Commit 4cf3e82

samson-keung authored and moelasmar committed
fix(custom-resource): provider framework lambda missing GetFunction permission (#32904)
### Issue # (if applicable)

Closes #26838.

### Reason for this change

In the Provider Framework lambda code, there is logic to catch errors arising from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80

The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57

However, the Provider Framework lambda does not have the `lambda:GetFunction` permission.

##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`?

At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which uses `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66

### Description of changes

Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda.

### Describe any new or updated permissions being added

The `lambda:GetFunction` permission is added.

### Description of how you validated changes

There isn't a straightforward way to test the INACTIVE lambda scenario, as one needs to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally change the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 035d17d)
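A check a reviewer could run over synthesized templates for the gap the commit message describes: any policy that lets a Provider Framework role `lambda:InvokeFunction` a handler must also let it `lambda:GetFunction` that handler, since the retry path polls GetFunction. This is an added example, not aws-cdk code; the template is a constructed excerpt modelled on the nested ReplicaProvider snapshot in this commit, and the policy logical IDs are made up.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _target(r):
    # Normalise a Resource entry: Fn::GetAtt [id, "Arn"] becomes the logical id; anything else stays a string.
    if isinstance(r, dict) and "Fn::GetAtt" in r:
        return r["Fn::GetAtt"][0]
    return r if isinstance(r, str) else json.dumps(r, sort_keys=True)

def missing_get_function(template):
    """Return (policy_logical_id, target) pairs where an AWS::IAM::Policy allows lambda:InvokeFunction on a target but not lambda:GetFunction on it."""
    gaps = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":   # CDK emits DefaultPolicy resources of this type
            continue
        doc = res["Properties"]["PolicyDocument"]
        invoke, get = set(), set()
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            actions = set(_as_list(st.get("Action", [])))
            targets = {_target(r) for r in _as_list(st.get("Resource", []))}
            if "lambda:InvokeFunction" in actions:
                invoke |= targets
            if actions & {"lambda:GetFunction", "lambda:*", "*"}:
                get |= targets
        if "*" in get:          # a wildcard resource already covers every invoke target
            continue
        gaps.extend((logical_id, t) for t in sorted(invoke - get))
    return gaps

# Constructed sample modelled on the nested ReplicaProvider snapshot in this commit:
# one framework role as before the fix (invoke only) and one as after it (invoke + GetFunction).
_ON_EVENT = {"Fn::GetAtt": ["OnEventHandler42BEBAE0", "Arn"]}
_IS_COMPLETE = {"Fn::GetAtt": ["IsCompleteHandler7073F4DA", "Arn"]}

def _policy(*statements):
    return {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": list(statements), "Version": "2012-10-17"}}}

SAMPLE_TEMPLATE = {"Resources": {
    "OnEventRoleDefaultPolicyBefore": _policy(
        {"Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [_ON_EVENT, _IS_COMPLETE]}),
    "IsCompleteRoleDefaultPolicyAfter": _policy(
        {"Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [_ON_EVENT, _IS_COMPLETE]},
        {"Action": "lambda:GetFunction", "Effect": "Allow", "Resource": [_ON_EVENT, _IS_COMPLETE]}),
}}
```

Run it over every `*.template.json` in an integ snapshot directory; an empty list means every framework role that can invoke a handler can also poll its state.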
1 parent 57b0edf commit 4cf3e82

639 files changed (+33524, -31124 lines)

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.assets.json

+5-5

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.template.json

+1-1
@@ -291,7 +291,7 @@
291291
{
292292
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
293293
},
294-
"/d0e51246341d2567827b1fdd35281e7e5d6bcd79ba28cf4873b65a573acb4f14.json"
294+
"/c51ce487e06d6bef9c24c4a72e75dabb646e28c6ac74c4ba3426e7a5dd441b1c.json"
295295
]
296296
]
297297
}
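Review bot: the only change in this hunk is the nested stack's template asset hash in the `.json` key, which follows from the ReplicaProvider nested template in this same commit gaining new policy statements; it should be the output of re-running the integ snapshot, not a hand edit. A hash that does not match the regenerated asset surfaces as a snapshot mismatch in CI, and that is the check to rely on here rather than eyeballing the value.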

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/awscdkdynamodbglobalreplicasprovisionedawscdkawsdynamodbReplicaProviderEA32CB30.nested.template.json

+54
@@ -419,6 +419,24 @@
419419
}
420420
]
421421
},
422+
{
423+
"Action": "lambda:GetFunction",
424+
"Effect": "Allow",
425+
"Resource": [
426+
{
427+
"Fn::GetAtt": [
428+
"IsCompleteHandler7073F4DA",
429+
"Arn"
430+
]
431+
},
432+
{
433+
"Fn::GetAtt": [
434+
"OnEventHandler42BEBAE0",
435+
"Arn"
436+
]
437+
}
438+
]
439+
},
422440
{
423441
"Action": "states:StartExecution",
424442
"Effect": "Allow",
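Review bot: the new statement scopes `lambda:GetFunction` to the two handler ARNs (`IsCompleteHandler7073F4DA`, `OnEventHandler42BEBAE0`) rather than `*`, which is exactly what the retry path in the commit message needs and keeps the grant at least privilege. Worth a code comment where the grant is added: `GetFunction` returns more than the state field the waiter reads, including the function's code download location, whereas `GetFunctionConfiguration` does not; the SDK waiter calls `GetFunction`, so the broader action is unavoidable, and the resource scoping is what contains it to the user's own handlers.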
@@ -570,6 +588,24 @@
570588
]
571589
}
572590
]
591+
},
592+
{
593+
"Action": "lambda:GetFunction",
594+
"Effect": "Allow",
595+
"Resource": [
596+
{
597+
"Fn::GetAtt": [
598+
"IsCompleteHandler7073F4DA",
599+
"Arn"
600+
]
601+
},
602+
{
603+
"Fn::GetAtt": [
604+
"OnEventHandler42BEBAE0",
605+
"Arn"
606+
]
607+
}
608+
]
573609
}
574610
],
575611
"Version": "2012-10-17"
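Review bot: the diff is anchored on the closing brace, so the inserted lines begin with `},` and the unchanged `}` that follows now closes the new `lambda:GetFunction` statement; the resulting JSON is well-formed and structurally identical to the block added in the first hunk, it only renders differently. This is the second of three copies of the statement in this template: each Provider Framework function (onEvent, isComplete, onTimeout) has its own role and default policy, so one grant per role is expected and not a duplication to collapse.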
@@ -712,6 +748,24 @@
712748
]
713749
}
714750
]
751+
},
752+
{
753+
"Action": "lambda:GetFunction",
754+
"Effect": "Allow",
755+
"Resource": [
756+
{
757+
"Fn::GetAtt": [
758+
"IsCompleteHandler7073F4DA",
759+
"Arn"
760+
]
761+
},
762+
{
763+
"Fn::GetAtt": [
764+
"OnEventHandler42BEBAE0",
765+
"Arn"
766+
]
767+
}
768+
]
715769
}
716770
],
717771
"Version": "2012-10-17"

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/awscdkdynamodbglobalreplicasprovisionedtestDefaultTestDeployAssertE7F91F54.assets.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/integ.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/manifest.json

+2-2

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/tree.json

+55-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.assets.json

+5-5

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.template.json

+1-1
@@ -246,7 +246,7 @@
246246
{
247247
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1"
248248
},
249-
"/4d7e876e7ecbd787c769dbfe05917a92bbc63c8b98b3a2df7e1241181df05af3.json"
249+
"/41871c36854ad8fb935ae46cbc99d707a2d39015497f4991e9334950f734d47d.json"
250250
]
251251
]
252252
}

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdk.out

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdkdynamodbglobal20191121awscdkawsdynamodbReplicaProviderB281C954.nested.template.json

+54
@@ -275,6 +275,24 @@
275275
}
276276
]
277277
},
278+
{
279+
"Action": "lambda:GetFunction",
280+
"Effect": "Allow",
281+
"Resource": [
282+
{
283+
"Fn::GetAtt": [
284+
"IsCompleteHandler7073F4DA",
285+
"Arn"
286+
]
287+
},
288+
{
289+
"Fn::GetAtt": [
290+
"OnEventHandler42BEBAE0",
291+
"Arn"
292+
]
293+
}
294+
]
295+
},
278296
{
279297
"Action": "states:StartExecution",
280298
"Effect": "Allow",
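Review bot: same statement, same two handler logical IDs as in the global-replicas-provisioned snapshot above; both integ tests exercise the `aws-dynamodb` replica provider, which is built on the Provider Framework, so both nested provider templates pick up the grant. Any other integ snapshot in the repo that contains a Provider Framework role should show the same three-statement change; if one does not, the lib change and the snapshots are out of sync.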
@@ -418,6 +436,24 @@
418436
]
419437
}
420438
]
439+
},
440+
{
441+
"Action": "lambda:GetFunction",
442+
"Effect": "Allow",
443+
"Resource": [
444+
{
445+
"Fn::GetAtt": [
446+
"IsCompleteHandler7073F4DA",
447+
"Arn"
448+
]
449+
},
450+
{
451+
"Fn::GetAtt": [
452+
"OnEventHandler42BEBAE0",
453+
"Arn"
454+
]
455+
}
456+
]
421457
}
422458
],
423459
"Version": "2012-10-17"
@@ -552,6 +588,24 @@
552588
]
553589
}
554590
]
591+
},
592+
{
593+
"Action": "lambda:GetFunction",
594+
"Effect": "Allow",
595+
"Resource": [
596+
{
597+
"Fn::GetAtt": [
598+
"IsCompleteHandler7073F4DA",
599+
"Arn"
600+
]
601+
},
602+
{
603+
"Fn::GetAtt": [
604+
"OnEventHandler42BEBAE0",
605+
"Arn"
606+
]
607+
}
608+
]
555609
}
556610
],
557611
"Version": "2012-10-17"
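Review bot: the construct change that emits these statements (the Provider Framework source, not the snapshots) is among the files hidden on this page, so the rendered diff shows only its effect. The point that cannot be verified from the snapshots alone is that `lambda:GetFunction` is granted on the same resource list as the existing `lambda:InvokeFunction` grant for every framework function, and only on the user handlers, so the two grants cannot drift apart in a later change; a unit test asserting both actions appear with identical `Resource` lists would lock that in.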

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdkdynamodbglobal20191121testDefaultTestDeployAssert469C3611.assets.json

+1-1

packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/integ.json

+1-1
