Miserlou/Zappa

zappa.get_domain_name fails silently when deployment IAM policy has insufficient permissions

aehlke opened this issue · 0 comments

aehlke commented

Context

The use-case is using zappa certify to create and then update a domain name in Route53.

Expected Behavior

When the IAM role/policy used for zappa deployment lacks sufficient permissions to update a domain name, I'd expect an error to be raised.

Actual Behavior

get_domain_name returns None when the calls to the Route53 client fail for permissions reasons, which gets interpreted as no domain existing, leading to the subsequent call to create a domain name record failing. This is surprising since the domain record already exists, yet Zappa tries to create a domain name again.

Possible Fix

Constrain the try/except to be more specific, to exclude permissions errors:

Zappa/zappa/zappa.py

Line 1548 in 30d186f

except Exception as e:

We can probably preemptively fix other bugs lurking in Zappa by avoiding most/all usage of try: ...; except Exception: ... "pokemon exceptions" ("gotta catch 'em all").

Steps to Reproduce

  1. Create a domain name via zappa certify
  2. Ensure the IAM used for zappa deployment lacks the route53:ListResourceRecordSets permission
  3. Call zappa certify again and watch it fail when it tries to re-create the existing domain name.

Your Environment

  • Zappa version used:
  • Operating System and Python version:
  • Link to your project (optional):
  • Your zappa_settings.py: