Use new serverless.yml#/provider/iam grouping (#357)

72636c · Dmitry Shirokov · Toby Heighway · web-flow · commit 7b9c728ef1f0 · 2021-02-17T03:00:10.000Z
Co-authored-by: Dmitry Shirokov &lt;dshirokov@seek.com.au&gt;
Co-authored-by: Toby Heighway &lt;theighway@seek.com.au&gt;
diff --git a/.changeset/brave-taxis-prove.md b/.changeset/brave-taxis-prove.md
@@ -0,0 +1,7 @@
+---
+'skuba': patch
+---
+
+**template/lambda-sqs-worker:** Use new `serverless.yml#/provider/iam` grouping
+
+The `provider.iamRoleStatements` property [will be removed in Serverless v3](https://github.com/serverless/serverless/blob/v2.25.1/docs/deprecations.md#grouping-iam-settings-under-provideriam).
diff --git a/template/lambda-sqs-worker/package.json b/template/lambda-sqs-worker/package.json
@@ -13,7 +13,7 @@
     "@types/node": "^14.14.22",
     "chance": "^1.1.7",
     "pino-pretty": "^4.3.0",
-    "serverless": "^2.20.1",
+    "serverless": "^2.25.1",
     "serverless-plugin-canary-deployments": "^0.5.0",
     "serverless-prune-plugin": "^1.4.3",
     "skuba": "*"
diff --git a/template/lambda-sqs-worker/serverless.yml b/template/lambda-sqs-worker/serverless.yml
@@ -31,21 +31,23 @@ provider:
     # Use a shared account-level bucket for Lambda bundles and other artefacts.
     # This is easier to manage in terms of access, deployment, and tagging.
     name: ${self:custom.env.deploymentBucket}
-  iamRoleStatements:
-    - Action:
-        - kms:Decrypt
-        - kms:GenerateDataKey*
-      Effect: Allow
-      Resource: !GetAtt EncryptionKey.Arn
-    - Action: lambda:InvokeFunction
-      Effect: Allow
-      Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${self:functions.Worker.name}
-    - Action: sns:Publish
-      Effect: Allow
-      Resource: !Ref DestinationTopic
-    - Action: sqs:SendMessage*
-      Effect: Allow
-      Resource: !GetAtt DeadLetterQueue.Arn
+  iam:
+    role:
+      statements:
+        - Action:
+            - kms:Decrypt
+            - kms:GenerateDataKey*
+          Effect: Allow
+          Resource: !GetAtt EncryptionKey.Arn
+        - Action: lambda:InvokeFunction
+          Effect: Allow
+          Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${self:functions.Worker.name}
+        - Action: sns:Publish
+          Effect: Allow
+          Resource: !Ref DestinationTopic
+        - Action: sqs:SendMessage*
+          Effect: Allow
+          Resource: !GetAtt DeadLetterQueue.Arn
   stackTags:
     # TODO: add data classification tags
     # https://rfc.skinfra.xyz/RFC019-AWS-Tagging-Standard.html#seekdataconsumers
