-
Notifications
You must be signed in to change notification settings - Fork 4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(lambda): code signing config (#12656)
closes #12216 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
Masaharu Komuro
authored
Feb 25, 2021
1 parent
09723f5
commit 778ea27
Showing
13 changed files
with
635 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
120 changes: 120 additions & 0 deletions
120
packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
import { ISigningProfile } from '@aws-cdk/aws-signer'; | ||
import { IResource, Resource, Stack } from '@aws-cdk/core'; | ||
import { Construct } from 'constructs'; | ||
import { CfnCodeSigningConfig } from './lambda.generated'; | ||
|
||
/** | ||
* Code signing configuration policy for deployment validation failure. | ||
*/ | ||
export enum UntrustedArtifactOnDeployment { | ||
/** | ||
* Lambda blocks the deployment request if signature validation checks fail. | ||
*/ | ||
ENFORCE = 'enforce', | ||
|
||
/** | ||
* Lambda allows the deployment of the code package, but issues a warning. | ||
* Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail. | ||
*/ | ||
WARN = 'warn', | ||
} | ||
|
||
/** | ||
* A Code Signing Config | ||
*/ | ||
export interface ICodeSigningConfig extends IResource { | ||
/** | ||
* The ARN of Code Signing Config | ||
* @attribute | ||
*/ | ||
readonly codeSigningConfigArn: string; | ||
|
||
/** | ||
* The id of Code Signing Config | ||
* @attribute | ||
*/ | ||
readonly codeSigningConfigId: string; | ||
} | ||
|
||
/** | ||
* Construction properties for a Code Signing Config object | ||
*/ | ||
export interface CodeSigningConfigProps { | ||
/** | ||
* List of signing profiles that defines a | ||
* trusted user who can sign a code package. | ||
*/ | ||
readonly signingProfiles: ISigningProfile[], | ||
|
||
/** | ||
* Code signing configuration policy for deployment validation failure. | ||
* If you set the policy to Enforce, Lambda blocks the deployment request | ||
* if signature validation checks fail. | ||
* If you set the policy to Warn, Lambda allows the deployment and | ||
* creates a CloudWatch log. | ||
* | ||
* @default UntrustedArtifactOnDeployment.WARN | ||
*/ | ||
readonly untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, | ||
|
||
/** | ||
* Code signing configuration description. | ||
* | ||
* @default - No description. | ||
*/ | ||
readonly description?: string, | ||
} | ||
|
||
/** | ||
* Defines a Code Signing Config. | ||
* | ||
* @resource AWS::Lambda::CodeSigningConfig | ||
*/ | ||
export class CodeSigningConfig extends Resource implements ICodeSigningConfig { | ||
/** | ||
* Creates a Signing Profile construct that represents an external Signing Profile. | ||
* | ||
* @param scope The parent creating construct (usually `this`). | ||
* @param id The construct's name. | ||
* @param codeSigningConfigArn The ARN of code signing config. | ||
*/ | ||
public static fromCodeSigningConfigArn( scope: Construct, id: string, codeSigningConfigArn: string): ICodeSigningConfig { | ||
const codeSigningProfileId = Stack.of(scope).parseArn(codeSigningConfigArn).resourceName; | ||
if (!codeSigningProfileId) { | ||
throw new Error(`Code signing config ARN must be in the format 'arn:aws:lambda:<region>:<account>:code-signing-config:<codeSigningConfigArn>', got: '${codeSigningConfigArn}'`); | ||
} | ||
const assertedCodeSigningProfileId = codeSigningProfileId; | ||
class Import extends Resource implements ICodeSigningConfig { | ||
public readonly codeSigningConfigArn = codeSigningConfigArn; | ||
public readonly codeSigningConfigId = assertedCodeSigningProfileId; | ||
|
||
constructor() { | ||
super(scope, id); | ||
} | ||
} | ||
return new Import(); | ||
} | ||
|
||
public readonly codeSigningConfigArn: string; | ||
public readonly codeSigningConfigId: string; | ||
|
||
constructor(scope: Construct, id: string, props: CodeSigningConfigProps) { | ||
super(scope, id); | ||
|
||
const signingProfileVersionArns = props.signingProfiles.map(signingProfile => { | ||
return signingProfile.signingProfileVersionArn; | ||
}); | ||
|
||
const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { | ||
allowedPublishers: { | ||
signingProfileVersionArns, | ||
}, | ||
codeSigningPolicies: { | ||
untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment ?? UntrustedArtifactOnDeployment.WARN, | ||
}, | ||
description: props.description, | ||
}); | ||
this.codeSigningConfigArn = resource.attrCodeSigningConfigArn; | ||
this.codeSigningConfigId = resource.attrCodeSigningConfigId; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
102 changes: 102 additions & 0 deletions
102
packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
import '@aws-cdk/assert/jest'; | ||
import * as signer from '@aws-cdk/aws-signer'; | ||
import * as cdk from '@aws-cdk/core'; | ||
import * as lambda from '../lib'; | ||
|
||
let app: cdk.App; | ||
let stack: cdk.Stack; | ||
beforeEach( () => { | ||
app = new cdk.App( {} ); | ||
stack = new cdk.Stack( app ); | ||
} ); | ||
|
||
describe('code signing config', () => { | ||
test('default', () => { | ||
const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; | ||
const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platform }); | ||
new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { | ||
signingProfiles: [signingProfile], | ||
}); | ||
|
||
expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { | ||
AllowedPublishers: { | ||
SigningProfileVersionArns: [{ | ||
'Fn::GetAtt': [ | ||
'SigningProfile2139A0F9', | ||
'ProfileVersionArn', | ||
], | ||
}], | ||
}, | ||
CodeSigningPolicies: { | ||
UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.WARN, | ||
}, | ||
}); | ||
}); | ||
|
||
test('with multiple signing profiles', () => { | ||
const signingProfile1 = new signer.SigningProfile(stack, 'SigningProfile1', { platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA }); | ||
const signingProfile2 = new signer.SigningProfile(stack, 'SigningProfile2', { platform: signer.Platform.AMAZON_FREE_RTOS_DEFAULT }); | ||
const signingProfile3 = new signer.SigningProfile(stack, 'SigningProfile3', { platform: signer.Platform.AWS_IOT_DEVICE_MANAGEMENT_SHA256_ECDSA }); | ||
new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { | ||
signingProfiles: [signingProfile1, signingProfile2, signingProfile3], | ||
}); | ||
|
||
expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { | ||
AllowedPublishers: { | ||
SigningProfileVersionArns: [ | ||
{ | ||
'Fn::GetAtt': [ | ||
'SigningProfile1D4191686', | ||
'ProfileVersionArn', | ||
], | ||
}, | ||
{ | ||
'Fn::GetAtt': [ | ||
'SigningProfile2E013C934', | ||
'ProfileVersionArn', | ||
], | ||
}, | ||
{ | ||
'Fn::GetAtt': [ | ||
'SigningProfile3A38DE231', | ||
'ProfileVersionArn', | ||
], | ||
}, | ||
], | ||
}, | ||
}); | ||
}); | ||
|
||
test('with description and with untrustedArtifactOnDeployment of "ENFORCE"', () => { | ||
const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; | ||
const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platform }); | ||
new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { | ||
signingProfiles: [signingProfile], | ||
untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, | ||
description: 'test description', | ||
}); | ||
|
||
expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { | ||
CodeSigningPolicies: { | ||
UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, | ||
}, | ||
Description: 'test description', | ||
}); | ||
}); | ||
|
||
test('import does not create any resources', () => { | ||
const codeSigningConfigId = 'aaa-xxxxxxxxxx'; | ||
const codeSigningConfigArn = `arn:aws:lambda:::code-signing-config:${codeSigningConfigId}`; | ||
const codeSigningConfig = lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ); | ||
|
||
expect(codeSigningConfig.codeSigningConfigArn).toBe(codeSigningConfigArn); | ||
expect(codeSigningConfig.codeSigningConfigId).toBe(codeSigningConfigId); | ||
expect(stack).toCountResources('AWS::Lambda::CodeSigningConfig', 0); | ||
}); | ||
|
||
test('fail import with malformed code signing config arn', () => { | ||
const codeSigningConfigArn = 'arn:aws:lambda:::code-signing-config'; | ||
|
||
expect(() => lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ) ).toThrow(/ARN must be in the format/); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.