
Use 'currentVersion' for lambda object to resolve the cdk nag issue #281

Merged
merged 1 commit into from May 8, 2024

Conversation


@alexiswl alexiswl commented May 8, 2024

Related issue: aws/aws-cdk#20177

grantInvoke will use * for all lambda versions, which breaks cdk-nag.

By using the currentVersion attribute of the lambda obj we only grantInvoke for the latest version of the lambda object, resolving the cdk-nag errors.

@alexiswl alexiswl self-assigned this May 8, 2024
@victorskl victorskl linked an issue May 8, 2024 that may be closed by this pull request
@victorskl victorskl added the fix label May 8, 2024

@victorskl victorskl left a comment


👍

@@ -194,7 +194,7 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct {
generate_trimmed_samplesheet_lambda_obj,
upload_samplesheet_to_cache_dir_lambda_obj,
].forEach((lambda_obj) => {
lambda_obj.grantInvoke(<iam.IRole>stateMachine.role);
lambda_obj.currentVersion.grantInvoke(<iam.IRole>stateMachine.role);
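Review bot: switching to lambda_obj.currentVersion.grantInvoke narrows the role policy to the version-qualified ARN (function:&lt;name&gt;:&lt;n&gt;), but nothing in this hunk changes what the state machine actually invokes; if the definition still substitutes lambda_obj.functionArn (the unqualified ARN), the task will be denied with AccessDeniedException, because a grant on `...:<n>` does not cover the bare ARN. Pair the grant with the same handle in the definition (lambda_obj.currentVersion.functionArn), and note the side effect: every deployment that changes the function code produces a new version, so the role policy is rewritten on each deploy and cdk will prompt for the IAM diff.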

@williamputraintan @mmalenic @raylrui FYI, folks.

If we use the currentVersion prop of Lambda, we can get away from cdk generating * in the ARN. This is for the cdk-nag AwsSolutions-IAM5 suppression.

@alexiswl alexiswl merged commit 0abbd06 into main May 8, 2024
2 checks passed
@alexiswl alexiswl deleted the bugfix/cttso-cdk-nag-lambda-invoke-fix branch May 8, 2024 01:36
@alexiswl (Member Author)

Ah this doesn't work as magically as one would have hoped.

Using current version is very specific -
Got this error in AWS Step functions

User: arn:aws:sts::843407916570:assumed-role/OrcaBusBeta-BclconvertInt-BclconvertInteropQcIcav2P-olRiObau8Dle/OfpsBsQSvUGVcbvTGeepNuvQApaXaOts is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-southeast-2:843407916570:function:OrcaBusBeta-BclconvertInt-BclconvertInteropQcIcav2-WOdb9Nfb3N0C because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 04b41406-99a6-489a-b09a-2a0224262b21; Proxy: null)

Because step functions role has access to arn:aws:lambda:ap-southeast-2:843407916570:function:OrcaBusBeta-BclconvertInt-BclconvertInteropQcIcav2-WOdb9Nfb3N0C:1 not arn:aws:lambda:ap-southeast-2:843407916570:function:OrcaBusBeta-BclconvertInt-BclconvertInteropQcIcav2-WOdb9Nfb3N0C.

So when replacing definitions in step functions, rather than lambda_obj.functionArn, we need to use lambda_obj.currentVersion.functionArn.

@victorskl (Member)

Argh. CDK meow! 😿 Must be the reason why CDK grant generates the slash star.

Go for it, Alexis. Suppress the AwsSolutions-IAM5 nag like others would. All good.

https://github.com/umccr/orcabus/blob/3638b2c/test/stateless/deployment.test.ts#L131-L189

@reisingerf (Member)

Is it an issue passing the lambda_obj.currentVersion.functionArn to the step function?

@alexiswl (Member Author)

No it's not, it's just something to remember.

It does, though, mean that every time we update the lambda and deploy (manually), cdk will ask for permission first, since we'll also be updating the role permissions of the step function.
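The mismatch discussed in this thread (grant issued on the `:1` version, invoke made against the unqualified function ARN, and the policy changing on every deploy), modelled as an added example that is not part of this PR or of the orcabus code base. It assumes that CDK's Function.grantInvoke writes the bare function ARN plus a `:*` wildcard into the role policy and that Version.grantInvoke writes only the version-qualified ARN (consistent with the comments above), uses a constructed account id and function name, and implements a simplified IAM resource matcher (`*` and `?` wildcards, Allow statements only). The `uncoveredTargets` helper is the kind of check you would put in a CDK assertions test so that the grant and the ARN substituted into the state-machine definition are always drawn from the same Lambda handle.

```typescript
// Added example (not orcabus code): why currentVersion.grantInvoke() combined
// with an unqualified functionArn in the state machine definition yields a 403.

const REGION = "ap-southeast-2";
const ACCOUNT = "123456789012";      // constructed placeholder account id
const FN_NAME = "ExampleFunction";   // constructed placeholder function name

// The unqualified ARN (what lambda_obj.functionArn resolves to).
const unqualifiedArn = `arn:aws:lambda:${REGION}:${ACCOUNT}:function:${FN_NAME}`;

// A version-qualified ARN (what lambda_obj.currentVersion.functionArn resolves to).
function qualifiedArn(version: string): string {
  return `${unqualifiedArn}:${version}`;
}

// Resources CDK writes into the role policy (assumption, matching the thread):
//   lambda_obj.grantInvoke(role)                -> bare ARN + ":*" (trips AwsSolutions-IAM5)
//   lambda_obj.currentVersion.grantInvoke(role) -> only the current version's ARN
const grantFromFunction: string[] = [unqualifiedArn, `${unqualifiedArn}:*`];
const grantFromCurrentVersion: string[] = [qualifiedArn("1")];

function escapeRegex(s: string): string {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

// Simplified IAM resource matching: "*" matches any run of characters (including
// none), "?" matches exactly one, everything else is a case-sensitive literal.
function iamResourceMatches(pattern: string, resource: string): boolean {
  const body = pattern
    .split("*")
    .map((chunk) => chunk.split("?").map(escapeRegex).join("."))
    .join(".*");
  return new RegExp(`^${body}$`).test(resource);
}

// Allow-only evaluation: the call succeeds if any granted resource matches.
function invokeAllowed(policyResources: string[], invokedArn: string): boolean {
  return policyResources.some((p) => iamResourceMatches(p, invokedArn));
}

// The check to run in a CDK assertions test: every ARN the state machine
// substitutes into its definition must be covered by what was granted.
function uncoveredTargets(policyResources: string[], targets: string[]): string[] {
  return targets.filter((t) => !invokeAllowed(policyResources, t));
}

// Walk through the thread's scenario.
function demo(): void {
  console.log("function grant, invoke unqualified ARN:",
    invokeAllowed(grantFromFunction, unqualifiedArn));                 // true
  console.log("currentVersion grant, invoke unqualified ARN:",
    invokeAllowed(grantFromCurrentVersion, unqualifiedArn));           // false: the 403
  console.log("currentVersion grant, invoke :1:",
    invokeAllowed(grantFromCurrentVersion, qualifiedArn("1")));        // true
  // A different version is not covered, which is why each deploy that bumps
  // currentVersion also rewrites the state machine role's policy.
  console.log("currentVersion grant, invoke :2:",
    invokeAllowed(grantFromCurrentVersion, qualifiedArn("2")));        // false
  console.log("uncovered targets:",
    uncoveredTargets(grantFromCurrentVersion, [unqualifiedArn]));      // [unqualifiedArn]
}

demo();
```

Note that the `:*` pattern on its own does not cover the bare ARN either (the colon is required), which is why CDK's unversioned grant lists both forms; the version-qualified grant lists neither, so the definition must reference `currentVersion.functionArn` as well.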

Successfully merging this pull request may close these issues.

Implement TSO v2 ILMN pipeline orchestration - baseline