-
Notifications
You must be signed in to change notification settings - Fork 4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(pipelines): 'ConfirmPermissionsBroadening' incorrectly invokes la…
…mbda for AWS CLI v2 (#21462) Whenever our pipelines use the construct we get the following error: ``` An error occurred (InvalidRequestContentException) when calling the Invoke operation: Could not parse request body into json: Could not parse payload into json: Unexpected character ('>' (code 62)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') ``` Turns out for AWS CLI v2 you need to specify a flag to send in raw text input. Documentation here https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html Explained here https://medium.com/cloud-recipes/use-cli-binary-format-flag-with-aws-cli-version-2-34d590479280 ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information
1 parent
a02ef9c
commit a913d60
Showing
13 changed files
with
187 additions
and
51 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
...security.integ.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
{} |
File renamed without changes.
1 change: 1 addition & 0 deletions
1
...napshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.d.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
export declare function handler(event: AWSLambda.CloudFormationCustomResourceEvent): Promise<void>; |
File renamed without changes.
82 changes: 82 additions & 0 deletions
82
....snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
// eslint-disable-next-line import/no-extraneous-dependencies | ||
import { S3 } from 'aws-sdk'; | ||
|
||
const AUTO_DELETE_OBJECTS_TAG = 'aws-cdk:auto-delete-objects'; | ||
|
||
const s3 = new S3(); | ||
|
||
export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent) { | ||
switch (event.RequestType) { | ||
case 'Create': | ||
return; | ||
case 'Update': | ||
return onUpdate(event); | ||
case 'Delete': | ||
return onDelete(event.ResourceProperties?.BucketName); | ||
} | ||
} | ||
|
||
async function onUpdate(event: AWSLambda.CloudFormationCustomResourceEvent) { | ||
const updateEvent = event as AWSLambda.CloudFormationCustomResourceUpdateEvent; | ||
const oldBucketName = updateEvent.OldResourceProperties?.BucketName; | ||
const newBucketName = updateEvent.ResourceProperties?.BucketName; | ||
const bucketNameHasChanged = newBucketName != null && oldBucketName != null && newBucketName !== oldBucketName; | ||
|
||
/* If the name of the bucket has changed, CloudFormation will try to delete the bucket | ||
and create a new one with the new name. So we have to delete the contents of the | ||
bucket so that this operation does not fail. */ | ||
if (bucketNameHasChanged) { | ||
return onDelete(oldBucketName); | ||
} | ||
} | ||
|
||
/** | ||
* Recursively delete all items in the bucket | ||
* | ||
* @param bucketName the bucket name | ||
*/ | ||
async function emptyBucket(bucketName: string) { | ||
const listedObjects = await s3.listObjectVersions({ Bucket: bucketName }).promise(); | ||
const contents = [...listedObjects.Versions ?? [], ...listedObjects.DeleteMarkers ?? []]; | ||
if (contents.length === 0) { | ||
return; | ||
} | ||
|
||
const records = contents.map((record: any) => ({ Key: record.Key, VersionId: record.VersionId })); | ||
await s3.deleteObjects({ Bucket: bucketName, Delete: { Objects: records } }).promise(); | ||
|
||
if (listedObjects?.IsTruncated) { | ||
await emptyBucket(bucketName); | ||
} | ||
} | ||
|
||
async function onDelete(bucketName?: string) { | ||
if (!bucketName) { | ||
throw new Error('No BucketName was provided.'); | ||
} | ||
if (!await isBucketTaggedForDeletion(bucketName)) { | ||
process.stdout.write(`Bucket does not have '${AUTO_DELETE_OBJECTS_TAG}' tag, skipping cleaning.\n`); | ||
return; | ||
} | ||
try { | ||
await emptyBucket(bucketName); | ||
} catch (e) { | ||
if (e.code !== 'NoSuchBucket') { | ||
throw e; | ||
} | ||
// Bucket doesn't exist. Ignoring | ||
} | ||
} | ||
|
||
/** | ||
* The bucket will only be tagged for deletion if it's being deleted in the same | ||
* deployment as this Custom Resource. | ||
* | ||
* If the Custom Resource is every deleted before the bucket, it must be because | ||
* `autoDeleteObjects` has been switched to false, in which case the tag would have | ||
* been removed before we get to this Delete event. | ||
*/ | ||
async function isBucketTaggedForDeletion(bucketName: string) { | ||
const response = await s3.getBucketTagging({ Bucket: bucketName }).promise(); | ||
return response.TagSet.some(tag => tag.Key === AUTO_DELETE_OBJECTS_TAG && tag.Value === 'true'); | ||
} |
11 changes: 3 additions & 8 deletions
11
packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/integ.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,11 @@ | ||
{ | ||
"version": "20.0.0", | ||
"testCases": { | ||
"integ.pipeline-security": { | ||
"PipelineSecurityTest/DefaultTest": { | ||
"stacks": [ | ||
"PipelineSecurityStack" | ||
], | ||
"diffAssets": false, | ||
"stackUpdateWorkflow": true | ||
"assertionStack": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA" | ||
} | ||
}, | ||
"synthContext": { | ||
"@aws-cdk/core:newStyleStackSynthesis": "true" | ||
}, | ||
"enableLookups": false | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.