
Wrong permissions when using provisionedConcurrency #94

@humodz

Repository that reproduces the problem: https://github.com/humodz-forks/serverless-canary-concurrency-issue

What are the steps to reproduce this issue?

  1. In serverless.yml, add provisionedConcurrency: 1 to the function's configuration
  2. Deploy
  3. Attempt to call the function via API Gateway

What happens?

It returns an internal server error

In the linked repository, this endpoint doesn't use provisionedConcurrency and is able to invoke the function:

curl https://API-ID.execute-api.us-east-1.amazonaws.com/dev/works

This one doesn't use provisionedConcurrency and always returns Internal Server Error:

curl https://API-ID.execute-api.us-east-1.amazonaws.com/dev/broken

What were you expecting to happen?

It should be able to invoke the function, even with provisionedConcurrency

Any logs, error output, etc?

When provisionedConcurrency is set, Serverless creates a "provisioned" alias and an AWS::Lambda::Permission resource that looks like this:

"Type": "AWS::Lambda::Permission",
"Properties": {
  "FunctionName": {
    "Fn::Join": [
      ":",
      [
        {
          "Fn::GetAtt": [
            "BrokenLambdaFunction",
            "Arn"
          ]
        },
        "provisioned"
      ]
    ]
  },

Since this plugin creates another alias and makes API Gateway use it instead of the above one, API Gateway won't have permission to invoke the function.

Any other comments?

The linked repository has a plugin (commented out in serverless.yml) that attempts to fix the issue, by modifying the Permission resource.

What versions of software are you using?

Node v10.18.1
[email protected]
[email protected]
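
A check for the mismatch described in this issue, as an added example that is not part of the original post or the plugin's code: it walks a compiled CloudFormation template and reports API Gateway methods that invoke a function alias which no `AWS::Lambda::Permission` names. The alias name `Live`, every logical ID other than `BrokenLambdaFunction`, and the shape of the integration URI are constructed assumptions.

```javascript
// Added example (not the plugin's code): resolve each Lambda reference in a compiled
// CloudFormation template to "FunctionLogicalId[:alias]" and compare the two sides.
function target(node, res) {
  if (!node || typeof node !== 'object') return null;
  const ref = res[node.Ref];
  if (ref && ref.Type === 'AWS::Lambda::Alias') {
    // Ref on an alias resource yields the alias ARN; assumes FunctionName is a Ref.
    return `${ref.Properties.FunctionName.Ref}:${ref.Properties.Name}`;
  }
  if (Array.isArray(node['Fn::GetAtt'])) {
    const [id, attr] = node['Fn::GetAtt'];
    return attr === 'Arn' && res[id] && res[id].Type === 'AWS::Lambda::Function' ? id : null;
  }
  if (node['Fn::Join']) {
    const [sep, parts] = node['Fn::Join'];
    const base = target(parts[0], res);
    // The shape quoted in the issue: Join(":", [GetAtt(fn, "Arn"), "provisioned"]).
    if (sep === ':' && base && typeof parts[1] === 'string') return `${base}:${parts[1]}`;
    for (const part of parts) { const t = target(part, res); if (t) return t; }
  }
  return null;
}

function findUnpermittedIntegrations(template) {
  const res = template.Resources;
  // Principal and SourceArn are not evaluated; only the function/alias qualifier is compared.
  const permitted = new Set(Object.values(res)
    .filter((r) => r.Type === 'AWS::Lambda::Permission')
    .map((r) => target(r.Properties.FunctionName, res)));
  return Object.entries(res)
    .filter(([, r]) => r.Type === 'AWS::ApiGateway::Method')
    .map(([method, r]) => ({ method, invoked: target(r.Properties.Integration.Uri, res) }))
    .filter((f) => f.invoked && !permitted.has(f.invoked));
}

// Constructed template: alias name "Live" and all IDs except BrokenLambdaFunction are placeholders.
const fn = (id) => ({ 'Fn::GetAtt': [id, 'Arn'] });
const uri = (t) => ({ 'Fn::Join': ['', ['arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/', t, '/invocations']] });
const alias = (id) => ({ Type: 'AWS::Lambda::Alias', Properties: { FunctionName: { Ref: id }, Name: 'Live' } });
const perm = (t) => ({ Type: 'AWS::Lambda::Permission', Properties: { FunctionName: t, Action: 'lambda:InvokeFunction' } });
const method = (t) => ({ Type: 'AWS::ApiGateway::Method', Properties: { Integration: { Uri: uri(t) } } });
const sampleTemplate = { Resources: {
  WorksLambdaFunction: { Type: 'AWS::Lambda::Function' }, BrokenLambdaFunction: { Type: 'AWS::Lambda::Function' },
  WorksAlias: alias('WorksLambdaFunction'), BrokenAlias: alias('BrokenLambdaFunction'),
  WorksPermission: perm({ Ref: 'WorksAlias' }),
  BrokenPermission: perm({ 'Fn::Join': [':', [fn('BrokenLambdaFunction'), 'provisioned']] }),
  WorksMethod: method({ Ref: 'WorksAlias' }), BrokenMethod: method({ Ref: 'BrokenAlias' }),
} };
console.log(findUnpermittedIntegrations(sampleTemplate));
```

Run against a real deployment's compiled template, a finding means the permission's qualifier and the integration's qualifier have drifted apart, which is the condition this issue reports.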
