add GetFunction permission to Provider Framework lambda
samson-keung committed Jan 14, 2025
1 parent c7d6fb6 commit 802391a
Showing 2 changed files with 106 additions and 4 deletions.
Expand Up @@ -250,6 +250,20 @@ export class Provider extends Construct implements ICustomResourceProvider {
};
}

private addPermissions(frameworkLambda: lambda.Function, arnOfUserDefinedHandlerLambda: lambda.IFunction) {
arnOfUserDefinedHandlerLambda.grantInvoke(frameworkLambda);

/*
lambda:GetFunction is needed as the framework Lambda use it to poll the state of User Defined
Handler until it is ACTIVE state
*/
frameworkLambda.addToRolePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['lambda:GetFunction'],
resources: [arnOfUserDefinedHandlerLambda.functionArn],
}));
}

private createFunction(entrypoint: string, name?: string) {
const fn = new lambda.Function(this, `framework-${entrypoint}`, {
code: lambda.Code.fromAsset(RUNTIME_HANDLER_PATH, {
Expand All @@ -272,11 +286,11 @@ export class Provider extends Construct implements ICustomResourceProvider {
});

fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn);
this.onEventHandler.grantInvoke(fn);
this.addPermissions(fn, this.onEventHandler);

if (this.isCompleteHandler) {
fn.addEnvironment(consts.USER_IS_COMPLETE_FUNCTION_ARN_ENV, this.isCompleteHandler.functionArn);
this.isCompleteHandler.grantInvoke(fn);
this.addPermissions(fn, this.isCompleteHandler);
}

return fn;
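Review bot: The new `addPermissions` parameter is named `arnOfUserDefinedHandlerLambda` but is typed `lambda.IFunction` and is used as a function object (`.grantInvoke`, `.functionArn`), so the name misdescribes it; `userDefinedHandler: lambda.IFunction` would match how it is used. The block comment above the policy statement also has grammar slips and would serve better as TSDoc on the method, e.g. `/** Grants the framework Lambda invoke on the user-defined handler plus lambda:GetFunction on it, which the framework uses to poll the handler's state until it is ACTIVE before invoking it. */`. Scoping `lambda:GetFunction` to the single handler ARN is the right least-privilege shape, since GetFunction returns the target's full configuration (including environment variables) and a code download link, so the resource list should not be widened to `*` later for convenience. Note that the `lambda:GetFunction` statement covers only the unqualified ARN while `grantInvoke` also covers `:*` (seen in the test expectations), which is fine for the described polling but worth stating in the comment so the asymmetry is not "fixed" accidentally. The enclosing `Provider` class starts and ends outside these hunks.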
Expand Up @@ -478,14 +478,58 @@ describe('role', () => {
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
const template = Template.fromStack(stack);
template.hasResourceProperties('AWS::Lambda::Function', {
Role: {
'Fn::GetAtt': [
'MyRoleF48FFE04',
'Arn',
],
},
});
template.hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: 'lambda:InvokeFunction',
Effect: 'Allow',
Resource: [
{
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
{
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
':*',
],
],
},
],
},
{
Action: 'lambda:GetFunction',
Effect: 'Allow',
Resource: {
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
},
],
Version: '2012-10-17',
},
});
});

it('uses default role otherwise', () => {
Expand All @@ -502,14 +546,58 @@ describe('role', () => {
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
const template = Template.fromStack(stack);
template.hasResourceProperties('AWS::Lambda::Function', {
Role: {
'Fn::GetAtt': [
'MyProviderframeworkonEventServiceRole8761E48D',
'Arn',
],
},
});
template.hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: 'lambda:InvokeFunction',
Effect: 'Allow',
Resource: [
{
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
{
'Fn::Join': [
'',
[
{
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
':*',
],
],
},
],
},
{
Action: 'lambda:GetFunction',
Effect: 'Allow',
Resource: {
'Fn::GetAtt': [
'MyHandler6B74D312',
'Arn',
],
},
},
],
Version: '2012-10-17',
},
});
});
});
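Review bot: The ~40-line expected `AWS::IAM::Policy` literal is pasted verbatim into both the "custom role" and "uses default role otherwise" tests, differing only in nothing at all (both reference `MyHandler6B74D312`), so a future change to the framework role policy will have to be edited in two places and a drift between them would be easy to miss. Extracting a small helper such as `expectedHandlerPolicy(handlerLogicalId: string)` that returns the `PolicyDocument` object, and calling `template.hasResourceProperties('AWS::IAM::Policy', expectedHandlerPolicy('MyHandler6B74D312'))` in each test, keeps the assertion identical across both cases. The same duplication appears in the second hunk of this file. Both `it(...)` blocks begin outside their hunks, as does the enclosing `describe('role', ...)`.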

