
Conversation

@kumvprat
Contributor

@kumvprat kumvprat commented Oct 13, 2025

Issue # (if applicable)

Closes #.

Reason for this change

This change is tracking https://github.com/aws/aws-cdk-private/pull/278

Lambda is introducing dual auth on function URLs (FURL), which requires an allow on both lambda:InvokeFunction and lambda:InvokeFunctionUrl (dual auth) for a function to be invoked through a FURL. Before, it only required an allow on lambda:InvokeFunctionUrl.

Please notice this is a breaking change on the Lambda side, so a few integration tests' snapshots will need to be overwritten.

Description of changes

aws-lambda.FunctionUrl() with FunctionUrlAuthType.NONE will create a FURL resource and add dual auth to allow the same user experience as before (this function only added an allow on lambda:InvokeFunctionUrl before).

aws-lambda.FunctionUrl.grantInvokeUrl(grantee) will grant dual auth to the grantee, to ensure the user will still be able to invoke their FURL.

Also, a new prop invokedViaFunctionUrl is introduced on lambda:InvokeFunction; the dual auth granted above will set lambda:InvokedViaFunctionUrl: true. When this prop is set to true, this permission will only allow the principal to invoke the Lambda function through the FURL. This additional permission will not allow the granted principal to invoke Lambda directly without the FURL. If the user needs this permission, they will still need to call lambda.Function.grantInvoke(grantee) directly.

Describe any new or updated permissions being added

As mentioned above, grantInvokeUrl will add an additional permission, lambda:InvokeFunction, to allow FURL invocation without the need for a code change after dual auth goes live.

Example

  testroleDefaultPolicy884631E2:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: lambda:InvokeFunction  # new permission for dual auth
            Effect: Allow
            Resource:
              - Fn::GetAtt:
                  - fn5FF616E3
                  - Arn
              - Fn::Join:
                  - ""
                  - - Fn::GetAtt:
                        - fn5FF616E3
                        - Arn
                    - :*
            Condition:
              Bool:
                lambda:InvokedViaFunctionUrl: "true"  # only valid for invoke through FURL
          - Action: lambda:InvokeFunctionUrl  # existing permission
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - fn5FF616E3
                - Arn
        Version: "2012-10-17"
      PolicyName: testroleDefaultPolicy884631E2
      Roles:
        - Ref: testroleB50A37BE

Description of how you validated changes

New test cases are added.
Integration test snapshots are updated.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
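As an added example (not aws-cdk code and not part of this PR), the two statements the description says grantInvokeUrl now emits, modelled as plain objects next to a minimal IAM-style evaluator for the Bool condition. The ARN is a constructed placeholder; the point it shows is that the conditioned lambda:InvokeFunction allow applies only when lambda:InvokedViaFunctionUrl is present in the request, so a direct invoke is still not permitted.

```typescript
// Added example (not aws-cdk code): the dual-auth grant from the PR plus a minimal Bool-condition evaluator.
type Statement = {
  Action: string;
  Effect: "Allow";
  Resource: string[];
  Condition?: { Bool: Record<string, string> };
};
// Request context as IAM sees it; on a direct invoke the FURL key is absent.
type RequestContext = { action: string; resource: string; keys: Record<string, string> };
// Constructed placeholder ARN for the example.
const FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn";

// The two statements grantInvokeUrl now emits: the existing InvokeFunctionUrl
// allow plus an InvokeFunction allow gated on lambda:InvokedViaFunctionUrl.
function dualAuthStatements(fnArn: string): Statement[] {
  return [
    {
      Action: "lambda:InvokeFunction",
      Effect: "Allow",
      Resource: [fnArn, `${fnArn}:*`],
      Condition: { Bool: { "lambda:InvokedViaFunctionUrl": "true" } },
    },
    { Action: "lambda:InvokeFunctionUrl", Effect: "Allow", Resource: [fnArn] },
  ];
}

// A Bool condition matches only when the key is present with the given value;
// with the key absent the statement does not apply, which is what keeps the
// conditioned InvokeFunction allow from granting direct invocation.
function isAllowed(stmts: Statement[], req: RequestContext): boolean {
  return stmts.some((s) => {
    if (s.Action !== req.action) return false;
    if (!s.Resource.includes(req.resource)) return false;
    if (!s.Condition) return true;
    return Object.entries(s.Condition.Bool).every(([k, v]) => req.keys[k] === v);
  });
}

// Through the FURL both actions are checked and both are allowed.
function viaFunctionUrl(fnArn: string = FN_ARN): boolean {
  const keys = { "lambda:InvokedViaFunctionUrl": "true" };
  const stmts = dualAuthStatements(fnArn);
  return ["lambda:InvokeFunctionUrl", "lambda:InvokeFunction"].every((action) =>
    isAllowed(stmts, { action, resource: fnArn, keys }));
}

// Direct invoke, no FURL: the grant must not allow it.
function directInvoke(fnArn: string = FN_ARN): boolean {
  return isAllowed(dualAuthStatements(fnArn), { action: "lambda:InvokeFunction", resource: fnArn, keys: {} });
}
```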

@aws-cdk-automation aws-cdk-automation requested a review from a team October 13, 2025 11:34
@github-actions github-actions bot added the p2 label Oct 13, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 13, 2025
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


(This review is outdated)

@kumvprat
Contributor Author

Exemption Request: Changes bring a new default behaviour, will not require test updates

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Oct 13, 2025
@vishaalmehrishi
Contributor

Reviewed thoroughly in the private repo with the service team. Approved since this is a clone of that PR.

@kumvprat kumvprat added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Oct 13, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 13, 2025 13:21

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@kumvprat kumvprat added pr/do-not-merge This PR should not be merged at this time. and removed pr/do-not-merge This PR should not be merged at this time. labels Oct 13, 2025
@kumvprat
Contributor Author

@Mergifyio requeue

@mergify
Contributor

mergify bot commented Oct 13, 2025

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

@kumvprat
Contributor Author

@Mergifyio queue

@mergify
Contributor

mergify bot commented Oct 13, 2025

queue

🛑 There are no queue conditions matching

There are queue conditions defined in the configuration, but none matches. The pull request has not been embarked.

Details:

  • Queue default-merge:
  • -closed
  • -merged
  • label~=no-squash
  • #approved-reviews-by>=1
  • #changes-requested-reviews-by=0
  • -approved-reviews-by~=author
  • -label~=(blocked|do-not-merge)
  • -title~=(WIP|wip)
  • check-success=build
  • check-success=validate-pr
  • any of:
    • -label~=pr/needs-integration-tests-deployment
    • check-success=integration_test_deployment
  • Queue priority-squash:
  • -closed
  • -merged
  • label~=priority-pr
  • #approved-reviews-by>=1
  • #changes-requested-reviews-by=0
  • -approved-reviews-by~=author
  • -label~=(blocked|do-not-merge|no-squash)
  • -title~=(WIP|wip)
  • base!=release
  • check-success=build
  • check-success=validate-pr
  • any of:
    • -label~=pr/needs-integration-tests-deployment
    • check-success=integration_test_deployment
  • Queue default-squash:
  • -closed
  • -merged
  • #approved-reviews-by>=1
  • #changes-requested-reviews-by=0
  • -approved-reviews-by~=author
  • -label~=(blocked|do-not-merge|no-squash|priority-pr)
  • -title~=(WIP|wip)
  • base!=release
  • check-success=build
  • check-success=validate-pr
  • any of:
    • -label~=pr/needs-integration-tests-deployment
    • check-success=integration_test_deployment

@mergify
Contributor

mergify bot commented Oct 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot added the queued label Oct 13, 2025
@mergify
Contributor

mergify bot commented Oct 13, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit d38d015 into main Oct 13, 2025
20 checks passed
@mergify mergify bot deleted the dual_auth2 branch October 13, 2025 15:38
@mergify mergify bot removed the queued label Oct 13, 2025
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 13, 2025