From 89d722c0648fa9083b4cdeb82ac3934718452c62 Mon Sep 17 00:00:00 2001
From: James Fleming
Date: Sun, 17 May 2020 19:42:33 +0000
Subject: [PATCH] fix(lambda): add execution permissions to provided IAM roles

---
 .../integ.eks-cluster.defaults.expected.json | 12 +++++++++
 .../test/integ.eks-cluster.lit.expected.json | 12 +++++++++
 .../test/integ.eks-helm.lit.expected.json | 24 +++++++++++++++++
 .../test/integ.eks-kubectl.lit.expected.json | 12 +++++++++
 .../test/integ.eks-spot.expected.json | 12 +++++++++
 packages/@aws-cdk/aws-lambda/lib/function.ts | 4 ++-
 .../@aws-cdk/aws-lambda/test/test.lambda.ts | 27 +++++++++++++++++++
 7 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.defaults.expected.json b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.defaults.expected.json
index f98225e84b35e..1cbdd41005fe5 100644
--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.defaults.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.defaults.expected.json
@@ -683,6 +683,18 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
 {
 "Fn::Join": [
 "",
diff --git a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.lit.expected.json b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.lit.expected.json
index 254e46a33dfd5..4d63e1711d139 100644
--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.lit.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-cluster.lit.expected.json
@@ -683,6 +683,18 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
 {
 "Fn::Join": [
 "",
diff --git a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-helm.lit.expected.json b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-helm.lit.expected.json
index ba37ddbe77d70..ce086c92f1e81 100644
--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-helm.lit.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-helm.lit.expected.json
@@ -547,6 +547,30 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
 {
 "Fn::Join": [
 "",
diff --git a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-kubectl.lit.expected.json b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-kubectl.lit.expected.json
index fd726b6e62f29..7d3b72ac3d513 100644
--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-kubectl.lit.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-kubectl.lit.expected.json
@@ -547,6 +547,18 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
 {
 "Fn::Join": [
 "",
diff --git a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json
index 56f7f71864838..74cae364ad282 100644
--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json
@@ -521,6 +521,18 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ ]
+ ]
+ },
 {
 "Fn::Join": [
 "",
diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts
index f66a67f07e336..0d890c8f61b85 100644
--- a/packages/@aws-cdk/aws-lambda/lib/function.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -477,8 +477,10 @@ export class Function extends FunctionBase {
 this.role = props.role || new iam.Role(this, 'ServiceRole', {
 assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
- managedPolicies,
 });
+ for (const policy of managedPolicies) {
+ this.role.addManagedPolicy(policy);
+ }
 this.grantPrincipal = this.role;
 for (const statement of (props.initialPolicy || [])) {
diff --git a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
index 6a697833e4700..e654fd1bcca81 100644
--- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
@@ -61,6 +61,33 @@ export = {
 test.done();
 },
+ 'default function with provided role gets execution permissions'(test: Test) {
+ const stack = new cdk.Stack();
+
+ const myRole = new iam.Role(stack, 'MyRole', {
+ assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+ });
+
+ const myVpc = new ec2.Vpc(stack, 'MyVpc', {});
+
+ new lambda.Function(stack, 'MyLambda', {
+ code: new lambda.InlineCode('foo'),
+ handler: 'index.handler',
+ runtime: lambda.Runtime.NODEJS_10_X,
+ role: myRole,
+ vpc: myVpc,
+ });
+
+ expect(stack).to(haveResource('AWS::IAM::Role', {
+ 'ManagedPolicyArns': [
+ // tslint:disable-next-line:max-line-length
+ { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']] },
+ // tslint:disable-next-line:max-line-length
+ { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole']] },
+ ],
+ }));
+ test.done();
+ },
 'adds policy permissions'(test: Test) {
 const stack = new cdk.Stack();
 new lambda.Function(stack, 'MyLambda', {
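Review bot: The new `for (const policy of managedPolicies)` loop now attaches managed policies to a caller-supplied `props.role` as well, which widens a role the caller may have scoped deliberately, and the `role` prop's documentation (outside this hunk) should say so; a sentence such as `* The construct attaches the AWSLambdaBasicExecutionRole managed policy (and AWSLambdaVPCAccessExecutionRole when a VPC is configured) to this role even when it is supplied by the caller.` would make the widened permissions visible to reviewers of the consuming stack. The VPC policy is what the new test in test.lambda.ts expects; the `managedPolicies` list itself is built above the hunk. It is also worth stating what happens when `props.role` is an imported `IRole` (for example one obtained from `Role.fromRoleArn`): if `addManagedPolicy` cannot modify such a role, the function would still deploy without CloudWatch Logs permissions and no error would surface, so either a doc sentence or a node annotation warning at that point would make the gap explicit. The constructor this code belongs to starts and ends outside the hunk.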
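Review bot: The new test `'default function with provided role gets execution permissions'` checks that some `AWS::IAM::Role` in the stack carries the two managed policies but not that `myRole` is the one used, so a regression that went back to creating a separate `ServiceRole` carrying those policies would still pass, since `haveResource` matches any role in the stack. Adding `expect(stack).to(countResources('AWS::IAM::Role', 1));` (from `@aws-cdk/assert`, alongside the existing `haveResource` import) pins that the provided role is the only one created. Since the test name says nothing about VPCs, moving the `vpc: myVpc` case into its own test would also make the `AWSLambdaVPCAccessExecutionRole` expectation explicit rather than implied. The `export =` object the test is added to starts and ends outside the hunk.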