updated READMEs for adding policies to LambdaExecutionRole

samdengler · samdengler · commit 048588f43246 · 2019-02-03T08:26:19.000Z
diff --git a/DevOps/1_ServerlessApplicationModel/README.md b/DevOps/1_ServerlessApplicationModel/README.md
@@ -36,9 +36,7 @@ Below is a code snippet from the SAM template to list Unicorns:
           Properties:
             Path: /unicorns
             Method: get
-      Role:
-        Fn::ImportValue:
-          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
+      Role: !GetAtt LambdaExecutionRole.Arn
 ```
 
 There are several [properties](https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#properties) defined for the [AWS::Serverless::Function](https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction) resource, which we'll review in turn.
diff --git a/DevOps/1_ServerlessApplicationModel/uni-api/template.yml b/DevOps/1_ServerlessApplicationModel/uni-api/template.yml
@@ -3,58 +3,6 @@ Transform:
 - 'AWS::Serverless-2016-10-31'
 - 'AWS::CodeStar'
 
-Description:
-  Creates a RESTful API using API Gateway, Lambda and DynamoDB for the Wild Rydes serverless devops workshop
-
-Parameters:
-  ProjectId:
-    Type: String
-    Description: AWS CodeStar projectID used to associate new resources to team members
-  CodeDeployRole:
-    Type: String
-    Description: IAM role to allow AWS CodeDeploy to manage deployment of AWS Lambda functions
-  Stage:
-    Type: String
-    Description: The name for a project pipeline stage, such as Staging or Prod, for which resources are provisioned and deployed.
-    Default: ''
-
-Resources:
-  ListFunction:
-    Type: 'AWS::Serverless::Function'
-    Properties:
-      FunctionName: 'uni-api-list'
-      Runtime: nodejs6.10
-      CodeUri: app
-      Handler: list.lambda_handler
-      Description: List Unicorns
-      Timeout: 10
-      Events:
-        GET:
-          Type: Api
-          Properties:
-            Path: /unicorns
-            Method: get
-      Role: !GetAtt LambdaExecutionRole.Arn
-
-  LambdaExecutionRole:
-    Description: Creating service role in IAM for AWS Lambda
-    Type: AWS::IAM::Role
-    Properties:
-      RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
-      AssumeRolePolicyDocument:
-        Statement:
-        - Effect: Allow
-          Principal:
-            Service: [lambda.amazonaws.com]
-          Action: sts:AssumeRole
-      Path: /
-      ManagedPolicyArns:
-        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'AWSTemplateFormatVersion: '2010-09-09'
-Transform:
-- 'AWS::Serverless-2016-10-31'
-- 'AWS::CodeStar'
-
 Description:
   Creates a RESTful API using API Gateway, Lambda and DynamoDB for the Wild Rydes serverless devops workshop
 
@@ -102,4 +50,4 @@ Resources:
       Path: /
       ManagedPolicyArns:
         -  arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
+      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
diff --git a/DevOps/2_ContinuousDeliveryPipeline/README.md b/DevOps/2_ContinuousDeliveryPipeline/README.md
@@ -139,18 +139,59 @@ Using a text editor, open the `template.yml` file and append a new **AWS::Server
          Environment:
            Variables:
              TABLE_NAME: !Ref Table
-         Role:
-           Fn::ImportValue:
-             !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
+         Role: !GetAtt LambdaExecutionRole.Arn
    ```
    </details>
    
 </details>
 <p>
 
+Now that the API is using a DynamoDB table, we need to add permission for the Lambda Function to access it.
+
+### 2. Update LambdaExecutionRole with DynamoDB access
+
+**Goal**: Update the `AWS::IAM::Role` resource named **LambdaExecutionRole** in the `template.yml` SAM template to include the `arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess` policy in the `ManagedPolicyArns` section.
+
+<details>
+<summary><strong>
+HOW TO update the LambdaExecutionRole IAM Role in the template.yml with AmazonDynamoDBFullAccess (expand for details)
+</strong></summary>
+<p>
+
+1. Using a text editor, open the `template.yml` file and find the **AWS::IAM:Role** Resource labeled `LambdaExecutionRole`.
+ 
+2. Add `arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess` to the list of ManagedPolicyArns.
+
+   If you are unsure of the syntax to add to ``template.yml`` please refer to the code snippet below.
+
+   <details>
+   <summary><strong>template.yml changes for DynamoDB access (expand for details)</strong></summary><p>
+
+   ```yaml
+     LambdaExecutionRole:
+       Description: Creating service role in IAM for AWS Lambda
+       Type: AWS::IAM::Role
+       Properties:
+         RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
+         AssumeRolePolicyDocument:
+           Statement:
+           - Effect: Allow
+             Principal:
+               Service: [lambda.amazonaws.com]
+             Action: sts:AssumeRole
+         Path: /
+         ManagedPolicyArns:
+           - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+           - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
+         PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
+   ```
+   </details>
+</details>
+<p>
+
 Now that you've updated the the SAM template with the changes, use Git to commit the changes and push them to remote repository.  This will trigger CodePipeline to build and deploy your changes in AWS.
 
-### 2. Commit the change to local Git repository
+### 3. Commit the change to local Git repository
 
 1. Using your Git client, add the local changes to the Git index, and commit with a message.  For example:
 
@@ -165,7 +206,7 @@ Now that you've updated the the SAM template with the changes, use Git to commit
     git push origin
     ```
 
-### 3. Confirm CodePipeline Completion
+### 4. Confirm CodePipeline Completion
 
 **Goal**: After pushing your changes to your CodeCommit Git repository, use the AWS CodeStar Console to monitor and confirm that the changes are successfully built and deployed using CodePipeline.
 
diff --git a/DevOps/3_XRay/uni-api/template.yml b/DevOps/3_XRay/uni-api/template.yml
@@ -124,5 +124,5 @@ Resources:
       Path: /
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
-        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
+        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
       PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
diff --git a/DevOps/4_MultipleEnvironments/uni-api/template.yml b/DevOps/4_MultipleEnvironments/uni-api/template.yml
@@ -124,4 +124,6 @@ Resources:
       Path: /
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
+        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
       PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
