From 88b28d83fd1612d46e9533d621f2fadfb5039ee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Fri, 22 Jan 2021 09:34:53 +0900 Subject: [PATCH 01/46] feat(lambda-code-signing): create draft code --- .../aws-lambda/lib/code-signing-config.ts | 37 +++++++++++++++++++ packages/@aws-cdk/aws-lambda/lib/function.ts | 6 +++ 2 files changed, 43 insertions(+) create mode 100644 packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts new file mode 100644 index 0000000000000..2f0643b96a611 --- /dev/null +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -0,0 +1,37 @@ +import { Resource } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import { CfnCodeSigningConfig } from './lambda.generated'; + +export enum UntrustedArtifactOnDeployment { + ENFORCE = 'enforce', + WARN = 'warn', +} + +export interface CodeSigningConfigOptions { + signingProfileVersionArn: string[], + untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, + description?: string +} + +export class CodeSigningConfig extends Resource { + public readonly codeSigningConfigArn: string; + + constructor(scope: Construct, id: string, props: CodeSigningConfigOptions) { + super(scope, id); + + if (props.signingProfileVersionArn.length > 20) { + throw new Error('Signing profile version arn is up to 20'); + } + + const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { + allowedPublishers: { + signingProfileVersionArns: props.signingProfileVersionArn, + }, + codeSigningPolicies: { + untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment + }, + description: props.description + }); + this.codeSigningConfigArn = resource.ref; + } +} diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index 0e56ee695d4e5..3f170e186a998 100644 
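Review bot: The `signingProfileVersionArn.length > 20` guard in the new `CodeSigningConfig` constructor throws a message that names neither the limit's subject nor the offending count; `throw new Error(\`A CodeSigningConfig accepts at most 20 signing profile version ARNs, got ${props.signingProfileVersionArn.length}\`);` makes the failure actionable. The `CodeSigningConfigOptions` fields are not `readonly` and carry no JSDoc, unlike the documented `readonly environmentEncryption?: kms.IKey;` props in function.ts that this commit touches. Leaving `untrustedArtifactOnDeployment` undefined hands the decision to the service default, which the props doc should state in an `@default` tag so callers know whether unsigned artifacts are blocked or only logged.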
--- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts @@ -19,6 +19,7 @@ import { CfnFunction } from './lambda.generated'; import { ILayerVersion } from './layers'; import { LogRetentionRetryOptions } from './log-retention'; import { Runtime } from './runtime'; +import { CodeSigningConfig } from 'aws-lambda/lib/code-signing-config'; /** * X-Ray Tracing Modes (https://docs.aws.amazon.com/lambda/latest/dg/API_TracingConfig.html) @@ -290,6 +291,8 @@ export interface FunctionOptions extends EventInvokeConfigOptions { * @default - AWS Lambda creates and uses an AWS managed customer master key (CMK). */ readonly environmentEncryption?: kms.IKey; + + readonly codeSigningConfig?: CodeSigningConfig; } export interface FunctionProps extends FunctionOptions { @@ -526,6 +529,8 @@ export class Function extends FunctionBase { private _logGroup?: logs.ILogGroup; + private readonly codeSigningConfig?: CodeSigningConfig; + /** * Environment variables for this function */ @@ -641,6 +646,7 @@ export class Function extends FunctionBase { }), kmsKeyArn: props.environmentEncryption?.keyArn, fileSystemConfigs, + codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn }); resource.node.addDependency(this.role); From 747a414d91d5513c11170d528978d05911a5e892 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Thu, 28 Jan 2021 07:39:24 +0900 Subject: [PATCH 02/46] create base of Signer Profile --- .../@aws-cdk/aws-signer/lib/signer-profile.ts | 85 +++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 packages/@aws-cdk/aws-signer/lib/signer-profile.ts diff --git a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts new file mode 100644 index 0000000000000..b4762f03c359b --- /dev/null +++ b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts 
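Review bot: `codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn` dereferences an optional prop with no guard, so every Function built without a code signing config fails under strictNullChecks and would throw at synth time; use `codeSigningConfigArn: props.codeSigningConfig?.codeSigningConfigArn,`. The import `from 'aws-lambda/lib/code-signing-config'` is a bare package path, while every neighbouring import of a sibling module is relative; `import { CodeSigningConfig } from './code-signing-config';` matches them. The new `private readonly codeSigningConfig?: CodeSigningConfig;` field is declared but never assigned in these hunks. The Function constructor body lies outside the hunk.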
@@ -0,0 +1,85 @@ +import { Construct, IResource, Resource } from '@aws-cdk/core'; +import { CfnSigningProfile } from './signer.generated'; + +export interface ISigningProfile extends IResource { + /** + * The ARN of the signing profile. + * @Attribute + */ + readonly signingProfileArn: string; + + /** + * The name of signing profile. + * @Attribute + */ + readonly signingProfileName: string; + + /** + * The version of signing profile. + * @Attribute + */ + readonly signingProfileVersion: string; + + /** + * The ARN of signing profile version. + * @Attribute + */ + readonly signingProfileVersionArn: string; +} + +export enum SignatureValidityPeriodTypes { + DAYS = 'DAYS', + MONTHS = 'MONTHS', + YEARS = 'YEARS', +} + +class SignatureValidityPeriodProperty { + readonly type: SignatureValidityPeriodTypes; + readonly value: number; + + constructor( type: SignatureValidityPeriodTypes, value: number ) { + this.type = type; + this.value = value; + } +} + +abstract class SigningProfileBase extends Resource implements ISigningProfile { + public abstract readonly signingProfileArn: string; + public abstract readonly signingProfileName: string; + public abstract readonly signingProfileVersion: string; + public abstract readonly signingProfileVersionArn: string; +} + +export interface SigningProfileProps { + /* + * The ID of a platform that is available for use by a signing profile. + */ + readonly platformId: string; + + /* + * The validity period override for any signature generated using + * this signing profile. If unspecified, the default is 135 months. 
+ */ + readonly signatureValidityPeriod?: SignatureValidityPeriodProperty; +} + +export class SigningProfile extends SigningProfileBase { + public readonly signingProfileArn: string; + public readonly signingProfileName: string; + public readonly signingProfileVersion: string; + public readonly signingProfileVersionArn: string; + + constructor(scope: Construct, id: string, props: SigningProfileProps) { + super(scope, id); + + const resource = new CfnSigningProfile( this, 'Resource', { + platformId: props.platformId, + signatureValidityPeriod: props.signatureValidityPeriod, + } ); + + this.signingProfileArn = resource.attrArn; + this.signingProfileName = resource.attrProfileName; + this.signingProfileVersion = resource.attrProfileVersion; + this.signingProfileVersionArn = resource.attrProfileVersionArn; + } +} From b2b326331f4a6c51a1d98560885354325dee73f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Thu, 28 Jan 2021 07:53:05 +0900 Subject: [PATCH 03/46] modify lambda code signing config --- .../aws-lambda/lib/code-signing-config.ts | 35 ++++++++++++++----- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 2f0643b96a611..b1419c6b07247 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts 
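Review bot: `SignatureValidityPeriodProperty` is a non-exported class, yet the exported `SigningProfileProps.signatureValidityPeriod` is typed with it, so package consumers cannot construct a value for the property; either export it or, since `CfnSigningProfile` is only handed its `type`/`value` fields, replace it with an exported interface. The comments on `SigningProfileProps` open with `/*` rather than `/**`, so they are ordinary comments and will not be picked up as JSDoc. `SignatureValidityPeriodTypes` is plural for an enum whose values are single periods; `SignatureValidityPeriodType` reads as the type of one value.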
@@ -1,37 +1,54 @@ -import { Resource } from '@aws-cdk/core'; +import { IResource, Resource } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { CfnCodeSigningConfig } from './lambda.generated'; +import { SigningProfile } from '@aws-cdk/aws-signer'; export enum UntrustedArtifactOnDeployment { ENFORCE = 'enforce', WARN = 'warn', } -export interface CodeSigningConfigOptions { - signingProfileVersionArn: string[], +export interface ICodeSigningConfig extends IResource { + /** + * The ARN of Code Signing Config + * @Attribute CodeSigningConfigArn + */ + readonly codeSigningConfigArn: string; + + /** + * The id of Code Signing Config + * @Attribute CodeSigningConfigId + */ + readonly codeSigningConfigId: string; +} + +export interface CodeSigningConfigProps { + signingProfile: SigningProfile, untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, description?: string } -export class CodeSigningConfig extends Resource { - public readonly codeSigningConfigArn: string; +export class CodeSigningConfig extends Resource implements ICodeSigningConfig{ + readonly codeSigningConfigArn: string; + readonly codeSigningConfigId: string; - constructor(scope: Construct, id: string, props: CodeSigningConfigOptions) { + constructor(scope: Construct, id: string, props: CodeSigningConfigProps) { super(scope, id); - if (props.signingProfileVersionArn.length > 20) { + if (props.signingProfile.length > 20) { throw new Error('Signing profile version arn is up to 20'); } const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { allowedPublishers: { - signingProfileVersionArns: props.signingProfileVersionArn, + signingProfileVersionArns: props.signingProfile.signingProfileVersionArn, }, codeSigningPolicies: { untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment }, description: props.description }); - this.codeSigningConfigArn = resource.ref; + this.codeSigningConfigArn = resource.attrCodeSigningConfigArn; + 
this.codeSigningConfigId = resource.attrCodeSigningConfigId; } } From b1b3f40da24848a358a7533e8ec711a744c6af28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Wed, 3 Feb 2021 08:03:57 +0900 Subject: [PATCH 04/46] modify @Attribute => @attribute delete class SigningProfileBase execute `yarn pkglint` and fix 'maturity' in package.json --- .../aws-lambda/lib/code-signing-config.ts | 4 ++-- .../@aws-cdk/aws-signer/lib/signer-profile.ts | 19 ++++++------------- packages/@aws-cdk/aws-signer/package.json | 2 +- 3 files changed, 9 insertions(+), 16 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index b1419c6b07247..8282fa457b060 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -11,13 +11,13 @@ export enum UntrustedArtifactOnDeployment { export interface ICodeSigningConfig extends IResource { /** * The ARN of Code Signing Config - * @Attribute CodeSigningConfigArn + * @attribute CodeSigningConfigArn */ readonly codeSigningConfigArn: string; /** * The id of Code Signing Config - * @Attribute CodeSigningConfigId + * @attribute CodeSigningConfigId */ readonly codeSigningConfigId: string; } diff --git a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts index b4762f03c359b..aa982f6cc89a9 100644 --- a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts 
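Review bot: `props.signingProfile` is now a single `SigningProfile`, so `props.signingProfile.length > 20` has no `length` to read and will not compile, and `signingProfileVersionArns: props.signingProfile.signingProfileVersionArn` passes one string where `CfnCodeSigningConfig` previously received a `string[]`. If one profile is intended, drop the length check and wrap the ARN: `signingProfileVersionArns: [props.signingProfile.signingProfileVersionArn],`; if several are intended, keep an array type on the prop. Importing the concrete `SigningProfile` rather than the `ISigningProfile` interface declared in the same series also means any imported or externally referenced profile cannot be passed here. `implements ICodeSigningConfig{` is missing the space before the brace.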
@@ -4,25 +4,25 @@ import { CfnSigningProfile } from './signer.generated'; export interface ISigningProfile extends IResource { /** * The ARN of the signing profile. - * @Attribute + * @attribute */ readonly signingProfileArn: string; /** * The name of signing profile. - * @Attribute + * @attribute */ readonly signingProfileName: string; /** * The version of signing profile. - * @Attribute + * @attribute */ readonly signingProfileVersion: string; /** * The ARN of signing profile version. - * @Attribute + * @attribute */ readonly signingProfileVersionArn: string; } @@ -37,19 +37,12 @@ class SignatureValidityPeriodProperty { readonly type: SignatureValidityPeriodTypes; readonly value: number; - constructor( type: SignatureValidityPeriodTypes, value: number ) { + constructor(type: SignatureValidityPeriodTypes, value: number) { this.type = type; this.value = value; } } -abstract class SigningProfileBase extends Resource implements ISigningProfile { - public abstract readonly signingProfileArn: string; - public abstract readonly signingProfileName: string; - public abstract readonly signingProfileVersion: string; - public abstract readonly signingProfileVersionArn: string; -} - export interface SigningProfileProps { /* * The ID of a platform that is available for use by a signing profile. @@ -63,7 +56,7 @@ export interface SigningProfileProps { readonly signatureValidityPeriod?: SignatureValidityPeriodProperty; } -export class SigningProfile extends SigningProfileBase { +export class SigningProfile extends Resource implements ISigningProfile { public readonly signingProfileArn: string; public readonly signingProfileName: string; public readonly signingProfileVersion: string; diff --git a/packages/@aws-cdk/aws-signer/package.json b/packages/@aws-cdk/aws-signer/package.json index 4d9d5cef26a04..687bd23662b48 100644 --- a/packages/@aws-cdk/aws-signer/package.json +++ b/packages/@aws-cdk/aws-signer/package.json 
@@ -88,7 +88,7 @@ "node": ">= 10.13.0 <13 || >=13.7.0" }, "stability": "experimental", - "maturity": "cfn-only", + "maturity": "experimental", "awscdkio": { "announce": false } From 4c88f713c47c4399f4716c5fb679abe4cca4de9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Wed, 3 Feb 2021 09:34:43 +0900 Subject: [PATCH 05/46] modify README using pkglint --- packages/@aws-cdk/aws-signer/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index 5482a0b23c900..e336a3465ebcb 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md @@ -9,6 +9,14 @@ > > [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib +![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge) + +> The APIs of higher level constructs in this module are experimental and under active development. +> They are subject to non-backward compatible changes or removal in any future version. These are +> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be +> announced in the release notes. This means that while you may use them, you may need to update +> your source code when upgrading to a newer version of this package. + --- From a943ba8c2503a7bdadba0891c421d1262d40c002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Thu, 4 Feb 2021 07:44:03 +0900 Subject: [PATCH 06/46] modify ci errors --- packages/@aws-cdk/aws-lambda/package.json | 2 ++ packages/@aws-cdk/aws-signer/test/signer.test.ts | 2 ++ 2 files changed, 4 insertions(+) diff --git a/packages/@aws-cdk/aws-lambda/package.json b/packages/@aws-cdk/aws-lambda/package.json index 3387ef50c2623..69955e8a9e594 100644 --- a/packages/@aws-cdk/aws-lambda/package.json 
+++ b/packages/@aws-cdk/aws-lambda/package.json @@ -99,6 +99,7 @@ "@aws-cdk/aws-logs": "0.0.0", "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-assets": "0.0.0", + "@aws-cdk/aws-signer": "0.0.0", "@aws-cdk/aws-sqs": "0.0.0", "@aws-cdk/core": "0.0.0", "@aws-cdk/cx-api": "0.0.0", @@ -119,6 +120,7 @@ "@aws-cdk/aws-logs": "0.0.0", "@aws-cdk/aws-s3": "0.0.0", "@aws-cdk/aws-s3-assets": "0.0.0", + "@aws-cdk/aws-signer": "0.0.0", "@aws-cdk/aws-sqs": "0.0.0", "@aws-cdk/core": "0.0.0", "@aws-cdk/cx-api": "0.0.0", diff --git a/packages/@aws-cdk/aws-signer/test/signer.test.ts b/packages/@aws-cdk/aws-signer/test/signer.test.ts index e394ef336bfb4..22215adfdfae0 100644 --- a/packages/@aws-cdk/aws-signer/test/signer.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signer.test.ts @@ -4,3 +4,5 @@ import {} from '../lib'; test('No tests are specified for this package', () => { expect(true).toBe(true); }); + +// TODO: Implement tests From 665df39bdb685fee334ac12ce01ea8b7bc073d56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Thu, 4 Feb 2021 08:09:20 +0900 Subject: [PATCH 07/46] add module export to aws-signer/lib/index --- packages/@aws-cdk/aws-signer/lib/index.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/@aws-cdk/aws-signer/lib/index.ts b/packages/@aws-cdk/aws-signer/lib/index.ts index 9c56379e86c19..a3c22144a3b2d 100644 --- a/packages/@aws-cdk/aws-signer/lib/index.ts +++ b/packages/@aws-cdk/aws-signer/lib/index.ts @@ -1,2 +1,3 @@ // AWS::Signer CloudFormation Resources: export * from './signer.generated'; +export * from './signer-profile'; From 0aee381cc8c0b8c1c9975c76e001d40ad6ffe313 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Thu, 4 Feb 2021 09:40:02 +0900 Subject: [PATCH 08/46] add construct to dependancy --- packages/@aws-cdk/aws-signer/package.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/packages/@aws-cdk/aws-signer/package.json b/packages/@aws-cdk/aws-signer/package.json index 687bd23662b48..8b2000221e7bc 100644 --- a/packages/@aws-cdk/aws-signer/package.json +++ b/packages/@aws-cdk/aws-signer/package.json @@ -79,10 +79,12 @@ "pkglint": "0.0.0" }, "dependencies": { - "@aws-cdk/core": "0.0.0" + "@aws-cdk/core": "0.0.0", + "constructs": "^3.2.0" }, "peerDependencies": { - "@aws-cdk/core": "0.0.0" + "@aws-cdk/core": "0.0.0", + "constructs": "^3.2.0" }, "engines": { "node": ">= 10.13.0 <13 || >=13.7.0" From f10b46ff30dcfaae84cd613f818e5f1d52da79ad Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Fri, 5 Feb 2021 06:29:12 +0900 Subject: [PATCH 09/46] make signingProfiles to list Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 8282fa457b060..c6aa3b35de55b 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -23,7 +23,7 @@ export interface ICodeSigningConfig extends IResource { } export interface CodeSigningConfigProps { - signingProfile: SigningProfile, + signingProfiles: ISigningProfile[], untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, description?: string } From 278c0ef4328944b87532b470c25506528ed3f88a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Fri, 5 Feb 2021 09:51:49 +0900 Subject: [PATCH 10/46] fix: build errors --- .../@aws-cdk/aws-signer/lib/signer-profile.ts | 121 +++++++++++++----- 1 file changed, 90 insertions(+), 31 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts index aa982f6cc89a9..c085b7b774e6c 100644 --- a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts 
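Review bot: `ISigningProfile[]` refers to a name this file does not import — the only import from `@aws-cdk/aws-signer` added earlier in the series is `SigningProfile` — so `signingProfiles: ISigningProfile[],` leaves the module failing to compile; change the import to `import { ISigningProfile } from '@aws-cdk/aws-signer';`. The constructor body, outside this hunk, still reads `props.signingProfile.length` and `props.signingProfile.signingProfileVersionArn`, so renaming the prop to a list breaks those references until the body maps over `signingProfiles`.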
+++ b/packages/@aws-cdk/aws-signer/lib/signer-profile.ts @@ -1,6 +1,10 @@ -import { Construct, IResource, Resource } from '@aws-cdk/core'; +import { Construct } from 'constructs'; +import { Duration, IResource, Resource } from '@aws-cdk/core'; import { CfnSigningProfile } from './signer.generated'; +/** + * A Signer Profile + */ export interface ISigningProfile extends IResource { /** * The ARN of the signing profile. 
@@ -12,67 +16,122 @@ export interface ISigningProfile extends IResource { * The name of signing profile. * @attribute */ - readonly signingProfileName: string; + readonly signingProfileProfileName: string; /** * The version of signing profile. * @attribute */ - readonly signingProfileVersion: string; + readonly signingProfileProfileVersion: string; /** * The ARN of signing profile version. * @attribute */ - readonly signingProfileVersionArn: string; -} - -export enum SignatureValidityPeriodTypes { - DAYS = 'DAYS', - MONTHS = 'MONTHS', - YEARS = 'YEARS', -} - -class SignatureValidityPeriodProperty { - readonly type: SignatureValidityPeriodTypes; - readonly value: number; - - constructor(type: SignatureValidityPeriodTypes, value: number) { - this.type = type; - this.value = value; - } + readonly signingProfileProfileVersionArn: string; } +/** + * Construction properties for a Signer Profile object + */ export interface SigningProfileProps { - /* + /** * The ID of a platform that is available for use by a signing profile. */ readonly platformId: string; - /* + /** * The validity period override for any signature generated using * this signing profile. If unspecified, the default is 135 months. + * + * @default - 135 MONTHS + */ + readonly signatureValidityPeriod?: Duration; + + /** + * Physical name of this Signing Profile. + * + * @default - Assigned by CloudFormation (recommended). + */ + readonly signingProfileName?: string; +} + +/** + * A reference to a Signing Profile + */ +export interface SigningProfileAttributes { + /** + * The ARN of the signing profile. + */ + readonly signingProfileArn: string; + + /** + * The name of signing profile. */ - readonly signatureValidityPeriod?: SignatureValidityPeriodProperty; + readonly signingProfileProfileName: string; + + /** + * The version of signing profile. + */ + readonly signingProfileProfileVersion: string; + + /** + * The ARN of signing profile version. 
+ */ + readonly signingProfileProfileVersionArn: string; } +/** + * Defines a Signer Profile. + * + * @resource AWS::Signer::SigningProfile + */ export class SigningProfile extends Resource implements ISigningProfile { + /** + * Creates a Signing Profile construct that represents an external Signing Profile. + * + * @param scope The parent creating construct (usually `this`). + * @param id The construct's name. + * @param attrs A `SigningProfileAttributes` object. + */ + public static fromSigningProfileAttributes( scope: Construct, id: string, attrs: SigningProfileAttributes): ISigningProfile { + class Import extends Resource implements ISigningProfile { + public readonly signingProfileArn = attrs.signingProfileArn; + public readonly signingProfileProfileName = attrs.signingProfileProfileName; + public readonly signingProfileProfileVersion = attrs.signingProfileProfileVersion; + public readonly signingProfileProfileVersionArn = attrs.signingProfileProfileVersionArn; + + constructor() { + super(scope, id); + } + } + return new Import(); + } + public readonly signingProfileArn: string; - public readonly signingProfileName: string; - public readonly signingProfileVersion: string; - public readonly signingProfileVersionArn: string; + public readonly signingProfileProfileName: string; + public readonly signingProfileProfileVersion: string; + public readonly signingProfileProfileVersionArn: string; constructor(scope: Construct, id: string, props: SigningProfileProps) { - super(scope, id); + super(scope, id, { + physicalName: props.signingProfileName, + }); const resource = new CfnSigningProfile( this, 'Resource', { platformId: props.platformId, - signatureValidityPeriod: props.signatureValidityPeriod, + signatureValidityPeriod: props.signatureValidityPeriod ? 
{ + type: 'DAYS', + value: props.signatureValidityPeriod?.toDays(), + } : { + type: 'MONTH', + value: 135, + }, } ); this.signingProfileArn = resource.attrArn; - this.signingProfileName = resource.attrProfileName; - this.signingProfileVersion = resource.attrProfileVersion; - this.signingProfileVersionArn = resource.attrProfileVersionArn; + this.signingProfileProfileName = resource.attrProfileName; + this.signingProfileProfileVersion = resource.attrProfileVersion; + this.signingProfileProfileVersionArn = resource.attrProfileVersionArn; } } From 5a799db518a9984ab1647d2c4acbec80c42e0241 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Sat, 6 Feb 2021 15:17:06 +0900 Subject: [PATCH 11/46] add test --- packages/@aws-cdk/aws-signer/lib/index.ts | 2 +- .../{signer-profile.ts => signing-profile.ts} | 4 +- .../@aws-cdk/aws-signer/test/signer.test.ts | 90 ++++++++++++++++++- 3 files changed, 89 insertions(+), 7 deletions(-) rename packages/@aws-cdk/aws-signer/lib/{signer-profile.ts => signing-profile.ts} (99%) diff --git a/packages/@aws-cdk/aws-signer/lib/index.ts b/packages/@aws-cdk/aws-signer/lib/index.ts index a3c22144a3b2d..090dec21fac3b 100644 --- a/packages/@aws-cdk/aws-signer/lib/index.ts +++ b/packages/@aws-cdk/aws-signer/lib/index.ts @@ -1,3 +1,3 @@ // AWS::Signer CloudFormation Resources: export * from './signer.generated'; -export * from './signer-profile'; +export * from './signing-profile'; diff --git a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts similarity index 99% rename from packages/@aws-cdk/aws-signer/lib/signer-profile.ts rename to packages/@aws-cdk/aws-signer/lib/signing-profile.ts index c085b7b774e6c..375f674ac12e6 100644 --- a/packages/@aws-cdk/aws-signer/lib/signer-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts 
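Review bot: The fallback branch sends `type: 'MONTH'`, which is not one of the period types this file enumerated before this commit (`DAYS`, `MONTHS`, `YEARS`), so a profile created without `signatureValidityPeriod` would be rejected at deploy time; it should be `type: 'MONTHS',`. Inside the truthy branch `props.signatureValidityPeriod?.toDays()` the optional chain is redundant because the ternary has already established the value, so `value: props.signatureValidityPeriod.toDays(),` is clearer; if `Duration.toDays()` rejects durations that are not a whole number of days, as I believe it does, the `@default` doc on the prop should say so. The renamed attributes `signingProfileProfileName`, `signingProfileProfileVersion` and `signingProfileProfileVersionArn` repeat 'Profile'; if that is to avoid clashing with the new `signingProfileName` prop, a one-line comment on `ISigningProfile` explaining it would spare readers the guess.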
@@ -1,5 +1,5 @@ -import { Construct } from 'constructs'; import { Duration, IResource, Resource } from '@aws-cdk/core'; +import { Construct } from 'constructs'; import { CfnSigningProfile } from './signer.generated'; /** @@ -124,7 +124,7 @@ export class SigningProfile extends Resource implements ISigningProfile { type: 'DAYS', value: props.signatureValidityPeriod?.toDays(), } : { - type: 'MONTH', + type: 'MONTHS', value: 135, }, } ); diff --git a/packages/@aws-cdk/aws-signer/test/signer.test.ts b/packages/@aws-cdk/aws-signer/test/signer.test.ts index 22215adfdfae0..66058c3ccb545 100644 --- a/packages/@aws-cdk/aws-signer/test/signer.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signer.test.ts 
@@ -1,8 +1,90 @@ import '@aws-cdk/assert/jest'; -import {} from '../lib'; +import * as cdk from '@aws-cdk/core'; +import * as signer from '../lib'; -test('No tests are specified for this package', () => { - expect(true).toBe(true); -}); +test( 'No tests are specified for this package', () => { + expect( true ).toBe( true ); +} ); + +const EXAMPLE_PLATFORM_ID = 'AWSLambda-SHA384-ECDSA'; // TODO: Implement tests +let app: cdk.App; +let stack: cdk.Stack; +beforeEach( () => { + app = new cdk.App( {} ); + stack = new cdk.Stack( app ); +} ); + +describe('signing profile', () => { + test( 'default', () => { + const platformId = EXAMPLE_PLATFORM_ID; + new signer.SigningProfile( stack, 'SigningProfile', { platformId } ); + + expect(stack).toHaveResource('AWS::Signer::SigningProfile', { + PlatformId: platformId, + SignatureValidityPeriod: { + Type: 'MONTHS', + Value: 135, + }, + }); + }); + + test( 'default with signature validity period', () => { + const platformId = EXAMPLE_PLATFORM_ID; + new signer.SigningProfile( stack, 'SigningProfile', { + platformId, + signatureValidityPeriod: cdk.Duration.days( 7 ), + } ); + + expect(stack).toHaveResource('AWS::Signer::SigningProfile', { + PlatformId: platformId, + SignatureValidityPeriod: { + Type: 'DAYS', + Value: 7, + }, + }); + }); + + test( 'default with some tags', () => { + const platformId = EXAMPLE_PLATFORM_ID; + const signing = new signer.SigningProfile( stack, 'SigningProfile', { platformId } ); + + cdk.Tags.of(signing).add('tag1', 'value1'); + cdk.Tags.of(signing).add('tag2', 'value2'); + cdk.Tags.of(signing).add('tag3', ''); + + expect(stack).toHaveResource('AWS::Signer::SigningProfile', { + PlatformId: platformId, + SignatureValidityPeriod: { + Type: 'MONTHS', + Value: 135, + }, + Tags: [ + { + Key: 'tag1', + Value: 'value1', + }, + { + Key: 'tag2', + Value: 'value2', + }, + { + Key: 'tag3', + Value: '', + }, + ], + }); + }); + + test( 'import does not create any resources', () => { + 
signer.SigningProfile.fromSigningProfileAttributes(stack, 'Imported', { + signingProfileArn: '*', + signingProfileProfileName: '*', + signingProfileProfileVersion: '*', + signingProfileProfileVersionArn: '*', + } ); + + expect(stack).toMatchTemplate({}); + }); +}); From 54217e0093c851ca3993595d54d432774cce22bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Sat, 6 Feb 2021 16:39:00 +0900 Subject: [PATCH 12/46] fix aws-lambda build errors --- .../aws-lambda/lib/code-signing-config.ts | 100 +++++++++++++++--- packages/@aws-cdk/aws-lambda/lib/function.ts | 20 +++- packages/@aws-cdk/aws-lambda/lib/index.ts | 1 + .../aws-signer/lib/signing-profile.ts | 4 +- .../@aws-cdk/aws-signer/test/signer.test.ts | 5 - 5 files changed, 106 insertions(+), 24 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index c6aa3b35de55b..d759e98556b13 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -1,13 +1,26 @@ -import { IResource, Resource } from '@aws-cdk/core'; +import { ISigningProfile } from '@aws-cdk/aws-signer'; +import { IResource, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { CfnCodeSigningConfig } from './lambda.generated'; -import { SigningProfile } from '@aws-cdk/aws-signer'; +/** + * Code signing configuration policy for deployment validation failure. + */ export enum UntrustedArtifactOnDeployment { + /** + * Lambda blocks the deployment request if signature validation checks fail. + */ ENFORCE = 'enforce', + + /** + * Lambda allows the deployment and creates a CloudWatch log. + */ WARN = 'warn', } +/** + * A Code Signing Config + */ export interface ICodeSigningConfig extends IResource { /** * The ARN of Code Signing Config 
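Review bot: The placeholder `test( 'No tests are specified for this package', …)` and the `// TODO: Implement tests` comment are kept even though real tests are added below, and the comment now sits between `EXAMPLE_PLATFORM_ID` and `let app`; both should be deleted. The `import does not create any resources` test passes `'*'` for every attribute, which is not ARN-shaped, so a constructed placeholder such as `'arn:aws:signer:us-east-1:123456789012:/signing-profiles/example'` would exercise the import path more realistically and catch any future parsing of the attributes. Spacing inside call parentheses alternates between `test( 'default', () => {` and `expect(stack).toHaveResource(`; one form throughout the file is easier to read.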
@@ -22,31 +35,92 @@ export interface ICodeSigningConfig extends IResource { readonly codeSigningConfigId: string; } +/** + * Construction properties for a Code Signing Config object + */ export interface CodeSigningConfigProps { - signingProfiles: ISigningProfile[], - untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, - description?: string + /** + * List of signing profiles that defines a + * trusted user who can sign a code package. + */ + readonly signingProfiles: ISigningProfile[], + + /** + * Code signing configuration policy for deployment validation failure. + * If you set the policy to Enforce, Lambda blocks the deployment request + * if signature validation checks fail. + * If you set the policy to Warn, Lambda allows the deployment and + * creates a CloudWatch log. + * + * @default - UntrustedArtifactOnDeployment.WARN + */ + readonly untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, + + /** + * Code signing configuration description. + * + * @default - No description. + */ + readonly description?: string + + /** + * Physical name of this Code Signing Config. + * + * @default - Assigned by CloudFormation (recommended). + */ + readonly codeSigningConfigName?: string; } -export class CodeSigningConfig extends Resource implements ICodeSigningConfig{ +/** + * Defines a Code Signing Config. + * + * @resource AWS::Lambda::CodeSigningConfig + */ +export class CodeSigningConfig extends Resource implements ICodeSigningConfig { + /** + * Creates a Signing Profile construct that represents an external Signing Profile. + * + * @param scope The parent creating construct (usually `this`). + * @param id The construct's name. + * @param codeSigningConfigArn The ARN of code signing config. 
+ */ + public static fromCodeSigningConfigArn( scope: Construct, id: string, codeSigningConfigArn: string): ICodeSigningConfig { + class Import extends Resource implements ICodeSigningConfig { + public readonly codeSigningConfigArn = codeSigningConfigArn; + public readonly codeSigningConfigId: string; + + constructor( codeSigningProfileId: string ) { + super(scope, id); + this.codeSigningConfigId = codeSigningProfileId; + } + } + const codeSigningProfileId = Stack.of(scope).parseArn(codeSigningConfigArn).resourceName; + if (!codeSigningProfileId) { + throw new Error(`Code signing config ARN must be in the format 'arn:aws:lambda:::code-signing-config:', got: '${codeSigningConfigArn}'`); + } + return new Import(codeSigningProfileId); + } + readonly codeSigningConfigArn: string; readonly codeSigningConfigId: string; constructor(scope: Construct, id: string, props: CodeSigningConfigProps) { - super(scope, id); + super(scope, id, { + physicalName: props.codeSigningConfigName, + }); - if (props.signingProfile.length > 20) { - throw new Error('Signing profile version arn is up to 20'); - } + const signingProfileVersionArns = props.signingProfiles.map( signingProfile => { + return signingProfile.signingProfileProfileVersionArn; + } ); const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { allowedPublishers: { - signingProfileVersionArns: props.signingProfile.signingProfileVersionArn, + signingProfileVersionArns, }, codeSigningPolicies: { - untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment + untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment || UntrustedArtifactOnDeployment.WARN, }, - description: props.description + description: props.description, }); this.codeSigningConfigArn = resource.attrCodeSigningConfigArn; this.codeSigningConfigId = resource.attrCodeSigningConfigId; 
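Review bot: `untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment || UntrustedArtifactOnDeployment.WARN` means a config created without an explicit policy only logs unsigned deployments instead of blocking them, so the construct's default provides no enforcement; if this mirrors the service default, say so in the tag, `@default - UntrustedArtifactOnDeployment.WARN (matches the service default; unsigned artifacts are still deployed)`, otherwise `ENFORCE` is the safer default for a code-signing construct, and `??` is the idiomatic spelling of the fallback either way. The hunk drops the 20-item guard on signing profiles without replacement, so a list longer than the limit the removed code checked now fails only at deploy time; `if (props.signingProfiles.length > 20) { throw new Error(\`A CodeSigningConfig accepts at most 20 signing profiles, got ${props.signingProfiles.length}\`); }` before the `map` keeps the early failure. The `fromCodeSigningConfigArn` docstring says 'Creates a Signing Profile construct', a copy-paste from aws-signer, and should read 'Creates a Code Signing Config construct that represents an external Code Signing Config'. The ARN template in the error message, `arn:aws:lambda:::code-signing-config:`, has empty region, account and id positions, possibly because angle-bracketed placeholders were lost; verify the message as committed still names them.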
diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index 3f170e186a998..f5668c1ceeb76 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts @@ -8,6 +8,7 @@ import * as sqs from '@aws-cdk/aws-sqs'; import { Annotations, CfnResource, Duration, Fn, Lazy, Names, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { Code, CodeConfig } from './code'; +import { ICodeSigningConfig } from './code-signing-config'; import { EventInvokeConfigOptions } from './event-invoke-config'; import { IEventSource } from './event-source'; import { FileSystem } from './filesystem'; @@ -19,7 +20,6 @@ import { CfnFunction } from './lambda.generated'; import { ILayerVersion } from './layers'; import { LogRetentionRetryOptions } from './log-retention'; import { Runtime } from './runtime'; -import { CodeSigningConfig } from 'aws-lambda/lib/code-signing-config'; /** * X-Ray Tracing Modes (https://docs.aws.amazon.com/lambda/latest/dg/API_TracingConfig.html) @@ -292,7 +292,12 @@ export interface FunctionOptions extends EventInvokeConfigOptions { */ readonly environmentEncryption?: kms.IKey; - readonly codeSigningConfig?: CodeSigningConfig; + /** + * Code signing config associated with this function + * + * @default - Not Sign the Code + */ + readonly codeSigningConfig?: ICodeSigningConfig; } export interface FunctionProps extends FunctionOptions { @@ -529,7 +534,12 @@ export class Function extends FunctionBase { private _logGroup?: logs.ILogGroup; - private readonly codeSigningConfig?: CodeSigningConfig; + /** + * Code signing config associated with this function + * + * @default - Not Sign the Code + */ + public readonly codeSigningConfig?: ICodeSigningConfig; /** * Environment variables for this function 
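Review bot: The `@default - Not Sign the Code` tag on `FunctionOptions.codeSigningConfig` (and the identical text on the `Function.codeSigningConfig` field in the `-529` hunk further along this line) is ungrammatical and, for a public API doc, should state the consequence: `@default - No code signing config; deployed code is not signature-checked.` On the `Function` field the `@default` tag is also out of place, since it documents a property rather than a prop; a plain description sentence is enough there.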
@@ -616,6 +626,8 @@ export class Function extends FunctionBase { }]; } + this.codeSigningConfig = props.codeSigningConfig; + const resource: CfnFunction = new CfnFunction(this, 'Resource', { functionName: this.physicalName, description: props.description, @@ -646,7 +658,7 @@ export class Function extends FunctionBase { }), kmsKeyArn: props.environmentEncryption?.keyArn, fileSystemConfigs, - codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn + codeSigningConfigArn: this.codeSigningConfig?.codeSigningConfigArn, }); resource.node.addDependency(this.role); diff --git a/packages/@aws-cdk/aws-lambda/lib/index.ts b/packages/@aws-cdk/aws-lambda/lib/index.ts index 1ba17427c5210..2d936755d6ad1 100644 --- a/packages/@aws-cdk/aws-lambda/lib/index.ts +++ b/packages/@aws-cdk/aws-lambda/lib/index.ts @@ -16,6 +16,7 @@ export * from './event-source-mapping'; export * from './destination'; export * from './event-invoke-config'; export * from './scalable-attribute-api'; +export * from './code-signing-config'; export * from './log-retention'; diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 375f674ac12e6..f9e96804337d3 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -32,7 +32,7 @@ export interface ISigningProfile extends IResource { } /** - * Construction properties for a Signer Profile object + * Construction properties for a Signing Profile object */ export interface SigningProfileProps { /** @@ -82,7 +82,7 @@ export interface SigningProfileAttributes { } /** - * Defines a Signer Profile. + * Defines a Signing Profile. * * @resource AWS::Signer::SigningProfile */ diff --git a/packages/@aws-cdk/aws-signer/test/signer.test.ts b/packages/@aws-cdk/aws-signer/test/signer.test.ts index 66058c3ccb545..30babd2c21dd6 100644 --- a/packages/@aws-cdk/aws-signer/test/signer.test.ts 
+++ b/packages/@aws-cdk/aws-signer/test/signer.test.ts @@ -2,13 +2,8 @@ import '@aws-cdk/assert/jest'; import * as cdk from '@aws-cdk/core'; import * as signer from '../lib'; -test( 'No tests are specified for this package', () => { - expect( true ).toBe( true ); -} ); - const EXAMPLE_PLATFORM_ID = 'AWSLambda-SHA384-ECDSA'; -// TODO: Implement tests let app: cdk.App; let stack: cdk.Stack; beforeEach( () => { From dbbbd21b9e838f33b06e7e6afb8e7a5d07e68d01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Sat, 6 Feb 2021 17:39:57 +0900 Subject: [PATCH 13/46] add test of lambda code-signing-config --- .../aws-lambda/lib/code-signing-config.ts | 4 +- .../test/code-signing-config.test.ts | 110 ++++++++++++++++++ 2 files changed, 112 insertions(+), 2 deletions(-) create mode 100644 packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index d759e98556b13..bde6757d8a918 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -109,9 +109,9 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { physicalName: props.codeSigningConfigName, }); - const signingProfileVersionArns = props.signingProfiles.map( signingProfile => { + const signingProfileVersionArns = props.signingProfiles.map(signingProfile => { return signingProfile.signingProfileProfileVersionArn; - } ); + }); const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { allowedPublishers: { diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts new file mode 100644 index 0000000000000..41a278040a03e --- /dev/null +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts 
@@ -0,0 +1,110 @@ +import '@aws-cdk/assert/jest'; +import * as signer from '@aws-cdk/aws-signer'; +import * as cdk from '@aws-cdk/core'; +import * as lambda from '../lib'; + +const EXAMPLE_PLATFORM_ID = 'AWSLambda-SHA384-ECDSA'; + +let app: cdk.App; +let stack: cdk.Stack; +beforeEach( () => { + app = new cdk.App( {} ); + stack = new cdk.Stack( app ); +} ); + +describe('code signing config', () => { + test('default', () => { + const platformId = EXAMPLE_PLATFORM_ID; + const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platformId }); + new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { + signingProfiles: [signingProfile], + }); + + expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { + AllowedPublishers: { + SigningProfileVersionArns: [{ + 'Fn::GetAtt': [ + 'SigningProfile2139A0F9', + 'ProfileVersionArn', + ], + }], + }, + CodeSigningPolicies: { + UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.WARN, + }, + }); + }); + + test('with multiple signing profiles', () => { + const platformId = EXAMPLE_PLATFORM_ID; + const signingProfile1 = new signer.SigningProfile(stack, 'SigningProfile1', { platformId }); + const signingProfile2 = new signer.SigningProfile(stack, 'SigningProfile2', { platformId }); + const signingProfile3 = new signer.SigningProfile(stack, 'SigningProfile3', { platformId }); + new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { + signingProfiles: [signingProfile1, signingProfile2, signingProfile3], + }); + + expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { + AllowedPublishers: { + SigningProfileVersionArns: [ + { + 'Fn::GetAtt': [ + 'SigningProfile1D4191686', + 'ProfileVersionArn', + ], + }, + { + 'Fn::GetAtt': [ + 'SigningProfile2E013C934', + 'ProfileVersionArn', + ], + }, + { + 'Fn::GetAtt': [ + 'SigningProfile3A38DE231', + 'ProfileVersionArn', + ], + }, + ], + }, + CodeSigningPolicies: { + UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.WARN, + 
}, + }); + }); + + test('with description and with untrustedArtifactOnDeployment of "ENFORCE"', () => { + const platformId = EXAMPLE_PLATFORM_ID; + const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platformId }); + new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { + signingProfiles: [signingProfile], + untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, + description: 'test description', + }); + + expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { + AllowedPublishers: { + SigningProfileVersionArns: [{ + 'Fn::GetAtt': [ + 'SigningProfile2139A0F9', + 'ProfileVersionArn', + ], + }], + }, + CodeSigningPolicies: { + UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, + }, + Description: 'test description', + }); + }); + + test('import dose not create any resources', () => { + const codeSigningConfigId = 'aaa-xxxxxxxxxx'; + const codeSigningConfigArn = `arn:aws:lambda:::code-signing-config:${codeSigningConfigId}`; + const codeSigningConfig = lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ); + + expect(codeSigningConfig.codeSigningConfigArn).toBe(codeSigningConfigArn); + expect(codeSigningConfig.codeSigningConfigId).toBe(codeSigningConfigId); + expect(stack).toMatchTemplate({}); + }); +}); From befb9dd14377597e38853bae6fed611e37e9c2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Sat, 6 Feb 2021 17:53:29 +0900 Subject: [PATCH 14/46] modify signingProfile.fromSignginProfileAttributes --- .../aws-signer/lib/signing-profile.ts | 32 ++++++++++--------- .../@aws-cdk/aws-signer/test/signer.test.ts | 26 +++++++++------ 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index f9e96804337d3..9044f2317b4f5 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts 
+++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -1,4 +1,4 @@ -import { Duration, IResource, Resource } from '@aws-cdk/core'; +import { Duration, IResource, Resource, Stack } from '@aws-cdk/core'; import { Construct } from 'constructs'; import { CfnSigningProfile } from './signer.generated'; @@ -60,11 +60,6 @@ export interface SigningProfileProps { * A reference to a Signing Profile */ export interface SigningProfileAttributes { - /** - * The ARN of the signing profile. - */ - readonly signingProfileArn: string; - /** * The name of signing profile. */ @@ -74,11 +69,6 @@ export interface SigningProfileAttributes { * The version of signing profile. */ readonly signingProfileProfileVersion: string; - - /** - * The ARN of signing profile version. - */ - readonly signingProfileProfileVersionArn: string; } /** 
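Review bot: Dropping `signingProfileArn` and `signingProfileProfileVersionArn` from `SigningProfileAttributes` removes the only way to import a profile by its real ARN, so an imported profile is now always assumed to live in the importing stack's own partition, region and account (the ARNs are rebuilt with `formatArn` in the following hunk, and the test on this commit shows `AWS::Region`/`AWS::AccountId` tokens in the result). A signing profile kept in a separate, locked-down signing account is a common setup for code signing, and that case can no longer be expressed. Either keep an ARN-based import alongside the name/version one, or document the restriction on the interface: `* The profile is assumed to be in the same account and region as the importing stack; its ARN is derived from them.`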
@@ -96,16 +86,28 @@ export class SigningProfile extends Resource implements ISigningProfile { */ public static fromSigningProfileAttributes( scope: Construct, id: string, attrs: SigningProfileAttributes): ISigningProfile { class Import extends Resource implements ISigningProfile { - public readonly signingProfileArn = attrs.signingProfileArn; + public readonly signingProfileArn: string; public readonly signingProfileProfileName = attrs.signingProfileProfileName; public readonly signingProfileProfileVersion = attrs.signingProfileProfileVersion; - public readonly signingProfileProfileVersionArn = attrs.signingProfileProfileVersionArn; + public readonly signingProfileProfileVersionArn: string; - constructor() { + constructor(signingProfileArn: string, signingProfileProfileVersionArn: string) { super(scope, id); + this.signingProfileArn = signingProfileArn; + this.signingProfileProfileVersionArn = signingProfileProfileVersionArn; } } - return new Import(); + const signingProfileArn = Stack.of(scope).formatArn({ + service: 'signer', + resource: '', + resourceName: `/signing-profiles/${attrs.signingProfileProfileName}`, + }); + const signingProfileProfileVersionArn = Stack.of(scope).formatArn({ + service: 'signer', + resource: '', + resourceName: `/signing-profiles/${attrs.signingProfileProfileName}/${attrs.signingProfileProfileVersion}`, + }); + return new Import(signingProfileArn, signingProfileProfileVersionArn); } public readonly signingProfileArn: string; diff --git a/packages/@aws-cdk/aws-signer/test/signer.test.ts b/packages/@aws-cdk/aws-signer/test/signer.test.ts index 30babd2c21dd6..3d536898ed68d 100644 --- a/packages/@aws-cdk/aws-signer/test/signer.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signer.test.ts 
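Review bot: The two `formatArn` calls in `fromSigningProfileAttributes` produce a malformed ARN: with `resource: ''` CDK still emits the default `/` separator before `resourceName`, and the resourceName itself starts with `/`, giving `...:<account>://signing-profiles/<name>` — the test added in this same commit pins exactly that double slash. As far as the Signer documentation shows, profile ARNs have the form `arn:aws:signer:<region>:<account>:/signing-profiles/<name>` and version ARNs `.../signing-profiles/<name>/<version>`, so these values would not match the real resource when used in `AllowedPublishers`. Using `resource: '/signing-profiles', resourceName: attrs.signingProfileProfileName` and `resource: '/signing-profiles', resourceName: \`${attrs.signingProfileProfileName}/${attrs.signingProfileProfileVersion}\`` yields the single-slash form; the test expectation should be corrected alongside.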
@@ -72,14 +72,22 @@ describe('signing profile', () => { }); }); - test( 'import does not create any resources', () => { - signer.SigningProfile.fromSigningProfileAttributes(stack, 'Imported', { - signingProfileArn: '*', - signingProfileProfileName: '*', - signingProfileProfileVersion: '*', - signingProfileProfileVersionArn: '*', - } ); + describe('import', () => { + test('from signingProfileProfileName and signingProfileProfileVersion', () => { + const signingProfileProfileName = 'test'; + const signingProfileProfileVersion = 'xxxxxxxx'; + const signingProfile = signer.SigningProfile.fromSigningProfileAttributes(stack, 'Imported', { + signingProfileProfileName, + signingProfileProfileVersion, + }); - expect(stack).toMatchTemplate({}); - }); + expect(signingProfile.signingProfileArn).toBe( + `arn:\${Token[AWS.Partition.3]}:signer:\${Token[AWS.Region.4]}:\${Token[AWS.AccountId.0]}://signing-profiles/${signingProfileProfileName}`, + ); + expect(signingProfile.signingProfileProfileVersionArn).toBe( + `arn:\${Token[AWS.Partition.3]}:signer:\${Token[AWS.Region.4]}:\${Token[AWS.AccountId.0]}://signing-profiles/${signingProfileProfileName}/${signingProfileProfileVersion}`, + ); + expect(stack).toMatchTemplate({}); + }); + } ); }); From d0903535df1fa0494f70f6be888fb9a34c1e7472 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 9 Feb 2021 07:42:26 +0900 Subject: [PATCH 15/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index bde6757d8a918..aefdc68a47348 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts 
@@ -24,7 +24,7 @@ export enum UntrustedArtifactOnDeployment { export interface ICodeSigningConfig extends IResource { /** * The ARN of Code Signing Config - * @attribute CodeSigningConfigArn + * @attribute */ readonly codeSigningConfigArn: string; From acaf8c2286714a269a7c6d3d92bf388768328ce4 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 9 Feb 2021 07:42:41 +0900 Subject: [PATCH 16/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index aefdc68a47348..70881154ae533 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -30,7 +30,7 @@ export interface ICodeSigningConfig extends IResource { /** * The id of Code Signing Config - * @attribute CodeSigningConfigId + * @attribute */ readonly codeSigningConfigId: string; } From 30c64796fb465eca12a83d49f36662cd188882e9 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 9 Feb 2021 07:44:26 +0900 Subject: [PATCH 17/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 70881154ae533..3d3ddbb0df5e3 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts 
@@ -101,8 +101,8 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { return new Import(codeSigningProfileId); } - readonly codeSigningConfigArn: string; - readonly codeSigningConfigId: string; + public readonly codeSigningConfigArn: string; + public readonly codeSigningConfigId: string; constructor(scope: Construct, id: string, props: CodeSigningConfigProps) { super(scope, id, { From 02d57b305a04ef5d07249f812cd986bd078643d9 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 9 Feb 2021 07:50:51 +0900 Subject: [PATCH 18/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 3d3ddbb0df5e3..f33612eb99ece 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -118,7 +118,7 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { signingProfileVersionArns, }, codeSigningPolicies: { - untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment || UntrustedArtifactOnDeployment.WARN, + untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment ?? UntrustedArtifactOnDeployment.WARN, }, description: props.description, }); From 7c2117e5aa3591e47ca77e56f2ef5ab125581f60 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 9 Feb 2021 07:53:05 +0900 Subject: [PATCH 19/46] Update packages/@aws-cdk/aws-signer/lib/signing-profile.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-signer/lib/signing-profile.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 9044f2317b4f5..04dd1c1c6138a 100644 
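Review bot: The `??` change in `codeSigningPolicies` is fine (the enum values are non-empty strings, so `||` and `??` behave the same here), but the default it preserves, `UntrustedArtifactOnDeployment.WARN`, is fail-open: a `CodeSigningConfig` left at the default still lets unsigned or wrongly-signed artifacts deploy and only records a signature-validation error, as the enum doc added later in this series describes. A user who attaches a config and expects protection gets none unless they also set `ENFORCE`. If the service default is kept, the prop doc should say so unambiguously, e.g. `* Defaults to WARN, which still deploys untrusted artifacts and only records a signature validation error; set ENFORCE to actually block them.`, and the README example should show `ENFORCE`.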
--- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -41,10 +41,10 @@ export interface SigningProfileProps { readonly platformId: string; /** - * The validity period override for any signature generated using - * this signing profile. If unspecified, the default is 135 months. + * The validity period for signatures generated using + * this signing profile. * - * @default - 135 MONTHS + * @default - 135 months */ readonly signatureValidityPeriod?: Duration; From d254142db81234c743756853a35ae1c303aec766 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B0=8F=E5=AE=A4=E3=80=80=E9=9B=85=E6=98=A5?= <> Date: Tue, 9 Feb 2021 07:58:21 +0900 Subject: [PATCH 20/46] So physical name is not configurable, deleted codeSigningConfigName from CodeSigningConfigProps --- .../@aws-cdk/aws-lambda/lib/code-signing-config.ts | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index bde6757d8a918..80c7046e5a7af 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -61,14 +61,7 @@ export interface CodeSigningConfigProps { * * @default - No description. */ - readonly description?: string - - /** - * Physical name of this Code Signing Config. - * - * @default - Assigned by CloudFormation (recommended). - */ - readonly codeSigningConfigName?: string; + readonly description?: string, } /** 
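Review bot: In the `CodeSigningConfigProps` hunk the re-added member `readonly description?: string,` ends with a comma while the member it replaces and the rest of the interface use semicolons. TypeScript accepts either, but mixing them within one interface reads as an accident; `readonly description?: string;` keeps the file consistent.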
@@ -105,9 +98,7 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { readonly codeSigningConfigId: string; constructor(scope: Construct, id: string, props: CodeSigningConfigProps) { - super(scope, id, { - physicalName: props.codeSigningConfigName, - }); + super(scope, id); const signingProfileVersionArns = props.signingProfiles.map(signingProfile => { return signingProfile.signingProfileProfileVersionArn; From 21c7383f7e0d939d56267b9c09a879c159a04fe1 Mon Sep 17 00:00:00 2001 From: hedrall <> Date: Tue, 9 Feb 2021 09:56:29 +0900 Subject: [PATCH 21/46] add readme of signing profile --- packages/@aws-cdk/aws-signer/README.md | 24 +++++++++++++++++-- ...signer.test.ts => signing-profile.test.ts} | 0 2 files changed, 22 insertions(+), 2 deletions(-) rename packages/@aws-cdk/aws-signer/test/{signer.test.ts => signing-profile.test.ts} (100%) diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index e336a3465ebcb..45b8d38fde6d4 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md @@ -21,8 +21,28 @@ -This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aws-cdk) project. +Define a Signer SigningProfile: ```ts -import signer = require('@aws-cdk/aws-signer'); +import * as signer from '@aws-cdk/aws-signer'; + +const signingProfile = new signer.SigningProfile(this, 'SigningProfile', { + platformId: 'AWSLambda-SHA384-ECDSA' +} ); ``` + +> **Note**: To get the list of available platforms, you can run aws-cli command of `aws signer list-signing-platforms` + +Define a Signer SigningProfile with validity period: + +Specifies the duration in the period that the signing profile is valid. + +```ts +import * as cdk from '@aws-cdk/aws-core'; + +const signingProfile = new signer.SigningProfile(this, 'SignginProfile', { + platformId: 'AWSLambda-SHA384-ECDSA', + signatureValidityPeriod: cdk.Duration.days(365), // Default to 135 months +}) +``` + 
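Review bot: The constructor now passes `props.signingProfiles` straight through to `allowedPublishers.signingProfileVersionArns` with no bounds check; the earlier draft's `> 20` guard was dropped in a previous patch and nothing replaced it, so an empty array or more than 20 profiles is only rejected at deploy time. The Lambda API documents `SigningProfileVersionArns` as 1–20 entries, and an empty allowed-publisher list is a configuration the construct should refuse up front rather than leave to CloudFormation. Before the `map`, add `if (props.signingProfiles.length < 1 || props.signingProfiles.length > 20) { throw new Error(\`signingProfiles must contain between 1 and 20 signing profiles, got ${props.signingProfiles.length}\`); }` and cover both bounds in the test file. The constructor body continues past the end of this hunk.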
diff --git a/packages/@aws-cdk/aws-signer/test/signer.test.ts b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts similarity index 100% rename from packages/@aws-cdk/aws-signer/test/signer.test.ts rename to packages/@aws-cdk/aws-signer/test/signing-profile.test.ts From 342c5fcfae066ef5f4f2f9c19434241b929ff4e9 Mon Sep 17 00:00:00 2001 From: hedrall <> Date: Wed, 10 Feb 2021 06:53:01 +0900 Subject: [PATCH 22/46] add readme of lambda code signing cconfig --- packages/@aws-cdk/aws-lambda/README.md | 23 +++++++++++++++++++++++ packages/@aws-cdk/aws-signer/README.md | 4 ++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/README.md b/packages/@aws-cdk/aws-lambda/README.md index 5b7ee7cd3240e..73ec43e51c57e 100644 --- a/packages/@aws-cdk/aws-lambda/README.md +++ b/packages/@aws-cdk/aws-lambda/README.md @@ -460,3 +460,26 @@ Language-specific higher level constructs are provided in separate modules: * `@aws-cdk/aws-lambda-nodejs`: [Github](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-lambda-nodejs) & [CDK Docs](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-nodejs-readme.html) * `@aws-cdk/aws-lambda-python`: [Github](https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-lambda-python) & [CDK Docs](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-lambda-python-readme.html) + +## Code Signing + +Code signing for AWS Lambda helps to ensure that only trusted code runs in your Lambda functions. +You can enable code signing for a function to config `CodeSigningConfig` with `SigningProfile`. + +```typescript +import * as signer from '@aws-cdk/aws-signer'; + +const signerProfile = signer.SigningProfile(this, 'SigningProfile', { + platformId: 'xxxxxx' +}); + +const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { + signingProfiles: [signingProfile], +}); + +new lambda.Function(this, 'Function', { + codeSigningConfig, + // ... +}); +``` + 
diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index 45b8d38fde6d4..a3663c4ebdfef 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md @@ -27,7 +27,7 @@ Define a Signer SigningProfile: import * as signer from '@aws-cdk/aws-signer'; const signingProfile = new signer.SigningProfile(this, 'SigningProfile', { - platformId: 'AWSLambda-SHA384-ECDSA' + platformId: 'xxxxxx' } ); ``` @@ -41,7 +41,7 @@ Specifies the duration in the period that the signing profile is valid. import * as cdk from '@aws-cdk/aws-core'; const signingProfile = new signer.SigningProfile(this, 'SignginProfile', { - platformId: 'AWSLambda-SHA384-ECDSA', + platformId: 'xxxxxx', signatureValidityPeriod: cdk.Duration.days(365), // Default to 135 months }) ``` From ce82641348195fe3eeb3d02ef2ee2906123708d8 Mon Sep 17 00:00:00 2001 From: hedrall <> Date: Wed, 10 Feb 2021 07:25:14 +0900 Subject: [PATCH 23/46] modify test of signing profile --- .../aws-signer/test/signing-profile.test.ts | 34 ++++++++++++++++--- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts index 3d536898ed68d..a90a816c17705 100644 --- a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts 
@@ -81,12 +81,36 @@ describe('signing profile', () => { signingProfileProfileVersion, }); - expect(signingProfile.signingProfileArn).toBe( - `arn:\${Token[AWS.Partition.3]}:signer:\${Token[AWS.Region.4]}:\${Token[AWS.AccountId.0]}://signing-profiles/${signingProfileProfileName}`, - ); - expect(signingProfile.signingProfileProfileVersionArn).toBe( - `arn:\${Token[AWS.Partition.3]}:signer:\${Token[AWS.Region.4]}:\${Token[AWS.AccountId.0]}://signing-profiles/${signingProfileProfileName}/${signingProfileProfileVersion}`, + expect(stack.resolve(signingProfile.signingProfileArn)).toStrictEqual( + { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':signer:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + `://signing-profiles/${signingProfileProfileName}`, + ], + ], + }, ); + expect(stack.resolve(signingProfile.signingProfileProfileVersionArn)).toStrictEqual({ + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':signer:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + `://signing-profiles/${signingProfileProfileName}/${signingProfileProfileVersion}`, + ], + ], + }); expect(stack).toMatchTemplate({}); }); } ); From b43dc0234b7b54f4ed3d61c56a6b43bc86a0a2c6 Mon Sep 17 00:00:00 2001 From: hedrall <> Date: Wed, 10 Feb 2021 07:40:43 +0900 Subject: [PATCH 24/46] add test of lambda with code signing config --- packages/@aws-cdk/aws-lambda/package.json | 3 +- .../@aws-cdk/aws-lambda/test/function.test.ts | 38 +++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/package.json b/packages/@aws-cdk/aws-lambda/package.json index 69955e8a9e594..5da4b06d249d3 100644 --- a/packages/@aws-cdk/aws-lambda/package.json +++ b/packages/@aws-cdk/aws-lambda/package.json 
@@ -171,7 +171,8 @@ "props-default-doc:@aws-cdk/aws-lambda.Permission.sourceArn", "docs-public-apis:@aws-cdk/aws-lambda.ResourceBindOptions", "docs-public-apis:@aws-cdk/aws-lambda.VersionAttributes", - "props-physical-name:@aws-cdk/aws-lambda.EventInvokeConfigProps" + "props-physical-name:@aws-cdk/aws-lambda.EventInvokeConfigProps", + "props-physical-name:@aws-cdk/aws-lambda.CodeSigningConfigProps" ] }, "stability": "stable", diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index 707b32428912b..eff4b11e4725c 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -9,6 +9,7 @@ import * as kms from '@aws-cdk/aws-kms'; import * as logs from '@aws-cdk/aws-logs'; import * as s3 from '@aws-cdk/aws-s3'; import * as sqs from '@aws-cdk/aws-sqs'; +import * as signer from '@aws-cdk/aws-signer'; import * as cdk from '@aws-cdk/core'; import * as constructs from 'constructs'; import * as _ from 'lodash'; 
@@ -1989,6 +1990,43 @@ describe('function', () => { }); }); }); + + describe('code signing config', () => { + test('default', () => { + const stack = new cdk.Stack(); + + const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { + platformId: 'xxx', + }); + + const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { + signingProfiles: [signingProfile], + }); + + new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('foo'), + handler: 'index.handler', + runtime: lambda.Runtime.NODEJS_10_X, + codeSigningConfig, + }); + + expect(stack).toHaveResource('AWS::Lambda::Function', { + Properties: { + Code: { ZipFile: 'foo' }, + Handler: 'index.handler', + Role: { 'Fn::GetAtt': ['MyLambdaServiceRole4539ECB6', 'Arn'] }, + Runtime: 'nodejs10.x', + CodeSigningConfigArn: { + 'Fn::GetAtt': [ + 'CodeSigningConfigD8D41C10', + 'CodeSigningConfigArn', + ], + }, + }, + DependsOn: ['MyLambdaServiceRole4539ECB6'], + }, ResourcePart.CompleteDefinition); + }); + }); }); function newTestLambda(scope: constructs.Construct) { From 225c05ab392b3dc8cd357b0a20f1a0d438d10585 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 16 Feb 2021 09:52:16 +0900 Subject: [PATCH 25/46] Update packages/@aws-cdk/aws-lambda/README.md Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/README.md b/packages/@aws-cdk/aws-lambda/README.md index 15851f930833e..a80ce72d9ae59 100644 --- a/packages/@aws-cdk/aws-lambda/README.md +++ b/packages/@aws-cdk/aws-lambda/README.md 
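Review bot: The new `code signing config` test pairs the config with `new lambda.InlineCode('foo')`; inline code is zipped by CloudFormation at deploy time and so can never carry a Signer signature, which means this combination only deploys because the config's policy defaults to WARN — under `ENFORCE` the service would, as I understand it, reject the update. The synth-level assertion does not surface that, so the example can mislead readers into copying a setup that silently bypasses signing. Either use an S3- or asset-backed `Code` in this test, or add `// inline code can never be signed; this only deploys because the default policy is WARN` above it, and add a second case with `UntrustedArtifactOnDeployment.ENFORCE` so the intended behaviour is documented.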
@@ -495,7 +495,9 @@ Language-specific higher level constructs are provided in separate modules: ## Code Signing Code signing for AWS Lambda helps to ensure that only trusted code runs in your Lambda functions. -You can enable code signing for a function to config `CodeSigningConfig` with `SigningProfile`. +When enabled, AWS Lambda checks every code deployment and verifies that the code package is signed by a trusted source. +For more information, see [Configuring code signing for AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html). +The following code configures a function with code signing. ```typescript import * as signer from '@aws-cdk/aws-signer'; @@ -513,4 +515,3 @@ new lambda.Function(this, 'Function', { // ... }); ``` - From 1c3ce916fe85b3cfe97d88a30d670bff7bea1a3d Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 16 Feb 2021 09:53:47 +0900 Subject: [PATCH 26/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 35945fc0b81ef..37606bfce6303 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -52,7 +52,7 @@ export interface CodeSigningConfigProps { * If you set the policy to Warn, Lambda allows the deployment and * creates a CloudWatch log. * - * @default - UntrustedArtifactOnDeployment.WARN + * @default UntrustedArtifactOnDeployment.WARN */ readonly untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment, From 7b6202a5db28d27b2bff2d68ffe7687a247805a8 Mon Sep 17 00:00:00 2001 
From: Masaharu Komuro Date: Tue, 16 Feb 2021 09:56:04 +0900 Subject: [PATCH 27/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 37606bfce6303..6c98d6e7e1c96 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -13,7 +13,8 @@ export enum UntrustedArtifactOnDeployment { ENFORCE = 'enforce', /** - * Lambda allows the deployment and creates a CloudWatch log. + * Lambda allows the deployment of the code package, but issues a warning. + * Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail. */ WARN = 'warn', } From 4fe3cbe19a507558afc1d7629d53b9da84f102e8 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Tue, 16 Feb 2021 09:59:41 +0900 Subject: [PATCH 28/46] Update packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index 41a278040a03e..c993ae8167138 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts 
@@ -98,7 +98,7 @@ describe('code signing config', () => { }); }); - test('import dose not create any resources', () => { + test('import does not create any resources', () => { const codeSigningConfigId = 'aaa-xxxxxxxxxx'; const codeSigningConfigArn = `arn:aws:lambda:::code-signing-config:${codeSigningConfigId}`; const codeSigningConfig = lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ); From 55e69a77789fb9b9ecb2539fc165e8b0ec030db6 Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 17 Feb 2021 08:51:52 +0900 Subject: [PATCH 29/46] change platformId to platform enum like class --- .../aws-lambda/lib/code-signing-config.ts | 2 +- .../test/code-signing-config.test.ts | 17 +++---- .../@aws-cdk/aws-lambda/test/function.test.ts | 2 +- .../aws-signer/lib/signing-profile.ts | 45 +++++++++++++++++-- .../aws-signer/test/signing-profile.test.ts | 20 ++++----- 5 files changed, 60 insertions(+), 26 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index 6c98d6e7e1c96..f77dbe482f047 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -14,7 +14,7 @@ export enum UntrustedArtifactOnDeployment { /** * Lambda allows the deployment of the code package, but issues a warning. - * Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail. + * Lambda issues a new Amazon CloudWatch metric, called a signature validation error and also stores the warning in CloudTrail. */ WARN = 'warn', } diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index c993ae8167138..db2f7860d212e 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts 
@@ -3,8 +3,6 @@ import * as signer from '@aws-cdk/aws-signer'; import * as cdk from '@aws-cdk/core'; import * as lambda from '../lib'; -const EXAMPLE_PLATFORM_ID = 'AWSLambda-SHA384-ECDSA'; - let app: cdk.App; let stack: cdk.Stack; beforeEach( () => { @@ -14,8 +12,8 @@ beforeEach( () => { describe('code signing config', () => { test('default', () => { - const platformId = EXAMPLE_PLATFORM_ID; - const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platformId }); + const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; + const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platform }); new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { signingProfiles: [signingProfile], }); @@ -36,10 +34,9 @@ describe('code signing config', () => { }); test('with multiple signing profiles', () => { - const platformId = EXAMPLE_PLATFORM_ID; - const signingProfile1 = new signer.SigningProfile(stack, 'SigningProfile1', { platformId }); - const signingProfile2 = new signer.SigningProfile(stack, 'SigningProfile2', { platformId }); - const signingProfile3 = new signer.SigningProfile(stack, 'SigningProfile3', { platformId }); + const signingProfile1 = new signer.SigningProfile(stack, 'SigningProfile1', { platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA }); + const signingProfile2 = new signer.SigningProfile(stack, 'SigningProfile2', { platform: signer.Platform.AMAZON_FREE_RTOS_DEFAULT }); + const signingProfile3 = new signer.SigningProfile(stack, 'SigningProfile3', { platform: signer.Platform.AWS_IOT_DEVICE_MANAGEMENT_SHA256_ECDSA }); new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { signingProfiles: [signingProfile1, signingProfile2, signingProfile3], }); 
@@ -74,8 +71,8 @@ describe('code signing config', () => { }); test('with description and with untrustedArtifactOnDeployment of "ENFORCE"', () => { - const platformId = EXAMPLE_PLATFORM_ID; - const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platformId }); + const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; + const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { platform }); new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { signingProfiles: [signingProfile], untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index 07fd9c97d21ff..ab241c0b88f42 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -2010,7 +2010,7 @@ describe('function', () => { const stack = new cdk.Stack(); const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', { - platformId: 'xxx', + platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA, }); const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 04dd1c1c6138a..ddde5eb6cb83f 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts 
@@ -2,6 +2,44 @@ import { Duration, IResource, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnSigningProfile } from './signer.generated';
 
+/**
+ * Platforms that are allowed with signing config.
+ * @see https://docs.aws.amazon.com/signer/latest/developerguide/gs-platform.html
+ */
+export class Platform {
+ /**
+ * Specification of signature format and signing algorithms for AWS IoT Device.
+ */
+ public static readonly AWS_IOT_DEVICE_MANAGEMENT_SHA256_ECDSA = new Platform('AWSIoTDeviceManagement-SHA256-ECDSA');
+
+ /**
+ * Specification of signature format and signing algorithms for AWS Lambda.
+ */
+ public static readonly AWS_LAMBDA_SHA384_ECDSA = new Platform('AWSLambda-SHA384-ECDSA');
+
+ /**
+ * Specification of signature format and signing algorithms with
+ * SHA1 hash and RSA encryption for Amazon FreeRTOS.
+ */
+ public static readonly AMAZON_FREE_RTOS_TI_CC3220SF = new Platform('AmazonFreeRTOS-TI-CC3220SF');
+
+ /**
+ * Specification of signature format and signing algorithms with
+ * SHA256 hash and ECDSA encryption for Amazon FreeRTOS.
+ */
+ public static readonly AMAZON_FREE_RTOS_DEFAULT = new Platform('AmazonFreeRTOS-Default');
+
+ /**
+ * The id of signing platform.
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-signer-signingprofile.html#cfn-signer-signingprofile-platformid
+ */
+ public readonly platformId: string;
+
+ private constructor(platformId: string) {
+ this.platformId = platformId;
+ }
+}
+
 /**
 * A Signer Profile
 */
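Review bot: `Platform` has a private constructor and no factory, so a signing platform that AWS introduces after this release cannot be expressed by users at all until the library ships a new constant; adding `public static of(platformId: string): Platform { return new Platform(platformId); }` keeps the typed constants for the known ids while leaving an escape hatch, which is how CDK enum-like classes are commonly written. The class comment is also slightly off target — it is the signing profile, not the code signing config, that takes a platform — so `* Signing platforms that a signing profile can be created with.` reads more accurately. The remaining lines of the file are outside this hunk.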
@@ -36,9 +74,10 @@ export interface ISigningProfile extends IResource { */ export interface SigningProfileProps { /** - * The ID of a platform that is available for use by a signing profile. + * The Signing Platform available for signing profile. + * @see https://docs.aws.amazon.com/signer/latest/developerguide/gs-platform.html */ - readonly platformId: string; + readonly platform: Platform; /** * The validity period for signatures generated using @@ -121,7 +160,7 @@ export class SigningProfile extends Resource implements ISigningProfile { }); const resource = new CfnSigningProfile( this, 'Resource', { - platformId: props.platformId, + platformId: props.platform.platformId, signatureValidityPeriod: props.signatureValidityPeriod ? { type: 'DAYS', value: props.signatureValidityPeriod?.toDays(), diff --git a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts index a90a816c17705..287a576e8d020 100644 --- a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts @@ -2,8 +2,6 @@ import '@aws-cdk/assert/jest'; import * as cdk from '@aws-cdk/core'; import * as signer from '../lib'; -const EXAMPLE_PLATFORM_ID = 'AWSLambda-SHA384-ECDSA'; - let app: cdk.App; let stack: cdk.Stack; beforeEach( () => { @@ -13,11 +11,11 @@ beforeEach( () => { describe('signing profile', () => { test( 'default', () => { - const platformId = EXAMPLE_PLATFORM_ID; - new signer.SigningProfile( stack, 'SigningProfile', { platformId } ); + const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; + new signer.SigningProfile( stack, 'SigningProfile', { platform } ); expect(stack).toHaveResource('AWS::Signer::SigningProfile', { - PlatformId: platformId, + PlatformId: platform.platformId, SignatureValidityPeriod: { Type: 'MONTHS', Value: 135, 
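Review bot: In the `CfnSigningProfile` call at the end of the second hunk, `props.signatureValidityPeriod?.toDays()` sits inside the branch that already tested the property, so the `?.` is dead, and `Duration.toDays()` throws for a duration that is not a whole number of days (e.g. `Duration.hours(36)`), surfacing as a generic core conversion error rather than one that names this property. Either document on `signatureValidityPeriod` that the value must be a whole number of days, or validate it before building the resource and throw a message that mentions the property; the call itself becomes `value: props.signatureValidityPeriod.toDays(),`. The same line is rewritten in the PATCH 43 hunk further down (renamed to `signatureValidity`) and the point applies there too. The constructor body continues outside the hunk.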
@@ -26,14 +24,14 @@ describe('signing profile', () => { }); test( 'default with signature validity period', () => { - const platformId = EXAMPLE_PLATFORM_ID; + const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; new signer.SigningProfile( stack, 'SigningProfile', { - platformId, + platform, signatureValidityPeriod: cdk.Duration.days( 7 ), } ); expect(stack).toHaveResource('AWS::Signer::SigningProfile', { - PlatformId: platformId, + PlatformId: platform.platformId, SignatureValidityPeriod: { Type: 'DAYS', Value: 7, @@ -42,15 +40,15 @@ describe('signing profile', () => { }); test( 'default with some tags', () => { - const platformId = EXAMPLE_PLATFORM_ID; - const signing = new signer.SigningProfile( stack, 'SigningProfile', { platformId } ); + const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; + const signing = new signer.SigningProfile( stack, 'SigningProfile', { platform } ); cdk.Tags.of(signing).add('tag1', 'value1'); cdk.Tags.of(signing).add('tag2', 'value2'); cdk.Tags.of(signing).add('tag3', ''); expect(stack).toHaveResource('AWS::Signer::SigningProfile', { - PlatformId: platformId, + PlatformId: platform.platformId, SignatureValidityPeriod: { Type: 'MONTHS', Value: 135, From 53240eeacdb248237372143061219228d9e73e88 Mon Sep 17 00:00:00 2001 From: hedrall Date: Mon, 22 Feb 2021 09:24:46 +0900 Subject: [PATCH 30/46] delete code not need --- packages/@aws-cdk/aws-lambda/lib/function.ts | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts index c19dcb96d730c..8d487276a6176 100644 --- a/packages/@aws-cdk/aws-lambda/lib/function.ts +++ b/packages/@aws-cdk/aws-lambda/lib/function.ts 
@@ -534,13 +534,6 @@ export class Function extends FunctionBase { private _logGroup?: logs.ILogGroup; - /** - * Code signing config associated with this function - * - * @default - Not Sign the Code - */ - public readonly codeSigningConfig?: ICodeSigningConfig; - /** * Environment variables for this function */ @@ -626,8 +619,6 @@ export class Function extends FunctionBase { }]; } - this.codeSigningConfig = props.codeSigningConfig; - const resource: CfnFunction = new CfnFunction(this, 'Resource', { functionName: this.physicalName, description: props.description, @@ -658,7 +649,7 @@ export class Function extends FunctionBase { }), kmsKeyArn: props.environmentEncryption?.keyArn, fileSystemConfigs, - codeSigningConfigArn: this.codeSigningConfig?.codeSigningConfigArn, + codeSigningConfigArn: props.codeSigningConfig?.codeSigningConfigArn, }); resource.node.addDependency(this.role); From b0334248e3af898eb599624e908d5e8f023b971d Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:24:59 +0900 Subject: [PATCH 31/46] Update packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts Co-authored-by: Niranjan Jayakar --- .../aws-lambda/lib/code-signing-config.ts | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index f77dbe482f047..ecc4da2886ca7 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts 
@@ -79,20 +79,19 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { * @param codeSigningConfigArn The ARN of code signing config. */ public static fromCodeSigningConfigArn( scope: Construct, id: string, codeSigningConfigArn: string): ICodeSigningConfig { + const codeSigningProfileId = Stack.of(scope).parseArn(codeSigningConfigArn).resourceName; + if (!codeSigningProfileId) { + throw new Error(`Code signing config ARN must be in the format 'arn:aws:lambda:::code-signing-config:', got: '${codeSigningConfigArn}'`); + } class Import extends Resource implements ICodeSigningConfig { public readonly codeSigningConfigArn = codeSigningConfigArn; - public readonly codeSigningConfigId: string; + public readonly codeSigningConfigId = codeSigningProfileId; - constructor( codeSigningProfileId: string ) { + constructor() { super(scope, id); - this.codeSigningConfigId = codeSigningProfileId; } } - const codeSigningProfileId = Stack.of(scope).parseArn(codeSigningConfigArn).resourceName; - if (!codeSigningProfileId) { - throw new Error(`Code signing config ARN must be in the format 'arn:aws:lambda:::code-signing-config:', got: '${codeSigningConfigArn}'`); - } - return new Import(codeSigningProfileId); + return new Import(); } public readonly codeSigningConfigArn: string; From 7351a7eb6ed77e6776d8c5861c7956002adb249a Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:34:10 +0900 Subject: [PATCH 32/46] Update packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts | 3 --- 1 file changed, 3 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index db2f7860d212e..619fc7d493128 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts 
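Review bot: The check moved to the top of `fromCodeSigningConfigArn` only verifies that `parseArn` produced a resource name, so an ARN for a different service or resource type with the same `service:region:account:resource:name` layout passes and its last segment becomes `codeSigningConfigId`, while the thrown message promises a `code-signing-config` format that is not actually enforced. Keep the parsed object and test the fixed segments as well: `const parsed = Stack.of(scope).parseArn(codeSigningConfigArn);` then `if (parsed.service !== 'lambda' || parsed.resource !== 'code-signing-config' || !parsed.resourceName) {` in front of the existing throw. If unresolved token ARNs have to be accepted, the two string comparisons should only run when `!Token.isUnresolved(codeSigningConfigArn)`, since `parseArn` returns tokens for those. The class body continues past the end of the hunk.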
@@ -64,9 +64,6 @@ describe('code signing config', () => { }, ], }, - CodeSigningPolicies: { - UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.WARN, - }, }); }); From 817225d8a41c50fe2d21005e4a8d14147c9cfdea Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:35:05 +0900 Subject: [PATCH 33/46] Update packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts Co-authored-by: Niranjan Jayakar --- .../@aws-cdk/aws-lambda/test/code-signing-config.test.ts | 8 -------- 1 file changed, 8 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index 619fc7d493128..6215a510fca64 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts @@ -77,14 +77,6 @@ describe('code signing config', () => { }); expect(stack).toHaveResource('AWS::Lambda::CodeSigningConfig', { - AllowedPublishers: { - SigningProfileVersionArns: [{ - 'Fn::GetAtt': [ - 'SigningProfile2139A0F9', - 'ProfileVersionArn', - ], - }], - }, CodeSigningPolicies: { UntrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE, }, From 2bf5cdc7dc729754260d690d472c8919cdc26214 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:36:56 +0900 Subject: [PATCH 34/46] Update packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index 6215a510fca64..60d750d0d5c37 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts 
@@ -91,6 +91,6 @@ describe('code signing config', () => { expect(codeSigningConfig.codeSigningConfigArn).toBe(codeSigningConfigArn); expect(codeSigningConfig.codeSigningConfigId).toBe(codeSigningConfigId); - expect(stack).toMatchTemplate({}); + expect(stack).toCountResources('AWS::Lambda::CodeSigningConfig', 0); }); }); From 6a90c8e7eda2422ba1605a7cae271ff34e89795d Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:38:40 +0900 Subject: [PATCH 35/46] Update packages/@aws-cdk/aws-lambda/test/function.test.ts Co-authored-by: Niranjan Jayakar --- .../@aws-cdk/aws-lambda/test/function.test.ts | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/test/function.test.ts b/packages/@aws-cdk/aws-lambda/test/function.test.ts index ab241c0b88f42..50cf6b0c9b72b 100644 --- a/packages/@aws-cdk/aws-lambda/test/function.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/function.test.ts @@ -2025,20 +2025,13 @@ describe('function', () => { }); expect(stack).toHaveResource('AWS::Lambda::Function', { - Properties: { - Code: { ZipFile: 'foo' }, - Handler: 'index.handler', - Role: { 'Fn::GetAtt': ['MyLambdaServiceRole4539ECB6', 'Arn'] }, - Runtime: 'nodejs10.x', - CodeSigningConfigArn: { - 'Fn::GetAtt': [ - 'CodeSigningConfigD8D41C10', - 'CodeSigningConfigArn', - ], - }, + CodeSigningConfigArn: { + 'Fn::GetAtt': [ + 'CodeSigningConfigD8D41C10', + 'CodeSigningConfigArn', + ], }, - DependsOn: ['MyLambdaServiceRole4539ECB6'], - }, ResourcePart.CompleteDefinition); + }); }); }); }); From afc9cdc72b43a3212bb54fcb6dd9b45a19a431a4 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:46:57 +0900 Subject: [PATCH 36/46] Update packages/@aws-cdk/aws-signer/README.md Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-signer/README.md | 32 ++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) 
diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index a3663c4ebdfef..83f8ceeecd826 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md @@ -21,7 +21,36 @@ -Define a Signer SigningProfile: +AWS Signer is a fully managed code-signing service to ensure the trust and integrity of your code. Organizations validate code against +a digital signature to confirm that the code is unaltered and from a trusted publisher. For more information, see [What Is AWS +Signer?](https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html) + +## Table of Contents + +- [Signing Platform](#signing-platform) +- [Signing Profile](#signing-profile) + +## Signing Platform + +A signing platform is a predefined set of instructions that specifies the signature format and signing algorithms that AWS Signer should use +to sign a zip file. For more information go to [Signing Platforms in AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/gs-platform.html). + +AWS Signer provides a pre-defined set of signing platforms. They are available in the CDK as - + +```ts +Platform.AWS_IOT_DEVICE_MANAGEMENT_SHA256_ECDSA +Platform.AWS_LAMBDA_SHA384_ECDSA +Platform.AMAZON_FREE_RTOS_TI_CC3220SF +Platform.AMAZON_FREE_RTOS_DEFAULT +``` + +## Signing Profile + +A signing profile is a code-signing template that can be used to pre-define the signature specifications for a signing job. +A signing profile includes a signing platform to designate the file type to be signed, the signature format, and the signature algorithms. +For more information, visit [Signing Profiles in AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/gs-profile.html). + +The following code sets up a signing profile - ```ts import * as signer from '@aws-cdk/aws-signer'; 
@@ -45,4 +74,3 @@ const signingProfile = new signer.SigningProfile(this, 'SignginProfile', { signatureValidityPeriod: cdk.Duration.days(365), // Default to 135 months }) ``` - From fa08a952a3fc3038a6111bea1b83d91173bafb28 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:49:33 +0900 Subject: [PATCH 37/46] Update packages/@aws-cdk/aws-signer/lib/signing-profile.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-signer/lib/signing-profile.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index ddde5eb6cb83f..9131a7e6e04b0 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -52,21 +52,21 @@ export interface ISigningProfile extends IResource { /** * The name of signing profile. - * @attribute + * @attribute signingProfileProfileName */ - readonly signingProfileProfileName: string; + readonly signingProfileName: string; /** * The version of signing profile. - * @attribute + * @attribute signingProfileProfileVersion */ - readonly signingProfileProfileVersion: string; + readonly signingProfileVersion: string; /** * The ARN of signing profile version. - * @attribute + * @attribute signingProfileProfileVersionArn */ - readonly signingProfileProfileVersionArn: string; + readonly signingProfileVersionArn: string; } /** From f64672671ba6a16b3bd587c7efeeb6d23362038d Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:50:29 +0900 Subject: [PATCH 38/46] Update packages/@aws-cdk/aws-signer/lib/signing-profile.ts Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-signer/lib/signing-profile.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 9131a7e6e04b0..39012f80cefe6 100644 
--- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -102,12 +102,12 @@ export interface SigningProfileAttributes { /** * The name of signing profile. */ - readonly signingProfileProfileName: string; + readonly signingProfileName: string; /** * The version of signing profile. */ - readonly signingProfileProfileVersion: string; + readonly signingProfileVersion: string; } /** From fa40904c9abd4bec9acf4ec66eb6803956f26400 Mon Sep 17 00:00:00 2001 From: Masaharu Komuro Date: Wed, 24 Feb 2021 06:52:44 +0900 Subject: [PATCH 39/46] Update packages/@aws-cdk/aws-lambda/README.md Co-authored-by: Niranjan Jayakar --- packages/@aws-cdk/aws-lambda/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-lambda/README.md b/packages/@aws-cdk/aws-lambda/README.md index aaf72677f797f..97f1f86551fe2 100644 --- a/packages/@aws-cdk/aws-lambda/README.md +++ b/packages/@aws-cdk/aws-lambda/README.md @@ -501,7 +501,7 @@ The following code configures a function with code signing. import * as signer from '@aws-cdk/aws-signer'; const signerProfile = signer.SigningProfile(this, 'SigningProfile', { - platformId: 'xxxxxx' + platform: Platform.AWS_LAMBDA_SHA384_ECDSA }); const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', { From 7573c5e21388aaaec7fe880ab39abaf00dc2ceac Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 24 Feb 2021 07:07:48 +0900 Subject: [PATCH 40/46] Fixed name inconsistencies of signer profile due to changes --- .../aws-signer/lib/signing-profile.ts | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 39012f80cefe6..3f57d23c705d9 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts 
@@ -126,33 +126,33 @@ export class SigningProfile extends Resource implements ISigningProfile { public static fromSigningProfileAttributes( scope: Construct, id: string, attrs: SigningProfileAttributes): ISigningProfile { class Import extends Resource implements ISigningProfile { public readonly signingProfileArn: string; - public readonly signingProfileProfileName = attrs.signingProfileProfileName; - public readonly signingProfileProfileVersion = attrs.signingProfileProfileVersion; - public readonly signingProfileProfileVersionArn: string; + public readonly signingProfileName = attrs.signingProfileName; + public readonly signingProfileVersion = attrs.signingProfileVersion; + public readonly signingProfileVersionArn: string; constructor(signingProfileArn: string, signingProfileProfileVersionArn: string) { super(scope, id); this.signingProfileArn = signingProfileArn; - this.signingProfileProfileVersionArn = signingProfileProfileVersionArn; + this.signingProfileVersionArn = signingProfileProfileVersionArn; } } const signingProfileArn = Stack.of(scope).formatArn({ service: 'signer', resource: '', - resourceName: `/signing-profiles/${attrs.signingProfileProfileName}`, + resourceName: `/signing-profiles/${attrs.signingProfileName}`, }); - const signingProfileProfileVersionArn = Stack.of(scope).formatArn({ + const SigningProfileVersionArn = Stack.of(scope).formatArn({ service: 'signer', resource: '', - resourceName: `/signing-profiles/${attrs.signingProfileProfileName}/${attrs.signingProfileProfileVersion}`, + resourceName: `/signing-profiles/${attrs.signingProfileName}/${attrs.signingProfileVersion}`, }); - return new Import(signingProfileArn, signingProfileProfileVersionArn); + return new Import(signingProfileArn, SigningProfileVersionArn); } public readonly signingProfileArn: string; - public readonly signingProfileProfileName: string; - public readonly signingProfileProfileVersion: string; - public readonly signingProfileProfileVersionArn: string; + public readonly 
signingProfileName: string; + public readonly signingProfileVersion: string; + public readonly signingProfileVersionArn: string; constructor(scope: Construct, id: string, props: SigningProfileProps) { super(scope, id, { @@ -171,8 +171,8 @@ export class SigningProfile extends Resource implements ISigningProfile { } ); this.signingProfileArn = resource.attrArn; - this.signingProfileProfileName = resource.attrProfileName; - this.signingProfileProfileVersion = resource.attrProfileVersion; - this.signingProfileProfileVersionArn = resource.attrProfileVersionArn; + this.signingProfileName = resource.attrProfileName; + this.signingProfileVersion = resource.attrProfileVersion; + this.signingProfileVersionArn = resource.attrProfileVersionArn; } } From a2b0e3fc8e8531151733181e2bd655827a00c02e Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 24 Feb 2021 07:22:44 +0900 Subject: [PATCH 41/46] Fixed name inconsistencies of code signing config due to changes --- packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts index ecc4da2886ca7..0472eb5d048f5 100644 --- a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts +++ b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts @@ -83,9 +83,10 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { if (!codeSigningProfileId) { throw new Error(`Code signing config ARN must be in the format 'arn:aws:lambda:::code-signing-config:', got: '${codeSigningConfigArn}'`); } + const assertedCodeSigningProfileId = codeSigningProfileId; class Import extends Resource implements ICodeSigningConfig { public readonly codeSigningConfigArn = codeSigningConfigArn; - public readonly codeSigningConfigId = codeSigningProfileId; + public readonly codeSigningConfigId = assertedCodeSigningProfileId; constructor() { super(scope, id); 
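Review bot: The ARNs built in `fromSigningProfileAttributes` (the hunk begins on the preceding physical line) come out with a doubled slash: `formatArn` joins `resource: ''` and a `resourceName` that already starts with `/signing-profiles/` using the default `/` separator, giving `arn:…:ACCOUNT://signing-profiles/NAME`, and the import test in PATCH 42 even asserts the `'://signing-profiles/'` fragment. Signer's documented ARN form is `arn:aws:signer:REGION:ACCOUNT:/signing-profiles/NAME[/VERSION]` with a single slash, so an imported profile's `signingProfileArn` and `signingProfileVersionArn` will not match the deployed resource when used in IAM policies or compared against it. Passing `resource: '/signing-profiles'` with `resourceName: attrs.signingProfileName` (and `` `${attrs.signingProfileName}/${attrs.signingProfileVersion}` `` for the version ARN) yields the single-slash form, with the test expectation updated to match. As a style point, the local `SigningProfileVersionArn` is PascalCase for a variable; `signingProfileVersionArn` matches the rest of the function.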
@@ -101,7 +102,7 @@ export class CodeSigningConfig extends Resource implements ICodeSigningConfig { super(scope, id); const signingProfileVersionArns = props.signingProfiles.map(signingProfile => { - return signingProfile.signingProfileProfileVersionArn; + return signingProfile.signingProfileVersionArn; }); const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', { From e7be9b8c544bdf108b5c2387153c5738eea99b95 Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 24 Feb 2021 07:43:23 +0900 Subject: [PATCH 42/46] Fixed remaining name mismatches. Add test case of code signing config that fail import with malformed code signing config arn. Add ignore 'resource-attribute' rule to package.json in signer package. --- .../aws-lambda/test/code-signing-config.test.ts | 6 ++++++ packages/@aws-cdk/aws-signer/package.json | 7 +++++++ .../aws-signer/test/signing-profile.test.ts | 14 +++++++------- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts index 60d750d0d5c37..1d078f85e2684 100644 --- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts +++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts @@ -93,4 +93,10 @@ describe('code signing config', () => { expect(codeSigningConfig.codeSigningConfigId).toBe(codeSigningConfigId); expect(stack).toCountResources('AWS::Lambda::CodeSigningConfig', 0); }); + + test('fail import with malformed code signing config arn', () => { + const codeSigningConfigArn = 'arn:aws:lambda:::code-signing-config'; + + expect(() => lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ) ).toThrow(); + }); }); diff --git a/packages/@aws-cdk/aws-signer/package.json b/packages/@aws-cdk/aws-signer/package.json index f01a984dfdd28..50f8ac8867cdf 100644 --- a/packages/@aws-cdk/aws-signer/package.json 
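Review bot: `CodeSigningConfig` collects `signingProfileVersionArn` from any `ISigningProfile` without regard to its platform, and the 'with multiple signing profiles' test in PATCH 29 wires FreeRTOS and IoT profiles into a Lambda code signing config even though Lambda code signing requires profiles created on the `AWSLambda-SHA384-ECDSA` platform; the `signingProfiles` doc should at least say `Signing profiles must use Platform.AWS_LAMBDA_SHA384_ECDSA.`, and since `ISigningProfile` does not appear to expose a platform, that doc is the only place a user will learn it. Separately, when `untrustedArtifactOnDeployment` is left unset the service default of `Warn` applies — unsigned or mis-signed packages still deploy and are only logged — which is consistent with the default test no longer expecting a `CodeSigningPolicies` block (PATCH 32); the option's `@default` should spell that out so users opt into `ENFORCE` knowingly. The `CfnCodeSigningConfig` property block continues past the end of the hunk, so the policy mapping itself is not visible here.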
+++ b/packages/@aws-cdk/aws-signer/package.json @@ -96,5 +96,12 @@ }, "publishConfig": { "tag": "latest" + }, + "awslint": { + "exclude": [ + "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileName", + "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileVersion", + "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileVersionArn" + ] } } diff --git a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts index 287a576e8d020..6a9c8a2a88066 100644 --- a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts @@ -72,11 +72,11 @@ describe('signing profile', () => { describe('import', () => { test('from signingProfileProfileName and signingProfileProfileVersion', () => { - const signingProfileProfileName = 'test'; - const signingProfileProfileVersion = 'xxxxxxxx'; + const signingProfileName = 'test'; + const signingProfileVersion = 'xxxxxxxx'; const signingProfile = signer.SigningProfile.fromSigningProfileAttributes(stack, 'Imported', { - signingProfileProfileName, - signingProfileProfileVersion, + signingProfileName, + signingProfileVersion, }); expect(stack.resolve(signingProfile.signingProfileArn)).toStrictEqual( @@ -90,12 +90,12 @@ describe('signing profile', () => { { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, - `://signing-profiles/${signingProfileProfileName}`, + `://signing-profiles/${signingProfileName}`, ], ], }, ); - expect(stack.resolve(signingProfile.signingProfileProfileVersionArn)).toStrictEqual({ + expect(stack.resolve(signingProfile.signingProfileVersionArn)).toStrictEqual({ 'Fn::Join': [ '', [ 
@@ -105,7 +105,7 @@ describe('signing profile', () => { { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, - `://signing-profiles/${signingProfileProfileName}/${signingProfileProfileVersion}`, + `://signing-profiles/${signingProfileName}/${signingProfileVersion}`, ], ], }); From dbac3807c6ca8295478f0cd1a65075ba8f268e0d Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 24 Feb 2021 07:47:38 +0900 Subject: [PATCH 43/46] change name of propertiy signatureValidityPeriod to signatureValidity --- packages/@aws-cdk/aws-signer/README.md | 2 +- packages/@aws-cdk/aws-signer/lib/signing-profile.ts | 6 +++--- packages/@aws-cdk/aws-signer/test/signing-profile.test.ts | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index 83f8ceeecd826..685822356a94e 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md @@ -71,6 +71,6 @@ import * as cdk from '@aws-cdk/aws-core'; const signingProfile = new signer.SigningProfile(this, 'SignginProfile', { platformId: 'xxxxxx', - signatureValidityPeriod: cdk.Duration.days(365), // Default to 135 months + signatureValidity: cdk.Duration.days(365), // Default to 135 months }) ``` diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts index 3f57d23c705d9..26fd4df3cd4de 100644 --- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts +++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts @@ -85,7 +85,7 @@ export interface SigningProfileProps { * * @default - 135 months */ - readonly signatureValidityPeriod?: Duration; + readonly signatureValidity?: Duration; /** * Physical name of this Signing Profile. 
@@ -161,9 +161,9 @@ export class SigningProfile extends Resource implements ISigningProfile { const resource = new CfnSigningProfile( this, 'Resource', { platformId: props.platform.platformId, - signatureValidityPeriod: props.signatureValidityPeriod ? { + signatureValidityPeriod: props.signatureValidity ? { type: 'DAYS', - value: props.signatureValidityPeriod?.toDays(), + value: props.signatureValidity?.toDays(), } : { type: 'MONTHS', value: 135, diff --git a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts index 6a9c8a2a88066..6148a6be70bda 100644 --- a/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts +++ b/packages/@aws-cdk/aws-signer/test/signing-profile.test.ts @@ -27,7 +27,7 @@ describe('signing profile', () => { const platform = signer.Platform.AWS_LAMBDA_SHA384_ECDSA; new signer.SigningProfile( stack, 'SigningProfile', { platform, - signatureValidityPeriod: cdk.Duration.days( 7 ), + signatureValidity: cdk.Duration.days( 7 ), } ); expect(stack).toHaveResource('AWS::Signer::SigningProfile', { From 07247d2a1ee84e60d556193afc89156a072fa26c Mon Sep 17 00:00:00 2001 From: hedrall Date: Wed, 24 Feb 2021 07:49:33 +0900 Subject: [PATCH 44/46] apply suggested readme change of signing profile --- packages/@aws-cdk/aws-signer/README.md | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md index 685822356a94e..159d1989d0800 100644 --- a/packages/@aws-cdk/aws-signer/README.md +++ b/packages/@aws-cdk/aws-signer/README.md 
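Review bot: The rename to `signatureValidity` in this hunk leaves the package README out of step with the API: the README example touched in the same patch still passes `platformId: 'xxxxxx'` although the property is now `platform`, and the sentence PATCH 44 adds in its place refers to "the `signatureValidityPeriod` property". Both should follow the new names, e.g. `platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,` in the example and "specifying the `signatureValidity` property" in the sentence. The aws-lambda README snippet from PATCH 39 likewise uses `Platform.AWS_LAMBDA_SHA384_ECDSA` without the `signer.` namespace it imports.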
@@ -60,17 +60,4 @@ const signingProfile = new signer.SigningProfile(this, 'SigningProfile', {
 } );
 ```
-> **Note**: To get the list of available platforms, you can run aws-cli command of `aws signer list-signing-platforms`
-
- Define a Signer SigningProfile with validity period:
-
- Specifies the duration in the period that the signing profile is valid.
-
- ```ts
- import * as cdk from '@aws-cdk/aws-core';
-
- const signingProfile = new signer.SigningProfile(this, 'SignginProfile', {
- platformId: 'xxxxxx',
- signatureValidity: cdk.Duration.days(365), // Default to 135 months
- })
- ```
+A signing profile is valid by default for 135 months. This can be modified by specifying the `signatureValidityPeriod` property.
From 5fff48cfdaf00d31b36407acc1eaa8f8f3505829 Mon Sep 17 00:00:00 2001
From: Niranjan Jayakar
Date: Thu, 25 Feb 2021 11:35:37 +0000
Subject: [PATCH 45/46] fix the linter violation
---
 packages/@aws-cdk/aws-signer/lib/signing-profile.ts | 6 +++---
 packages/@aws-cdk/aws-signer/package.json | 7 -------
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts
index 26fd4df3cd4de..8a0d14c3d194a 100644
--- a/packages/@aws-cdk/aws-signer/lib/signing-profile.ts
+++ b/packages/@aws-cdk/aws-signer/lib/signing-profile.ts
@@ -52,19 +52,19 @@ export interface ISigningProfile extends IResource {
 /**
 * The name of signing profile.
- * @attribute signingProfileProfileName
+ * @attribute ProfileName
 */
 readonly signingProfileName: string;
 /**
 * The version of signing profile.
- * @attribute signingProfileProfileVersion
+ * @attribute ProfileVersion
 */
 readonly signingProfileVersion: string;
 /**
 * The ARN of signing profile version.
- * @attribute signingProfileProfileVersionArn
+ * @attribute ProfileVersionArn
 */
 readonly signingProfileVersionArn: string;
 }
diff --git a/packages/@aws-cdk/aws-signer/package.json b/packages/@aws-cdk/aws-signer/package.json
index 50f8ac8867cdf..f01a984dfdd28 100644
--- a/packages/@aws-cdk/aws-signer/package.json
+++ b/packages/@aws-cdk/aws-signer/package.json
@@ -96,12 +96,5 @@
 },
 "publishConfig": {
 "tag": "latest"
- },
- "awslint": {
- "exclude": [
- "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileName",
- "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileVersion",
- "resource-attribute:@aws-cdk/aws-signer.SigningProfile.signingProfileProfileVersionArn"
- ]
 }
 }
From 3427ea1da4e079dc7557be5d1d6046df5576d966 Mon Sep 17 00:00:00 2001
From: Niranjan Jayakar
Date: Thu, 25 Feb 2021 11:42:05 +0000
Subject: [PATCH 46/46] Apply suggestions from code review
---
 packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts | 2 +-
 packages/@aws-cdk/aws-signer/README.md | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts
index 1d078f85e2684..3e123ab5d5d89 100644
--- a/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts
+++ b/packages/@aws-cdk/aws-lambda/test/code-signing-config.test.ts
@@ -97,6 +97,6 @@ describe('code signing config', () => {
 test('fail import with malformed code signing config arn', () => {
 const codeSigningConfigArn = 'arn:aws:lambda:::code-signing-config';
- expect(() => lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ) ).toThrow();
+ expect(() => lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported', codeSigningConfigArn ) ).toThrow(/ARN must be in the format/);
 });
 });
diff --git a/packages/@aws-cdk/aws-signer/README.md b/packages/@aws-cdk/aws-signer/README.md
index 159d1989d0800..925261fd4be52 100644
--- a/packages/@aws-cdk/aws-signer/README.md
+++ b/packages/@aws-cdk/aws-signer/README.md
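Review bot: The malformed-ARN test now pins the `ARN must be in the format` message, but the only input it checks is an ARN with an empty resource name, so it does not show that `fromCodeSigningConfigArn` rejects a well-formed ARN of some other Lambda resource type (the parser is not in this hunk, so whether it checks the `code-signing-config` resource type is inferred). Since the imported ARN presumably becomes the function's `CodeSigningConfigArn`, and therefore decides which signing profiles a deployment trusts, a second case such as `expect(() => lambda.CodeSigningConfig.fromCodeSigningConfigArn(stack, 'Imported2', 'arn:aws:lambda:us-east-1:123456789012:function:example')).toThrow();` (constructed example ARN) would make that guarantee explicit. The enclosing `describe` block continues outside the hunk.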
@@ -50,13 +50,13 @@ A signing profile is a code-signing template that can be used to pre-define the
 A signing profile includes a signing platform to designate the file type to be signed, the signature format, and the signature algorithms. For more information, visit [Signing Profiles in AWS Signer](https://docs.aws.amazon.com/signer/latest/developerguide/gs-profile.html).
-The following code sets up a signing profile -
+The following code sets up a signing profile for signing lambda code bundles -
 ```ts
 import * as signer from '@aws-cdk/aws-signer';
 const signingProfile = new signer.SigningProfile(this, 'SigningProfile', {
- platformId: 'xxxxxx'
+ platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
 } );
 ```