(Lambda): CodeSigningConfig UntrustedArtifactOnDeployment using incorrect string #13586

Closed
SimonJang opened this issue Mar 14, 2021 · 1 comment · Fixed by #13667
Labels: @aws-cdk/aws-lambda, bug, effort/small, p1


@SimonJang

The enum `UntrustedArtifactOnDeployment` provided by the `@aws-cdk/aws-lambda` package is incorrect.

Reproduction Steps

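```typescript
import { CodeSigningConfig, UntrustedArtifactOnDeployment } from '@aws-cdk/aws-lambda';
import { Platform, SigningProfile } from '@aws-cdk/aws-signer';
import { Duration } from '@aws-cdk/core';

// The statements below run inside a Stack or Construct constructor (`this` is the scope).

// Create a Signing profile
const signingProfile = new SigningProfile(this, 'code-signing-profile', {
  platform: Platform.AWS_LAMBDA_SHA384_ECDSA,
  signatureValidity: Duration.days(365)
});

// Create the Code signing configuration for AWS Lambda
const codeSigningConfig = new CodeSigningConfig(this, 'code-signing-lambda-configuration', {
  untrustedArtifactOnDeployment: UntrustedArtifactOnDeployment.WARN, // fails
  signingProfiles: [signingProfile]
});
```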

The error is in the `@aws-cdk/aws-lambda` package. `enforce` should be `Enforce` and `warn` should be `Warn`.

```typescript
export declare enum UntrustedArtifactOnDeployment {
    /**
     * Lambda blocks the deployment request if signature validation checks fail.
     *
     * @stability stable
     */
    ENFORCE = "enforce",
    /**
     * Lambda allows the deployment of the code package, but issues a warning.
     *
     * Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail.
     *
     * @stability stable
     */
    WARN = "warn"
}
```

What did you expect to happen?

Should deploy since the enum UntrustedArtifactOnDeployment is used from the @aws-cdk/aws-lambda package.

What actually happened?

```
Model validation failed (#/CodeSigningPolicies/UntrustedArtifactOnDeployment: #: only 1 subschema matches out of 2)
#/CodeSigningPolicies/UntrustedArtifactOnDeployment: failed validation constraint for keyword [enum] (#/CodeSigningPolicies/UntrustedArtifactOnDeployment)
```

Environment

  • CDK CLI Version : 1.93.0
  • Framework Version: 1.93.0
  • Node.js Version: v14.15.4
  • OS : Ubuntu 18.04.3 LTS
  • Language (Version): TypeScript

Other

The error is in the `@aws-cdk/aws-lambda` package. `enforce` should be `Enforce` and `warn` should be `Warn`.

```typescript
export declare enum UntrustedArtifactOnDeployment {
    /**
     * Lambda blocks the deployment request if signature validation checks fail.
     *
     * @stability stable
     */
    ENFORCE = "enforce",
    /**
     * Lambda allows the deployment of the code package, but issues a warning.
     *
     * Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail.
     *
     * @stability stable
     */
    WARN = "warn"
}
```

Temporary workaround.

```typescript
const codeSigningConfig = new CodeSigningConfig(this, 'code-signing-lambda-configuration', {
  untrustedArtifactOnDeployment: 'Warn' as UntrustedArtifactOnDeployment.WARN,
  signingProfiles: [signingProfile]
});
```

This is 🐛 Bug Report

nija-at pushed a commit that referenced this issue Mar 18, 2021
The allowed values for `UntrustedArtifactOnDeployment` in the
`AWS::Lambda::CodeSigningConfig` resource type are 'Warn' and 'Enforce'.

This was incorrectly set in the CDK.

fixes #13586
@mergify mergify bot closed this as completed in #13667 Mar 19, 2021
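
A pre-deploy check over a synthesized template for the casing mismatch reported in this issue, as an added example that is not aws-cdk code. The function name, logical IDs and sample template are constructed; the allowed values are the ones quoted in the fix commit above.

```typescript
// Added example, not aws-cdk code. Allowed values as quoted in the fix commit.
const ALLOWED = ['Warn', 'Enforce'] as const;

interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { logicalId: string; value: string; suggestion: string | undefined; }

// One finding per AWS::Lambda::CodeSigningConfig whose
// UntrustedArtifactOnDeployment is not an exact, case-sensitive match.
function checkCodeSigningPolicies(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (!res || res.Type !== 'AWS::Lambda::CodeSigningConfig') continue;
    const props: Record<string, unknown> = res.Properties || {};
    const policies = props['CodeSigningPolicies'] as Record<string, unknown> | undefined;
    const raw = policies ? policies['UntrustedArtifactOnDeployment'] : undefined;
    if (raw === undefined) continue; // property omitted: nothing to validate here
    const value = typeof raw === 'string' ? raw : JSON.stringify(raw);
    if ((ALLOWED as readonly string[]).indexOf(value) !== -1) continue;
    // A case-only mismatch (the bug in this issue) gets the correctly cased value.
    const suggestion = ALLOWED.filter(a => a.toLowerCase() === value.toLowerCase())[0];
    findings.push({ logicalId, value, suggestion });
  }
  return findings;
}

// Constructed template: logical IDs and the ARN placeholder are made up.
const sampleTemplate: CfnTemplate = {
  Resources: {
    SigningConfigLowercase: {
      Type: 'AWS::Lambda::CodeSigningConfig',
      Properties: {
        AllowedPublishers: { SigningProfileVersionArns: ['<signing-profile-version-arn>'] },
        CodeSigningPolicies: { UntrustedArtifactOnDeployment: 'warn' },
      },
    },
    SigningConfigCorrect: {
      Type: 'AWS::Lambda::CodeSigningConfig',
      Properties: { CodeSigningPolicies: { UntrustedArtifactOnDeployment: 'Enforce' } },
    },
    SomeFunction: { Type: 'AWS::Lambda::Function' },
  },
};

for (const f of checkCodeSigningPolicies(sampleTemplate)) {
  console.log(`${f.logicalId}: "${f.value}" is not allowed` +
    (f.suggestion ? `, did you mean "${f.suggestion}"?` : ''));
}
```

Running a check like this against the synthesized template surfaces the bad value before CloudFormation rejects it with the model validation error shown in the issue.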
mergify bot pushed a commit that referenced this issue Mar 19, 2021

eladb pushed a commit that referenced this issue Mar 24, 2021
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021