custom-resources: Custom resource provider framework not passing ResponseURL to user function
#21058
Comments
okonos
added
bug
github-actions
bot
added
the
@aws-cdk/custom-resources
peterwoodworth
added
effort/small
… `ResponseURL` to user function (#21065) #20889 included a change that broke the custom resource framework by not including the necessary presigned URL. This includes the presigned URL, and fixes the issue. This PR does not include test changes because this is the runtime code. Closes #21058 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
… `ResponseURL` to user function (#21065) #20889 included a change that broke the custom resource framework by not including the necessary presigned URL. This includes the presigned URL, and fixes the issue. This PR does not include test changes because this is the runtime code. Closes #21058 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… `ResponseURL` to user function (#21065) #20889 included a change that broke the custom resource framework by not including the necessary presigned URL. This includes the presigned URL, and fixes the issue. This PR does not include test changes because this is the runtime code. Closes #21058 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Note that there is a difference between Custom Resources written directly for CloudFormation, and Lambda Functions written for the Custom Resource Provider Framework! They look similar, but they are different. When you use the Custom Resource Provider Framework, your Lambda Function is not responsible for writing the response object. The framework does. You only have to make your Lambda function succeed or fail, as usual. See the documentation:
The documentation page proceeds to list a set of properties that are in the input. You will see that Yes, we included We are going to remove |
… `ResponseURL` to user function (aws#21065) aws#20889 included a change that broke the custom resource framework by not including the necessary presigned URL. This includes the presigned URL, and fixes the issue. This PR does not include test changes because this is the runtime code. Closes aws#21058 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
You've taken CloudFormation's own interface, changed it in a breaking way, but actually forgot to make said change, and now you're blaming everyone else for following one set of documentation over another set which until now was entirely redundant. Anyone who knows how to write a lambda backed custom resource without CDK can fall into this trap. Summarily neutering this functionality is definitely a shark-jumping breaking change. (In fact, learning about this today explains heaps about mysterious behaviour I didn't have the brain cells to fully investigate previously). |
|
Exisiting Custom resources are breaking in 2.31.0. This is a BREAKING change to CDK. @rix0rrr , you need to think about how to resolve this in a different way, becuase this BREAKS a lot of code. |
|
CDK 2.31.0 has a breaking change that prevents Lambda backed Custom resources from working.. |
|
While i agree in principal that there is a security weakness, its impact is minor to trivial. and compared to the serious impact that this is causing with a breaking change that this needs to be reverted. Perhaps a property in the custom resource handler that lets you set the behavior not to send the URL? It might in fact be something better set as a flag. |
|
Ok.. trouble over..; this has been rolled back in 2.31.1 Thanks.. I guess now we can have a chat about how to work through this. |
|
@rix0rrr Thanks. Having spent a lot of time writing custom resources in the past, I didn't read the docs carefully enough. The change breaking backwards compatibility is a valid concern, though. @mrpackethead It has not actually been rolled back, the input is still sanitized in |
|
@okonos , i have to go and have a look closer.. This might still be a problem for me. if its not returning the URL i've got a lot of Lambdas that are going to break. so, i'll be stuck at 2.30.0 |
|
@okonos is correct, the We will update the docs to clarify this soon. |
|
even that "rollback" doesn't fix the problem. just makes it |
|
@rix0rrr and @comcalvi .. This is a breaking change. that is anti the no breaking change promise of CDK2.0. While i agree that perhaps there is a better way to do this, we need to do this in a staged sensible way. There are thousands of custom lambdas that Just dont' work now with 2.31.0.. Irrispective of the docs being wrong or right. |
|
https://aws.amazon.com/blogs/developer/announcing-aws-cloud-development-kit-v2-developer-preview/ In AWS CDK v2, we no longer make intentional breaking changes to any APIs in minor version releases. Instead, we’re introducing a new lifecycle in which new, experimental construct libraries go through an incubation period as a library completely independent from the main aws-cdk-lib library. The packages are distributed with a name clearly indicating their experimental status, like @aws-cdk-experiments/aws-xxx, and are versioned with a version number 0.x to clearly indicate their pre-release status. Only after the new package has matured and has been put through its paces in several real-world scenarios will we include it into aws-cdk-lib as a stable module. This means that every method, class, and property in aws-cdk-lib is guaranteed to exist until the next major version update, and you can update to new minor versions at any time without having to touch your code. |
… `ResponseURL` to user function (aws#21065) aws#20889 included a change that broke the custom resource framework by not including the necessary presigned URL. We attempted to fix this with aws#21065 but it didn't resolve the issue and aws#21109 reverted the attempted fix. This changes explicitly includes the presigned URL, as well as adding tests to ensure the URL is passed to the downstream Lambda Function. Closes aws#21058
… `ResponseURL` to user function (#21117) #20889 included a change that broke the custom resource framework by not including the necessary presigned URL. We attempted to fix this with #21065 but it didn't resolve the issue and #21109 reverted the attempted fix. This changes explicitly includes the presigned URL, as well as adding tests to ensure the URL is passed to the downstream Lambda Function. Closes #21058 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
|
Apologies for the confusion everyone. We have just merged another fix for this (see #21117) and are expecting to ship it with the next release. |
… `ResponseURL` to user function (#21117) aws#20889 included a change that broke the custom resource framework by not including the necessary presigned URL. We attempted to fix this with #21065 but it didn't resolve the issue and #21109 reverted the attempted fix. This changes explicitly includes the presigned URL, as well as adding tests to ensure the URL is passed to the downstream Lambda Function. Closes #21058 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit ddfca48) # Conflicts: # packages/@aws-cdk/custom-resources/lib/provider-framework/runtime/framework.ts
… `ResponseURL` to user function (#21117) #20889 included a change that broke the custom resource framework by not including the necessary presigned URL. We attempted to fix this with #21065 but it didn't resolve the issue and #21109 reverted the attempted fix. This changes explicitly includes the presigned URL, as well as adding tests to ensure the URL is passed to the downstream Lambda Function. Closes #21058 ---- * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Hi everyone, we released CDK versions |
|
@kaizencc , that looks like its working in a trivial test case i have. Theres some good ideas here that need exploring though, and it might be possible to improve how we use the custom resources moving forward. |
|
@mrpackethead, happy that it looks like we have rolled back any breaking changes with the latest release. We have some internal ideas for improvements here (keeping it vague because I actually wasn't involved in those discussions :)) but I think it would be awesome if you could open a new github issue describing some of the improvements listed in this thread -- this thread is closed, so there's less visibility, and there's a lot of clutter regarding our treatment of breaking changes :). |
Describe the bug
According to AWS custom resource reference,
ResponseURLis a required request field.The behavior of custom resource provider framework was changed in
2.31.0to not pass it to user function. It's discussed in #20899.Without
ResponseURL, the provider function fails trying to send the response to CloudFormation.It works as expected in version
2.30.0.Expected Behavior
Custom resource should be created without errors.
Current Behavior
Custom resource creation fails with following error (Golang function, the
ResponseURLin the event it receives is an empty string):Reproduction Steps
Sample custom resource function from:
https://pkg.go.dev/github.com/aws/aws-lambda-go/cfn#readme-sample-function
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.31.0 (build b67950d)
Framework Version
No response
Node.js Version
v16.15.1
OS
Ubuntu
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: