move supported conditions to function-base and minor name changes
BenChaimberg committed May 18, 2021
1 parent 7c6c217 commit 35a6202
Showing 3 changed files with 6 additions and 6 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-lambda/README.md
Expand Up @@ -119,7 +119,7 @@ myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWS
AWS Lambda supports resource-based policies for controlling access to Lambda
functions and layers on a per-resource basis. In particular, this allows you to
give permission to AWS services and other AWS accounts to modify and invoke your
resources. You can also restrict permissions given to AWS services by providing
functions. You can also restrict permissions given to AWS services by providing
a source account or ARN (representing the account and identifier of the resource
that accesses the function or layer).
8 changes: 5 additions & 3 deletions packages/@aws-cdk/aws-lambda/lib/function-base.ts
Expand Up @@ -8,9 +8,11 @@ import { IEventSource } from './event-source';
import { EventSourceMapping, EventSourceMappingOptions } from './event-source-mapping';
import { IVersion } from './lambda-version';
import { CfnPermission } from './lambda.generated';
import { Permission, PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS } from './permission';
import { Permission } from './permission';
import { addAlias } from './util';

const PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS = [{ operator: 'ArnLike', key: 'aws:SourceArn' }, { operator: 'StringEquals', key: 'aws:SourceAccount' }];

export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {

/**
Expand Down Expand Up @@ -239,7 +241,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
}

const principal = this.parsePermissionPrincipal(permission.principal);
const { sourceAccount, sourceArn } = this.parsePermissionPrincipalConditions(permission.principal) ?? {};
const { sourceAccount, sourceArn } = this.parseConditions(permission.principal) ?? {};
const action = permission.action ?? 'lambda:InvokeFunction';
const scope = permission.scope ?? this;

Expand Down Expand Up @@ -434,7 +436,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
'Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal');
}

private parsePermissionPrincipalConditions(principal: iam.IPrincipal): { sourceAccount: string, sourceArn: string } | null {
private parseConditions(principal: iam.IPrincipal): { sourceAccount: string, sourceArn: string } | null {
if ('conditions' in principal) {
const conditions: iam.Conditions = (principal as iam.PrincipalWithConditions).policyFragment.conditions;
const conditionPairs = Object.entries(conditions)
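Review bot: The constant moved into function-base.ts is a plain mutable array literal, so its `operator` and `key` members widen to `string` and the allowlist itself can be appended to at runtime; since this list decides which principal conditions are accepted and mapped onto `sourceArn`/`sourceAccount` of the generated CfnPermission (the destructuring in the second hunk), it should be frozen and documented. I would write it as `const PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS = [{ operator: 'ArnLike', key: 'aws:SourceArn' }, { operator: 'StringEquals', key: 'aws:SourceAccount' }] as const;` preceded by a comment such as `/** Condition operator/key pairs a permission principal may carry; parseConditions maps them to the CfnPermission sourceArn / sourceAccount fields, and presumably rejects anything else (not visible here). */`. In the third hunk, `'conditions' in principal` followed by the `as iam.PrincipalWithConditions` cast is an unchecked assertion; if `PrincipalWithConditions` is a class in this package, `principal instanceof iam.PrincipalWithConditions` would narrow without the cast. The body of parseConditions continues past the end of this hunk, so the rejection path could not be reviewed.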
2 changes: 0 additions & 2 deletions packages/@aws-cdk/aws-lambda/lib/permission.ts
Expand Up @@ -65,5 +65,3 @@ export interface Permission {
*/
readonly sourceArn?: string;
}

export const PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS = [{ operator: 'ArnLike', key: 'aws:SourceArn' }, { operator: 'StringEquals', key: 'aws:SourceAccount' }];
