From c62eeb7162d85c8cb162f8c0ad4b93fb5bccf981 Mon Sep 17 00:00:00 2001
From: Tietew
Date: Fri, 1 Apr 2022 01:28:34 +0900
Subject: [PATCH] fix(aws-cognito): Lambda::Permission of lambdaTrigger should have a SourceArn (#19622)

Fixes #19604
----
### All Submissions:
* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)
### Adding new Unconventional Dependencies:
* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)
### New Features
* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
* [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)?
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../@aws-cdk/aws-cognito/lib/user-pool.ts | 2 +-
 ...nteg.user-pool-custom-sender.expected.json | 8 +-
 ...teg.user-pool-explicit-props.expected.json | 80 ++++++++++++++++---
 .../aws-cognito/test/user-pool.test.ts | 10 ++-
 4 files changed, 85 insertions(+), 15 deletions(-)

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
index a4157d629307d..21a41f4c8721c 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
@@ -936,7 +936,7 @@ export class UserPool extends UserPoolBase {
     const capitalize = name.charAt(0).toUpperCase() + name.slice(1);
     fn.addPermission(`${capitalize}Cognito`, {
       principal: new ServicePrincipal('cognito-idp.amazonaws.com'),
-      sourceArn: this.userPoolArn,
+      sourceArn: Lazy.string({ produce: () => this.userPoolArn }),
     });
   }
 
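Review bot: The added `sourceArn` line fixes the missing condition but records nowhere why the value has to be read through `Lazy.string`, so a later cleanup back to the plain `this.userPoolArn` would silently reintroduce the bug; add above it `// Resolved lazily: userPoolArn is not yet assigned when the lambda triggers are wired up, so an eager read emitted a Permission without SourceArn (#19604)`. Without `SourceArn`, a resource policy granting `cognito-idp.amazonaws.com` lets any Cognito user pool, including one in another account, invoke the trigger function, so this condition is what scopes the grant to this pool. The constructor ordering is inferred from the commit's use of `Lazy` and should be confirmed against the constructor, which is outside this hunk, as is the start of the enclosing method.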
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json
index c28251be02c92..8bc2a5deae13f 100644
--- a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json
+++ b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json
@@ -60,7 +60,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "pool056F3F7E",
+            "Arn"
+          ]
+        }
       }
     },
     "keyFEDD6EC0": {
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json
index 0811dc3173db4..bf01ef9d1faaf 100644
--- a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json
+++ b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json
@@ -61,7 +61,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "customMessageServiceRoleB4AE7F17": {
@@ -125,7 +131,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "defineAuthChallengeServiceRole9E2D15DF": {
@@ -189,7 +201,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "postAuthenticationServiceRole5B3B242A": {
@@ -253,7 +271,13 @@
             "Arn"
          ]
        },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "postConfirmationServiceRole864BE5F9": {
@@ -317,7 +341,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preAuthenticationServiceRole9712F4D8": {
@@ -381,7 +411,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preSignUpServiceRole0A7E91EB": {
@@ -445,7 +481,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preTokenGenerationServiceRole430C3D14": {
@@ -509,7 +551,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "userMigrationServiceRole091766B0": {
@@ -573,7 +621,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "verifyAuthChallengeResponseServiceRole7077884C": {
@@ -637,7 +691,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "myuserpoolsmsRole0E16FDD9": {
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts
index b482d244ea6fa..25be5288800cf 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts
@@ -335,7 +335,7 @@ describe('User Pool', () => {
     const fn = fooFunction(stack, 'preSignUp');
 
     // WHEN
-    new UserPool(stack, 'Pool', {
+    const pool = new UserPool(stack, 'Pool', {
       lambdaTriggers: {
         preSignUp: fn,
       },
@@ -351,6 +351,7 @@ describe('User Pool', () => {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(fn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
   });
 
@@ -362,7 +363,7 @@ describe('User Pool', () => {
     const smsFn = fooFunction(stack, 'customSmsSender');
 
     // WHEN
-    new UserPool(stack, 'Pool', {
+    const pool = new UserPool(stack, 'Pool', {
       customSenderKmsKey: kmsKey,
       lambdaTriggers: {
         customEmailSender: emailFn,
@@ -387,11 +388,13 @@ describe('User Pool', () => {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(emailFn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
     Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(smsFn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
   });
 
@@ -479,6 +482,7 @@ describe('User Pool', () => {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(fn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
   });
 });
@@ -1760,4 +1764,4 @@ function fooFunction(scope: Construct, name: string): lambda.IFunction {
 
 function fooKey(scope: Construct, name: string): kms.Key {
   return new kms.Key(scope, name);
-}
\ No newline at end of file
+}