
As of Sept 3, 2020, the SAM CLI will produce a warning for customers deploying applications that may be affected by an issue in SAM where an unnecessary CodeDeploy service role is created when your application template contains at least one enabled and one disabled DeploymentPreference. In the future, the SAM translator will no longer create this additional service role, and any existing service role will be removed as part of the deployment process. While most SAM users will not notice this difference, you may be impacted if your application or other AWS services directly reference the extra service role.
To address this issue in your application you have two options:
- set the 'Enabled' property of the DeploymentPreference in your SAM application template to 'true' instead of 'false'.

  This will no longer create the service role:

  ```yaml
  preTrafficHook:
    Type: AWS::Serverless::Function
    Properties:
      ...
      DeploymentPreference:
        Enabled: false
        Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
        Type: Linear10PercentEvery1Minute
  ```

  This will still create the service role:

  ```yaml
  preTrafficHook:
    Type: AWS::Serverless::Function
    Properties:
      ...
      DeploymentPreference:
        Enabled: true
        Role: arn:aws:iam::123456789999:role/custom-codedeploy-servicerole
        Type: Linear10PercentEvery1Minute
  ```
- change existing references to the extra service role to another manually created service role that will not be removed as a by-product of the application deployment.
For more information on the root cause and resolution of this issue, please see this GitHub issue.
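
A pre-deployment check for the condition described above, as an added example that is not part of the SAM project's code: it reports whether a template mixes enabled and disabled DeploymentPreference settings and lists `Ref` / `Fn::GetAtt` references to the extra role. It assumes the template is already loaded into a Python dict, that the role's logical ID is `CodeDeployServiceRole`, and that an omitted `Enabled` counts as enabled; `apiHandler` and the sample template are constructed.

```python
# Assumption: logical ID of the role SAM creates automatically; adjust if needed.
ROLE_LOGICAL_ID = "CodeDeployServiceRole"

def preference_states(template):
    """Map function logical ID -> True, False, or None (intrinsic, unknown)."""
    states = {}
    for name, res in template.get("Resources", {}).items():
        pref = res.get("Properties", {}).get("DeploymentPreference")
        if res.get("Type") != "AWS::Serverless::Function" or pref is None:
            continue
        enabled = pref.get("Enabled", True)  # assumed default when omitted
        if isinstance(enabled, str):
            enabled = enabled.lower() == "true"
        states[name] = enabled if isinstance(enabled, bool) else None
    return states

def is_affected(template):
    """True when at least one preference is enabled and one is disabled."""
    values = list(preference_states(template).values())
    return True in values and False in values

def role_references(node, path="$"):
    """Yield paths of Ref / Fn::GetAtt entries that point at the extra role."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            target = value[0] if isinstance(value, list) and value else value
            if key == "Ref" and value == ROLE_LOGICAL_ID:
                yield here
            elif (key == "Fn::GetAtt" and isinstance(target, str)
                  and target.split(".")[0] == ROLE_LOGICAL_ID):
                yield here
            else:
                yield from role_references(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from role_references(item, f"{path}[{i}]")

# Constructed sample template (apiHandler and the output are hypothetical).
SAMPLE_TEMPLATE = {
    "Resources": {
        "preTrafficHook": {"Type": "AWS::Serverless::Function", "Properties": {
            "DeploymentPreference": {"Enabled": False, "Type": "Linear10PercentEvery1Minute"}}},
        "apiHandler": {"Type": "AWS::Serverless::Function", "Properties": {
            "DeploymentPreference": {"Enabled": True, "Type": "Linear10PercentEvery1Minute"}}},
    },
    "Outputs": {"RoleArn": {"Value": {"Fn::GetAtt": [ROLE_LOGICAL_ID, "Arn"]}}},
}
```

References written inside `Fn::Sub` strings or held by other stacks and services are not covered by this scan and need a separate search.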