Serverless 1.27.x breaks the plugin: Any policy not added to alias of lambda function for all events

[c--m]

serverless : 1.27.2
serverless-aws-alias : 1.7.0

After a fresh sls deploy, or subsequent sls deploy --alias alias, the aliases of my lambda functions don't have any Api Gateway trigger attached, nor any function policy. Those are attached only on my bare function without any identifier ($LATEST, or alias, or version number)

As a result, none of my Api Gateway resources are working, since they are referred to with the alias (MyProject-dev-myFunction:${stageVariables.SERVERLESS_ALIAS})

All the rest seems to be set up properly

[HyperBrain]

Hi @c--m , can you check if the reason is the new 1.27.2 version of Serverless or the new 1.7.0 version (opposed to 1.6.1) of the alias plugin?

[c--m]

I just checked.

serverless : 1.27.*
serverless-aws-alias : 1.7.0 or 1.6.1
The situation is the same

serverless : 1.26.1
serverless-aws-alias : 1.7.0
It looks like it's working fine. (Triggers and function policy attached to aliases, and no trigger and function policy attached to the bare function, $LATEST, or version number)

So it looks like serverless 1.27 broke something

[HyperBrain]

Thanks for testing - that's bad. I think someone changed the construction of the API Gateway resources in 1.27.x, so that the resources are not patched correctly anymore. @horike37 Do you have any idea what changed in Serverless in that area? This might also affect other plugins,

[HyperBrain]

We also experience broken deployments with 1.27.x when using CW event triggers. It seems there was a breaking change in the resource layouts in 1.27

[HyperBrain]

I think I found the issue:

              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":apigateway:",
                {
                  "Ref": "AWS::Region"
                },
                ":lambda:path/2015-03-31/functions/",
                {
                  "Fn::GetAtt": [
                    "Testfct1LambdaFunction",
                    "Arn"
                  ]
                },
                "/invocations"
              ]

SLS now uses AWS::Partition as additional reference in the built ARN. That might screw up the injection of the alias. I'll do some further debugging and might be able to provide a hotfix asap.

[HyperBrain]

Did some further analysis, and it seems that EVERYTHING is bound to $LATEST with Serverless 1.27.x, instead of the alias.
It seems none of the resources got moved into the alias stack. Investigating further....

[HyperBrain]

I think I found the reason. For all permissions, Serverless now creates the Principal property with dynamic CF references. The plugin has to apply a different detection mechanism now to support this new breaking format.

[HyperBrain]

Verified that this is the problem. Fix is on the way and will be released with 1.7.1 today.

[HyperBrain]

I did a test with one of our projects and it seems that everything used is attached to the aliases again (APIG, CW events, SNS and Kinesis). I'd assume that all other permissions work properly again too 😄 .

Hotfix release is on the way.

[HyperBrain]

Hotfix released with 1.7.1

[c--m]

Thanks for the fast work on the fix.
A quick test on my system confirms that it works in my environment. 👍

serverless 1.27.2
serverless-aws-alias 1.7.1