fix(custom-resource): provider framework lambda missing GetFunction permission

[samson-keung]

Issue # (if applicable)

Closes #26838.

Note that this is re-creating #32904 which was reverted due to it causing problem in the release process.

Reason for this change

In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic):

aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts

Lines 66 to 80 in 64b865b

	} catch {
	/**
	* The status of the Lambda function is checked every second for up to 300 seconds.
	* Exits the loop on 'Active' state and throws an error on 'Inactive' or 'Failed'.
	*
	* And now we wait.
	*/
	await waitUntilFunctionActiveV2({
	client: lambda,
	maxWaitTime: 300,
	}, {
	FunctionName: req.FunctionName,
	});
	return lambda.invoke(req);
	}

The polling uses the AWS SDK waitUntilFunctionActiveV2 function, which calls the Lambda GetFunction API:
https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57

However, the Provider Framework lambda does not have the lambda:GetFunction permission.

Why is the issue saying the lambda:GetFunctionConfiguration is needed instead of lambda:GetFunction?

At some point in time, the retry logic used waitUntilFunctionActive for polling, which use the GetFunctionConfiguration. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66

Description of changes

Added the lambda:GetFunction permission on the role used by the Provider Framework lambda.

Describe any new or updated permissions being added

The lambda:GetFunction permission is added.

Description of how you validated changes

There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test.

What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called GetFunction successfully and then it was also able to invoke the User Defined Handler lambda.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.83%. Comparing base (361c7d3) to head (7e10dd4).
Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33301   +/-   ##
=======================================
  Coverage   80.83%   80.83%           
=======================================
  Files         236      236           
  Lines       14253    14253           
  Branches     2490     2490           
=======================================
  Hits        11522    11522           
  Misses       2446     2446           
  Partials      285      285           

Flag	Coverage Δ
suite.unit	80.83% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	79.57% <ø> (ø)
packages/aws-cdk-lib/core	82.20% <ø> (ø)

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 7e10dd4
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.