From d06b27fd4bf351cc9ba5c603352f756c679c34fc Mon Sep 17 00:00:00 2001 
From: Madeline Kusters <80541297+madeline-k@users.noreply.github.com> Date: Thu, 24 Mar 2022 02:51:09 -0700 Subject: [PATCH] fix(lambda): support Lambda's new `Invoke` with `Qualifier` authorization strategy (#19318) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ‼️ Lambda is changing its authorization strategy, which means that some behavior that was previously valid now results in `access-denied` errors. Under the new behavior, customer lambda invocations will fail if the CDK generates a policy with an unqualified ARN as the resource, and the customer invokes lambda with the unqualified ARN and the `Qualifier` request parameter. Example of an affected setup: ``` Statement: { Effect: "Allow", Action: "lambda:InvokeFunction", Resource: "arn:aws:lambda:...:function:MyFunction", } API Call: lambda.Invoke({ FunctionName: "MyFunction", Qualifier: "1234", }) ``` This `Invoke` call *used* to succeed, but under the new authorization strategy it will fail. The required statement to make the call succeed would be (note the qualified ARN): ``` { Effect: "Allow", Action: "lambda:InvokeFunction", Resource: "arn:aws:lambda:...:function:MyFunction:1234", } ``` This PR aims to align the CDK with the new authorization strategy. The PR introduces changes to the `grantInvoke()` api on a lambda function. Now, when calling `grantInvoke()` on a lambda function, `[ARN, ARN:*]` is used in the identity policy, so that identities that are granted permission to invoke the Function may also invoke all of its Versions and Aliases. When calling `grantInvoke()` on a lambda function Version or Alias, the generated identity policy will remain the same, and only include the single qualified ARN (`ARN:qualifier`, i.e. the Version or Alias ARN) in the policy. 
This is part of #19273 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../test/integ.assign-public-ip.expected.json | 28 +++- .../aws-apigateway/lib/authorizers/lambda.ts | 2 +- ...eg.token-authorizer-iam-role.expected.json | 28 +++- .../test/authorizers/lambda.test.ts | 4 +- .../test/integ.appsync-lambda.expected.json | 28 +++- .../lib/experimental/edge-function.ts | 2 + .../test/lambda/deployment-group.test.ts | 40 ++--- .../integ.deployment-group.expected.json | 28 ++++ .../lib/lambda/invoke-action.ts | 5 +- .../test/integ.lambda-pipeline.expected.json | 28 +++- .../test/integ.alb-controller.expected.json | 84 ++++++----- .../integ.lambda-invoke-action.expected.json | 28 +++- .../test/lambda/lambda-invoke-action.test.ts | 2 +- .../test/integ.s3-bucket.lit.expected.json | 46 ++++-- .../test/s3-bucket.test.ts | 5 +- .../test/destinations.test.ts | 10 +- .../test/integ.destinations.expected.json | 28 +++- .../@aws-cdk/aws-lambda/lib/function-base.ts | 31 +++- packages/@aws-cdk/aws-lambda/lib/function.ts | 5 + .../aws-lambda/lib/singleton-lambda.ts | 4 + .../@aws-cdk/aws-lambda/test/function.test.ts | 10 +- .../aws-lambda/test/singleton-lambda.test.ts | 7 +- .../test/integ.database.expected.json | 96 +++++++++--- .../lib/evaluate-expression.ts | 2 +- .../lib/lambda/invoke-function.ts | 2 +- .../lib/lambda/invoke.ts | 2 +- .../lib/lambda/run-lambda-task.ts | 2 +- .../integ.start-job-run.expected.json | 90 ++++++----- .../integ.evaluate-expression.expected.json | 28 +++- .../integ.invoke-function.expected.json | 28 ++++ .../test/lambda/integ.invoke.expected.json | 28 ++++ .../integ.invoke.payload.only.expected.json | 28 ++++ .../lambda/integ.run-lambda.expected.json | 28 ++++ .../waiter-state-machine.ts | 12 +- .../integ.provider.expected.json | 140 +++++++++++++++++- .../waiter-state-machine.test.ts | 4 +- .../test/integ.awscli-layer.expected.json | 102 +++++++++---- 
.../test/compliance/security-check.test.ts | 28 +++- .../integ.pipeline-security.expected.json | 56 +++++-- 39 files changed, 862 insertions(+), 267 deletions(-) diff --git a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json index 0ea88dfb2d4e9..dd7f3d375b03a 100644 --- a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json +++ b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json @@ -1051,12 +1051,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts index f7be4f954d7e8..85ac3c901f3a5 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts @@ -105,7 +105,7 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', { statements: [ new iam.PolicyStatement({ - resources: [this.handler.functionArn], + resources: this.handler.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], }), ], 
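Review bot: The authorizer still hand-builds the invoke statement from `this.handler.resourceArnsForGrantInvoke`, a property this same patch documents as "for cdk modules to consume only ... use grantInvoke() directly", while the CodePipeline action elsewhere in the patch switches to `this.props.lambda.grantInvoke(...)`. If the explicit `iam.Policy` named `authorizerInvokePolicy` has to stay (plausible, since the construct owns the role and may not want grantInvoke()'s principal-or-resource logic), a one-line comment would keep the next reader from "fixing" it: `// Explicit inline policy on purpose: keep the authorizer role independent of grantInvoke()'s principal-or-resource behaviour`. Be aware that for a `Function` handler the role now receives `[ARN, ARN:*]`, i.e. invoke on every version and alias, whereas an `IVersion`/`IAlias` handler keeps its single qualified ARN. The enclosing method starts and ends outside the hunk.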
diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json index eda922f948d66..d5cca0c564f32 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json @@ -176,12 +176,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyAuthorizerFunction70F1223E", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts index a4eea0f56892d..f215a5143b54b 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts @@ -393,7 +393,7 @@ describe('lambda authorizer', () => { PolicyDocument: { Statement: [ { - Resource: stack.resolve(func.functionArn), + Resource: stack.resolve(func.resourceArnsForGrantInvoke), Action: 'lambda:InvokeFunction', Effect: 'Allow', }, @@ -485,7 +485,7 @@ describe('lambda authorizer', () => { PolicyDocument: { Statement: [ { - Resource: stack.resolve(func.functionArn), + Resource: stack.resolve(func.resourceArnsForGrantInvoke), Action: 'lambda:InvokeFunction', Effect: 'Allow', }, diff --git a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json index f4bd20a97d90e..c3c4e3e186912 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json 
+++ b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json @@ -58,12 +58,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "funcC3A0C2E2", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "funcC3A0C2E2", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "funcC3A0C2E2", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts index e095984ed2081..126db00ecc323 100644 --- a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts +++ b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts @@ -47,6 +47,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion { public readonly role?: iam.IRole; public readonly version: string; public readonly architecture: lambda.Architecture; + public readonly resourceArnsForGrantInvoke: string[]; private readonly _edgeFunction: lambda.Function; @@ -68,6 +69,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion { this.permissionsNode = this._edgeFunction.permissionsNode; this.version = lambda.extractQualifierFromArn(this.functionArn); this.architecture = this._edgeFunction.architecture; + this.resourceArnsForGrantInvoke = this._edgeFunction.resourceArnsForGrantInvoke; this.node.defaultChild = this._edgeFunction; } diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts b/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts index 365a03c4d5d30..c6ecfde1ae2de 100644 --- a/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts +++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts 
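Review bot: `EdgeFunction` implements `lambda.IVersion` and its `functionArn` is version-qualified (the `extractQualifierFromArn(this.functionArn)` line two above depends on that), yet the new assignment copies `this._edgeFunction.resourceArnsForGrantInvoke`, which for a `Function` is `[unqualifiedArn, unqualifiedArn:*]`. A module that reads this property for a version-scoped handler therefore gets a grant on the whole function and all of its versions and aliases, which contradicts the PR's stated rule that a Version only yields its qualified ARN. If this is intentional — presumably because `grantInvoke()` on an `EdgeFunction` also delegates to the underlying function, which is not visible in the hunk — say so where it is assigned: `// Deliberately the underlying function's [ARN, ARN:*]: grantInvoke() on an EdgeFunction delegates to _edgeFunction as well`. Otherwise `[this.functionArn]` would match `QualifiedFunctionBase`. The constructor continues outside the hunk.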
@@ -299,12 +299,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PreHook8B53F672', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', @@ -347,12 +345,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PreHook8B53F672', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', @@ -395,12 +391,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PostHookF2E49B30', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', @@ -443,12 +437,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PostHookF2E49B30', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json index d9bb6bf025c5b..e9b096abe09f9 100644 --- a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json 
+++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json @@ -495,6 +495,34 @@ "PreHook8B53F672", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PostHookF2E49B30", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PreHook8B53F672", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts index 8740d8fafb9ff..79029a95641fa 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts +++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts @@ -115,10 +115,7 @@ export class LambdaInvokeAction extends Action { })); // allow pipeline to invoke this lambda functionn - options.role.addToPolicy(new iam.PolicyStatement({ - actions: ['lambda:InvokeFunction'], - resources: [this.props.lambda.functionArn], - })); + this.props.lambda.grantInvoke(options.role); // allow the Role access to the Bucket, if there are any inputs/outputs if ((this.actionProperties.inputs || []).length > 0) { diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json index d7d6c28eebd9f..ad6afd39fa570 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json +++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json @@ -551,12 +551,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "LambdaFun98622869", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "LambdaFun98622869", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LambdaFun98622869", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
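Review bot: Replacing `options.role.addToPolicy(...)` with `this.props.lambda.grantInvoke(options.role)` changes more than the resource ARNs: `grantInvoke()` goes through `Grant.addToPrincipalOrResource` (see the function-base.ts hunk in this patch), so for a function imported from another account it may also try to add a resource-based permission, which the old code never did. That is probably fine, but it deserves a sentence in the description or a comment here, e.g. `// grantInvoke() may also add a Lambda resource policy for cross-account functions; previously only the role policy was touched` — hedged, as the imported-function path is not visible in this hunk. The retained comment also still reads `functionn`. The enclosing method starts and ends outside the hunk.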
diff --git a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json index b46c3360007da..b8bc3541bb0cd 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json @@ -1100,7 +1100,7 @@ }, "/", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3Bucket6B6D2051" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3Bucket1FB496C9" }, "/", { @@ -1110,7 +1110,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341" } ] } @@ -1123,7 +1123,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341" } ] } @@ -1175,7 +1175,7 @@ }, "/", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3BucketDF00C8B8" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3Bucket30803CC9" }, "/", { @@ -1185,7 +1185,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB" } ] } @@ -1198,7 +1198,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB" } ] } 
@@ -1241,11 +1241,11 @@ "ClusterSecurityGroupId" ] }, - "referencetoawscdkeksclusteralbcontrollertestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3Bucket1FA2468ERef": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "referencetoawscdkeksclusteralbcontrollertestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket916394C8Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, - "referencetoawscdkeksclusteralbcontrollertestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey22C96426Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "referencetoawscdkeksclusteralbcontrollertestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey639D7E45Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" }, "referencetoawscdkeksclusteralbcontrollertestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3Bucket65F5BE5ARef": { "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998" @@ -1988,12 +1988,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "IngressPingerFunction54746D9B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "IngressPingerFunction54746D9B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "IngressPingerFunction54746D9B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -2200,17 +2216,17 @@ "Type": "String", "Description": "Artifact hash for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998": { "Type": "String", 
@@ -2260,29 +2276,29 @@ "Type": "String", "Description": "Artifact hash for asset \"5f49893093e1ad14831626016699156d48da5f0890f19eb930bc3c46cf5f636d\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3Bucket6B6D2051": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3Bucket1FB496C9": { "Type": "String", - "Description": "S3 bucket for asset \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "S3 bucket for asset \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341": { "Type": "String", - "Description": "S3 key for asset version \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "S3 key for asset version \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88ArtifactHash5B7180F8": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9ArtifactHashA7B6B572": { "Type": "String", - "Description": "Artifact hash for asset \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "Artifact hash for asset \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, - "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3BucketDF00C8B8": { + "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3Bucket30803CC9": { "Type": "String", - "Description": "S3 bucket for asset \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "S3 bucket for asset \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" }, - 
"AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126": { + "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB": { "Type": "String", - "Description": "S3 key for asset version \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "S3 key for asset version \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" }, - "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aArtifactHashF51483B1": { + "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2ArtifactHashDEC7863C": { "Type": "String", - "Description": "Artifact hash for asset \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "Artifact hash for asset \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json index 7e5d5b881d01d..ab203f3fae7ca 100644 --- a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json +++ b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json @@ -88,12 +88,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyFunction3BAA72D1", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "MyFunction3BAA72D1", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyFunction3BAA72D1", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts index 493114dbd3bb5..f5ca749e3bc5b 100644 
--- a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts +++ b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts @@ -54,7 +54,7 @@ test('Default property', () => { Statement: [{ Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: 'arn:aws:lambda:us-east-1:123456789012:function:MyFn', + Resource: ['arn:aws:lambda:us-east-1:123456789012:function:MyFn', 'arn:aws:lambda:us-east-1:123456789012:function:MyFn:*'], }], }, Roles: [{ diff --git a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json index 85c5efcd3e91c..27e27e08d68d7 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json +++ b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json @@ -310,7 +310,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3BucketA7AEF7D7" }, "S3Key": { "Fn::Join": [ @@ -323,7 +323,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61" } ] } @@ -336,7 +336,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61" } ] } 
@@ -578,12 +578,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "DataProcessorFunctionAD472B9A", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -758,17 +774,17 @@ "Type": "String", "Description": "Artifact hash for asset \"be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3BucketA7AEF7D7": { "Type": "String", - "Description": "S3 bucket for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "S3 bucket for asset \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61": { "Type": "String", - "Description": "S3 key for asset version \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "S3 key for asset version \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cArtifactHash0D892CC5": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dArtifactHashE49F8A6B": { "Type": "String", - "Description": "Artifact hash for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "Artifact hash for asset \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" } }, "Mappings": { 
diff --git a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts index 74d37d180f954..e4543a4215d3c 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts +++ b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts @@ -333,7 +333,10 @@ describe('S3 destination', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: stack.resolve(lambdaFunction.functionArn), + Resource: [ + stack.resolve(lambdaFunction.functionArn), + { 'Fn::Join': ['', [stack.resolve(lambdaFunction.functionArn), ':*']] }, + ], }, ]), }, diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts index d30d292c7e510..5a94887c5673b 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts @@ -90,12 +90,10 @@ test('lambda as destination', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { - 'Fn::GetAtt': [ - 'SuccessFunction93C61D39', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['SuccessFunction93C61D39', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['SuccessFunction93C61D39', 'Arn'] }, ':*']] }, + ], }, ], Version: '2012-10-17', diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json index d66603d29ea09..16ab72abe7bb8 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json +++ b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json 
@@ -243,12 +243,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "OnSucces8F9C946B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "OnSucces8F9C946B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "OnSucces8F9C946B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index b259476efad9d..a4c8b73b46a9a 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -62,6 +62,14 @@ export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable { */ readonly architecture: Architecture; + /** + * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). + * + * This property is for cdk modules to consume only. You should not need to use this property. + * Instead, use grantInvoke() directly. + */ + readonly resourceArnsForGrantInvoke: string[]; + /** * Adds an event source that maps to this AWS Lambda function. * @param id construct ID @@ -242,6 +250,11 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC */ protected abstract readonly canCreatePermissions: boolean; + /** + * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke() + */ + public abstract readonly resourceArnsForGrantInvoke: string[]; + /** * Whether the user decides to skip adding permissions. * The only use case is for cross-account, imported lambdas 
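Review bot: Adding a required `readonly resourceArnsForGrantInvoke: string[]` to the exported `IFunction` interface breaks any code outside this repository that implements `IFunction` (or `IVersion`/`IAlias`, which extend it) directly, regardless of the doc comment saying only CDK modules should read it. If that break is accepted it should be called out in the PR and changelog; otherwise consider keeping it off the public interface (e.g. an abstract member on `FunctionBase` only, which the second hunk already declares). The JSDoc should also tell implementors what to return rather than leaving them to guess: `For an unqualified Function return [functionArn, functionArn + ':*']; for a Version or Alias return [functionArn] only.` The interface and class bodies continue outside the hunks.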
@@ -352,7 +365,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC grant = iam.Grant.addToPrincipalOrResource({ grantee, actions: ['lambda:InvokeFunction'], - resourceArns: [this.functionArn], + resourceArns: this.resourceArnsForGrantInvoke, // Fake resource-like object on which to call addToResourcePolicy(), which actually // calls addPermission() @@ -526,6 +539,10 @@ export abstract class QualifiedFunctionBase extends FunctionBase { return this.lambda.latestVersion; } + public get resourceArnsForGrantInvoke() { + return [this.functionArn]; + } + public configureAsyncInvoke(options: EventInvokeConfigOptions): void { if (this.node.tryFindChild('EventInvokeConfig') !== undefined) { throw new Error(`An EventInvokeConfig has already been configured for the qualified function at ${this.node.path}`); @@ -578,11 +595,15 @@ class LatestVersion extends FunctionBase implements IVersion { return this.lambda.role; } - public addAlias(aliasName: string, options: AliasOptions = {}) { - return addAlias(this, this, aliasName, options); - } - public get edgeArn(): never { throw new Error('$LATEST function version cannot be used for Lambda@Edge'); } + + public get resourceArnsForGrantInvoke() { + return [this.functionArn]; + } + + public addAlias(aliasName: string, options: AliasOptions = {}) { + return addAlias(this, this, aliasName, options); + } } diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index 5bff57e1d43bc..3e2c778be2891 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts @@ -421,6 +421,10 @@ export class Function extends FunctionBase { return this._currentVersion; } + public get resourceArnsForGrantInvoke() { + return [this.functionArn, `${this.functionArn}:*`]; + } + /** @internal */ public static _VER_PROPS: { [key: string]: boolean } = {}; 
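Review bot: With `resourceArns: this.resourceArnsForGrantInvoke`, `grantInvoke()` on a `Function` now hands a grantee `[ARN, ARN:*]`, so an identity that only ever invokes the unqualified function also gains invoke on every current and future version and alias — intended per the PR, but a least-privilege widening that the method's JSDoc (outside the hunk) does not mention. Please document it on `grantInvoke()`: `Grants invoke on this function and, for an unqualified Function, on all of its versions and aliases (ARN:*); call grantInvoke() on a Version or Alias to scope the grant to one qualifier.` It is also worth confirming that the "fake resource-like object" mentioned in the context lines, which forwards to `addPermission()`, ignores `resourceArns`, so the `:*` entry cannot leak into the function's resource policy — that code is not visible here. `grantInvoke` starts and ends outside the hunk.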
@@ -476,6 +480,7 @@ export class Function extends FunctionBase { public readonly role = role; public readonly permissionsNode = this.node; public readonly architecture = attrs.architecture ?? Architecture.X86_64; + public readonly resourceArnsForGrantInvoke = [this.functionArn, `${this.functionArn}:*`]; protected readonly canCreatePermissions = attrs.sameEnvironment ?? this._isStackAccount(); protected readonly _skipPermissions = attrs.skipPermissions ?? false; diff --git a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts index 7ee0cf016e52d..33365c81037a4 100644 --- a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts +++ b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts @@ -117,6 +117,10 @@ export class SingletonFunction extends FunctionBase { return this.lambdaFunction.currentVersion; } + public get resourceArnsForGrantInvoke() { + return [this.functionArn, `${this.functionArn}:*`]; + }; + /** * Adds an environment variable to this Lambda function. * If this is a ref to a Lambda function, this operation results in a no-op. diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index 9c01956493d8b..81edf78b9a0e7 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -983,7 +983,10 @@ describe('function', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + Resource: [ + { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] }, + ], }, ], }, 
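Review bot: `fromFunctionAttributes` now always emits `[this.functionArn, this.functionArn + ':*']`, but an imported `functionArn` may itself carry a qualifier (an alias or version ARN handed to `fromFunctionArn`), in which case the second entry becomes `…:function:Foo:prod:*`, which matches no resource and is just dead policy text. If qualified imports are supported here (the hunk does not show how the ARN is parsed), strip the qualifier before appending `:*` or return `[this.functionArn]` when one is present; if they are not, a comment on the field would set expectations: `// assumes attrs.functionArn is unqualified; a qualified ARN makes the ':*' entry inert`. The anonymous class body continues outside the hunk.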
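Review bot: The `SingletonFunction` getter ends with `};`, which leaves a stray empty class member after the method body; drop the semicolon. It also re-derives the same `[this.functionArn, `${this.functionArn}:*`]` pair that `Function` already exposes, and since `functionArn` on a singleton appears to be the wrapped function's ARN (hedged: the type of `lambdaFunction` is not in the hunk), delegating keeps the two from drifting apart: `public get resourceArnsForGrantInvoke() { return this.lambdaFunction.resourceArnsForGrantInvoke; }`. The class body continues outside the hunk.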
@@ -1116,7 +1119,10 @@ describe('function', () => {
 {
 Action: 'lambda:InvokeFunction',
 Effect: 'Allow',
-Resource: { 'Fn::GetAtt': ['Function76856677', 'Arn'] },
+Resource: [
+{ 'Fn::GetAtt': ['Function76856677', 'Arn'] },
+{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] },
+],
 },
 ],
 },
diff --git a/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts b/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts
index 3e6db8d6ea422..0f0a864a4c173 100644
--- a/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts
+++ b/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts
@@ -182,9 +182,10 @@ describe('singleton lambda', () => {
 expect(statement.action).toEqual(['lambda:InvokeFunction']);
 expect(statement.principal).toEqual({ Service: ['events.amazonaws.com'] });
 expect(statement.effect).toEqual('Allow');
-expect(statement.resource).toEqual([{
-'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'],
-}]);
+expect(statement.resource).toEqual([
+{ 'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'] },
+{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'] }, ':*']] },
+]);
 });
 
 test('check edge compatibility', () => {
diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json
index 696de88a365bf..096fb4b074160 100644
--- a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json
+++ b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json
@@ -20,11 +20,11 @@
 "VpcPublicSubnet1Subnet5C2D37C4": {
 "Type": "AWS::EC2::Subnet",
 "Properties": {
-"CidrBlock": "10.0.0.0/19",
 "VpcId": {
 "Ref": "Vpc8378EB38"
 },
 "AvailabilityZone": "test-region-1a",
+"CidrBlock": "10.0.0.0/19",
 "MapPublicIpOnLaunch": true,
 "Tags": [
 {
@@ -129,11 +129,11 @@ "VpcPublicSubnet2Subnet691E08A3": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.32.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1b", + "CidrBlock": "10.0.32.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { @@ -238,11 +238,11 @@ "VpcPublicSubnet3SubnetBE12F0B6": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.64.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1c", + "CidrBlock": "10.0.64.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { @@ -347,11 +347,11 @@ "VpcPrivateSubnet1Subnet536B997A": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.96.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1a", + "CidrBlock": "10.0.96.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -417,11 +417,11 @@ "VpcPrivateSubnet2Subnet3788AAA1": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.128.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1b", + "CidrBlock": "10.0.128.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -487,11 +487,11 @@ "VpcPrivateSubnet3SubnetF258B56E": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.160.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1c", + "CidrBlock": "10.0.160.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -800,12 +800,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -955,12 +971,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -1256,12 +1288,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts index 5b90ce066c70d..654c13320372c 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts @@ -60,7 +60,7 @@ export class EvaluateExpression extends sfn.TaskStateBase { this.taskPolicies = [ new iam.PolicyStatement({ - resources: [this.evalFn.functionArn], + resources: this.evalFn.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], }), ]; diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts index 8644f94ba7de8..7df2b839f63c7 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts 
@@ -35,7 +35,7 @@ export class InvokeFunction implements sfn.IStepFunctionsTask {
 return {
 resourceArn: this.lambdaFunction.functionArn,
 policyStatements: [new iam.PolicyStatement({
-resources: [this.lambdaFunction.functionArn],
+resources: this.lambdaFunction.resourceArnsForGrantInvoke,
 actions: ['lambda:InvokeFunction'],
 })],
 metricPrefixSingular: 'LambdaFunction',
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts
index aea7ef4335ae4..6917fa31f175b 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts
@@ -119,7 +119,7 @@ export class LambdaInvoke extends sfn.TaskStateBase {
 
 this.taskPolicies = [
 new iam.PolicyStatement({
-resources: [this.props.lambdaFunction.functionArn],
+resources: this.props.lambdaFunction.resourceArnsForGrantInvoke,
 actions: ['lambda:InvokeFunction'],
 }),
 ];
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts
index a2623bb8c5d1a..372f1ced1dca1 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts
@@ -87,7 +87,7 @@ export class RunLambdaTask implements sfn.IStepFunctionsTask {
 return {
 resourceArn: getResourceArn('lambda', 'invoke', this.integrationPattern),
 policyStatements: [new iam.PolicyStatement({
-resources: [this.lambdaFunction.functionArn],
+resources: this.lambdaFunction.resourceArnsForGrantInvoke,
 actions: ['lambda:InvokeFunction'],
 })],
 metricPrefixSingular: 'LambdaFunction',
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json
index ed1d507956dc8..50ea79608b669 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json @@ -1162,7 +1162,7 @@ }, "/", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3BucketE126985C" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3Bucket5BEEED81" }, "/", { @@ -1172,7 +1172,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160" } ] } @@ -1185,7 +1185,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160" } ] } @@ -1241,7 +1241,7 @@ }, "/", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3BucketFA655285" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3Bucket91C98648" }, "/", { @@ -1251,7 +1251,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE" } ] } @@ -1264,7 +1264,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE" } ] } 
@@ -1307,11 +1307,11 @@ "ClusterSecurityGroupId" ] }, - "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3Bucket51F4CFE7Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket694141C5Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, - "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey30F71929Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey89E46F11Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" }, "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketF38DB26BRef": { "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998" @@ -1461,7 +1461,7 @@ "Properties": { "Content": { "S3Bucket": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, "S3Key": { "Fn::Join": [ 
@@ -1474,7 +1474,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -1487,7 +1487,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -1539,12 +1539,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -2154,17 +2170,17 @@ "Type": "String", "Description": "Artifact hash for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998": { "Type": "String", 
@@ -2202,29 +2218,29 @@ "Type": "String", "Description": "Artifact hash for asset \"b866fb0fd5a9b4215d1e23188632d74c01f3195f6f9d706134b197b400afb680\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3BucketE126985C": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3Bucket5BEEED81": { "Type": "String", - "Description": "S3 bucket for asset \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "S3 bucket for asset \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160": { "Type": "String", - "Description": "S3 key for asset version \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "S3 key for asset version \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fArtifactHash886B1296": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1ArtifactHash74CF0762": { "Type": "String", - "Description": "Artifact hash for asset \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "Artifact hash for asset \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3BucketFA655285": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3Bucket91C98648": { "Type": "String", - "Description": "S3 bucket for asset \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "S3 bucket for asset \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" }, - 
"AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE": { "Type": "String", - "Description": "S3 key for asset version \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "S3 key for asset version \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" }, - "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8ArtifactHashC46EC4DB": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eArtifactHash6EFA2AF6": { "Type": "String", - "Description": "Artifact hash for asset \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "Artifact hash for asset \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json index 39a3502ba6c80..9a5de368628cd 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json @@ -121,12 +121,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json index 913ae3d5cd0c3..70549c1ed2ef2 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json @@ -218,6 +218,34 @@ "Handler886CB40B", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CallbackHandler4434C38D", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Handler886CB40B", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json index b899d5f9701ff..06d010a158e56 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json @@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json index cdf0eaadec424..0853de4a89c45 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json 
@@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json index 365683e89340a..1023c2caf6167 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json @@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts b/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts index 6799fb3178123..b6bc6116c328c 100644 --- a/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts +++ b/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts @@ -1,4 +1,4 @@ -import { Grant, IGrantable, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; +import { Grant, IGrantable, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; import { IFunction } from '@aws-cdk/aws-lambda'; import { CfnResource, Duration, Stack } from '@aws-cdk/core'; 
@@ -49,14 +49,8 @@ export class WaiterStateMachine extends Construct {
 const role = new Role(this, 'Role', {
 assumedBy: new ServicePrincipal('states.amazonaws.com'),
 });
-role.addToPolicy(new PolicyStatement({
-actions: ['lambda:InvokeFunction'],
-resources: [props.isCompleteHandler.functionArn],
-}));
-role.addToPolicy(new PolicyStatement({
-actions: ['lambda:InvokeFunction'],
-resources: [props.timeoutHandler.functionArn],
-}));
+props.isCompleteHandler.grantInvoke(role);
+props.timeoutHandler.grantInvoke(role);
 
 const definition = Stack.of(this).toJsonString({
 StartAt: 'framework-isComplete-task',
diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json
index 29758b347aa05..646f935ff4ea6 100644
--- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json
+++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json
@@ -176,12 +176,28 @@
 {
 "Action": "lambda:InvokeFunction",
 "Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8",
-"Arn"
-]
-}
+"Resource": [
+{
+"Fn::GetAtt": [
+"comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8",
+"Arn"
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8",
+"Arn"
+]
+},
+":*"
+]
+]
+}
+]
 }
 ],
 "Version": "2012-10-17"
@@ -551,6 +567,34 @@
 "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783",
 "Arn"
 ]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9",
+"Arn"
+]
+},
+":*"
+]
+]
+},
+{
+"Fn::Join": [
+"",
+[
+{
+"Fn::GetAtt": [
+"comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783",
+"Arn"
+]
+},
+":*"
+]
+]
 }
 ]
 },
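Review bot: The two `grantInvoke(role)` calls discard the returned Grant and change where the permission can land: grantInvoke goes through `Grant.addToPrincipalOrResource` (visible in the function-base hunk), so a handler that is not in the same environment as the role could receive a resource-policy entry via addPermission instead of the statement on the state-machine role that the old `addToPolicy` code always produced. If both handlers are always same-environment constructs this is equivalent; I cannot confirm that from the hunk, and the state-machine test only asserts the identity-policy shape. A comment recording the intentional widening would help, e.g. `// grantInvoke authorizes every version and alias of each handler (ARN and ARN:*), not just the unqualified ARN`. The enclosing constructor continues outside the hunk.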
@@ -699,6 +743,34 @@ "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + ":*" + ] + ] } ] } @@ -837,6 +909,34 @@ "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + ":*" + ] + ] } ] } @@ -972,6 +1072,34 @@ "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkisComplete63829575", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts index 7548f4e151041..514c1af72391b 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts 
@@ -83,12 +83,12 @@ describe('state machine', () => {
 {
 Action: 'lambda:InvokeFunction',
 Effect: 'Allow',
-Resource: stack.resolve(isCompleteHandler.functionArn),
+Resource: stack.resolve(isCompleteHandler.resourceArnsForGrantInvoke),
 },
 {
 Action: 'lambda:InvokeFunction',
 Effect: 'Allow',
-Resource: stack.resolve(timeoutHandler.functionArn),
+Resource: stack.resolve(timeoutHandler.resourceArnsForGrantInvoke),
 },
 ],
 Version: '2012-10-17',
diff --git a/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json b/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json
index 8be04c1e89ab7..d9411d0b44b0d 100644
--- a/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json
+++ b/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json
@@ -5,7 +5,7 @@
 "Properties": {
 "Content": {
 "S3Bucket": {
-"Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488"
+"Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D"
 },
 "S3Key": {
 "Fn::Join": [
@@ -18,7 +18,7 @@
 "Fn::Split": [
 "||",
 {
-"Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2"
+"Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936"
 }
 ]
 }
@@ -31,7 +31,7 @@
 "Fn::Split": [
 "||",
 {
-"Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2"
+"Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936"
 }
 ]
 }
@@ -175,12 +175,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython36B64E8A5D", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython36B64E8A5D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython36B64E8A5D", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -404,12 +420,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython3780349E0A", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython3780349E0A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython3780349E0A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -633,12 +665,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython39426A0480", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython39426A0480", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython39426A0480", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -733,17 +781,17 @@ } }, "Parameters": { - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParameters5dff6208ccd5fb196bb0354fd6e47faa8431a789e6125d20386586fef761ed48S3Bucket1DD21439": { "Type": "String", diff --git a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts index d2ea77f45ff7d..f8c53a40e3e37 100644 --- a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts 
@@ -165,12 +165,28 @@ behavior('pipeline created with auto approve tags and lambda/codebuild w/ valid { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, + Resource: [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + ':*', + ], + ], + }, + ], }, ]), }, diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json index 84aaaf68dabde..1d9619be9c0c9 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json @@ -1908,12 +1908,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "sns:Publish", @@ -2210,12 +2226,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "sns:Publish",