serverless - How to add multiple files to iamRoleStatements?

Submitted by 房东的猫 on 2021-01-28 06:02:17

Question


In my serverless.yml file, I want to be able to add iamRoleStatements from two different files (this cannot change). So I tried doing it like this:

provider:
  iamRoleStatements: 
    - ${file(__environments.yml):dev.iamRoleStatements, ''}
    - ${file(custom.yml):provider.iamRoleStatements, ''}

Each of these files has an iamRoleStatements section.

__environments.yml:

dev:
  iamRoleStatements:
    - Effect: 'Allow'
      Action: 'execute-api:Invoke'
      Resource: '*'

custom.yml:

provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - lambda:InvokeFunction
      Resource:
        - "*"

Individually, each of them works great. But when I try to run sls deploy with both of them, I encounter the following error:

iamRoleStatements should be an array of objects, where each object has Effect, Action / NotAction, Resource / NotResource fields. Specifically, statement 0 is missing the following properties: Effect, Action / NotAction, Resource / NotResource; statement 1 is missing the following properties: Effect, Action / NotAction, Resource / NotResource

I searched online and this appears to work for other sections of the serverless file such as resources:

# This works perfectly well.
resources: 
  - ${file(custom.yml):resources, ''}
  - ${file(__environments.yml):resources, ''}

So I wonder if there is any solution to this or if it is something that is not currently supported by the Serverless Framework.

Thanks for your help.


Answer 1:


You're going to have to jump through a few hoops to get there.

File Merge Limitations

The serverless framework allows file imports anywhere in the configuration but only merges resources and functions sections.

Your example:

provider:
  iamRoleStatements: 
    - ${file(__environments.yml):dev.iamRoleStatements, ''}
    - ${file(custom.yml):provider.iamRoleStatements, ''}

Results in an array of arrays like this:

{
  "provider": {
    "iamRoleStatements": [
      [
        {
          "Effect": "Allow",
          "Action": "execute-api:Invoke",
          "Resource": "*"
        }
      ],
      [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    ]
  }
}

You might be able to submit a very small pull request to rectify this.

IAM Managed Policies using References

It might be possible to define each of your IAM roles as custom resources, and use the iamManagedPolicies provider config to point to each of those resources. Something like:

provider:
    name: aws
    iamManagedPolicies:
        - Ref: DevIamRole
        - Ref: CustomIamRole

resources:
    - ${file(__environments.yml):resources, ''}
    - ${file(custom.yml):resources, ''}

Of course you'd need to change the structure of those two files to be AWS::IAM::Role resources.

Custom IAM Role

The framework also gives you the option to take complete control, which is fully documented.

I hope this helps.
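
The nesting described in the answer above, as an added example that is not part of the original post or the Serverless Framework's own code: it reproduces why both statements fail validation and flattens the per-file lists into one, then lists the Allow statements that apply to every resource so they can be reviewed. The helper names are hypothetical, the input is constructed from the two files in the question, and wiring the result back into serverless.yml is not shown.

```javascript
// Constructed input: what the two ${file(...)} references in the question
// resolve to, i.e. one array per file nested inside the outer array.
const resolved = [
  [{ Effect: 'Allow', Action: 'execute-api:Invoke', Resource: '*' }],
  [{ Effect: 'Allow', Action: ['lambda:InvokeFunction'], Resource: ['*'] }],
];

// The check the error message describes: each statement must be an object
// with Effect, Action or NotAction, and Resource or NotResource.
function missingFields(stmt) {
  const isObject = stmt !== null && typeof stmt === 'object' && !Array.isArray(stmt);
  const has = (key) => isObject && key in stmt;
  const missing = [];
  if (!has('Effect')) missing.push('Effect');
  if (!has('Action') && !has('NotAction')) missing.push('Action / NotAction');
  if (!has('Resource') && !has('NotResource')) missing.push('Resource / NotResource');
  return missing;
}

// Hypothetical helper: flatten one level, drop the '' fallback values that
// appear when a file has no iamRoleStatements key, then validate the result.
function mergeStatements(parts) {
  const flat = parts.flat().filter((s) => s !== '' && s != null);
  flat.forEach((stmt, i) => {
    const missing = missingFields(stmt);
    if (missing.length > 0) {
      throw new Error(`statement ${i} is missing: ${missing.join(', ')}`);
    }
  });
  return flat;
}

// Review aid: Allow statements whose Resource is (or contains) '*'.
// Merging several files makes these easy to overlook.
function wildcardAllows(statements) {
  return statements.filter(
    (s) => s.Effect === 'Allow' && [].concat(s.Resource || []).includes('*')
  );
}
```

Calling missingFields on either element of the nested input reports all three fields as missing, which matches the error in the question; mergeStatements on the same input returns the two statements as a flat list.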



Source: https://stackoverflow.com/questions/60640954/serverless-how-to-add-multiple-files-to-iamrolestatements
