feat(lambda): warn if you use function.grantInvoke while also using currentVersion #19464
Changes from 7 commits
@@ -1,5 +1,5 @@ | ||
import * as path from 'path'; | ||
import { Match, Template } from '@aws-cdk/assertions'; | ||
import { Annotations, Match, Template } from '@aws-cdk/assertions'; | ||
import { ProfilingGroup } from '@aws-cdk/aws-codeguruprofiler'; | ||
import * as ec2 from '@aws-cdk/aws-ec2'; | ||
import * as efs from '@aws-cdk/aws-efs'; | ||
|
@@ -435,6 +435,103 @@ describe('function', () => { | |
// THEN | ||
Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0); | ||
}); | ||
|
||
describe('annotations on different IFunctions', () => { | ||
let stack: cdk.Stack; | ||
let fn: lambda.Function; | ||
let warningMessage: string; | ||
beforeEach(() => { | ||
warningMessage = 'AWS Lambda has changed their authorization strategy'; | ||
stack = new cdk.Stack(); | ||
fn = new lambda.Function(stack, 'MyLambda', { | ||
code: lambda.Code.fromAsset(path.join(__dirname, 'my-lambda-handler')), | ||
handler: 'index.handler', | ||
runtime: lambda.Runtime.PYTHON_3_6, | ||
}); | ||
}); | ||
|
||
test('function', () => { | ||
// WHEN | ||
fn.addPermission('MyPermission', { | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
Annotations.fromStack(stack).hasWarning('/Default/MyLambda', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
|
||
test('version', () => { | ||
// GIVEN | ||
const version = new lambda.Version(stack, 'MyVersion', { | ||
lambda: fn, | ||
}); | ||
|
||
// WHEN | ||
version.addPermission('MyPermission', { | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
Annotations.fromStack(stack).hasNoWarning('/Default/MyVersion', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
|
||
test('latest version', () => { | ||
// WHEN | ||
fn.latestVersion.addPermission('MyPermission', { | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
// cannot add permissions on latest version, so no warning necessary | ||
Is this actually something people do? What's the value over just adding permissions to the function?

> Is this actually something people do?

IDK, but I'm reading from the
```
/**
 * The $LATEST version of a function, useful when attempting to create aliases.
 */
```
At any rate you cannot add permissions to $LATEST.
||
Annotations.fromStack(stack).hasNoWarning('/Default/MyLambda/$LATEST', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
|
||
test('alias', () => { | ||
// GIVEN | ||
const version = new lambda.Version(stack, 'MyVersion', { | ||
lambda: fn, | ||
}); | ||
const alias = new lambda.Alias(stack, 'MyAlias', { | ||
aliasName: 'alias', | ||
version, | ||
}); | ||
|
||
// WHEN | ||
alias.addPermission('MyPermission', { | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
Annotations.fromStack(stack).hasNoWarning('/Default/MyAlias', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
|
||
test('alias on latest version', () => { | ||
// GIVEN | ||
const alias = new lambda.Alias(stack, 'MyAlias', { | ||
aliasName: 'alias', | ||
version: fn.latestVersion, | ||
}); | ||
|
||
// WHEN | ||
alias.addPermission('MyPermission', { | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
Annotations.fromStack(stack).hasNoWarning('/Default/MyAlias', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
|
||
test('function without lambda:InvokeFunction', () => { | ||
// WHEN | ||
fn.addPermission('MyPermission', { | ||
action: 'lambda.GetFunction', | ||
principal: new iam.ServicePrincipal('lambda.amazonaws.com'), | ||
}); | ||
|
||
// THEN | ||
Annotations.fromStack(stack).hasNoWarning('/Default/MyLambda', Match.stringLikeRegexp(warningMessage)); | ||
}); | ||
}); | ||
}); | ||
|
||
test('Lambda code can be read from a local directory via an asset', () => { | ||
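Review bot: `action: 'lambda.GetFunction'` in the 'function without lambda:InvokeFunction' test uses a dot where IAM action names take a colon; the assertion still passes only because the value differs from `lambda:InvokeFunction`, so it does not show that a real non-invoke action is exempt. Change it to `action: 'lambda:GetFunction'`. Separately, the 'function' test expects the warning after a bare `fn.addPermission(...)` with no version, alias or `currentVersion` anywhere in the stack, which pins the always-warn behaviour rather than the narrower condition in the PR title (`grantInvoke` while also using `currentVersion`); add a case that reads `fn.currentVersion` and expects the warning, and have the bare-function case assert `hasNoWarning`.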
|
This looks like it will add the warning always, even if you're not using aliases or versions at all. Do I have that right?
If so, that is probably overly spammy. I'd prefer adding the warning if we detect the following:
- `grantInvoke` is called on the function; AND
- `currentVersion` is called/has been called
If you combine those, you're probably doing something wrong.
I am happy to do this, but what about the scenarios that this will miss? I'm thinking:
Shouldn't we warn users who do this that they should grantInvoke on the version?
To minimize the amount of support requests, I'd prefer to err on the side of caution: tell people when they're definitely doing something wrong, rather than when they might be doing something wrong.
So: I don't want false positives. We can talk about how to reduce false negatives.
There might be ways, we might care to invest in them (we might also not).
Okay! I think I've done exactly as you've described. Moved this from reducing false negatives to reducing false positives.
There is an `addVersion()` on Functions that is `@deprecated` in favor of `currentVersion`, so I decided not to warn those users. I think `@deprecated` is signal enough that you should not be using it. But open to feedback here.
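As an added illustration of the rule agreed on in the thread above (warn only when an invoke permission on the function is combined with `currentVersion`, in either order, and never for permissions placed on the version itself), here is a stand-alone TypeScript model. It is written for this page and is not the CDK implementation or the PR's code; `FunctionModel`, `VersionModel`, the `warns` helper, the warning text and the sample ARN are assumptions made for the example.

```typescript
// Added example (not CDK code): a minimal model of the proposed warning rule.
// FunctionModel and VersionModel are hypothetical names for this illustration.

const INVOKE = 'lambda:InvokeFunction';
const WARNING =
  'AWS Lambda has changed their authorization strategy: a permission on the ' +
  'unqualified function does not cover invoking currentVersion; grant on the ' +
  'version or alias instead.';

interface Permission {
  principal: string;
  action?: string; // defaults to lambda:InvokeFunction, mirroring addPermission
}

class VersionModel {
  readonly permissions: Permission[] = [];
  constructor(readonly fn: FunctionModel, readonly qualifiedArn: string) {}

  // Granting on the version is the recommended pattern; it never warns.
  addPermission(p: Permission): void {
    this.permissions.push({ ...p, action: p.action ?? INVOKE });
  }
  grantInvoke(principal: string): void {
    this.addPermission({ principal });
  }
}

class FunctionModel {
  readonly permissions: Permission[] = [];
  readonly warnings: string[] = [];
  private invokeOnFunction = false;
  private currentVersionUsed = false;

  constructor(readonly arn: string) {}

  // Reading currentVersion is the second half of the condition. Its order
  // relative to grantInvoke must not matter, so both paths call check().
  get currentVersion(): VersionModel {
    this.currentVersionUsed = true;
    this.check();
    return new VersionModel(this, `${this.arn}:1`);
  }

  // Only an invoke permission on the *function* counts; other actions
  // (e.g. lambda:GetFunction) are recorded but never trigger the warning.
  addPermission(p: Permission): void {
    const action = p.action ?? INVOKE;
    this.permissions.push({ ...p, action });
    if (action === INVOKE) {
      this.invokeOnFunction = true;
      this.check();
    }
  }
  grantInvoke(principal: string): void {
    this.addPermission({ principal });
  }

  // Emit the warning once, and only when both halves of the condition hold.
  private check(): void {
    if (this.invokeOnFunction && this.currentVersionUsed && this.warnings.length === 0) {
      this.warnings.push(WARNING);
    }
  }
}

// Scenario helper: builds a fresh function (constructed sample ARN), applies
// the caller's steps, and reports whether the model warned.
function warns(build: (fn: FunctionModel) => void): boolean {
  const fn = new FunctionModel('arn:aws:lambda:us-east-1:123456789012:function:MyLambda');
  build(fn);
  return fn.warnings.length > 0;
}
```

Each of the thread's cases maps onto a call to `warns`: a bare `fn.grantInvoke(...)` is silent, `fn.grantInvoke(...)` plus `fn.currentVersion` warns whichever comes first, `fn.currentVersion.grantInvoke(...)` is silent because the permission sits on the version, and a non-invoke action on the function with `currentVersion` in use is silent as well.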