From ed724936bd9ad00f842cda278531b0d98c93ebee Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Thu, 27 Jun 2024 15:53:18 +0930
Subject: [PATCH 1/3] add iam:CreateServiceLinkedRole to allow API GW custom domain creation
---
 packages/serverless-deploy-iam/bin/app.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 3ed7edc..d6a2ab9 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -481,7 +481,17 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: "IAM",
 resources: [(serviceRole.type as Role).roleArn],
- actions: ["iam:PassRole"],
+ actions: [
+ "iam:PassRole",
+ ],
+ },
+ {
+ name: "IAM",
+ prefix: `arn:aws:iam::${accountId}:role`,
+ qualifiers: ["*"],
+ actions: [
+ "iam:CreateServiceLinkedRole"
+ ],
 },
 {
 name: "S3",
From bd274a5edb6a264e0e2dd8acc3993263f376f5b2 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Fri, 28 Jun 2024 08:10:41 +0930
Subject: [PATCH 2/3] run prettier formatter
---
 packages/serverless-deploy-iam/bin/app.ts | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index d6a2ab9..6513367 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -481,17 +481,13 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: "IAM",
 resources: [(serviceRole.type as Role).roleArn],
- actions: [
- "iam:PassRole",
- ],
+ actions: ["iam:PassRole"],
 },
 {
 name: "IAM",
 prefix: `arn:aws:iam::${accountId}:role`,
 qualifiers: ["*"],
- actions: [
- "iam:CreateServiceLinkedRole"
- ],
+ actions: ["iam:CreateServiceLinkedRole"],
 },
 {
 name: "S3",
From 42b37dba5242bb472ceaf3bb336ac6c3814661c8 Mon Sep 17 00:00:00 2001
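Review bot: The statement added after the `iam:PassRole` block reuses `name: "IAM"`; if the statement builder turns `name` into the policy Sid, two identical Sids in one document would be rejected by IAM, so confirm how `name` is consumed or give this entry a distinct name such as `"IAMServiceLinkedRole"`. The new entry also has no comment saying why a deploy role needs `iam:CreateServiceLinkedRole`; the commit subject gives the reason, so a line such as `// API Gateway custom domains require the AWSServiceRoleForAPIGateway service-linked role to exist` above it would keep that for the next reader. The enclosing statement list in `ServiceDeployIAM` starts and ends outside the hunk.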
From: Chris Park
Date: Fri, 28 Jun 2024 08:16:30 +0930
Subject: [PATCH 3/3] restrict CreateServiceLinkedRole to API Gateway
---
 packages/serverless-deploy-iam/bin/app.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 6513367..254062b 100755
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -486,7 +486,9 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: "IAM",
 prefix: `arn:aws:iam::${accountId}:role`,
- qualifiers: ["*"],
+ qualifiers: [
+ "aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway",
+ ],
 actions: ["iam:CreateServiceLinkedRole"],
 },
 {
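Review bot: The new `qualifiers` entry narrows the resource to the `AWSServiceRoleForAPIGateway` ARN but leaves out the condition AWS documents for `iam:CreateServiceLinkedRole`, namely `iam:AWSServiceName` equal to `ops.apigateway.amazonaws.com`, which ties the grant to the service rather than to a role-path string; if the statement builder accepts a condition block, add that condition alongside the resource restriction. The `prefix` also hard-codes the `aws` partition while the account comes from `${accountId}`, so the ARN will not match in other partitions; if neighbouring statements derive the partition from the stack, do the same here. The enclosing statement list begins and ends outside the hunk.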