
"serverless deploy" continues to run while async policies are processing #26

Open
sc0ttdav3y opened this issue May 6, 2021 · 1 comment
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed

Comments

@sc0ttdav3y

Hi,

I've written an asynchronous policy that returns a promise and it works, but I'm wondering whether I've implemented it correctly because serverless deploy seems to continue running while the plugin is evaluating its condition.

Is there something I've missed in documentation about writing async policies, or does the safeguards plugin itself not await them?

The good news is the policy works. But the bad news is serverless continues to run while it's evaluating.

Here's an example output.

   Summary --------------------------------------------------

   passed  - No secrets in lambda ENV VARs
   passed  - no secret ENV vars
  running - No deploy to blocked accountsServerless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service hello-fullstack.zip file to S3 (23.68 MB)...
   passed  - No deploy to blocked accounts

Serverless: Safeguards Summary: 3 passed, 0 warnings, 0 errors, 0 skipped

You can see the two lines from my plugin:

running - No deploy to blocked accounts
passed  - No deploy to blocked accounts

But before it passes, you can also see serverless begin to upload my stack.

My plugin looks like this:

const AWS = require('aws-sdk');

/**
 * Denies deploying this project to the blocked AWS accounts.
 *
 * @param policy   safeguards policy handle (approve() / fail())
 * @param service  the serverless service being deployed
 * @param options  the policy's `config` block from serverless.yml
 */
module.exports = async function noDeployToBlockedAccountPolicy(policy, service, options) {
    // @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#getCallerIdentity-property
    const sts = new AWS.STS();

    if (!Array.isArray(options.accountIds)) {
        policy.fail(`The policy no-deploy-to-blocked-accounts is missing a 'config.accountIds' array.`);
        return; // without this, the .includes() call below throws on a missing array
    }

    // Compare as strings: parseInt() would strip leading zeros from a 12-digit account ID.
    const blockedAccountIds = options.accountIds.map(String);

    try {
        const data = await sts.getCallerIdentity({}).promise();
        if (blockedAccountIds.includes(data.Account)) {
            policy.fail(
                `Your current AWS account ${data.Account} is blocked from deployment. ` +
                `Switch to another account and try again.`);
            return;
        }
        policy.approve();
    } catch (err) {
        console.error(err, err.stack);
        policy.fail(`An error occurred while checking the caller identity`);
    }
};

And it's configured as follows:

custom:
  safeguards:
    - title: No deploy to blocked accounts
      safeguard: no-deploy-to-blocked-accounts
      path: ./policies
      config:
        accountIds:
          - XXXXX
          - YYYYY

Is there a way to make the safeguards plugin await my policy?

Thanks in advance... Scott

@pgrzesik
Contributor

Hello @sc0ttdav3y 👋 I believe the issue might lie here:

beforeDeployResources() {
where the promise is orphaned and never awaited.

We'd be happy to accept a fix for this from the community (and verifying if that's the actual problem). 🙌

@pgrzesik pgrzesik added bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed labels May 10, 2021
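The behaviour reported above, as an added example that is not the safeguards plugin's code: a minimal stand-in for the hook that runs policies, with the promise either returned or dropped, so the event log shows whether the upload starts before the policy verdict. All names (fakeGetCallerIdentity, makeBlockedAccountPolicy, simulateDeploy) are hypothetical.

```javascript
// Stand-in for sts.getCallerIdentity().promise(): resolves on a later tick,
// like a real network call.
function fakeGetCallerIdentity(account) {
  return new Promise((resolve) => setTimeout(() => resolve({ Account: account }), 5));
}

// Async policy in the shape the issue describes: (policy, service, options).
// Account IDs are compared as strings so leading zeros are not lost.
function makeBlockedAccountPolicy(currentAccount) {
  return async function noDeployToBlockedAccountPolicy(policy, service, options) {
    const data = await fakeGetCallerIdentity(currentAccount);
    if (options.accountIds.map(String).includes(data.Account)) {
      policy.fail(`Account ${data.Account} is blocked from deployment.`);
      return;
    }
    policy.approve();
  };
}

// Simulated deploy. `awaitPolicies` selects the fixed hook (returns the promise)
// or the buggy one (drops it). Returns the ordered event log.
async function simulateDeploy(awaitPolicies, currentAccount) {
  const events = [];
  const policy = {
    fail: (msg) => events.push(`fail: ${msg}`),
    approve: () => events.push('passed'),
  };
  const options = { accountIds: ['111111111111'] }; // constructed config
  const run = makeBlockedAccountPolicy(currentAccount);

  function beforeDeployResources() {
    const pending = run(policy, {}, options);
    return awaitPolicies ? pending : undefined; // bug: promise orphaned when undefined
  }

  await beforeDeployResources();
  // The deploy only sees verdicts recorded so far; with the orphaned promise
  // there is none yet, so the upload starts anyway (the control fails open).
  if (!events.some((e) => e.startsWith('fail:'))) {
    events.push('upload: service artifacts to S3');
  }
  await new Promise((resolve) => setTimeout(resolve, 20)); // let a late verdict land
  return events;
}
```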