Replace deprecated AWS managed policy for codedeploy

After March 1, 2021, the AWS managed policies AWSLambdaReadOnlyAccess and AWSLambdaFullAccess will be deprecated and can no longer be attached to new IAM users.

AWS Lambda has introduced a new AWS managed policy.

The AWSLambda_FullAccess policy grants full access to Lambda, Lambda console features, and other related AWS services. This policy was created by scoping down the previous policy AWSLambdaFullAccess.

fixes #115

fixtures/1.output.json

@@ -515,7 +515,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/10.output.v2-websocket.json

@@ -829,7 +829,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/11.output.v2-websocket-authorizer.json

@@ -926,7 +926,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/12.output-with-permissions-boundary.json

@@ -504,7 +504,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/13.output.multiple-function-hooks.json

@@ -290,7 +290,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/2.output.without-hooks.json

@@ -371,7 +371,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/5.output.with-trigger.json

@@ -515,7 +515,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
           "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
         ],
         "AssumeRolePolicyDocument": {

fixtures/6.output.cloudwatch-events-trigger.json

@@ -314,7 +314,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/7.output.cloudwatch-logs-trigger.json

@@ -307,7 +307,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/8.output.sns-subscriptions-trigger.json

@@ -244,7 +244,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess"
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
         ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",

fixtures/9.output.iot-topic-rule.json

@@ -718,7 +718,7 @@
       "Properties": {
         "ManagedPolicyArns": [
           "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited",
-          "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
+          "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
           "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
         ],
         "AssumeRolePolicyDocument": {

lib/CfTemplateGenerators/Iam.js

@@ -3,7 +3,7 @@ const _ = require('lodash/fp')
 function buildCodeDeployRole (codeDeployRolePermissionsBoundaryArn, areTriggerConfigurationsSet) {
   const attachedPolicies = [
     'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
-    'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+    'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
   ]
   if (areTriggerConfigurationsSet) {
     attachedPolicies.push('arn:aws:iam::aws:policy/AmazonSNSFullAccess')

lib/CfTemplateGenerators/Iam.test.js

@@ -10,7 +10,7 @@ describe('Iam', () => {
           Properties: {
             ManagedPolicyArns: [
               'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
-              'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+              'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
             ],
             AssumeRolePolicyDocument: {
               Version: '2012-10-17',
@@ -35,7 +35,7 @@ describe('Iam', () => {
           Properties: {
             ManagedPolicyArns: [
               'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
-              'arn:aws:iam::aws:policy/AWSLambdaFullAccess',
+              'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
               'arn:aws:iam::aws:policy/AmazonSNSFullAccess'
             ],
             AssumeRolePolicyDocument: {
@@ -62,7 +62,7 @@ describe('Iam', () => {
         Properties: {
           ManagedPolicyArns: [
             'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
-            'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+            'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
           ],
           AssumeRolePolicyDocument: {
             Version: '2012-10-17',
@@ -201,7 +201,7 @@ describe('Iam', () => {
           Properties: {
             ManagedPolicyArns: [
               'arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
-              'arn:aws:iam::aws:policy/AWSLambdaFullAccess'
+              'arn:aws:iam::aws:policy/AWSLambda_FullAccess'
             ],
             AssumeRolePolicyDocument: {
               Version: '2012-10-17',

package.json

@@ -61,4 +61,4 @@
       "afterEach"
     ]
   }
-}
+}