I have a use case where my serverless application requires setting up of DNS and SSL certificates which I’m setting up automagically with https://github.com/ImmobilienScout24/aws-cf-verified-ssl-certificate.
I’ve done this successfully with vanilla CloudFormation, but when I try to set this up in Serverless, with the one-time-run Lambdas defined in the Resources section of the template, I get error “Value of property Role must be of type String.”
I’ve found that this error is often caused when a referenced resource is not ready, so I’ve used DependsOn to mitigate it. DependsOn doesn’t appear to be supported in AWS::Lambda::Function.
Is there a way to define these lambdas and roles so that the roles are ready before the Lambda attempts to use the ARN? I would prefer not to muddy my Functions section in serverless.yml with functions that are not part of my service.
SesDomainCustomResourceFunction:
Type: AWS::Lambda::Function
DependsOn: SesDomainCustomResourceRole
Properties:
Code:
S3Bucket:
Ref: ServerlessDeploymentBucket
S3Key: ${self:custom.sslLambdaFunctions}
Runtime: python2.7
Handler: ses_domain_identity.lambda_handler
Role:
GetAtt: [ SesDomainCustomResourceRole, Arn ]
Timeout: 30
SesDomainCustomResourceRole:
Type: AWS::IAM::Role
Properties:
RoleName: SesDomainCustomResourceRole
Policies:
-
PolicyName: SES
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Action:
- ses:VerifyDomainIdentity
- ses:DeleteIdentity
Resource:
- "*"
Effect: Allow
-
PolicyName: cloudwatchLogsWriteAccess
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Action:
- logs:Describe*
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
Effect: Allow
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Action: sts:AssumeRole
Principal:
Service: lambda.amazonaws.com
Effect: Allow
Thanks!