Another attempt at fixing 'access denied' when pushing to SQS from Lambda // #49

Author: lourot

aws/apex-up/README.md

@@ -5,6 +5,13 @@ This sets up AWS IAM for being able to deploy our web app on Up.
 >   for more details.
 > * [apex-up-policy.json](apex-up-policy.json) comes from
 >   [here](https://up.docs.apex.sh/#aws_credentials.iam_policy_for_up_cli).
+> * [apex-up-lambda-policy.json](apex-up-lambda-policy.json) is an extended version of the inline
+>   policy assigned originally to the default IAM role `ghuser-function` created by Up and
+>   assumed/impersonated by our Lambda function. We have added for example permissions to push to
+>   SQS.
+> * [apex-up-lambda-trust-relationship.json](apex-up-lambda-trust-relationship.json) is the
+>   [trust relationship policy document](https://stackoverflow.com/a/34188307/1855917) assigned
+>   originally to `ghuser-function`.
 
 ```bash
 $ export AWS_ACCOUNT_ID=123456789012

aws/apex-up/apex-up-lambda-policy.json

@@ -0,0 +1,20 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents",
+                "ssm:GetParametersByPath",
+                "ec2:CreateNetworkInterface",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DeleteNetworkInterface",
+
+                "sqs:*"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}

aws/apex-up/apex-up-lambda-trust-relationship.json

@@ -0,0 +1,19 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}

aws/apex-up/setup_iam_for_apex_up.sh

@@ -4,3 +4,10 @@ set -xe
 source ../impl/iam.sh
 
 createPolicyAndGroupForUser apex-up up.docs.apex.sh apex-up-policy.json apex-up
+
+aws iam create-policy --policy-name apex-up-lambda \
+    --policy-document "file://./apex-up-lambda-policy.json"
+aws iam create-role --role-name apex-up-lambda \
+    --assume-role-policy-document "file://./apex-up-lambda-trust-relationship.json"
+aws iam attach-role-policy --role-name apex-up-lambda \
+    --policy-arn "arn:aws:iam::$AWS_ACCOUNT_ID:policy/apex-up-lambda"

reframe/.gitignore

@@ -1 +1,2 @@
 /dist/
+/up.json

reframe/genUpJson.sh

@@ -0,0 +1 @@
+envsubst < up.json.template > up.json

reframe/package.json

@@ -15,7 +15,7 @@
     "local": "reframe start",
     "cleanmod": "rm -rf node_modules/ && npm install",
     "warmup": "curl -s --output /dev/null https://ghuser.io && curl -s --output /dev/null https://www.ghuser.io",
-    "deploy": "reframe build && rm -rf dist/previous/ && ./populateUpJson.sh && ./up && ./up production && ./up stack status && npm run warmup",
+    "deploy": "reframe build && rm -rf dist/previous/ && ./genUpJson.sh && ./up && ./up production && ./up stack status && npm run warmup",
     "_comment": "staging and production logs:",
     "logs": "./up logs --since=20m"
   },

reframe/populateUpJson.sh

@@ -6,6 +6,7 @@
     "us-east-1"
   ],
   "lambda": {
+    "role": "arn:aws:iam::$AWS_ACCOUNT_ID:role/apex-up-lambda",
     "memory": 256
   },
   "stages": {
@@ -22,10 +23,6 @@
     "COOKIE_ENCRYPTION_PASSWORD": "$COOKIE_ENCRYPTION_PASSWORD",
     "GITHUB_CLIENT_ID": "$GITHUB_CLIENT_ID",
     "GITHUB_CLIENT_SECRET": "$GITHUB_CLIENT_SECRET",
-    "SENTRY_DNS": "$SENTRY_DNS",
-
-    "comment__": "Underscore at the end is a temporary fix for the build. Without it Up fails with https://github.com/apex/apex/issues/829",
-    "AWS_ACCESS_KEY_ID_": "$AWS_ACCESS_KEY_ID",
-    "AWS_SECRET_ACCESS_KEY_": "$AWS_SECRET_ACCESS_KEY"
+    "SENTRY_DNS": "$SENTRY_DNS"
   }
 }