From 2d6cfc84c8b8754cbb360d67e9fe87aa5874d81a Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 15:09:04 -0800 Subject: [PATCH 01/34] feat(lambda): support Lambda's new IAM authorization behavior for identity policies generated by grantInvoke() --- .../@aws-cdk/aws-lambda/lib/function-base.ts | 23 +++++++++++++++---- packages/@aws-cdk/aws-lambda/lib/function.ts | 5 ++++ .../aws-lambda/lib/singleton-lambda.ts | 4 ++++ .../@aws-cdk/aws-lambda/test/function.test.ts | 10 ++++++-- .../aws-lambda/test/singleton-lambda.test.ts | 7 +++--- 5 files changed, 39 insertions(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index b259476efad9d..0610c4f4d176e 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -242,6 +242,11 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC */ protected abstract readonly canCreatePermissions: boolean; + /** + * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke() + */ + protected abstract readonly resourceArnsForGrantInvoke: string[]; + /** * Whether the user decides to skip adding permissions. * The only use case is for cross-account, imported lambdas @@ -352,7 +357,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC grant = iam.Grant.addToPrincipalOrResource({ grantee, actions: ['lambda:InvokeFunction'], - resourceArns: [this.functionArn], + resourceArns: this.resourceArnsForGrantInvoke, // Fake resource-like object on which to call addToResourcePolicy(), which actually // calls addPermission() 
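Review bot: The doc comment on the new abstract `resourceArnsForGrantInvoke` member says what the list is for but not why it is a list, and that "why" is the security-relevant part of this patch: for an unqualified function the policy must now name the bare ARN and the `:*` form, and the `:*` entry lets the grantee invoke every version and alias, including ones created later. Someone choosing between `grantInvoke()` and a hand-written `PolicyStatement` needs that spelled out, e.g. `* For an unqualified function this is [functionArn, functionArn + ':*'], so the grantee may invoke every version and alias (including future ones); for a Version or Alias it is only that qualified ARN.` The `grant = iam.Grant.addToPrincipalOrResource` hunk that consumes the list appears to end at the edge of this chunk, so I cannot confirm its trailing context.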
@@ -526,6 +531,10 @@ export abstract class QualifiedFunctionBase extends FunctionBase { return this.lambda.latestVersion; } + protected get resourceArnsForGrantInvoke() { + return [this.functionArn]; + } + public configureAsyncInvoke(options: EventInvokeConfigOptions): void { if (this.node.tryFindChild('EventInvokeConfig') !== undefined) { throw new Error(`An EventInvokeConfig has already been configured for the qualified function at ${this.node.path}`); @@ -578,11 +587,15 @@ class LatestVersion extends FunctionBase implements IVersion { return this.lambda.role; } - public addAlias(aliasName: string, options: AliasOptions = {}) { - return addAlias(this, this, aliasName, options); - } - public get edgeArn(): never { throw new Error('$LATEST function version cannot be used for Lambda@Edge'); } + + protected get resourceArnsForGrantInvoke() { + return [this.functionArn]; + } + + public addAlias(aliasName: string, options: AliasOptions = {}) { + return addAlias(this, this, aliasName, options); + } } diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index 5bff57e1d43bc..516d21ba5a186 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts @@ -421,6 +421,10 @@ export class Function extends FunctionBase { return this._currentVersion; } + protected get resourceArnsForGrantInvoke() { + return [this.functionArn, `${this.functionArn}:*`]; + } + /** @internal */ public static _VER_PROPS: { [key: string]: boolean } = {}; @@ -479,6 +483,7 @@ export class Function extends FunctionBase { protected readonly canCreatePermissions = attrs.sameEnvironment ?? this._isStackAccount(); protected readonly _skipPermissions = attrs.skipPermissions ?? false; + protected readonly resourceArnsForGrantInvoke = [this.functionArn, `${this.functionArn}:*`]; constructor(s: Construct, i: string) { super(s, i, { 
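Review bot: The `resourceArnsForGrantInvoke` field added to the `fromFunctionAttributes` Import class derives `${this.functionArn}:*` from whatever ARN the caller passed, so if that ARN already carries a qualifier (`...:function:name:prod`) the second resource becomes `...:name:prod:*`, which matches nothing and silently leaves the grant narrower than for a `Function`. Whether `fromFunctionAttributes` accepts qualified ARNs is not visible from this hunk; if it does, the qualified case should collapse to `[this.functionArn]` as `QualifiedFunctionBase` does, and if it does not, a one-line note on the field that the ARN is assumed unqualified would prevent the surprise. The same two-element literal is also now written in `Function`, the Import class and `SingletonFunction`; a small helper on `FunctionBase` would keep them from drifting. Moving `addAlias` below `edgeArn` in the `LatestVersion` hunk is unrelated churn that makes the diff harder to read.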
diff --git a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts index 7ee0cf016e52d..e5fa6548a4626 100644 --- a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts +++ b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts @@ -117,6 +117,10 @@ export class SingletonFunction extends FunctionBase { return this.lambdaFunction.currentVersion; } + protected get resourceArnsForGrantInvoke() { + return [this.functionArn, `${this.functionArn}:*`]; + }; + /** * Adds an environment variable to this Lambda function. * If this is a ref to a Lambda function, this operation results in a no-op. diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index 9c01956493d8b..81edf78b9a0e7 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -983,7 +983,10 @@ describe('function', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + Resource: [ + { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] }, + ], }, ], }, @@ -1116,7 +1119,10 @@ describe('function', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + Resource: [ + { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] }, + ], }, ], }, diff --git a/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts b/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts index 3e6db8d6ea422..0f0a864a4c173 100644 --- a/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/singleton-lambda.test.ts 
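Review bot: The new `resourceArnsForGrantInvoke` getter in `singleton-lambda.ts` is closed with `};`, leaving a stray empty class member after the method; it compiles, but it does not match the sibling getters in `function.ts` and the repository lint rules are likely to flag it. Drop the semicolon so the member ends with `}` alone. Since `SingletonFunction` delegates to an inner function (`this.lambdaFunction.currentVersion` in the context line), returning `this.lambdaFunction.resourceArnsForGrantInvoke` would keep the two in step once that member is accessible from here, instead of re-deriving the ARN pair.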
@@ -182,9 +182,10 @@ describe('singleton lambda', () => { expect(statement.action).toEqual(['lambda:InvokeFunction']); expect(statement.principal).toEqual({ Service: ['events.amazonaws.com'] }); expect(statement.effect).toEqual('Allow'); - expect(statement.resource).toEqual([{ - 'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'], - }]); + expect(statement.resource).toEqual([ + { 'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['SingletonLambda84c0de93353f42179b0b45b6c993251a840BCC38', 'Arn'] }, ':*']] }, + ]); }); test('check edge compatibility', () => { From 19cccd3eb0f84788a2ac739911d4529173848a9b Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 16:23:01 -0800 Subject: [PATCH 02/34] update unit test in iotevents-action --- .../test/lambda/lambda-invoke-action.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts index 493114dbd3bb5..f5ca749e3bc5b 100644 --- a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts +++ b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/lambda-invoke-action.test.ts @@ -54,7 +54,7 @@ test('Default property', () => { Statement: [{ Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: 'arn:aws:lambda:us-east-1:123456789012:function:MyFn', + Resource: ['arn:aws:lambda:us-east-1:123456789012:function:MyFn', 'arn:aws:lambda:us-east-1:123456789012:function:MyFn:*'], }], }, Roles: [{ From 8fed6d66f9fef33c43dfd597aa12e2ff2140f34a Mon Sep 17 00:00:00 2001 
From: Madeline Kusters Date: Wed, 9 Mar 2022 16:29:32 -0800 Subject: [PATCH 03/34] update tests in codedeploy --- .../test/lambda/deployment-group.test.ts | 40 +++++------- .../integ.deployment-group.expected.json | 64 ++++++++++++++----- 2 files changed, 64 insertions(+), 40 deletions(-) diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts b/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts index 365a03c4d5d30..c6ecfde1ae2de 100644 --- a/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts +++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts @@ -299,12 +299,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PreHook8B53F672', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', @@ -347,12 +345,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PreHook8B53F672', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', @@ -395,12 +391,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PostHookF2E49B30', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', 
@@ -443,12 +437,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => { PolicyDocument: { Statement: [{ Action: 'lambda:InvokeFunction', - Resource: { - 'Fn::GetAtt': [ - 'PostHookF2E49B30', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] }, + ], Effect: 'Allow', }], Version: '2012-10-17', diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json index 2d9262dcf3212..acc0aa2d21eb1 100644 --- a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json +++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json @@ -72,13 +72,13 @@ ] } }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "HandlerServiceRoleFCDC14AE", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs10.x" }, "DependsOn": [ @@ -243,13 +243,13 @@ ] } }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "PreHookServiceRoleC724B9BA", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs10.x" }, "DependsOn": [ @@ -376,13 +376,13 @@ ] } }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "PostHookServiceRoleE8A6AAC2", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs10.x" }, "DependsOn": [ 
@@ -483,22 +483,54 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PreHook8B53F672", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "PreHook8B53F672", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PreHook8B53F672", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PostHookF2E49B30", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "PostHookF2E49B30", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PostHookF2E49B30", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -586,4 +618,4 @@ "Description": "Artifact hash for asset \"93dbd8c02dbfca9077c9d83cb6d3a94659988c7d143988da4a554033a58f963c\"" } } -} +} \ No newline at end of file From 2871fdbf23f86357be526ebeb4fac9670a5ceb60 Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 16:34:55 -0800 Subject: [PATCH 04/34] update codepipeline-actions to use grantInvoke() --- .../lib/lambda/invoke-action.ts | 5 +-- .../test/integ.lambda-pipeline.expected.json | 32 ++++++++++++++----- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts index 8740d8fafb9ff..79029a95641fa 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts +++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts 
@@ -115,10 +115,7 @@ export class LambdaInvokeAction extends Action { })); // allow pipeline to invoke this lambda functionn - options.role.addToPolicy(new iam.PolicyStatement({ - actions: ['lambda:InvokeFunction'], - resources: [this.props.lambda.functionArn], - })); + this.props.lambda.grantInvoke(options.role); // allow the Role access to the Bucket, if there are any inputs/outputs if ((this.actionProperties.inputs || []).length > 0) { diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json index 0990f457aae8f..757dc72b098b0 100644 --- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json +++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json @@ -553,12 +553,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "LambdaFun98622869", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "LambdaFun98622869", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "LambdaFun98622869", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -862,13 +878,13 @@ "Code": { "ZipFile": "\n exports.handler = function () {\n console.log(\"Hello, world!\");\n };\n " }, - "Handler": "index.handler", "Role": { "Fn::GetAtt": [ "LambdaFunServiceRoleF0979767", "Arn" ] }, + "Handler": "index.handler", "Runtime": "nodejs10.x" }, "DependsOn": [ @@ -877,4 +893,4 @@ ] } } -} +} \ No newline at end of file From ad9f3c87a9a0fb332a227fd3e17e4dc3c8b8a4cc Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 16:43:59 -0800 Subject: [PATCH 05/34] update tests in kinesisfirehose-destinations --- .../test/integ.s3-bucket.lit.expected.json | 64 ++++++++++++------- .../test/s3-bucket.test.ts | 5 +- 2 files changed, 44 insertions(+), 25 deletions(-) 
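Review bot: Replacing `options.role.addToPolicy(...)` with `this.props.lambda.grantInvoke(options.role)` changes more than the resource list: `grantInvoke` goes through `Grant.addToPrincipalOrResource`, so for a function imported from another account it may also write a resource-based permission on the function (or skip it when permissions cannot be created), which the removed identity-only statement never did. That is probably the intended outcome, but it deserves a sentence in the commit message and a test for the imported-function case, since pipeline roles commonly invoke functions in other accounts. The returned `Grant` is discarded; if the pipeline must not be created before the policy is attached, `this.props.lambda.grantInvoke(options.role).applyBefore(...)` expresses that, assuming `applyBefore` is available in this version.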
diff --git a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json index 913dba1638ec3..380bb238b044e 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json +++ b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json @@ -110,7 +110,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9S3Bucket4673BB1A" + "Ref": "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824S3Bucket09A62232" }, "S3Key": { "Fn::Join": [ @@ -123,7 +123,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9S3VersionKey46E40510" + "Ref": "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824S3VersionKeyA28118BE" } ] } @@ -136,7 +136,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9S3VersionKey46E40510" + "Ref": "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824S3VersionKeyA28118BE" } ] } @@ -310,7 +310,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19S3BucketFEDDFB43" + "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C" }, "S3Key": { "Fn::Join": [ @@ -323,7 +323,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19S3VersionKey244C2747" + "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" } ] } 
@@ -336,7 +336,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19S3VersionKey244C2747" + "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" } ] } @@ -592,12 +592,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "DataProcessorFunctionAD472B9A", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "DataProcessorFunctionAD472B9A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": [ 
@@ -775,29 +791,29 @@ } }, "Parameters": { - "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9S3Bucket4673BB1A": { + "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824S3Bucket09A62232": { "Type": "String", - "Description": "S3 bucket for asset \"3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9\"" + "Description": "S3 bucket for asset \"be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824\"" }, - "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9S3VersionKey46E40510": { + "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824S3VersionKeyA28118BE": { "Type": "String", - "Description": "S3 key for asset version \"3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9\"" + "Description": "S3 key for asset version \"be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824\"" }, - "AssetParameters3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9ArtifactHashBD621721": { + "AssetParametersbe270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824ArtifactHash76F8FCF2": { "Type": "String", - "Description": "Artifact hash for asset \"3993fb4cd942505a050d08b09d5444e14c265cf9cd0fb8b0c5f621446b6cead9\"" + "Description": "Artifact hash for asset \"be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824\"" }, - "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19S3BucketFEDDFB43": { + "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C": { "Type": "String", - "Description": "S3 bucket for asset \"5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19\"" + "Description": "S3 bucket for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" }, - "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19S3VersionKey244C2747": { + 
"AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872": { "Type": "String", - "Description": "S3 key for asset version \"5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19\"" + "Description": "S3 key for asset version \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" }, - "AssetParameters5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19ArtifactHashC1C6FCBC": { + "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cArtifactHash0D892CC5": { "Type": "String", - "Description": "Artifact hash for asset \"5ee078f2a1957fe672d6cfd84faf49e07b8460758b5cd2669b3df1212a14cd19\"" + "Description": "Artifact hash for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" } }, "Mappings": { diff --git a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts index 74d37d180f954..e4543a4215d3c 100644 --- a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts +++ b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/s3-bucket.test.ts @@ -333,7 +333,10 @@ describe('S3 destination', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: stack.resolve(lambdaFunction.functionArn), + Resource: [ + stack.resolve(lambdaFunction.functionArn), + { 'Fn::Join': ['', [stack.resolve(lambdaFunction.functionArn), ':*']] }, + ], }, ]), }, From b5a529727f400b26b867eb248ef28a126b7b914f Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 16:55:54 -0800 Subject: [PATCH 06/34] update tests for iotevents-actions --- .../integ.lambda-invoke-action.expected.json | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) 
diff --git a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json index 7e5d5b881d01d..ab203f3fae7ca 100644 --- a/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json +++ b/packages/@aws-cdk/aws-iotevents-actions/test/lambda/integ.lambda-invoke-action.expected.json @@ -88,12 +88,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyFunction3BAA72D1", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "MyFunction3BAA72D1", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyFunction3BAA72D1", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" From 2733358efaf2484426f79ed67b017d183d04d60c Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 16:58:04 -0800 Subject: [PATCH 07/34] update lambda-destinations tests --- .../test/destinations.test.ts | 10 +++---- .../test/integ.destinations.expected.json | 28 +++++++++++++++---- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts index d30d292c7e510..5a94887c5673b 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts +++ b/packages/@aws-cdk/aws-lambda-destinations/test/destinations.test.ts @@ -90,12 +90,10 @@ test('lambda as destination', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { - 'Fn::GetAtt': [ - 'SuccessFunction93C61D39', - 'Arn', - ], - }, + Resource: [ + { 'Fn::GetAtt': ['SuccessFunction93C61D39', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['SuccessFunction93C61D39', 'Arn'] }, ':*']] }, + ], }, ], Version: '2012-10-17', 
diff --git a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json index 009327c46da7e..1cf6517d6a7d2 100644 --- a/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json +++ b/packages/@aws-cdk/aws-lambda-destinations/test/integ.destinations.expected.json @@ -243,12 +243,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "OnSucces8F9C946B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "OnSucces8F9C946B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "OnSucces8F9C946B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" From 7c0a4e9d761df4aa04284d07991f91051fe1afff Mon Sep 17 00:00:00 2001 From: Madeline Kusters Date: Wed, 9 Mar 2022 17:02:47 -0800 Subject: [PATCH 08/34] mark places in stepfunctions-tasks that need to be updated, but can't just replace with a grantInvoke --- .../@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts | 1 + .../aws-stepfunctions-tasks/lib/lambda/invoke-function.ts | 1 + packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts | 1 + .../aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts | 1 + 4 files changed, 4 insertions(+) diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts index 5b90ce066c70d..95371623c9af3 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts @@ -58,6 +58,7 @@ export class EvaluateExpression extends sfn.TaskStateBase { this.evalFn = createEvalFn(this.props.runtime ?? lambda.Runtime.NODEJS_14_X, this); + // TODO - this should be updated, but I can't just replace it with a grantInvoke() this.taskPolicies = [ new iam.PolicyStatement({ resources: [this.evalFn.functionArn], 
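Review bot: The added `// TODO - this should be updated, but I can't just replace it with a grantInvoke()` leaves `evaluate-expression.ts` granting `lambda:InvokeFunction` on the bare `this.evalFn.functionArn` only, so once Lambda requires qualified ARNs in identity policies a task that invokes a version or alias of the eval function is denied while every other package in this series now gets both ARNs. The role is not known until the state machine binds, which is what `taskPolicies` exists for, so the fix is to reuse the ARN list rather than the grant: `resources: this.evalFn.resourceArnsForGrantInvoke,` (this needs the member to be public, and on `IFunction` if `evalFn` is typed as one). If the TODO is to stay in this commit, it should state that plan and reference a tracking issue rather than only describe the obstacle.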
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts index 8644f94ba7de8..9854d4d54fbe5 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts @@ -32,6 +32,7 @@ export class InvokeFunction implements sfn.IStepFunctionsTask { } public bind(_task: sfn.Task): sfn.StepFunctionsTaskConfig { + // TODO - This also should be udpated return { resourceArn: this.lambdaFunction.functionArn, policyStatements: [new iam.PolicyStatement({ diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts index aea7ef4335ae4..c800d944bcad0 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts @@ -117,6 +117,7 @@ export class LambdaInvoke extends sfn.TaskStateBase { }, }; + // TODO - This also should be udpated to have the correct resources this.taskPolicies = [ new iam.PolicyStatement({ resources: [this.props.lambdaFunction.functionArn], diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts index a2623bb8c5d1a..be573a9fda54c 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts @@ -84,6 +84,7 @@ export class RunLambdaTask implements sfn.IStepFunctionsTask { } public bind(_task: sfn.Task): sfn.StepFunctionsTaskConfig { + // TODO - And this one return { resourceArn: getResourceArn('lambda', 'invoke', this.integrationPattern), policyStatements: [new iam.PolicyStatement({ From fd28ea4da87aea75e2ae6c3a21aba503fdd09b2a Mon Sep 17 00:00:00 2001 
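Review bot: Two of the added comments misspell the same word: `// TODO - This also should be udpated` in `invoke-function.ts` and `// TODO - This also should be udpated to have the correct resources` in `invoke.ts`; write `updated`. More substantively, all three hunks (`invoke-function.ts`, `invoke.ts`, `run-lambda-task.ts`) still emit a `PolicyStatement` on `this.lambdaFunction.functionArn` / `this.props.lambdaFunction.functionArn` alone, so `LambdaInvoke` against a version or alias is the remaining invoke path in this series that does not receive the `:*` form. Because these tasks must return statements rather than call a grant, `resources: this.props.lambdaFunction.resourceArnsForGrantInvoke,` is the natural replacement once that member is exposed on `IFunction`. The `bind` bodies and the `taskPolicies` arrays continue past each hunk, so I cannot see whether other statements in them need the same treatment.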
From: Madeline Kusters Date: Thu, 10 Mar 2022 11:34:57 -0800 Subject: [PATCH 09/34] update custom resources to use grantInvoke --- .../lib/provider-framework/waiter-state-machine.ts | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts b/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts index 6799fb3178123..b6bc6116c328c 100644 --- a/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts +++ b/packages/@aws-cdk/custom-resources/lib/provider-framework/waiter-state-machine.ts @@ -1,4 +1,4 @@ -import { Grant, IGrantable, PolicyStatement, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; +import { Grant, IGrantable, Role, ServicePrincipal } from '@aws-cdk/aws-iam'; import { IFunction } from '@aws-cdk/aws-lambda'; import { CfnResource, Duration, Stack } from '@aws-cdk/core'; @@ -49,14 +49,8 @@ export class WaiterStateMachine extends Construct { const role = new Role(this, 'Role', { assumedBy: new ServicePrincipal('states.amazonaws.com'), }); - role.addToPolicy(new PolicyStatement({ - actions: ['lambda:InvokeFunction'], - resources: [props.isCompleteHandler.functionArn], - })); - role.addToPolicy(new PolicyStatement({ - actions: ['lambda:InvokeFunction'], - resources: [props.timeoutHandler.functionArn], - })); + props.isCompleteHandler.grantInvoke(role); + props.timeoutHandler.grantInvoke(role); const definition = Stack.of(this).toJsonString({ StartAt: 'framework-isComplete-task', From 6aefe6c08af7492d939e1a3b63b150102bd32d81 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 13:02:59 -0400 Subject: [PATCH 10/34] make "resourcearnsforgrantinvoke" public --- packages/@aws-cdk/aws-lambda/lib/function-base.ts | 6 +++--- packages/@aws-cdk/aws-lambda/lib/function.ts | 4 ++-- packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) 
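Review bot: `props.isCompleteHandler.grantInvoke(role)` and `props.timeoutHandler.grantInvoke(role)` discard the returned `Grant`, and because `grantInvoke` uses `addToPrincipalOrResource` the permission may now be written to a handler's resource policy rather than only to `role` when a handler is imported from another account, something the removed `role.addToPolicy` calls never did; that behaviour change belongs in the commit description. The role also now receives `lambda:InvokeFunction` on the `:*` form of each handler, i.e. every version and alias, where the old statements named one ARN each. If the state machine `CfnResource` built from `definition` does not already depend on the role's default policy, keeping the two grants and calling `applyBefore` on them with that resource is the idiomatic way to sequence it; the resource definition is outside this hunk so I cannot confirm either way.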
diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index 0610c4f4d176e..28ac29bfb0395 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -245,7 +245,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC /** * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke() */ - protected abstract readonly resourceArnsForGrantInvoke: string[]; + public abstract readonly resourceArnsForGrantInvoke: string[]; /** * Whether the user decides to skip adding permissions. @@ -531,7 +531,7 @@ export abstract class QualifiedFunctionBase extends FunctionBase { return this.lambda.latestVersion; } - protected get resourceArnsForGrantInvoke() { + public get resourceArnsForGrantInvoke() { return [this.functionArn]; } @@ -591,7 +591,7 @@ class LatestVersion extends FunctionBase implements IVersion { throw new Error('$LATEST function version cannot be used for Lambda@Edge'); } - protected get resourceArnsForGrantInvoke() { + public get resourceArnsForGrantInvoke() { return [this.functionArn]; } diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index 516d21ba5a186..3e2c778be2891 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts @@ -421,7 +421,7 @@ export class Function extends FunctionBase { return this._currentVersion; } - protected get resourceArnsForGrantInvoke() { + public get resourceArnsForGrantInvoke() { return [this.functionArn, `${this.functionArn}:*`]; } 
@@ -480,10 +480,10 @@ export class Function extends FunctionBase { public readonly role = role; public readonly permissionsNode = this.node; public readonly architecture = attrs.architecture ?? Architecture.X86_64; + public readonly resourceArnsForGrantInvoke = [this.functionArn, `${this.functionArn}:*`]; protected readonly canCreatePermissions = attrs.sameEnvironment ?? this._isStackAccount(); protected readonly _skipPermissions = attrs.skipPermissions ?? false; - protected readonly resourceArnsForGrantInvoke = [this.functionArn, `${this.functionArn}:*`]; constructor(s: Construct, i: string) { super(s, i, { diff --git a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts index e5fa6548a4626..33365c81037a4 100644 --- a/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts +++ b/packages/@aws-cdk/aws-lambda/lib/singleton-lambda.ts @@ -117,7 +117,7 @@ export class SingletonFunction extends FunctionBase { return this.lambdaFunction.currentVersion; } - protected get resourceArnsForGrantInvoke() { + public get resourceArnsForGrantInvoke() { return [this.functionArn, `${this.functionArn}:*`]; }; From 6e2d218eee149ed159cbd16233fb35b01456396c Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 16:09:15 -0400 Subject: [PATCH 11/34] change lambda invoke policyu statements --- .../aws-apigateway/lib/authorizers/lambda.ts | 2 +- .../integ.provider.expected.json | 290 +++++++++++++----- .../integration-test-fixtures/s3-file.ts | 2 +- .../waiter-state-machine.test.ts | 4 +- 4 files changed, 221 insertions(+), 77 deletions(-) diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts index f7be4f954d7e8..0fbf8f7a0c002 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts 
@@ -105,7 +105,7 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', { statements: [ new iam.PolicyStatement({ - resources: [this.handler.functionArn], + resources: [this.handler.functionArn], // TODO: maybe this one too actions: ['lambda:InvokeFunction'], }), ], diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json index aa0407ca5b164..494aa6b1206a3 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json @@ -131,7 +131,7 @@ ] }, "Handler": "index.onEvent", - "Runtime": "nodejs10.x" + "Runtime": "nodejs12.x" }, "DependsOn": [ "comamazonawscdkcustomresourcess3fileproviders3fileoneventServiceRoleDefaultPolicy10D24725", @@ -177,12 +177,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3fileproviders3fileonevent48293DE8", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -200,7 +216,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ 
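Review bot: The only change to `aws-apigateway/lib/authorizers/lambda.ts` is the trailing `// TODO: maybe this one too` on `resources: [this.handler.functionArn],`, which ships an unresolved reviewer note inside a production policy and leaves the authorizer role able to invoke only the unqualified handler ARN while the rest of this series grants the `:*` form as well. If `this.handler` is a Version or Alias its `functionArn` is already qualified and the statement is correct; otherwise the consistent fix is `resources: this.handler.resourceArnsForGrantInvoke,` once that member is visible on `IFunction`, or `this.handler.grantInvoke(this.role)` if attaching to the role's default policy instead of the named `authorizerInvokePolicy` is acceptable here. The TODO should be resolved or replaced with a tracking reference before merge. The `integ.provider.expected.json` hunks in this commit also flip `Runtime` from `nodejs10.x` to `nodejs12.x`, which looks like an unrelated regeneration worth calling out in the description.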
@@ -213,7 +229,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -226,7 +242,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -540,22 +556,54 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "states:StartExecution", @@ -580,7 +628,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ 
@@ -593,7 +641,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -606,7 +654,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -690,22 +738,54 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -723,7 +803,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ 
@@ -736,7 +816,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -749,7 +829,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -830,22 +910,54 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -863,7 +975,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ 
@@ -876,7 +988,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -889,7 +1001,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -967,22 +1079,54 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviderframeworkisComplete63829575", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkisComplete63829575", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkisComplete63829575", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -1046,17 +1190,17 @@ "Type": "String", "Description": "Artifact hash for asset \"192597c3e09c72bcb5fca6899fca0b42745cb003a702e275a7f96123a9baf590\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1": { + "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A": { "Type": "String", - "Description": "S3 bucket for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "S3 bucket for asset \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F": { + "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6": { "Type": "String", - "Description": "S3 key for asset version \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "S3 key for asset version \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1ArtifactHashA521A16F": { + "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391ArtifactHashA391D940": { "Type": "String", - "Description": "Artifact hash for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "Artifact hash for asset \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" }, "AssetParameters4bafad8d010ba693e235b77d2c6decfc2ac79a8208d4477cbb36d31caf7189e8S3Bucket0DB889DF": { "Type": "String", diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts index d70759be12b79..7b37e16fee6b1 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts 
+++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts @@ -82,7 +82,7 @@ class S3FileProvider extends CoreConstruct { this.provider = new cr.Provider(this, 's3file-provider', { onEventHandler: new lambda.Function(this, 's3file-on-event', { code: lambda.Code.fromAsset(path.join(__dirname, 's3-file-handler')), - runtime: lambda.Runtime.NODEJS_10_X, + runtime: lambda.Runtime.NODEJS_12_X, handler: 'index.onEvent', initialPolicy: [ new iam.PolicyStatement({ diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts index 7548f4e151041..514c1af72391b 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/waiter-state-machine.test.ts @@ -83,12 +83,12 @@ describe('state machine', () => { { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: stack.resolve(isCompleteHandler.functionArn), + Resource: stack.resolve(isCompleteHandler.resourceArnsForGrantInvoke), }, { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: stack.resolve(timeoutHandler.functionArn), + Resource: stack.resolve(timeoutHandler.resourceArnsForGrantInvoke), }, ], Version: '2012-10-17', From 4e0f9e887a96d23d441a0733bcb0abaf7aa18f31 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 17:30:11 -0400 Subject: [PATCH 12/34] more invoke function changes --- packages/@aws-cdk/aws-lambda/lib/function-base.ts | 5 +++++ .../lib/evaluate-expression.ts | 3 +-- .../lib/lambda/invoke-function.ts | 3 +-- .../aws-stepfunctions-tasks/lib/lambda/invoke.ts | 3 +-- .../lib/lambda/run-lambda-task.ts | 3 +-- .../provider-framework/integ.provider.expected.json | 13 +------------ 6 files changed, 10 insertions(+), 20 deletions(-) 
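Review bot: The rewritten assertions at `Resource: stack.resolve(isCompleteHandler.resourceArnsForGrantInvoke)` and the `timeoutHandler` line below it take their expected value from the property under test, so a regression in `resourceArnsForGrantInvoke` (for example back to a single ARN) would move the expectation along with it and the test would still pass. Pinning the shape explicitly — the resolved `functionArn` followed by the resolved `` `${functionArn}:*` `` — is what would actually catch a change in the generated policy. The same pattern appears in both statements of this hunk.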
diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index 28ac29bfb0395..c0de1ec65c038 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -62,6 +62,11 @@ export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable { */ readonly architecture: Architecture; + /** + * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke() + */ + readonly resourceArnsForGrantInvoke: string[]; + /** * Adds an event source that maps to this AWS Lambda function. * @param id construct ID diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts index 95371623c9af3..654c13320372c 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/evaluate-expression.ts @@ -58,10 +58,9 @@ export class EvaluateExpression extends sfn.TaskStateBase { this.evalFn = createEvalFn(this.props.runtime ?? lambda.Runtime.NODEJS_14_X, this); - // TODO - this should be updated, but I can't just replace it with a grantInvoke() this.taskPolicies = [ new iam.PolicyStatement({ - resources: [this.evalFn.functionArn], + resources: this.evalFn.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], }), ]; diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts index 9854d4d54fbe5..7df2b839f63c7 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke-function.ts 
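Review bot: Adding the required member `readonly resourceArnsForGrantInvoke: string[];` to the exported `IFunction` interface breaks any implementation of `IFunction` outside this package, since such classes will no longer satisfy the interface until they add the property; if the project treats `IFunction` as user-implementable, this needs a call-out in the change description or a default provided elsewhere. The doc comment would also help callers more if it said what the extra entries are, e.g. `* The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). Besides the function ARN this may include a ":*"-qualified ARN so that invocations of versions and aliases are also covered.` (the `:*` form is what the implementations in this series return). The type is a mutable `string[]`; whether a caller mutating the array is acceptable depends on project conventions, but `readonly string[]` would make the contract explicit where the type system allows it.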
@@ -32,11 +32,10 @@ export class InvokeFunction implements sfn.IStepFunctionsTask { } public bind(_task: sfn.Task): sfn.StepFunctionsTaskConfig { - // TODO - This also should be udpated return { resourceArn: this.lambdaFunction.functionArn, policyStatements: [new iam.PolicyStatement({ - resources: [this.lambdaFunction.functionArn], + resources: this.lambdaFunction.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], })], metricPrefixSingular: 'LambdaFunction', diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts index c800d944bcad0..6917fa31f175b 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/invoke.ts @@ -117,10 +117,9 @@ export class LambdaInvoke extends sfn.TaskStateBase { }, }; - // TODO - This also should be udpated to have the correct resources this.taskPolicies = [ new iam.PolicyStatement({ - resources: [this.props.lambdaFunction.functionArn], + resources: this.props.lambdaFunction.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], }), ]; diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts index be573a9fda54c..372f1ced1dca1 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/lambda/run-lambda-task.ts 
@@ -84,11 +84,10 @@ export class RunLambdaTask implements sfn.IStepFunctionsTask { } public bind(_task: sfn.Task): sfn.StepFunctionsTaskConfig { - // TODO - And this one return { resourceArn: getResourceArn('lambda', 'invoke', this.integrationPattern), policyStatements: [new iam.PolicyStatement({ - resources: [this.lambdaFunction.functionArn], + resources: this.lambdaFunction.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], })], metricPrefixSingular: 'LambdaFunction', diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json index 494aa6b1206a3..9b17b3467f5b3 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json @@ -1052,18 +1052,7 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "states.", - { - "Ref": "AWS::Region" - }, - ".amazonaws.com" - ] - ] - } + "Service": "states.test-region.amazonaws.com" } } ], From 7328c86d94a2e28332a908a13d4da636382d2346 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 17:30:55 -0400 Subject: [PATCH 13/34] update integ tests --- .../integ.aws-custom-resource.expected.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/integ.aws-custom-resource.expected.json b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/integ.aws-custom-resource.expected.json index 2cad60974266d..38a11e5519402 100644 --- a/packages/@aws-cdk/custom-resources/test/aws-custom-resource/integ.aws-custom-resource.expected.json +++ b/packages/@aws-cdk/custom-resources/test/aws-custom-resource/integ.aws-custom-resource.expected.json 
@@ -109,7 +109,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaS3BucketACF45CC2" + "Ref": "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87S3Bucket36F31A16" }, "S3Key": { "Fn::Join": [ @@ -122,7 +122,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaS3VersionKeyBCA0A3F3" + "Ref": "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87S3VersionKeyF80D542B" } ] } @@ -135,7 +135,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaS3VersionKeyBCA0A3F3" + "Ref": "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87S3VersionKeyF80D542B" } ] } 
@@ -274,17 +274,17 @@ } }, "Parameters": { - "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaS3BucketACF45CC2": { + "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87S3Bucket36F31A16": { "Type": "String", - "Description": "S3 bucket for asset \"bd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edba\"" + "Description": "S3 bucket for asset \"3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87\"" }, - "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaS3VersionKeyBCA0A3F3": { + "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87S3VersionKeyF80D542B": { "Type": "String", - "Description": "S3 key for asset version \"bd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edba\"" + "Description": "S3 key for asset version \"3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87\"" }, - "AssetParametersbd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edbaArtifactHashF3AE56EF": { + "AssetParameters3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87ArtifactHash40DDF5EE": { "Type": "String", - "Description": "Artifact hash for asset \"bd060cb930079c194320bc9a045d159066215c3a4858c45bdb12a79ef9a1edba\"" + "Description": "Artifact hash for asset \"3744fa896361f81b76b1efde632ac07b1920ce09a4ca1ff15ab486f262a19b87\"" } }, "Outputs": { From 7d4461382636a7b0a7258bf072038727431a4403 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 19:13:47 -0400 Subject: [PATCH 14/34] warning is thrown when we call addpermission on an unqualified function with lambda:invokefunction --- .../@aws-cdk/aws-lambda/lib/function-base.ts | 17 +++++- .../@aws-cdk/aws-lambda/test/function.test.ts | 61 ++++++++++++++++++- 2 files changed, 76 insertions(+), 2 deletions(-) 
diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index c0de1ec65c038..b3a4a825e6906 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts @@ -1,7 +1,7 @@ import * as cloudwatch from '@aws-cdk/aws-cloudwatch'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; -import { ArnFormat, ConstructNode, IResource, Resource, Token } from '@aws-cdk/core'; +import { Annotations, ArnFormat, ConstructNode, IResource, Resource, Token } from '@aws-cdk/core'; import { AliasOptions } from './alias'; import { Architecture } from './architecture'; import { EventInvokeConfig, EventInvokeConfigOptions } from './event-invoke-config'; @@ -283,6 +283,13 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC * @param permission The permission to grant to this Lambda function. @see Permission for details. */ public addPermission(id: string, permission: Permission) { + this.addPermissionHelper(id, permission, false); + } + + /** + * @param qualified Whether or not the function is qualified (i.e. is an alias or a version) + */ + protected addPermissionHelper(id: string, permission: Permission, qualified?: boolean) { if (!this.canCreatePermissions) { // FIXME: @deprecated(v2) - throw an error if calling `addPermission` on a resource that doesn't support it. return; @@ -293,6 +300,10 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC const action = permission.action ?? 'lambda:InvokeFunction'; const scope = permission.scope ?? this; + if (['lambda:InvokeFunction', 'lambda:*'].includes(action) && !qualified) { + Annotations.of(this).addWarning('Lambda has changed their authorization strategy, which may affect resource permissions on unqualified arns. See https://github.com/aws/aws-cdk/issues/19273'); + } + new CfnPermission(scope, id, { action, principal, 
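Review bot: In the `@@ -293,6 +300,10 @@` hunk the new `qualified?: boolean` parameter of `addPermissionHelper` is optional, yet both callers in this series pass it explicitly (`false` from `addPermission`, `true` from `QualifiedFunctionBase`), so the optionality only creates a silent "unqualified" default for any future caller that forgets it; `qualified: boolean` is safer. The helper's doc comment documents only `@param qualified`; it should also carry `@param id` and `@param permission` (or refer back to `addPermission`) since it is the method subclasses will now override against. As written, the warning fires for every unqualified `addPermission` whose action is `lambda:InvokeFunction` or `lambda:*`, which presumably includes the resource-policy side of the library's own `grantInvoke()` on a plain `Function`; if that is the intent, a sentence in the `addPermission` docblock saying so would save users from reporting the annotation as a bug. The surrounding `addPermissionHelper` body continues outside the hunk.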
@@ -551,6 +562,10 @@ export abstract class QualifiedFunctionBase extends FunctionBase { ...options, }); } + + public addPermission(id: string, permission: Permission): void { + super.addPermissionHelper(id, permission, true); + } } /** diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index 81edf78b9a0e7..d886eb6f85855 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -1,5 +1,5 @@ import * as path from 'path'; -import { Match, Template } from '@aws-cdk/assertions'; +import { Annotations, Match, Template } from '@aws-cdk/assertions'; import { ProfilingGroup } from '@aws-cdk/aws-codeguruprofiler'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as efs from '@aws-cdk/aws-efs'; 
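Review bot: The new `public addPermission(id: string, permission: Permission): void` override on `QualifiedFunctionBase` has no doc comment, although the base method it replaces is documented and this is the public API surface users call on versions and aliases; a short `/** Adds a permission to this qualified function's resource policy; never emits the unqualified-ARN warning because versions and aliases are already qualified. */` would explain why the override exists. `super.addPermissionHelper(id, permission, true)` also reads as if the helper were being overridden here; `this.addPermissionHelper(id, permission, true)` is the conventional call since nothing in this class redefines it.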
@@ -435,6 +435,65 @@ describe('function', () => { // THEN Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0); }); + + describe('annotations on different IFunctions', () => { + let stack: cdk.Stack; + let fn: lambda.Function; + let warningMessage: string; + beforeEach(() => { + warningMessage = 'Lambda has changed their authorization strategy'; + stack = new cdk.Stack(); + fn = new lambda.Function(stack, 'MyLambda', { + code: lambda.Code.fromAsset(path.join(__dirname, 'my-lambda-handler')), + handler: 'index.handler', + runtime: lambda.Runtime.PYTHON_3_6, + }); + }); + + test('function', () => { + // WHEN + fn.addPermission('MyPermission', { + principal: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // THEN + Annotations.fromStack(stack).hasWarning('*', Match.stringLikeRegexp(warningMessage)); + }); + + test('version', () => { + // GIVEN + const version = new lambda.Version(stack, 'MyVersion', { + lambda: fn, + }); + + //WHEN + version.addPermission('MyPermission', { + principal: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // THEN + Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); + }); + + test('alias', () => { + // GIVEN + const version = new lambda.Version(stack, 'MyVersion', { + lambda: fn, + }); + const alias = new lambda.Alias(stack, 'MyAlias', { + aliasName: 'alias', + version, + }); + + //WHEN + alias.addPermission('MyPermission', { + principal: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // THEN + Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); + }); + }); }); test('Lambda code can be read from a local directory via an asset', () => { From c6cdffbf45d56b814608f24ef0ba2d62a7294612 Mon Sep 17 00:00:00 2001 
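Review bot: In the new `annotations on different IFunctions` block, `let warningMessage: string;` is reassigned to the same literal in every `beforeEach`; a `const warningMessage = 'Lambda has changed their authorization strategy';` declared once at the `describe` level says the same thing with less ceremony and removes a mutable binding from the test. The three tests otherwise cover the intended matrix (function warns, version and alias do not), and the `Match.stringLikeRegexp` prefix match keeps them robust to edits of the message tail.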
From: kaizen3031593 Date: Thu, 17 Mar 2022 19:20:54 -0400 Subject: [PATCH 15/34] update env for integ test --- .../test/provider-framework/integ.provider.ts | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts index 64ec2bbb33987..4620d1c1e912c 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts @@ -7,7 +7,12 @@ import { S3File } from './integration-test-fixtures/s3-file'; class TestStack extends Stack { constructor(scope: Construct, id: string) { - super(scope, id); + super(scope, id, { + env: { + account: process.env.CDK_INTEG_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT, + region: process.env.CDK_INTEG_REGION || process.env.CDK_DEFAULT_REGION, + }, + }); const file2Contents = 'this file has a generated physical id'; const bucket = new s3.Bucket(this, 'MyBucket'); From bdcf024394e1a9fd0b0b87be23b3030bbb9375f7 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Thu, 17 Mar 2022 19:29:04 -0400 Subject: [PATCH 16/34] another test --- packages/@aws-cdk/aws-lambda/test/function.test.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index d886eb6f85855..b7774be02b18f 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts 
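Review bot: The new `env` block falls back from `CDK_INTEG_*` to `process.env.CDK_DEFAULT_ACCOUNT` / `CDK_DEFAULT_REGION`, so the synthesized template now depends on whatever AWS environment the developer happens to have configured, and the committed snapshot becomes non-reproducible across machines. The expected output in the earlier `integ.provider.expected.json` hunk already carries a concrete `states.test-region.amazonaws.com`, which suggests the snapshot was produced with region `test-region`; a fixed fallback such as `region: process.env.CDK_INTEG_REGION || 'test-region'` (and likewise a fixed placeholder account instead of `CDK_DEFAULT_ACCOUNT`) would make the snapshot stable. Using `||` rather than `??` is fine here since an empty environment variable should count as unset.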
@@ -493,6 +493,17 @@ describe('function', () => { // THEN Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); }); + + test('function without lambda:InvokeFunction', () => { + // WHEN + fn.addPermission('MyPermission', { + action: 'lambda.GetFunction', + principal: new iam.ServicePrincipal('lambda.amazonaws.com'), + }); + + // THEN + Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); + }); }); }); From b63aff59530014a2394a39caa9f254069b669b95 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 11:20:53 -0400 Subject: [PATCH 17/34] update redshift integ test --- .../test/integ.database.expected.json | 134 ++++++++++++------ 1 file changed, 91 insertions(+), 43 deletions(-) diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json index 6e909192a7f3d..1e74f6d3ed359 100644 --- a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json +++ b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json @@ -800,12 +800,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -825,7 +841,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ 
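Review bot: The new test passes `action: 'lambda.GetFunction'` (a dot), which is not a valid IAM action name; the test still passes only because the string is not in the warning's action list, so it does not actually demonstrate that a legitimate non-invoke action stays silent. It should read `action: 'lambda:GetFunction',`. With that fix the test also becomes a useful guard against someone later widening the warning condition to match on prefix rather than exact action names.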
@@ -838,7 +854,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -851,7 +867,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -955,12 +971,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -980,7 +1012,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ @@ -993,7 +1025,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } @@ -1006,7 +1038,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } 
@@ -1167,7 +1199,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066S3Bucket0B347C2E" + "Ref": "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bS3Bucket2B744261" }, "S3Key": { "Fn::Join": [ @@ -1180,7 +1212,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066S3VersionKey932D0479" + "Ref": "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bS3VersionKey26C2ED2C" } ] } @@ -1193,7 +1225,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066S3VersionKey932D0479" + "Ref": "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bS3VersionKey26C2ED2C" } ] } @@ -1261,12 +1293,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "QueryRedshiftDatabase3de5bea727da479686625efb56431b5f3DF81997", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -1286,7 +1334,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A" }, "S3Key": { "Fn::Join": [ @@ -1299,7 +1347,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } 
@@ -1312,7 +1360,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F" + "Ref": "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6" } ] } 
@@ -1396,29 +1444,29 @@ } }, "Parameters": { - "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066S3Bucket0B347C2E": { + "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bS3Bucket2B744261": { "Type": "String", - "Description": "S3 bucket for asset \"85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066\"" + "Description": "S3 bucket for asset \"104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3b\"" }, - "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066S3VersionKey932D0479": { + "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bS3VersionKey26C2ED2C": { "Type": "String", - "Description": "S3 key for asset version \"85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066\"" + "Description": "S3 key for asset version \"104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3b\"" }, - "AssetParameters85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066ArtifactHash78689978": { + "AssetParameters104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3bArtifactHash00C57864": { "Type": "String", - "Description": "Artifact hash for asset \"85597bcd6a07abd4673fe02c7e92e21df5859eee0d831e9db67f4d2e74d4d066\"" + "Description": "Artifact hash for asset \"104629e772240371441c4f76a71184cb01d6d09afe126b3ddc9243d03f78fb3b\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3BucketDC4B98B1": { + "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3BucketB4102E9A": { "Type": "String", - "Description": "S3 bucket for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "S3 bucket for asset \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1S3VersionKeyA495226F": { + 
"AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391S3VersionKeyC1EC3ED6": { "Type": "String", - "Description": "S3 key for asset version \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "S3 key for asset version \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" }, - "AssetParametersdaeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1ArtifactHashA521A16F": { + "AssetParameters5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391ArtifactHashA391D940": { "Type": "String", - "Description": "Artifact hash for asset \"daeb79e3cee39c9b902dc0d5c780223e227ed573ea60976252947adab5fb2be1\"" + "Description": "Artifact hash for asset \"5b47c8e4cbbce7e4a8085f1aa83ed9c4691b7f65927ba092d6620bbba925f391\"" } } -} +} \ No newline at end of file From 1f34114ac2c4239aa8ce5cd71f657c86d51f3312 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 14:04:39 -0400 Subject: [PATCH 18/34] remove resource policy changes --- .../@aws-cdk/aws-lambda/lib/function-base.ts | 15 ---- .../@aws-cdk/aws-lambda/test/function.test.ts | 72 +------------------ 2 files changed, 1 insertion(+), 86 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index b3a4a825e6906..3106352b2a5d2 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts 
@@ -283,13 +283,6 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC * @param permission The permission to grant to this Lambda function. @see Permission for details. */ public addPermission(id: string, permission: Permission) { - this.addPermissionHelper(id, permission, false); - } - - /** - * @param qualified Whether or not the function is qualified (i.e. is an alias or a version) - */ - protected addPermissionHelper(id: string, permission: Permission, qualified?: boolean) { if (!this.canCreatePermissions) { // FIXME: @deprecated(v2) - throw an error if calling `addPermission` on a resource that doesn't support it. return; @@ -300,10 +293,6 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC const action = permission.action ?? 'lambda:InvokeFunction'; const scope = permission.scope ?? this; - if (['lambda:InvokeFunction', 'lambda:*'].includes(action) && !qualified) { - Annotations.of(this).addWarning('Lambda has changed their authorization strategy, which may affect resource permissions on unqualified arns. See https://github.com/aws/aws-cdk/issues/19273'); - } - new CfnPermission(scope, id, { action, principal, @@ -562,10 +551,6 @@ export abstract class QualifiedFunctionBase extends FunctionBase { ...options, }); } - - public addPermission(id: string, permission: Permission): void { - super.addPermissionHelper(id, permission, true); - } } /** diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index b7774be02b18f..81edf78b9a0e7 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts 
@@ -1,5 +1,5 @@ import * as path from 'path'; -import { Annotations, Match, Template } from '@aws-cdk/assertions'; +import { Match, Template } from '@aws-cdk/assertions'; import { ProfilingGroup } from '@aws-cdk/aws-codeguruprofiler'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as efs from '@aws-cdk/aws-efs'; 
@@ -435,76 +435,6 @@ describe('function', () => { // THEN Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0); }); - - describe('annotations on different IFunctions', () => { - let stack: cdk.Stack; - let fn: lambda.Function; - let warningMessage: string; - beforeEach(() => { - warningMessage = 'Lambda has changed their authorization strategy'; - stack = new cdk.Stack(); - fn = new lambda.Function(stack, 'MyLambda', { - code: lambda.Code.fromAsset(path.join(__dirname, 'my-lambda-handler')), - handler: 'index.handler', - runtime: lambda.Runtime.PYTHON_3_6, - }); - }); - - test('function', () => { - // WHEN - fn.addPermission('MyPermission', { - principal: new iam.ServicePrincipal('lambda.amazonaws.com'), - }); - - // THEN - Annotations.fromStack(stack).hasWarning('*', Match.stringLikeRegexp(warningMessage)); - }); - - test('version', () => { - // GIVEN - const version = new lambda.Version(stack, 'MyVersion', { - lambda: fn, - }); - - //WHEN - version.addPermission('MyPermission', { - principal: new iam.ServicePrincipal('lambda.amazonaws.com'), - }); - - // THEN - Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); - }); - - test('alias', () => { - // GIVEN - const version = new lambda.Version(stack, 'MyVersion', { - lambda: fn, - }); - const alias = new lambda.Alias(stack, 'MyAlias', { - aliasName: 'alias', - version, - }); - - //WHEN - alias.addPermission('MyPermission', { - principal: new iam.ServicePrincipal('lambda.amazonaws.com'), - }); - - // THEN - Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); - }); - - test('function without lambda:InvokeFunction', () => { - // WHEN - fn.addPermission('MyPermission', { - action: 'lambda.GetFunction', - principal: new iam.ServicePrincipal('lambda.amazonaws.com'), - }); - - // THEN - Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp(warningMessage)); - }); - }); }); test('Lambda code can be read from a local 
directory via an asset', () => { From b6e4c69b9620d2052150da3bf385b27990ed857b Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 14:32:56 -0400 Subject: [PATCH 19/34] revert custom resource integ test --- .../integ.provider.expected.json | 15 +++++++++++++-- .../test/provider-framework/integ.provider.ts | 7 +------ .../integration-test-fixtures/s3-file.ts | 2 +- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json index 9b17b3467f5b3..39b0d4695b077 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json @@ -131,7 +131,7 @@ ] }, "Handler": "index.onEvent", - "Runtime": "nodejs12.x" + "Runtime": "nodejs10.x" }, "DependsOn": [ "comamazonawscdkcustomresourcess3fileproviders3fileoneventServiceRoleDefaultPolicy10D24725", @@ -1052,7 +1052,18 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "Service": "states.test-region.amazonaws.com" + "Service": { + "Fn::Join": [ + "", + [ + "states.", + { + "Ref": "AWS::Region" + }, + ".amazonaws.com" + ] + ] + } } } ], diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts index 4620d1c1e912c..64ec2bbb33987 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.ts 
@@ -7,12 +7,7 @@ import { S3File } from './integration-test-fixtures/s3-file'; class TestStack extends Stack { constructor(scope: Construct, id: string) { - super(scope, id, { - env: { - account: process.env.CDK_INTEG_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT, - region: process.env.CDK_INTEG_REGION || process.env.CDK_DEFAULT_REGION, - }, - }); + super(scope, id); const file2Contents = 'this file has a generated physical id'; const bucket = new s3.Bucket(this, 'MyBucket'); diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts b/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts index 7b37e16fee6b1..d70759be12b79 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integration-test-fixtures/s3-file.ts @@ -82,7 +82,7 @@ class S3FileProvider extends CoreConstruct { this.provider = new cr.Provider(this, 's3file-provider', { onEventHandler: new lambda.Function(this, 's3file-on-event', { code: lambda.Code.fromAsset(path.join(__dirname, 's3-file-handler')), - runtime: lambda.Runtime.NODEJS_12_X, + runtime: lambda.Runtime.NODEJS_10_X, handler: 'index.onEvent', initialPolicy: [ new iam.PolicyStatement({ From de3c99e6de097b158b33c92dcd768a8d72b91f6d Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 14:33:38 -0400 Subject: [PATCH 20/34] remove unnecessary import --- packages/@aws-cdk/aws-lambda/lib/function-base.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index 3106352b2a5d2..c0de1ec65c038 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts 
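Review bot: The s3-file.ts hunk moves the fixture back to `runtime: lambda.Runtime.NODEJS_10_X`, a Node.js line that is end-of-life upstream and, as far as I recall, already past Lambda's own runtime deprecation at this commit's date, so actually deploying this integ test may be refused at function create/update time and the handler receives no security fixes. If the revert is only meant to keep the expected.json snapshot stable, it would be safer to keep `runtime: lambda.Runtime.NODEJS_12_X` (or newer) and regenerate the snapshot instead. The enclosing `S3FileProvider` constructor starts and ends outside the hunk.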
@@ -1,7 +1,7 @@ import * as cloudwatch from '@aws-cdk/aws-cloudwatch'; import * as ec2 from '@aws-cdk/aws-ec2'; import * as iam from '@aws-cdk/aws-iam'; -import { Annotations, ArnFormat, ConstructNode, IResource, Resource, Token } from '@aws-cdk/core'; +import { ArnFormat, ConstructNode, IResource, Resource, Token } from '@aws-cdk/core'; import { AliasOptions } from './alias'; import { Architecture } from './architecture'; import { EventInvokeConfig, EventInvokeConfigOptions } from './event-invoke-config'; From 32571654151a90e8bfb84ae72725ac0a9dd030e0 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 15:05:10 -0400 Subject: [PATCH 21/34] update grantinvoke in apigateway --- .../aws-apigateway/lib/authorizers/lambda.ts | 2 +- ...eg.token-authorizer-iam-role.expected.json | 28 +++++++++++++++---- .../test/authorizers/lambda.test.ts | 4 +-- 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts index 0fbf8f7a0c002..85ac3c901f3a5 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts @@ -105,7 +105,7 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer { this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', { statements: [ new iam.PolicyStatement({ - resources: [this.handler.functionArn], // TODO: maybe this one too + resources: this.handler.resourceArnsForGrantInvoke, actions: ['lambda:InvokeFunction'], }), ], diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json index eda922f948d66..d5cca0c564f32 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json 
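Review bot: In the apigateway lambda.ts hunk the inline policy now grants `lambda:InvokeFunction` on everything in `this.handler.resourceArnsForGrantInvoke`, which for an unqualified function includes the `:*` form (the regenerated expected.json later in this series shows the `[Arn, Arn:*]` pair), so the authorizer role may invoke every version and alias of the handler rather than the single ARN it was limited to before, and nothing at the call site records why that widening is wanted. Add a why-comment on the changed line so a later "tightening" back to `[this.handler.functionArn]` does not silently break alias/version authorizers, e.g. `// Needs both the unqualified ARN and ':*': per the grantInvoke() change this series tracks, invocations of an alias/version are authorized against the qualified ARN`. If a separately named `iam.Policy` resource is not a requirement here, `this.handler.grantInvoke(this.role)` would produce the same statement without hand-building it. The enclosing method starts and ends outside the hunk.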
+++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.token-authorizer-iam-role.expected.json @@ -176,12 +176,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "MyAuthorizerFunction70F1223E", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyAuthorizerFunction70F1223E", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts index a4eea0f56892d..f215a5143b54b 100644 --- a/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts +++ b/packages/@aws-cdk/aws-apigateway/test/authorizers/lambda.test.ts @@ -393,7 +393,7 @@ describe('lambda authorizer', () => { PolicyDocument: { Statement: [ { - Resource: stack.resolve(func.functionArn), + Resource: stack.resolve(func.resourceArnsForGrantInvoke), Action: 'lambda:InvokeFunction', Effect: 'Allow', }, @@ -485,7 +485,7 @@ describe('lambda authorizer', () => { PolicyDocument: { Statement: [ { - Resource: stack.resolve(func.functionArn), + Resource: stack.resolve(func.resourceArnsForGrantInvoke), Action: 'lambda:InvokeFunction', Effect: 'Allow', }, From ab8d99413867dbf1bf819e7dc231cc7885cbc331 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Fri, 18 Mar 2022 15:44:22 -0400 Subject: [PATCH 22/34] integ test updates --- .../integ.deployment-group.expected.json | 22 ++++++---------- .../test/integ.database.expected.json | 25 +++++++++++-------- .../integ.provider.expected.json | 10 ++++---- 3 files changed, 28 insertions(+), 29 deletions(-) diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json index acc0aa2d21eb1..e9b096abe09f9 100644 
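Review bot: Both lambda.test.ts hunks (at 393 and 485) now compare the policy `Resource` against `stack.resolve(func.resourceArnsForGrantInvoke)`, the very value the implementation reads, so the assertion is tautological: a regression that drops the `:*` entry from `resourceArnsForGrantInvoke` would still pass. Pin the expected shape explicitly instead, e.g. `Resource: [stack.resolve(func.functionArn), stack.resolve(func.functionArn + ':*')],` so the test documents that the authorizer role is granted both the unqualified ARN and its qualifier wildcard. The enclosing test bodies start outside the hunks.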
--- a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json +++ b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json @@ -484,6 +484,12 @@ "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ + { + "Fn::GetAtt": [ + "PostHookF2E49B30", + "Arn" + ] + }, { "Fn::GetAtt": [ "PreHook8B53F672", @@ -496,25 +502,13 @@ [ { "Fn::GetAtt": [ - "PreHook8B53F672", + "PostHookF2E49B30", "Arn" ] }, ":*" ] ] - } - ] - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PostHookF2E49B30", - "Arn" - ] }, { "Fn::Join": [ @@ -522,7 +516,7 @@ [ { "Fn::GetAtt": [ - "PostHookF2E49B30", + "PreHook8B53F672", "Arn" ] }, diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json index 44060236daf61..1e74f6d3ed359 100644 --- a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json +++ b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json @@ -1163,18 +1163,23 @@ }, { "Action": [ - "secretsmanager:DescribeSecret", - "secretsmanager:GetSecretValue" + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" ], "Effect": "Allow", - "Resource": [ - { - "Ref": "ClusterSecretAttachment769E6258" - }, - { - "Ref": "UserSecretAttachment02022609" - } - ] + "Resource": { + "Ref": "ClusterSecretAttachment769E6258" + } + }, + { + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ], + "Effect": "Allow", + "Resource": { + "Ref": "UserSecretAttachment02022609" + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json index 1200d385e06a9..39b0d4695b077 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json 
+++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json @@ -62,12 +62,12 @@ "Statement": [ { "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*", - "s3:PutObject*" + "s3:DeleteObject*", + "s3:PutObject*", + "s3:Abort*" ], "Effect": "Allow", "Resource": "*" @@ -444,8 +444,8 @@ "Statement": [ { "Action": [ - "s3:GetBucket*", "s3:GetObject*", + "s3:GetBucket*", "s3:List*" ], "Effect": "Allow", From 4c62dbd002c6d3c827615c458f5b83db74361599 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Mon, 21 Mar 2022 10:02:38 -0400 Subject: [PATCH 23/34] update integ test --- .../integ.provider.expected.json | 94 +++++++------------ 1 file changed, 35 insertions(+), 59 deletions(-) diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json index 39b0d4695b077..f3fb18962e862 100644 --- a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json +++ b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json @@ -62,12 +62,12 @@ "Statement": [ { "Action": [ - "s3:GetObject*", + "s3:Abort*", + "s3:DeleteObject*", "s3:GetBucket*", + "s3:GetObject*", "s3:List*", - "s3:DeleteObject*", - "s3:PutObject*", - "s3:Abort*" + "s3:PutObject*" ], "Effect": "Allow", "Resource": "*" @@ -444,8 +444,8 @@ "Statement": [ { "Action": [ - "s3:GetObject*", "s3:GetBucket*", + "s3:GetObject*", "s3:List*" ], "Effect": "Allow", @@ -557,6 +557,12 @@ "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, { "Fn::GetAtt": [ "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", 
@@ -569,25 +575,13 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", "Arn" ] }, ":*" ] ] - } - ] - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] }, { "Fn::Join": [ @@ -595,7 +589,7 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", "Arn" ] }, @@ -739,6 +733,12 @@ "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, { "Fn::GetAtt": [ "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", @@ -751,25 +751,13 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", "Arn" ] }, ":*" ] ] - } - ] - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] }, { "Fn::Join": [ @@ -777,7 +765,7 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", "Arn" ] }, @@ -911,6 +899,12 @@ "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "Arn" + ] + }, { "Fn::GetAtt": [ "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", 
@@ -923,25 +917,13 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", + "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", "Arn" ] }, ":*" ] ] - } - ] - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", - "Arn" - ] }, { "Fn::Join": [ @@ -949,7 +931,7 @@ [ { "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviders3assertiscomplete6AC08EF9", + "comamazonawscdkcustomresourcess3assertproviders3assertoneventF1EEF783", "Arn" ] }, @@ -1086,6 +1068,12 @@ "Arn" ] }, + { + "Fn::GetAtt": [ + "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", + "Arn" + ] + }, { "Fn::Join": [ "", @@ -1099,18 +1087,6 @@ ":*" ] ] - } - ] - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "comamazonawscdkcustomresourcess3assertproviderframeworkonTimeoutA1E1E5DC", - "Arn" - ] }, { "Fn::Join": [ From 3fe70c5ff9ba3d16405732fbe6f17ce690c4eb6b Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Tue, 22 Mar 2022 20:51:36 -0400 Subject: [PATCH 24/34] update api doc --- packages/@aws-cdk/aws-lambda/lib/function-base.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts index c0de1ec65c038..a4c8b73b46a9a 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function-base.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function-base.ts 
@@ -63,7 +63,10 @@ export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable { readonly architecture: Architecture; /** - * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke() + * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke(). + * + * This property is for cdk modules to consume only. You should not need to use this property. + * Instead, use grantInvoke() directly. */ readonly resourceArnsForGrantInvoke: string[]; From e2bd8d4e1c0a0eb12b806f345b2e160f3bb448a9 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Tue, 22 Mar 2022 20:51:48 -0400 Subject: [PATCH 25/34] integ test update again --- .../test/integ.database.expected.json | 37 ++++++++----------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json index 1e74f6d3ed359..096fb4b074160 100644 --- a/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json +++ b/packages/@aws-cdk/aws-redshift/test/integ.database.expected.json @@ -20,11 +20,11 @@ "VpcPublicSubnet1Subnet5C2D37C4": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.0.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1a", + "CidrBlock": "10.0.0.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { @@ -129,11 +129,11 @@ "VpcPublicSubnet2Subnet691E08A3": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.32.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1b", + "CidrBlock": "10.0.32.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { @@ -238,11 +238,11 @@ "VpcPublicSubnet3SubnetBE12F0B6": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.64.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1c", + "CidrBlock": "10.0.64.0/19", "MapPublicIpOnLaunch": true, "Tags": [ { 
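Review bot: The new doc text says the property is for CDK modules to consume only, but `resourceArnsForGrantInvoke` is a required member of the exported `IFunction` interface, so every third-party class implementing `IFunction` must now provide it and the comment gives those implementers no guidance on what to return. State the contract for implementers alongside the consumer note, for example `Implementations must return the ARN(s) an identity policy needs in order to invoke this function: the unqualified ARN together with its ':*' form for an unqualified function, or just the qualified ARN for a version or alias` — the unqualified case matches the `[Arn, Arn:*]` pairs in the regenerated expected.json files in this series; the qualified case should be confirmed against the Version/Alias implementations before it is written down. A required addition to a public interface is also worth calling out as a breaking change for implementers in the PR description.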
@@ -347,11 +347,11 @@ "VpcPrivateSubnet1Subnet536B997A": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.96.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1a", + "CidrBlock": "10.0.96.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -417,11 +417,11 @@ "VpcPrivateSubnet2Subnet3788AAA1": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.128.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1b", + "CidrBlock": "10.0.128.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -487,11 +487,11 @@ "VpcPrivateSubnet3SubnetF258B56E": { "Type": "AWS::EC2::Subnet", "Properties": { - "CidrBlock": "10.0.160.0/19", "VpcId": { "Ref": "Vpc8378EB38" }, "AvailabilityZone": "test-region-1c", + "CidrBlock": "10.0.160.0/19", "MapPublicIpOnLaunch": false, "Tags": [ { @@ -1163,23 +1163,18 @@ }, { "Action": [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret" + "secretsmanager:DescribeSecret", + "secretsmanager:GetSecretValue" ], "Effect": "Allow", - "Resource": { - "Ref": "ClusterSecretAttachment769E6258" - } - }, - { - "Action": [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret" - ], - "Effect": "Allow", - "Resource": { - "Ref": "UserSecretAttachment02022609" - } + "Resource": [ + { + "Ref": "ClusterSecretAttachment769E6258" + }, + { + "Ref": "UserSecretAttachment02022609" + } + ] } ], "Version": "2012-10-17" From 32734a0f1905b1302302f115c3aaca300635ff90 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Tue, 22 Mar 2022 21:02:47 -0400 Subject: [PATCH 26/34] update kinesis integ test again --- .../test/integ.s3-bucket.lit.expected.json | 33 +++++-------------- 1 file changed, 9 insertions(+), 24 deletions(-) diff --git a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json index 0711087053634..27e27e08d68d7 100644 
--- a/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json +++ b/packages/@aws-cdk/aws-kinesisfirehose-destinations/test/integ.s3-bucket.lit.expected.json @@ -310,7 +310,7 @@ "Properties": { "Code": { "S3Bucket": { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3BucketA7AEF7D7" }, "S3Key": { "Fn::Join": [ @@ -323,7 +323,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61" } ] } @@ -336,7 +336,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872" + "Ref": "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61" } ] } @@ -600,21 +600,6 @@ ] } ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Key961B73FD", - "Arn" - ] - } } ], "Version": "2012-10-17" 
@@ -789,17 +774,17 @@ "Type": "String", "Description": "Artifact hash for asset \"be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3Bucket0316BB8C": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3BucketA7AEF7D7": { "Type": "String", - "Description": "S3 bucket for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "S3 bucket for asset \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cS3VersionKey8CD7D872": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dS3VersionKeyA7FD6E61": { "Type": "String", - "Description": "S3 key for asset version \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "S3 key for asset version \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" }, - "AssetParameters335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543cArtifactHash0D892CC5": { + "AssetParameters9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7dArtifactHashE49F8A6B": { "Type": "String", - "Description": "Artifact hash for asset \"335bb1977cc537dc87b06d6ac0ec54a99badae8502ad34d4c7e149def466543c\"" + "Description": "Artifact hash for asset \"9d04b6e97fcffe55f90ce717ab61c19d06df5a0c5c364c765216bf31a9c98d7d\"" } }, "Mappings": { From 123deba11f9c2b4e19438d5b8e16c7c70757177f Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Tue, 22 Mar 2022 21:26:34 -0400 Subject: [PATCH 27/34] update integ test in lambdalayerawscli --- .../test/integ.awscli-layer.expected.json | 102 +++++++++++++----- 1 file changed, 75 insertions(+), 27 deletions(-) 
diff --git a/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json b/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json index 8be04c1e89ab7..d9411d0b44b0d 100644 --- a/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json +++ b/packages/@aws-cdk/lambda-layer-awscli/test/integ.awscli-layer.expected.json @@ -5,7 +5,7 @@ "Properties": { "Content": { "S3Bucket": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, "S3Key": { "Fn::Join": [ @@ -18,7 +18,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -31,7 +31,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -175,12 +175,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython36B64E8A5D", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython36B64E8A5D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython36B64E8A5D", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -404,12 +420,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython3780349E0A", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython3780349E0A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython3780349E0A", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -633,12 +665,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Lambdapython39426A0480", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Lambdapython39426A0480", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Lambdapython39426A0480", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -733,17 +781,17 @@ } }, "Parameters": { - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParameters5dff6208ccd5fb196bb0354fd6e47faa8431a789e6125d20386586fef761ed48S3Bucket1DD21439": { "Type": "String", From ff441c74810b4f71fcd4eded252eb9c01dcdb6c9 Mon Sep 17 00:00:00 2001 
From: kaizen3031593 Date: Tue, 22 Mar 2022 22:06:08 -0400 Subject: [PATCH 28/34] update edge function --- .../@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts index e095984ed2081..126db00ecc323 100644 --- a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts +++ b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts @@ -47,6 +47,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion { public readonly role?: iam.IRole; public readonly version: string; public readonly architecture: lambda.Architecture; + public readonly resourceArnsForGrantInvoke: string[]; private readonly _edgeFunction: lambda.Function; @@ -68,6 +69,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion { this.permissionsNode = this._edgeFunction.permissionsNode; this.version = lambda.extractQualifierFromArn(this.functionArn); this.architecture = this._edgeFunction.architecture; + this.resourceArnsForGrantInvoke = this._edgeFunction.resourceArnsForGrantInvoke; this.node.defaultChild = this._edgeFunction; } From 5a0d80b4fb618a832d3540eed51e78acbd28dced Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 11:14:24 -0400 Subject: [PATCH 29/34] fix integ test in eks --- .../test/integ.alb-controller.expected.json | 30 ++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json index b46c3360007da..43e945111d8da 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json 
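Review bot: The grant scope copied at `this.resourceArnsForGrantInvoke = this._edgeFunction.resourceArnsForGrantInvoke;` in the second hunk is the underlying Function's list, which the snapshots in this series show to be the unqualified function ARN plus `:*`, while an EdgeFunction implements lambda.IVersion and its `this.functionArn` is a single qualified ARN, so grantInvoke() on it now permits invoking every version and alias of the function rather than only the version this object represents. If version-scoped grants are the intent, `this.resourceArnsForGrantInvoke = [this.functionArn];` would limit it to that version; if the broad scope is deliberate, a short comment stating why would keep it from being tightened later without discussion. Separately, the new public field in the first hunk is typed `string[]` and aliases the same array instance as the inner function, so a caller mutating one grant list silently changes the other; `public readonly resourceArnsForGrantInvoke: readonly string[];` (or copying with `[...]`) avoids that. This also presumably relies on the member having been made public on lambda.Function in an earlier patch of the series, since it is not visible here. The EdgeFunction class and its constructor both extend beyond these hunks.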
@@ -1988,12 +1988,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "IngressPingerFunction54746D9B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "IngressPingerFunction54746D9B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "IngressPingerFunction54746D9B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" @@ -2268,7 +2284,7 @@ "Type": "String", "Description": "S3 key for asset version \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88ArtifactHash5B7180F8": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9ArtifactHashA7B6B572": { "Type": "String", "Description": "Artifact hash for asset \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" }, From aaa2638eaff9963af1ca6df0efcc6606f050715f Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 13:23:21 -0400 Subject: [PATCH 30/34] more eks test changes --- .../test/integ.alb-controller.expected.json | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json index 43e945111d8da..b8bc3541bb0cd 100644 --- a/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json +++ b/packages/@aws-cdk/aws-eks/test/integ.alb-controller.expected.json @@ -1100,7 +1100,7 @@ }, "/", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3Bucket6B6D2051" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3Bucket1FB496C9" }, "/", { 
@@ -1110,7 +1110,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341" } ] } @@ -1123,7 +1123,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248" + "Ref": "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341" } ] } @@ -1175,7 +1175,7 @@ }, "/", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3BucketDF00C8B8" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3Bucket30803CC9" }, "/", { @@ -1185,7 +1185,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB" } ] } @@ -1198,7 +1198,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126" + "Ref": "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB" } ] } 
@@ -1241,11 +1241,11 @@ "ClusterSecurityGroupId" ] }, - "referencetoawscdkeksclusteralbcontrollertestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3Bucket1FA2468ERef": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "referencetoawscdkeksclusteralbcontrollertestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket916394C8Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, - "referencetoawscdkeksclusteralbcontrollertestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey22C96426Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "referencetoawscdkeksclusteralbcontrollertestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey639D7E45Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" }, "referencetoawscdkeksclusteralbcontrollertestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3Bucket65F5BE5ARef": { "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998" 
@@ -2216,17 +2216,17 @@ "Type": "String", "Description": "Artifact hash for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998": { "Type": "String", 
@@ -2276,29 +2276,29 @@ "Type": "String", "Description": "Artifact hash for asset \"5f49893093e1ad14831626016699156d48da5f0890f19eb930bc3c46cf5f636d\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3Bucket6B6D2051": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3Bucket1FB496C9": { "Type": "String", - "Description": "S3 bucket for asset \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "S3 bucket for asset \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, - "AssetParametersbaac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88S3VersionKey41E00248": { + "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9S3VersionKey412AA341": { "Type": "String", - "Description": "S3 key for asset version \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "S3 key for asset version \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, "AssetParameters712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9ArtifactHashA7B6B572": { "Type": "String", - "Description": "Artifact hash for asset \"baac0f9c3fa157fdefb24f5722cf1776b897344d12e3dc620c62499051d29c88\"" + "Description": "Artifact hash for asset \"712e670f4e8905b5bf48e7a7fc59cce8d2d81e350618d910eaae52d3e93579b9\"" }, - "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3BucketDF00C8B8": { + "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3Bucket30803CC9": { "Type": "String", - "Description": "S3 bucket for asset \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "S3 bucket for asset \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" }, - "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aS3VersionKey9504F126": { + 
"AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2S3VersionKeyCAAA61AB": { "Type": "String", - "Description": "S3 key for asset version \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "S3 key for asset version \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" }, - "AssetParameters593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90aArtifactHashF51483B1": { + "AssetParametersb02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2ArtifactHashDEC7863C": { "Type": "String", - "Description": "Artifact hash for asset \"593e1554d936515ed816bde018bcb82c771146f0ba63531b011d8addb5c3a90a\"" + "Description": "Artifact hash for asset \"b02782818b74bd22aefbc8f68291d7c3c5f66f69b40cb21db82e38b460678ba2\"" } } } \ No newline at end of file From b916728cb6b53c42538de8d6e0757263025ab122 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 15:00:08 -0400 Subject: [PATCH 31/34] update stepfunction-tasks integ tests that use lambda --- .../integ.start-job-run.expected.json | 90 +++++++++++-------- .../integ.evaluate-expression.expected.json | 28 ++++-- .../integ.invoke-function.expected.json | 28 ++++++ .../test/lambda/integ.invoke.expected.json | 28 ++++++ .../integ.invoke.payload.only.expected.json | 28 ++++++ .../lambda/integ.run-lambda.expected.json | 28 ++++++ 6 files changed, 187 insertions(+), 43 deletions(-) diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json index ed1d507956dc8..50ea79608b669 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/emrcontainers/integ.start-job-run.expected.json 
@@ -1162,7 +1162,7 @@ }, "/", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3BucketE126985C" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3Bucket5BEEED81" }, "/", { @@ -1172,7 +1172,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160" } ] } @@ -1185,7 +1185,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9" + "Ref": "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160" } ] } @@ -1241,7 +1241,7 @@ }, "/", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3BucketFA655285" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3Bucket91C98648" }, "/", { @@ -1251,7 +1251,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE" } ] } @@ -1264,7 +1264,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1" + "Ref": "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE" } ] } 
@@ -1307,11 +1307,11 @@ "ClusterSecurityGroupId" ] }, - "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3Bucket51F4CFE7Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket694141C5Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, - "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey30F71929Ref": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey89E46F11Ref": { + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" }, "referencetoawsstepfunctionstasksemrcontainersstartjobrunintegtestAssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketF38DB26BRef": { "Ref": "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998" @@ -1461,7 +1461,7 @@ "Properties": { "Content": { "S3Bucket": { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D" }, "S3Key": { "Fn::Join": [ 
@@ -1474,7 +1474,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -1487,7 +1487,7 @@ "Fn::Split": [ "||", { - "Ref": "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2" + "Ref": "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936" } ] } @@ -1539,12 +1539,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SingletonLambda8693BB64968944B69AAFB0CC9EB8757CB6182A5B", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
@@ -2154,17 +2170,17 @@ "Type": "String", "Description": "Artifact hash for asset \"a70c48e7047fb793b2378668accb1dc2d92f2d7b1fff80c9c718f4964dc69cb8\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3BucketE02B5488": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3Bucket940CB35D": { "Type": "String", - "Description": "S3 bucket for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 bucket for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95S3VersionKey4D8E71F2": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27S3VersionKey248C9936": { "Type": "String", - "Description": "S3 key for asset version \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "S3 key for asset version \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, - "AssetParametersf331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95ArtifactHash16B60F6C": { + "AssetParametersd78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27ArtifactHash934284DB": { "Type": "String", - "Description": "Artifact hash for asset \"f331b32a8ad8983464106a58e420e7bc7e6341ba2ffb8ac9ad350d7e32845d95\"" + "Description": "Artifact hash for asset \"d78148e12051f01bfd7332d83ccd5c159c8106d3b878d178f7eb093fabafab27\"" }, "AssetParametersea17febe6d04c66048f3e8e060c71685c0cb53122abceff44842d27bc0d4a03eS3BucketD3288998": { "Type": "String", 
@@ -2202,29 +2218,29 @@ "Type": "String", "Description": "Artifact hash for asset \"b866fb0fd5a9b4215d1e23188632d74c01f3195f6f9d706134b197b400afb680\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3BucketE126985C": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3Bucket5BEEED81": { "Type": "String", - "Description": "S3 bucket for asset \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "S3 bucket for asset \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fS3VersionKey74D769A9": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1S3VersionKeyD7F17160": { "Type": "String", - "Description": "S3 key for asset version \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "S3 key for asset version \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7fArtifactHash886B1296": { + "AssetParameters2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1ArtifactHash74CF0762": { "Type": "String", - "Description": "Artifact hash for asset \"1debb21f2bff2f2f663c53666a77906d007535fc526cfc690ca6a1033015be7f\"" + "Description": "Artifact hash for asset \"2daac167596520ae78884b19c51078420864f0dbaed10dc7d68927e0f9f8f3d1\"" }, - "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3BucketFA655285": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3Bucket91C98648": { "Type": "String", - "Description": "S3 bucket for asset \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "S3 bucket for asset \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" }, - 
"AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8S3VersionKeyAF468AE1": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eS3VersionKey8051CFBE": { "Type": "String", - "Description": "S3 key for asset version \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "S3 key for asset version \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" }, - "AssetParameters7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8ArtifactHashC46EC4DB": { + "AssetParametersa0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47eArtifactHash6EFA2AF6": { "Type": "String", - "Description": "Artifact hash for asset \"7917c5d56b6c0688fd999c8aaa4bf0bb95abd89208df9ab2f075ddbf1cdf54e8\"" + "Description": "Artifact hash for asset \"a0c3cdfbc06ef95d340baf52d0c1a88f573ee45813d1552c057f6c6017b5e47e\"" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json index 39a3502ba6c80..9a5de368628cd 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json @@ -121,12 +121,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Evalda2d1181604e4a4586941a6abd7fe42dF371675D", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" 
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json index 913ae3d5cd0c3..70549c1ed2ef2 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke-function.expected.json @@ -218,6 +218,34 @@ "Handler886CB40B", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CallbackHandler4434C38D", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "Handler886CB40B", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json index b899d5f9701ff..06d010a158e56 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.expected.json @@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json index cdf0eaadec424..0853de4a89c45 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.invoke.payload.only.expected.json 
@@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json index 365683e89340a..1023c2caf6167 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/integ.run-lambda.expected.json @@ -148,6 +148,34 @@ "submitJobLambdaEFB00F3C", "Arn" ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "checkJobStateLambda4618B7B7", + "Arn" + ] + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "submitJobLambdaEFB00F3C", + "Arn" + ] + }, + ":*" + ] + ] } ] } From 0c1e230550ef226d2964f0e21d13c7f927841bc7 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 16:04:42 -0400 Subject: [PATCH 32/34] update ecs-service-extensions itneg test --- .../test/integ.assign-public-ip.expected.json | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json index 0ea88dfb2d4e9..dd7f3d375b03a 100644 --- a/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json +++ b/packages/@aws-cdk-containers/ecs-service-extensions/test/integ.assign-public-ip.expected.json 
@@ -1051,12 +1051,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" From 1dff4e2229391baf646d1207c7a050214e19e4bb Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 17:43:46 -0400 Subject: [PATCH 33/34] appsync lambda integ test --- .../test/integ.appsync-lambda.expected.json | 28 +++++++++++++++---- 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json index f4bd20a97d90e..c3c4e3e186912 100644 --- a/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json +++ b/packages/@aws-cdk/aws-appsync/test/integ.appsync-lambda.expected.json @@ -58,12 +58,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "funcC3A0C2E2", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "funcC3A0C2E2", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "funcC3A0C2E2", + "Arn" + ] + }, + ":*" + ] + ] + } + ] } ], "Version": "2012-10-17" From a417b9f394fe7bad92966d1f9506da4def4940b5 Mon Sep 17 00:00:00 2001 From: kaizen3031593 Date: Wed, 23 Mar 2022 18:32:55 -0400 Subject: [PATCH 34/34] pipeline lambda function updates --- .../test/compliance/security-check.test.ts | 28 ++++++++-- .../integ.pipeline-security.expected.json | 56 +++++++++++++++---- 2 files changed, 66 insertions(+), 18 deletions(-) 
diff --git a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts index d2ea77f45ff7d..f8c53a40e3e37 100644 --- a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts @@ -165,12 +165,28 @@ behavior('pipeline created with auto approve tags and lambda/codebuild w/ valid { Action: 'lambda:InvokeFunction', Effect: 'Allow', - Resource: { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, + Resource: [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + ':*', + ], + ], + }, + ], }, ]), }, diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json index 84aaaf68dabde..1d9619be9c0c9 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json @@ -1908,12 +1908,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "sns:Publish", 
@@ -2210,12 +2226,28 @@ { "Action": "lambda:InvokeFunction", "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - } + "Resource": [ + { + "Fn::GetAtt": [ + "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", + "Arn" + ] + }, + ":*" + ] + ] + } + ] }, { "Action": "sns:Publish",