zappa.get_domain_name fails silently when deployment IAM policy has insufficient permissions
aehlke opened this issue · 0 comments
Context
The use-case is using zappa certify
to create and then update a domain name in Route53.
Expected Behavior
When the IAM role/policy used for zappa deployment lacks sufficient permissions to update a domain name, I'd expect an error to be raised.
Actual Behavior
get_domain_name
returns None
when the calls to the Route53 client fail for permissions reasons, which gets interpreted as no domain existing, leading to the subsequent call to create a domain name record failing. This is surprising since the domain record already exists, yet Zappa tries to create a domain name again.
Possible Fix
Constrain the try/except to be more specific, to exclude permissions errors:
Line 1548 in 30d186f
We can probably preemptively fix other bugs lurking in Zappa by avoiding most/all usage of try: ...; except Exception: ...
"pokemon exceptions" ("gotta catch 'em all").
Steps to Reproduce
- Create a domain name via
zappa certify
- Ensure the IAM used for zappa deployment lacks the
route53:ListResourceRecordSets
permission - Call
zappa certify
again and watch it fail when it tries to re-create the existing domain name.
Your Environment
- Zappa version used:
- Operating System and Python version:
- Link to your project (optional):
- Your
zappa_settings.py
: