fix(lambda): support Lambda's new Invoke with Qualifier authorization strategy #19318

2d6cfc8
feat(lambda): support Lambda's new IAM authorization behavior for ide…
madeline-k Mar 9, 2022
52c3b8d
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
madeline-k Mar 9, 2022
19cccd3
update unit test in iotevents-action
madeline-k Mar 10, 2022
8fed6d6
update tests in codedeploy
madeline-k Mar 10, 2022
2871fdb
update codepipeline-actions to use grantInvoke()
madeline-k Mar 10, 2022
ad9f3c8
update tests in kinesisfirehose-destinations
madeline-k Mar 10, 2022
b5a5297
update tests for iotevents-actions
madeline-k Mar 10, 2022
2733358
update lambda-destinations tests
madeline-k Mar 10, 2022
7c0a4e9
mark places in stepfunctions-tasks that need to be updated, but can't…
madeline-k Mar 10, 2022
fd28ea4
update custom resources to use grantInvoke
madeline-k Mar 10, 2022
6aefe6c
make "resourcearnsforgrantinvoke" public
kaizencc Mar 17, 2022
6e2d218
change lambda invoke policyu statements
kaizencc Mar 17, 2022
4e0f9e8
more invoke function changes
kaizencc Mar 17, 2022
7328c86
update integ tests
kaizencc Mar 17, 2022
a812c8a
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 17, 2022
7d44613
warning is thrown when we call addpermission on an unqualified functi…
kaizencc Mar 17, 2022
c6cdffb
update env for integ test
kaizencc Mar 17, 2022
bdcf024
another test
kaizencc Mar 17, 2022
b63aff5
update redshift integ test
kaizencc Mar 18, 2022
1f34114
remove resource policy changes
kaizencc Mar 18, 2022
b6e4c69
revert custom resource integ test
kaizencc Mar 18, 2022
de3c99e
remove unnecessary import
kaizencc Mar 18, 2022
3257165
update grantinvoke in apigateway
kaizencc Mar 18, 2022
f7f819b
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 18, 2022
ab8d994
integ test updates
kaizencc Mar 18, 2022
6b556e1
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 18, 2022
4c62dbd
update integ test
kaizencc Mar 21, 2022
5c4cf62
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 22, 2022
777c4ab
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 23, 2022
3fe70c5
update api doc
kaizencc Mar 23, 2022
e2bd8d4
integ test update again
kaizencc Mar 23, 2022
32734a0
update kinesis integ test again
kaizencc Mar 23, 2022
123deba
update integ test in lambdalayerawscli
kaizencc Mar 23, 2022
ff441c7
update edge function
kaizencc Mar 23, 2022
5a0d80b
fix integ test in eks
kaizencc Mar 23, 2022
2931371
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
kaizencc Mar 23, 2022
aaa2638
more eks test changes
kaizencc Mar 23, 2022
b916728
update stepfunction-tasks integ tests that use lambda
kaizencc Mar 23, 2022
0c1e230
update ecs-service-extensions itneg test
kaizencc Mar 23, 2022
1dff4e2
appsync lambda integ test
kaizencc Mar 23, 2022
a417b9f
pipeline lambda function updates
kaizencc Mar 23, 2022
ebb9b53
Merge branch 'master' into update-lambda-grant-invoke-identity-policies
mergify[bot] Mar 24, 2022
Expand Up @@ -1051,12 +1051,28 @@
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99",
"Arn"
]
}
"Resource": [
{
"Fn::GetAtt": [
"nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"nameserviceTaskRecordManagerCleanupResourceProviderHandler08068F99",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
Expand Up @@ -105,7 +105,7 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer {
this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
statements: [
new iam.PolicyStatement({
resources: [this.handler.functionArn],
resources: this.handler.resourceArnsForGrantInvoke,
actions: ['lambda:InvokeFunction'],
}),
],
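Review bot: The statement at `resources: this.handler.resourceArnsForGrantInvoke` now grants `lambda:InvokeFunction` on both the handler's unqualified ARN and its `:*` version/alias wildcard (visible in the rendered templates elsewhere in this PR), which is a wider grant than the single ARN it replaces, and nothing in the hunk records why the wildcard is needed. A one-line comment above the statement, e.g. `// Lambda also authorizes Invoke against the qualified ARN, so the role needs the unqualified ARN plus the ':*' wildcard`, would spare an auditor of the authorizer role from having to rediscover the Lambda authorization change named in the PR title. The codepipeline-actions hunk in this PR switches to `grantInvoke(role)` instead of hand-building the statement; if this authorizer keeps the explicit inline policy on purpose (presumably because it must be attached to `this.role` as a named inline policy), that is worth stating in the same comment. The enclosing method starts and ends outside the hunk.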
Expand Up @@ -176,12 +176,28 @@
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyAuthorizerFunction70F1223E",
"Arn"
]
}
"Resource": [
{
"Fn::GetAtt": [
"MyAuthorizerFunction70F1223E",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"MyAuthorizerFunction70F1223E",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
Expand Up @@ -393,7 +393,7 @@ describe('lambda authorizer', () => {
PolicyDocument: {
Statement: [
{
Resource: stack.resolve(func.functionArn),
Resource: stack.resolve(func.resourceArnsForGrantInvoke),
Action: 'lambda:InvokeFunction',
Effect: 'Allow',
},
Expand Down Expand Up @@ -485,7 +485,7 @@ describe('lambda authorizer', () => {
PolicyDocument: {
Statement: [
{
Resource: stack.resolve(func.functionArn),
Resource: stack.resolve(func.resourceArnsForGrantInvoke),
Action: 'lambda:InvokeFunction',
Effect: 'Allow',
},
Expand Up @@ -58,12 +58,28 @@
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"funcC3A0C2E2",
"Arn"
]
}
"Resource": [
{
"Fn::GetAtt": [
"funcC3A0C2E2",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"funcC3A0C2E2",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
Expand Up @@ -47,6 +47,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
public readonly role?: iam.IRole;
public readonly version: string;
public readonly architecture: lambda.Architecture;
public readonly resourceArnsForGrantInvoke: string[];

private readonly _edgeFunction: lambda.Function;

Expand All @@ -68,6 +69,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
this.permissionsNode = this._edgeFunction.permissionsNode;
this.version = lambda.extractQualifierFromArn(this.functionArn);
this.architecture = this._edgeFunction.architecture;
this.resourceArnsForGrantInvoke = this._edgeFunction.resourceArnsForGrantInvoke;

this.node.defaultChild = this._edgeFunction;
}
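Review bot: The new `public readonly resourceArnsForGrantInvoke: string[]` field has no doc comment, and its value is copied from `this._edgeFunction` while the neighbouring `version` is derived from `this.functionArn` (a qualified ARN, given the `extractQualifierFromArn` call), so on this `IVersion` the property presumably describes the underlying function's ARN set rather than this specific version — confirm that is the intended contract for grantees of an edge function. A doc comment such as `/** ARNs an identity policy must cover to invoke this function; mirrors the underlying Lambda function, not only this version. */` would make that explicit for readers. Both the class body and the constructor continue outside the hunk.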
Expand Up @@ -299,12 +299,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
PolicyDocument: {
Statement: [{
Action: 'lambda:InvokeFunction',
Resource: {
'Fn::GetAtt': [
'PreHook8B53F672',
'Arn',
],
},
Resource: [
{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] },
{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] },
],
Effect: 'Allow',
}],
Version: '2012-10-17',
Expand Down Expand Up @@ -347,12 +345,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
PolicyDocument: {
Statement: [{
Action: 'lambda:InvokeFunction',
Resource: {
'Fn::GetAtt': [
'PreHook8B53F672',
'Arn',
],
},
Resource: [
{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] },
{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PreHook8B53F672', 'Arn'] }, ':*']] },
],
Effect: 'Allow',
}],
Version: '2012-10-17',
Expand Down Expand Up @@ -395,12 +391,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
PolicyDocument: {
Statement: [{
Action: 'lambda:InvokeFunction',
Resource: {
'Fn::GetAtt': [
'PostHookF2E49B30',
'Arn',
],
},
Resource: [
{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] },
{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] },
],
Effect: 'Allow',
}],
Version: '2012-10-17',
Expand Down Expand Up @@ -443,12 +437,10 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
PolicyDocument: {
Statement: [{
Action: 'lambda:InvokeFunction',
Resource: {
'Fn::GetAtt': [
'PostHookF2E49B30',
'Arn',
],
},
Resource: [
{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] },
{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['PostHookF2E49B30', 'Arn'] }, ':*']] },
],
Effect: 'Allow',
}],
Version: '2012-10-17',
Expand Up @@ -495,6 +495,34 @@
"PreHook8B53F672",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PostHookF2E49B30",
"Arn"
]
},
":*"
]
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"PreHook8B53F672",
"Arn"
]
},
":*"
]
]
}
]
}
Expand Up @@ -115,10 +115,7 @@ export class LambdaInvokeAction extends Action {
}));

// allow pipeline to invoke this lambda functionn
options.role.addToPolicy(new iam.PolicyStatement({
actions: ['lambda:InvokeFunction'],
resources: [this.props.lambda.functionArn],
}));
this.props.lambda.grantInvoke(options.role);

// allow the Role access to the Bucket, if there are any inputs/outputs
if ((this.actionProperties.inputs || []).length > 0) {
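Review bot: `this.props.lambda.grantInvoke(options.role)` discards the returned `Grant`, and unlike the `addToPolicy` call it replaces it leaves the identity-versus-resource-policy decision to `grantInvoke`; for an imported or cross-account function that presumably yields a resource-based permission instead of (or alongside) a statement on `options.role`, which is a behavioural change worth one sentence in the PR description or a comment on this line. The context comment above it, `// allow pipeline to invoke this lambda functionn`, could be corrected to `// allow pipeline to invoke this lambda function` while the line beneath it is being rewritten. The enclosing method continues outside the hunk.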
Expand Up @@ -551,12 +551,28 @@
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"LambdaFun98622869",
"Arn"
]
}
"Resource": [
{
"Fn::GetAtt": [
"LambdaFun98622869",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"LambdaFun98622869",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"