From 3a6975d811da7e6cae9d87400709f288f2bbeb99 Mon Sep 17 00:00:00 2001 From: Roger Zhang Date: Sat, 1 Feb 2025 00:39:05 +0000 Subject: [PATCH 1/9] Support FURL Dual Auth --- ...efaultTestDeployAssertE3E7D2A4.assets.json | 2 +- .../Stack1.assets.json | 6 +- .../Stack1.template.json | 42 ++++++ .../integ.function-url.js.snapshot/cdk.out | 2 +- .../integ.function-url.js.snapshot/integ.json | 2 +- .../manifest.json | 24 ++- .../integ.function-url.js.snapshot/tree.json | 70 ++++++++- .../aws-cdk-lambda-1.template.json | 18 ++- .../integ.lambda.js.snapshot/manifest.json | 15 ++ .../lambda-permissions.template.json | 72 ++++++--- .../aws-lambda/lib/function-base.ts | 31 ++++ .../aws-lambda/lib/function-url.ts | 6 + .../aws-cdk-lib/aws-lambda/lib/permission.ts | 9 ++ .../aws-lambda/test/function-url.test.ts | 114 +++++++++++++- .../aws-lambda/test/function.test.ts | 15 ++ .../us-east-1/aws-lambda-permission.json | 142 ++++++++++++++++++ 16 files changed, 528 insertions(+), 42 deletions(-) create mode 100644 tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json index 8bbe077289ad2..7fc0c7c6c51ec 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.assets.json index 16b9ed6375e38..4e67c98ca3f1f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.assets.json @@ -1,7 +1,7 @@ { - "version": "38.0.1", + "version": "39.0.0", "files": { - "a83c04aa3d13aae337040b2062567727e3c7b177081dda963df9493e460f7a58": { + "94e5f0d29230836ba26ec58c273b89045314948f0ef34bab27dac1d9a9e81b25": { "source": { "path": "Stack1.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a83c04aa3d13aae337040b2062567727e3c7b177081dda963df9493e460f7a58.json", + "objectKey": "94e5f0d29230836ba26ec58c273b89045314948f0ef34bab27dac1d9a9e81b25.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.template.json index 84fdb041ee73e..2e25199d48d81 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/Stack1.template.json 
@@ -138,6 +138,20 @@ "Principal": "*" } }, + "NoAuthFunctionUrlsinvokefunction95ED1A84": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "NoAuthFunctionUrls65ABC157", + "Arn" + ] + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } + }, "CorsFunctionUrlsServiceRole6227B597": { "Type": "AWS::IAM::Role", "Properties": { @@ -222,6 +236,20 @@ "Principal": "*" } }, + "CorsFunctionUrlsinvokefunctionC0E078FD": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "CorsFunctionUrlsD81CF424", + "Arn" + ] + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } + }, "StreamFunctionUrlsServiceRoleAF76EC5D": { "Type": "AWS::IAM::Role", "Properties": { @@ -298,6 +326,20 @@ "FunctionUrlAuthType": "NONE", "Principal": "*" } + }, + "StreamFunctionUrlsinvokefunction7DC2262A": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "StreamFunctionUrlsAAB55C9C", + "Arn" + ] + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } } }, "Outputs": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/cdk.out index c6e612584e352..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"38.0.1"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/integ.json index 4de529c8a139a..52f3892ffc9f0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "39.0.0", "testCases": { "IntegTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/manifest.json index b1f4b3c3087af..5b135ca820ca3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "39.0.0", "artifacts": { "Stack1.assets": { "type": "cdk:asset-manifest", 
@@ -16,10 +16,9 @@ "templateFile": "Stack1.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a83c04aa3d13aae337040b2062567727e3c7b177081dda963df9493e460f7a58.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/94e5f0d29230836ba26ec58c273b89045314948f0ef34bab27dac1d9a9e81b25.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -83,6 +82,12 @@ "data": "NoAuthFunctionUrlsinvokefunctionurl832C0266" } ], + "/Stack1/NoAuthFunctionUrls/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "NoAuthFunctionUrlsinvokefunction95ED1A84" + } + ], "/Stack1/TheNoAuthFunctionUrls": [ { "type": "aws:cdk:logicalId", @@ -113,6 +118,12 @@ "data": "CorsFunctionUrlsinvokefunctionurl5E7D2994" } ], + "/Stack1/CorsFunctionUrls/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "CorsFunctionUrlsinvokefunctionC0E078FD" + } + ], "/Stack1/TheCorsFunctionUrls": [ { "type": "aws:cdk:logicalId", @@ -143,6 +154,12 @@ "data": "StreamFunctionUrlsinvokefunctionurl4FD8689D" } ], + "/Stack1/StreamFunctionUrls/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "StreamFunctionUrlsinvokefunction7DC2262A" + } + ], "/Stack1/TheStreamFunctionUrls": [ { "type": "aws:cdk:logicalId", 
@@ -179,7 +196,6 @@ "templateFile": "IntegTestDefaultTestDeployAssertE3E7D2A4.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/tree.json index 4cc480c2d3d34..0e90cc20cc791 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.function-url.js.snapshot/tree.json @@ -273,6 +273,28 @@ "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", "version": "0.0.0" } + }, + "invoke-function": { + "id": "invoke-function", + "path": "Stack1/NoAuthFunctionUrls/invoke-function", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "NoAuthFunctionUrls65ABC157", + "Arn" + ] + }, + "invokedViaFunctionUrl": true, + "principal": "*" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } } }, "constructInfo": { 
@@ -432,6 +454,28 @@ "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", "version": "0.0.0" } + }, + "invoke-function": { + "id": "invoke-function", + "path": "Stack1/CorsFunctionUrls/invoke-function", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "CorsFunctionUrlsD81CF424", + "Arn" + ] + }, + "invokedViaFunctionUrl": true, + "principal": "*" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } } }, "constructInfo": { @@ -584,6 +628,28 @@ "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", "version": "0.0.0" } + }, + "invoke-function": { + "id": "invoke-function", + "path": "Stack1/StreamFunctionUrls/invoke-function", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", + "aws:cdk:cloudformation:props": { + "action": "lambda:InvokeFunction", + "functionName": { + "Fn::GetAtt": [ + "StreamFunctionUrlsAAB55C9C", + "Arn" + ] + }, + "invokedViaFunctionUrl": true, + "principal": "*" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", + "version": "0.0.0" + } } }, "constructInfo": { @@ -634,7 +700,7 @@ "path": "IntegTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -680,7 +746,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/aws-cdk-lambda-1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/aws-cdk-lambda-1.template.json index 14dd3c90378da..6d9d006078b72 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/aws-cdk-lambda-1.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/aws-cdk-lambda-1.template.json @@ -58,7 +58,6 @@ "Code": { "ZipFile": "foo" }, - "Description": "version-hash:328ef84696e962e6a3e0f3c7b7e62c5d", "Handler": "index.handler", "Role": { "Fn::GetAtt": [ @@ -85,7 +84,7 @@ } } }, - "MyLambdaCurrentVersionE7A382CC9ce8e408346691aecad19aa25bc70350": { + "MyLambdaCurrentVersionE7A382CC886b1d5a6670b1ccc617b858b07da0e5": { "Type": "AWS::Lambda::Version", "Properties": { "FunctionName": { @@ -104,7 +103,7 @@ }, "FunctionVersion": { "Fn::GetAtt": [ - "MyLambdaCurrentVersionE7A382CC9ce8e408346691aecad19aa25bc70350", + "MyLambdaCurrentVersionE7A382CC886b1d5a6670b1ccc617b858b07da0e5", "Version" ] }, @@ -148,6 +147,17 @@ "Principal": "*" } }, + "Aliasinvokefunction83AEC4F1": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Ref": "Alias325C5727" + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } + }, "MySnapStartLambdaServiceRoleE0F04324": { "Type": "AWS::IAM::Role", "Properties": { @@ -188,7 +198,6 @@ }, "S3Key": "a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip" }, - "Description": "version-hash:cb4acf3f2fee0dc7ef3d57cc9e3c231f", "Handler": "example.Handler::handleRequest", "Role": { "Fn::GetAtt": [ @@ -248,7 +257,6 @@ }, "S3Key": "a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip" }, - "Description": "version-hash:522e22f485651f1644be7e317c07836f", "Handler": "example.Handler::handleRequest", "Role": { "Fn::GetAtt": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/manifest.json index 040ae25b4d5a1..41f3e4694f4d2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/manifest.json @@ -214,6 +214,12 @@ "data": "Aliasinvokefunctionurl4CA9917B" } ], + "/aws-cdk-lambda-1/Alias/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "Aliasinvokefunction83AEC4F1" + } + ], "/aws-cdk-lambda-1/MySnapStartLambda": [ { "type": "aws:cdk:analytics:construct", @@ -324,6 +330,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "MyLambdaCurrentVersionE7A382CC9ce8e408346691aecad19aa25bc70350": [ + { + "type": "aws:cdk:logicalId", + "data": "MyLambdaCurrentVersionE7A382CC9ce8e408346691aecad19aa25bc70350", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "aws-cdk-lambda-1" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.permissions.js.snapshot/lambda-permissions.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.permissions.js.snapshot/lambda-permissions.template.json index 7c414ded62508..b963482f218f9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.permissions.js.snapshot/lambda-permissions.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.permissions.js.snapshot/lambda-permissions.template.json @@ -155,6 +155,26 @@ "Statement": [ { "Action": "lambda:InvokeFunctionUrl", + "Condition": { + "StringEquals": { + "lambda:FunctionUrlAuthType": "AWS_IAM" + } + }, + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyLambdaCCE802FB", + "Arn" + ] + } + }, + { + "Action": "lambda:InvokeFunction", + "Condition": { + "Bool": { + "lambda:InvokedViaFunctionUrl": true + } + }, "Effect": "Allow", "Resource": { "Fn::GetAtt": [ @@ -167,12 +187,6 @@ "Action": "lambda:InvokeFunction", "Effect": "Allow", "Resource": [ - { - "Fn::GetAtt": [ - "MyLambdaCCE802FB", - "Arn" - ] - }, { "Fn::Join": [ "", 
@@ -183,31 +197,41 @@ "Arn" ] }, - ":", - { - "Fn::GetAtt": [ - "v192FF9954", - "Version" - ] - } + ":$LATEST" ] ] }, { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "MyLambdaCCE802FB", - "Arn" - ] - }, - ":$LATEST" - ] + "Fn::GetAtt": [ + "MyLambdaCCE802FB", + "Arn" ] } ] + }, + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "MyLambdaCCE802FB", + "Arn" + ] + }, + ":", + { + "Fn::GetAtt": [ + "v192FF9954", + "Version" + ] + } + ] + ] + } } ], "Version": "2012-10-17" diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts index 646cf08f488dc..47e35a3133157 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts @@ -407,6 +407,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC sourceArn: permission.sourceArn ?? sourceArn, principalOrgId: permission.organizationId ?? principalOrgID, functionUrlAuthType: permission.functionUrlAuthType, + invokedViaFunctionUrl: permission.invokedViaFunctionUrl, }); } @@ -540,6 +541,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC */ public grantInvokeUrl(grantee: iam.IGrantable): iam.Grant { const identifier = `InvokeFunctionUrl${grantee.grantPrincipal}`; // calls the .toString() of the principal + const identifierDualAuth = identifier + '-DualAuth'; // Memoize the result so subsequent grantInvoke() calls are idempotent let grant = this._functionUrlInvocationGrants[identifier]; 
@@ -547,6 +549,18 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC grant = this.grant(grantee, identifier, 'lambda:InvokeFunctionUrl', [this.functionArn], { functionUrlAuthType: FunctionUrlAuthType.AWS_IAM, }); + + // return if failed + if (!grant.success) { + return grant; + } + + // proceed to grant invokefunction for FURL Dual auth + grant = this.grant(grantee, identifierDualAuth, 'lambda:InvokeFunction', [this.functionArn], + { + invokedViaFunctionUrl: true, + }); + this._functionUrlInvocationGrants[identifier] = grant; } return grant; @@ -611,6 +625,22 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC return this.stack.splitArn(this.functionArn, ArnFormat.SLASH_RESOURCE_NAME).account === this.stack.account; } + /** + * Given permission overrides in lambda resource base policy, return equivalent condition for IAM policy statement + * @param permission Permission override for lambda resource base policy + * @returns condition for IAM policy statement, or undefined + */ + private permissionToCondition(permission?: Partial): Record>|undefined { + if (!permission) return undefined; + let condition:Record> = {}; + // eslint-disable-next-line dot-notation + permission.functionUrlAuthType ? condition['StringEquals'] = { 'lambda:FunctionUrlAuthType': permission.functionUrlAuthType } : undefined; + // eslint-disable-next-line dot-notation + permission.invokedViaFunctionUrl ? condition['Bool'] = { 'lambda:InvokedViaFunctionUrl': permission.invokedViaFunctionUrl } : undefined; + + return condition; + } + private grant( grantee: iam.IGrantable, identifier:string, @@ -622,6 +652,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC grantee, actions: [action], resourceArns, + conditions: this.permissionToCondition(permissionOverrides), // Fake resource-like object on which to call addToResourcePolicy(), which actually // calls addPermission() 
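Review bot: In `grantInvokeUrl`, the second `this.grant(...)` call overwrites `grant`, so the method returns and memoizes only the `lambda:InvokeFunction` grant. The `lambda:InvokeFunctionUrl` statement created just above is no longer reachable from the returned `iam.Grant`. A caller that inspects the result, for example with `assertSuccess()` or to read or add conditions on the statement, would see only half of what was granted. Keep both by combining them, e.g. `const dualAuthGrant = this.grant(grantee, identifierDualAuth, 'lambda:InvokeFunction', [this.functionArn], { invokedViaFunctionUrl: true });` followed by `grant = grant.combine(dualAuthGrant);`. The early `return grant` on failure also skips the memoization line, so it would help to reword the `// return if failed` comment to say that this is intended. The method's signature and the lookup of the memoized value sit in the previous hunk, outside this one.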
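Review bot: `permissionToCondition` is documented as returning the "equivalent condition" for a permission override, but it maps only `functionUrlAuthType` and `invokedViaFunctionUrl`. Any other override, such as `sourceArn` or `organizationId` (both forwarded to the resource policy in the `@@ -407` hunk), would be dropped from the identity-policy statement, leaving it broader than the resource-policy one. Whether any caller passes those overrides is not visible here, so at minimum the doc comment should say so, e.g. `Only functionUrlAuthType and invokedViaFunctionUrl are translated; other overrides are not reflected in the IAM statement`. The two ternaries used as statements are hard to read and are the reason for the lint suppressions. Plain guards read better: `if (permission.invokedViaFunctionUrl) { condition.Bool = { 'lambda:InvokedViaFunctionUrl': true }; }`, and likewise for `StringEquals`. The helper also returns `{}` rather than `undefined` when neither key is set, which contradicts the `@returns` line.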
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function-url.ts b/packages/aws-cdk-lib/aws-lambda/lib/function-url.ts index aeaca0775895c..b800f1904bdeb 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function-url.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function-url.ts @@ -265,6 +265,12 @@ export class FunctionUrl extends Resource implements IFunctionUrl { action: 'lambda:InvokeFunctionUrl', functionUrlAuthType: props.authType, }); + + props.function.addPermission('invoke-function', { + principal: new iam.AnyPrincipal(), + action: 'lambda:InvokeFunction', + invokedViaFunctionUrl: true, + }); } } diff --git a/packages/aws-cdk-lib/aws-lambda/lib/permission.ts b/packages/aws-cdk-lib/aws-lambda/lib/permission.ts index ecd6e066aa289..4edeee5295983 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/permission.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/permission.ts @@ -88,4 +88,13 @@ export interface Permission { * @default - No functionUrlAuthType */ readonly functionUrlAuthType?: FunctionUrlAuthType; + + /** + * The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. + * When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs. + * + * @default - false + */ + readonly invokedViaFunctionUrl?: boolean; + } diff --git a/packages/aws-cdk-lib/aws-lambda/test/function-url.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function-url.test.ts index 9c6bb414dc95f..123520056abbb 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function-url.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function-url.test.ts @@ -160,7 +160,7 @@ describe('FunctionUrl', () => { }).toThrow(/FunctionUrl CORS maxAge should be less than or equal to 86400 secs/); }); - test('grantInvokeUrl: adds appropriate permissions', () => { + test('DUAL AUTH: grantInvokeUrl: adds appropriate permissions', () => { // GIVEN const stack = new cdk.Stack(); const role = new iam.Role(stack, 'Role', { 
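Review bot: The added `addPermission('invoke-function', ...)` call grants `lambda:InvokeFunction` to `iam.AnyPrincipal()`, and the only thing scoping that statement is `invokedViaFunctionUrl: true`, so the call needs a comment saying exactly that. Something like `// '*' may call lambda:InvokeFunction only via the Function URL; this statement must never be emitted without invokedViaFunctionUrl` would stop a later refactor from quietly turning it into an open invoke permission. The fixed construct id `'invoke-function'` is also a name a user could plausibly have passed to `fn.addPermission()` already, which would presumably fail at synth with a duplicate-id error; a more specific id would avoid that. The enclosing block starts outside the hunk, so the auth-type guard around both `addPermission` calls is not visible here.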
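Review bot: The doc comment for `invokedViaFunctionUrl` in `permission.ts` says `@default - false`, but the `@@ -407` hunk in `function-base.ts` passes the value straight through, so an unset property is omitted rather than sent as `false`. The tag should describe the effect a reader cares about, e.g. `@default - no InvokedViaFunctionUrl restriction; the action is allowed through any invocation path`. It would also help to say that the key is meant to be paired with `lambda:InvokeFunction`, since that is the only action the comment mentions. The blank line added before the closing `}` of the interface can go.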
@@ -193,8 +193,120 @@ describe('FunctionUrl', () => { ], }, }, + { + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Condition: { + Bool: { + 'lambda:InvokedViaFunctionUrl': true, + }, + }, + }, + ], + }, + }); + }); + + test('DUAL AUTH: auth type None should add approprate resource policy', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('hello()'), + handler: 'index.hello', + runtime: lambda.Runtime.NODEJS_LATEST, + }); + + // WHEN + new lambda.FunctionUrl(stack, 'FunctionUrl', { + function: fn, + authType: lambda.FunctionUrlAuthType.NONE, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunctionUrl', + FunctionName: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Principal: '*', + FunctionUrlAuthType: 'NONE', + }); + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Principal: '*', + InvokedViaFunctionUrl: true, + }); + }); + + test('DUAL AUTH: auth type IAM with reference princial should add approprate resource policy', () => { + // GIVEN + const stack = new cdk.Stack(); + const fn = new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('hello()'), + handler: 'index.hello', + runtime: lambda.Runtime.NODEJS_LATEST, + }); + + // WHEN + const fnurl = new lambda.FunctionUrl(stack, 'FunctionUrl', { + function: fn, + authType: lambda.FunctionUrlAuthType.AWS_IAM, + }); + + const testRole = iam.Role.fromRoleArn(stack, 'arn-test', 'arn:aws:iam::1234:role/Test', { + mutable: false, + }); + + fnurl.grantInvokeUrl(testRole); + fn.grantInvoke(testRole); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 
'lambda:InvokeFunctionUrl', + FunctionName: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Principal: 'arn:aws:iam::1234:role/Test', + FunctionUrlAuthType: 'AWS_IAM', + }); + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Principal: 'arn:aws:iam::1234:role/Test', + InvokedViaFunctionUrl: true, + }); + Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { + Action: 'lambda:InvokeFunction', + FunctionName: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', ], }, + Principal: 'arn:aws:iam::1234:role/Test', }); }); diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index 6f8dc3c09255e..27b09b950e124 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -3833,6 +3833,21 @@ describe('function', () => { ], }, }, + { + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: { + 'Fn::GetAtt': [ + 'MyLambdaCCE802FB', + 'Arn', + ], + }, + Condition: { + Bool: { + 'lambda:InvokedViaFunctionUrl': true, + }, + }, + }, ], }, }); diff --git a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json new file mode 100644 index 0000000000000..fbcdba494a4ea --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json 
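Review bot: The last `hasResourceProperties` call in the "auth type IAM" test lists only `Action`, `FunctionName` and `Principal`, and because the match is a subset match, the preceding permission carrying `InvokedViaFunctionUrl: true` already satisfies it. As written, it proves neither that `fn.grantInvoke(testRole)` produced its own statement nor that this statement is free of the Function URL condition. Pin it with `InvokedViaFunctionUrl: Match.absent(),` in that expectation (assuming `Match` is imported in this test file), or assert the expected count with `resourceCountIs('AWS::Lambda::Permission', ...)`. The two new test titles also contain typos: "approprate" and "princial".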
@@ -0,0 +1,142 @@ +{ + "typeName": "AWS::Lambda::Permission", + "description": "Resource Type definition for AWS::Lambda::Permission", + "nonPublicProperties": ["/properties/InvokedViaFunctionUrl"], + "additionalProperties": false, + "properties": { + "Id": { + "description": "A statement identifier that differentiates the statement from others in the same policy.", + "type": "string", + "pattern": "^.*$", + "minLength": 1, + "maxLength": 256 + }, + "Action": { + "description": "The action that the principal can use on the function.", + "type": "string", + "pattern": "^(lambda:[*]|lambda:[a-zA-Z]+|[*])$", + "minLength": 1, + "maxLength": 256 + }, + "EventSourceToken": { + "description": "For Alexa Smart Home functions, a token that must be supplied by the invoker.", + "type": "string", + "pattern": "^[a-zA-Z0-9._\\-]+$", + "minLength": 1, + "maxLength": 256 + }, + "FunctionName": { + "description": "The name of the Lambda function, version, or alias.", + "type": "string", + "pattern": "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$", + "minLength": 1, + "maxLength": 140 + }, + "FunctionUrlAuthType": { + "description": "The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint.", + "type": "string", + "enum": [ + "AWS_IAM", + "NONE" + ] + }, + "InvokedViaFunctionUrl": { + "description": "The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs.", + "type": "boolean" + }, + "Principal": { + "description": "The AWS service or account that invokes the function. 
If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.", + "type": "string", + "pattern": "^.*$", + "minLength": 1, + "maxLength": 256 + }, + "PrincipalOrgID": { + "description": "The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.", + "type": "string", + "pattern": "^o-[a-z0-9]{10,32}$", + "minLength": 12, + "maxLength": 34 + }, + "SourceAccount": { + "description": "For Amazon S3, the ID of the account that owns the resource. Use this together with SourceArn to ensure that the resource is owned by the specified account. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.", + "type": "string", + "pattern": "^\\d{12}$", + "minLength": 12, + "maxLength": 12 + }, + "SourceArn": { + "description": "For AWS services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.", + "type": "string", + "pattern": "^arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$", + "minLength": 12, + "maxLength": 1024 + } + }, + "required": [ + "FunctionName", + "Action", + "Principal" + ], + "tagging": { + "taggable": false, + "tagOnCreate": false, + "tagUpdatable": false, + "cloudFormationSystemTags": false + }, + "createOnlyProperties": [ + "/properties/FunctionName", + "/properties/FunctionUrlAuthType", + "/properties/InvokedViaFunctionUrl", + "/properties/SourceAccount", + "/properties/SourceArn", + "/properties/Principal", + "/properties/PrincipalOrgID", + "/properties/Action", + "/properties/EventSourceToken" + ], + "primaryIdentifier": [ + "/properties/FunctionName", + "/properties/Id" + ], + "propertyTransform": { + "/properties/Principal": "$join([\"^arn:aws[a-zA-Z-]*:iam::\",Principal,\":[a-zA-Z-]*\"]) $OR Principal" + }, + "readOnlyProperties": [ + "/properties/Id" + ], + 
"handlers": { + "create": { + "permissions": [ + "lambda:AddPermission" + ] + }, + "read": { + "permissions": [ + "lambda:GetPolicy" + ] + }, + "delete": { + "permissions": [ + "lambda:RemovePermission" + ] + }, + "list": { + "handlerSchema": { + "properties": { + "FunctionName": { + "description": "The name of the Lambda function, version, or alias.", + "type": "string", + "pattern": "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$", + "minLength": 1, + "maxLength": 140 + } + }, + "required": ["FunctionName"] + }, + "permissions": [ + "lambda:GetPolicy" + ] + } + } +} From fba1a049f02f91a00c48256bbd62c8f0cd07ad27 Mon Sep 17 00:00:00 2001 From: Roger Zhang Date: Wed, 23 Apr 2025 17:35:39 -0700 Subject: [PATCH 2/9] Update README.md --- packages/aws-cdk-lib/aws-lambda/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md index c8ac76bf30311..a76a183f048c6 100644 --- a/packages/aws-cdk-lib/aws-lambda/README.md +++ b/packages/aws-cdk-lib/aws-lambda/README.md @@ -642,6 +642,15 @@ new CfnOutput(this, 'TheUrl', { }); ``` +### Important Function URL Permission Update - May 2025 +Starting May 2025, Function URL invocation will require two permissions +- lambda:InvokeFunctionUrl +- lambda:InvokeFunction (New) + +CDK has updated `grantInvokeUrl` and `addFunctionUrl` for `authtype: None` to add both permission above. + +If your existing CDK stack uses `grantInvokeUrl` or `addFunctionUrl` with `authtype: None`, your next deployment will automatically add the `lambda:InvokeFunction` permission without requiring any code changes. This ensures your Function URLs continue working seamlessly. No additional actions are needed. + ### CORS configuration for Function URLs If you want your Function URLs to be invokable from a web page in browser, you 
From bb97010289b38b00c30394e37f49c650efe7b70f Mon Sep 17 00:00:00 2001 From: Roger Zhang Date: Mon, 22 Sep 2025 12:15:01 -0700 Subject: [PATCH 3/9] rerun integ --- ...04591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip | Bin 128 -> 236 bytes .../aws-cdk-lambda-1.assets.json | 10 +- .../aws-cdk-lambda-1.template.json | 7 +- .../test/integ.lambda.js.snapshot/cdk.out | 2 +- .../test/integ.lambda.js.snapshot/integ.json | 4 +- .../integ.lambda.js.snapshot/manifest.json | 488 ++++++++++++++++- .../test/integ.lambda.js.snapshot/tree.json | 2 +- .../integ.permissions.js.snapshot/cdk.out | 2 +- .../integ.permissions.js.snapshot/integ.json | 4 +- .../lambda-permissions.assets.json | 8 +- .../lambda-permissions.template.json | 52 +- .../manifest.json | 500 +++++++++++++++++- .../integ.permissions.js.snapshot/tree.json | 2 +- packages/aws-cdk-lib/aws-lambda/README.md | 8 +- 14 files changed, 1030 insertions(+), 59 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip index d2385b82de490f0cbbee9cd3c0c790b50a0a088a..eae53ec32da7ae41f34ca2ad18e5d75b4057561c 100644 GIT binary patch literal 236 zcmWIWW@Zs#U|`^2II{Ya&kY}@YBwOyA1ornkeQc~TA^1^85+XLz--X&A1&JLA6;6( z&A`Z_y{T7&`kL^=Qf literal 128 zcmWN?%MrpL5CG77s-OYGZ&{Xf11tzLDjC5XtX|*cUFALdc!{>wIS(oCecc{)?*H2- z?Rh-qJWH0B-bQCJTQm-j6s-0Y3=l&`CPx$;`k;a)@+ljggSE)fR Date: Mon, 22 Sep 2025 12:20:17 -0700 Subject: [PATCH 4/9] nit --- packages/aws-cdk-lib/aws-lambda/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md index bfc962eec9e59..a21bc217a509a 100644 --- a/packages/aws-cdk-lib/aws-lambda/README.md 
+++ b/packages/aws-cdk-lib/aws-lambda/README.md
@@ -642,8 +642,8 @@ new CfnOutput(this, 'TheUrl', {
 });
 ```

-### Important Function URL Permission Update - Sep 2025
-Starting Sep 2025, Function URL invocation will require two permissions
+### Important Function URL Permission Update - Oct 2025
+Starting Oct 2025, Function URL invocation will require two permissions
 - lambda:InvokeFunctionUrl
 - lambda:InvokeFunction (New)

From 99bdb8499c74345159bcee5079001c02bc649aec Mon Sep 17 00:00:00 2001
From: Roger Zhang
Date: Mon, 22 Sep 2025 14:08:03 -0700
Subject: [PATCH 5/9] integ test update
---
 .../cdk.out | 2 +-
 ...cloudfront-function-url-origin.assets.json | 9 +-
 ...oudfront-function-url-origin.template.json | 14 +
 .../integ.json | 5 +-
 .../manifest.json | 542 +++++++++++++++++-
 ...efaultTestDeployAssert6BBA15BA.assets.json | 5 +-
 .../tree.json | 315 +---------
 ...nt-response-completion-timeout.assets.json | 6 +-
 ...-response-completion-timeout.template.json | 14 +
 .../manifest.json | 58 +-
 .../tree.json | 2 +-
 11 files changed, 634 insertions(+), 338 deletions(-)
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/cdk.out
index 1f0068d32659a..523a9aac37cbf 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/cdk.out
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"36.0.0"}
\ No newline at end of file
+{"version":"48.0.0"}
\ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.assets.json index a912697d800b4..7a8742aa7db12 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.assets.json @@ -1,15 +1,16 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { - "9a6c172119a86bf65d38c8185c145afbebd67b5e50d54fca1f3c2229b41cdcd0": { + "bc69af4a54ff919d10a47a3e8fd1abf3e4f4ab53a5f9fdb0f8d521c901cde9b4": { + "displayName": "integ-cloudfront-function-url-origin Template", "source": { "path": "integ-cloudfront-function-url-origin.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-cb5ccfea": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "9a6c172119a86bf65d38c8185c145afbebd67b5e50d54fca1f3c2229b41cdcd0.json", + "objectKey": "bc69af4a54ff919d10a47a3e8fd1abf3e4f4ab53a5f9fdb0f8d521c901cde9b4.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.template.json index f3b95cb007d78..be57409d6a5fd 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ-cloudfront-function-url-origin.template.json @@ -76,6 +76,20 @@ "Principal": "*" } }, + "MyFunctioninvokefunction98962B85": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "MyFunction3BAA72D1", + "Arn" + ] + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } + }, "Distribution830FAC52": { "Type": "AWS::CloudFront::Distribution", "Properties": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ.json index 146e82f912b8d..b59ba9235032e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "testCases": { "rest-api-origin/DefaultTest": { "stacks": [ @@ -8,5 +8,6 @@ "assertionStack": "rest-api-origin/DefaultTest/DeployAssert", "assertionStackName": "restapioriginDefaultTestDeployAssert6BBA15BA" } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/manifest.json index fe34de633eada..7fc97de2f1de8 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "48.0.0", "artifacts": { "integ-cloudfront-function-url-origin.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9a6c172119a86bf65d38c8185c145afbebd67b5e50d54fca1f3c2229b41cdcd0.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/bc69af4a54ff919d10a47a3e8fd1abf3e4f4ab53a5f9fdb0f8d521c901cde9b4.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -34,6 +34,38 @@ "integ-cloudfront-function-url-origin.assets" ], "metadata": { + "/integ-cloudfront-function-url-origin/MyFunction": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "code": "*", + "handler": "*", + "runtime": "*" + } + } + ], + "/integ-cloudfront-function-url-origin/MyFunction/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/integ-cloudfront-function-url-origin/MyFunction/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/integ-cloudfront-function-url-origin/MyFunction/ServiceRole/Resource": [ { "type": "aws:cdk:logicalId", @@ -46,6 +78,15 @@ "data": "MyFunction3BAA72D1" } ], + "/integ-cloudfront-function-url-origin/MyFunction/FunctionUrl": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "function": "*", + "authType": "NONE" + } + } + ], "/integ-cloudfront-function-url-origin/MyFunction/FunctionUrl/Resource": [ { "type": "aws:cdk:logicalId", @@ -58,6 +99,22 @@ "data": "MyFunctioninvokefunctionurl171A3163" } ], + "/integ-cloudfront-function-url-origin/MyFunction/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunctioninvokefunction98962B85" + } + ], + "/integ-cloudfront-function-url-origin/Distribution": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "defaultBehavior": { + "origin": "*" + } + } + } + ], "/integ-cloudfront-function-url-origin/Distribution/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -132,6 +189,485 @@ "properties": { "file": "tree.json" } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." 
+ }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." 
+ }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in." 
+ }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." 
+ }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + 
"recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." 
+ }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." 
+ }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." 
+ }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." 
+ }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." 
+ }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." 
+ }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": false, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + } + } + } } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/restapioriginDefaultTestDeployAssert6BBA15BA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/restapioriginDefaultTestDeployAssert6BBA15BA.assets.json index 5e494c6aa6b59..99dc33ee6c343 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/restapioriginDefaultTestDeployAssert6BBA15BA.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/restapioriginDefaultTestDeployAssert6BBA15BA.assets.json 
@@ -1,13 +1,14 @@ { - "version": "36.0.0", + "version": "48.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "restapioriginDefaultTestDeployAssert6BBA15BA Template", "source": { "path": "restapioriginDefaultTestDeployAssert6BBA15BA.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-d8d86b35": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/tree.json index 9de612a777a06..e42b2319a6bd8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin.js.snapshot/tree.json 
@@ -1,314 +1 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "integ-cloudfront-function-url-origin": { - "id": "integ-cloudfront-function-url-origin", - "path": "integ-cloudfront-function-url-origin", - "children": { - "MyFunction": { - "id": "MyFunction", - "path": "integ-cloudfront-function-url-origin/MyFunction", - "children": { - "ServiceRole": { - "id": "ServiceRole", - "path": "integ-cloudfront-function-url-origin/MyFunction/ServiceRole", - "children": { - "ImportServiceRole": { - "id": "ImportServiceRole", - "path": "integ-cloudfront-function-url-origin/MyFunction/ServiceRole/ImportServiceRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "integ-cloudfront-function-url-origin/MyFunction/ServiceRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "managedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "integ-cloudfront-function-url-origin/MyFunction/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::Lambda::Function", - "aws:cdk:cloudformation:props": { - "code": { - "zipFile": "exports.handler = async () => {};" - }, - "handler": "index.handler", - "role": { - "Fn::GetAtt": [ - "MyFunctionServiceRole3C357FF2", - "Arn" - ] - }, - "runtime": "nodejs20.x" - } - }, - "constructInfo": { - "fqn": 
"aws-cdk-lib.aws_lambda.CfnFunction", - "version": "0.0.0" - } - }, - "FunctionUrl": { - "id": "FunctionUrl", - "path": "integ-cloudfront-function-url-origin/MyFunction/FunctionUrl", - "children": { - "Resource": { - "id": "Resource", - "path": "integ-cloudfront-function-url-origin/MyFunction/FunctionUrl/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::Lambda::Url", - "aws:cdk:cloudformation:props": { - "authType": "NONE", - "targetFunctionArn": { - "Fn::GetAtt": [ - "MyFunction3BAA72D1", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnUrl", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.FunctionUrl", - "version": "0.0.0" - } - }, - "invoke-function-url": { - "id": "invoke-function-url", - "path": "integ-cloudfront-function-url-origin/MyFunction/invoke-function-url", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::Lambda::Permission", - "aws:cdk:cloudformation:props": { - "action": "lambda:InvokeFunctionUrl", - "functionName": { - "Fn::GetAtt": [ - "MyFunction3BAA72D1", - "Arn" - ] - }, - "functionUrlAuthType": "NONE", - "principal": "*" - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.CfnPermission", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_lambda.Function", - "version": "0.0.0" - } - }, - "Distribution": { - "id": "Distribution", - "path": "integ-cloudfront-function-url-origin/Distribution", - "children": { - "Origin1": { - "id": "Origin1", - "path": "integ-cloudfront-function-url-origin/Distribution/Origin1", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "integ-cloudfront-function-url-origin/Distribution/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CloudFront::Distribution", - "aws:cdk:cloudformation:props": { - "distributionConfig": { - "enabled": true, - "origins": [ - { - "domainName": { - 
"Fn::Select": [ - 2, - { - "Fn::Split": [ - "/", - { - "Fn::GetAtt": [ - "MyFunctionFunctionUrlFF6DE78C", - "FunctionUrl" - ] - } - ] - } - ] - }, - "id": "integcloudfrontfunctionurloriginDistributionOrigin19836FF4B", - "customOriginConfig": { - "originSslProtocols": [ - "TLSv1.2" - ], - "originProtocolPolicy": "https-only" - } - } - ], - "defaultCacheBehavior": { - "pathPattern": "*", - "targetOriginId": "integcloudfrontfunctionurloriginDistributionOrigin19836FF4B", - "cachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", - "compress": true, - "viewerProtocolPolicy": "allow-all" - }, - "httpVersion": "http2", - "ipv6Enabled": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudfront.CfnDistribution", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_cloudfront.Distribution", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "integ-cloudfront-function-url-origin/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "integ-cloudfront-function-url-origin/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "rest-api-origin": { - "id": "rest-api-origin", - "path": "rest-api-origin", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "rest-api-origin/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "rest-api-origin/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "rest-api-origin/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "rest-api-origin/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - 
"fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "rest-api-origin/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"integ-cloudfront-function-url-origin":{"id":"integ-cloudfront-function-url-origin","path":"integ-cloudfront-function-url-origin","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"MyFunction":{"id":"MyFunction","path":"integ-cloudfront-function-url-origin/MyFunction","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Function","version":"0.0.0","metadata":[{"code":"*","handler":"*","runtime":"*"}]},"children":{"ServiceRole":{"id":"ServiceRole","path":"integ-cloudfront-function-url-origin/MyFunction/ServiceRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"integ-cloudfront-function-url-origin/MyFunction/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"integ-cloudfront-function-url-origin/MyFunction/ServiceRol
e/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Resource":{"id":"Resource","path":"integ-cloudfront-function-url-origin/MyFunction/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"exports.handler = async () => {};"},"handler":"index.handler","role":{"Fn::GetAtt":["MyFunctionServiceRole3C357FF2","Arn"]},"runtime":"nodejs20.x"}}},"FunctionUrl":{"id":"FunctionUrl","path":"integ-cloudfront-function-url-origin/MyFunction/FunctionUrl","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.FunctionUrl","version":"0.0.0","metadata":[{"function":"*","authType":"NONE"}]},"children":{"Resource":{"id":"Resource","path":"integ-cloudfront-function-url-origin/MyFunction/FunctionUrl/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnUrl","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Url","aws:cdk:cloudformation:props":{"authType":"NONE","targetFunctionArn":{"Fn::GetAtt":["MyFunction3BAA72D1","Arn"]}}}}}},"invoke-function-url":{"id":"invoke-function-url","path":"integ-cloudfront-function-url-origin/MyFunction/invoke-function-url","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnPermission","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Permission","aws:cdk:cloudformation:props":{"action":"lambda:InvokeFunctionUrl","functionName":{"Fn::GetAtt":["MyFunction3BAA72D1","Arn"]},"functionUrlAuthType":"NONE","principal":"*"}}},"invoke-function":{"id":"in
voke-function","path":"integ-cloudfront-function-url-origin/MyFunction/invoke-function","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnPermission","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Permission","aws:cdk:cloudformation:props":{"action":"lambda:InvokeFunction","functionName":{"Fn::GetAtt":["MyFunction3BAA72D1","Arn"]},"invokedViaFunctionUrl":true,"principal":"*"}}}}},"Distribution":{"id":"Distribution","path":"integ-cloudfront-function-url-origin/Distribution","constructInfo":{"fqn":"aws-cdk-lib.aws_cloudfront.Distribution","version":"0.0.0","metadata":[{"defaultBehavior":{"origin":"*"}}]},"children":{"Origin1":{"id":"Origin1","path":"integ-cloudfront-function-url-origin/Distribution/Origin1","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Resource":{"id":"Resource","path":"integ-cloudfront-function-url-origin/Distribution/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_cloudfront.CfnDistribution","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::CloudFront::Distribution","aws:cdk:cloudformation:props":{"distributionConfig":{"enabled":true,"origins":[{"domainName":{"Fn::Select":[2,{"Fn::Split":["/",{"Fn::GetAtt":["MyFunctionFunctionUrlFF6DE78C","FunctionUrl"]}]}]},"id":"integcloudfrontfunctionurloriginDistributionOrigin19836FF4B","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only"}}],"defaultCacheBehavior":{"pathPattern":"*","targetOriginId":"integcloudfrontfunctionurloriginDistributionOrigin19836FF4B","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"},"httpVersion":"http2","ipv6Enabled":true}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"integ-cloudfront-function-url-origin/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"integ-cloudfront-function-url-origin/CheckBootstrapVersion
","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"rest-api-origin":{"id":"rest-api-origin","path":"rest-api-origin","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"rest-api-origin/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"rest-api-origin/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"rest-api-origin/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"rest-api-origin/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"rest-api-origin/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.assets.json index 4a57c56b2998f..32f2d8c617d57 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.assets.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.assets.json @@ -1,16 +1,16 @@ { "version": "48.0.0", "files": { - "fce5ba9671d1ea9abce1ac791616e045bbd5e41cedf0132dabd628463a77f4f2": { + "9c289d60470f68875668a8e9e273c09b19510554e6a5d404bf2addff843aeb85": { "displayName": "integ-cloudfront-response-completion-timeout Template", "source": { "path": "integ-cloudfront-response-completion-timeout.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region-c26d69b3": { + "current_account-current_region-24f2f588": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "fce5ba9671d1ea9abce1ac791616e045bbd5e41cedf0132dabd628463a77f4f2.json", + "objectKey": "9c289d60470f68875668a8e9e273c09b19510554e6a5d404bf2addff843aeb85.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.template.json index ac95cb730a7e3..b686a8487202f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/integ-cloudfront-response-completion-timeout.template.json 
@@ -95,6 +95,20 @@ "Principal": "*" } }, + "FunctioninvokefunctionE13A6513": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "Function76856677", + "Arn" + ] + }, + "InvokedViaFunctionUrl": true, + "Principal": "*" + } + }, "Distribution830FAC52": { "Type": "AWS::CloudFront::Distribution", "Properties": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/manifest.json index 114e7898e8ad8..4b5c2ce5b827a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/fce5ba9671d1ea9abce1ac791616e045bbd5e41cedf0132dabd628463a77f4f2.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9c289d60470f68875668a8e9e273c09b19510554e6a5d404bf2addff843aeb85.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
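Review bot: In the added `FunctioninvokefunctionE13A6513` resource, `"InvokedViaFunctionUrl": true` is the only property scoping a `lambda:InvokeFunction` grant whose `Principal` is `"*"`. Nothing in this snapshot would flag a later regeneration that drops it, which would leave an unconditioned invoke grant to every principal. This file is generated, so the guard belongs in the tests: if `function-url.test.ts` does not already pin it, add an explicit assertion such as `Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', { Action: 'lambda:InvokeFunction', Principal: '*', InvokedViaFunctionUrl: true })`. The same pairing appears in the regenerated `tree.json` for this stack and for `integ-cloudfront-function-url-origin`. The enclosing resources object starts and ends outside this hunk, so I cannot see whether any other permission on `Function76856677` overlaps with this one.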
@@ -37,13 +37,27 @@ "/integ-cloudfront-response-completion-timeout/Function": [ { "type": "aws:cdk:analytics:construct", - "data": "*" + "data": { + "runtime": "*", + "handler": "*", + "code": "*" + } } ], "/integ-cloudfront-response-completion-timeout/Function/ServiceRole": [ { "type": "aws:cdk:analytics:construct", - "data": "*" + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } } ], "/integ-cloudfront-response-completion-timeout/Function/ServiceRole/ImportServiceRole": [ @@ -67,7 +81,9 @@ "/integ-cloudfront-response-completion-timeout/Function/LogGroup": [ { "type": "aws:cdk:analytics:construct", - "data": "*" + "data": { + "logGroupName": "*" + } } ], "/integ-cloudfront-response-completion-timeout/Function/LogGroup/Resource": [ @@ -79,7 +95,10 @@ "/integ-cloudfront-response-completion-timeout/Function/FunctionUrl": [ { "type": "aws:cdk:analytics:construct", - "data": "*" + "data": { + "function": "*", + "authType": "NONE" + } } ], "/integ-cloudfront-response-completion-timeout/Function/FunctionUrl/Resource": [ @@ -94,18 +113,41 @@ "data": "FunctioninvokefunctionurlA70D8F37" } ], + "/integ-cloudfront-response-completion-timeout/Function/invoke-function": [ + { + "type": "aws:cdk:logicalId", + "data": "FunctioninvokefunctionE13A6513" + } + ], "/integ-cloudfront-response-completion-timeout/Distribution": [ { "type": "aws:cdk:analytics:construct", - "data": "*" + "data": { + "defaultBehavior": { + "origin": "*" + }, + "additionalBehaviors": "*" + } }, { "type": "aws:cdk:analytics:method", - "data": "*" + "data": { + "addBehavior": [ + "*", + {}, + {} + ] + } }, { "type": "aws:cdk:analytics:method", - "data": "*" + "data": { + "addBehavior": [ + "*", + {}, + {} + ] + } } ], "/integ-cloudfront-response-completion-timeout/Distribution/Resource": [ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/tree.json index 42332b6f9f2d6..8223575fa5206 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.origin-response-completion-timeout.js.snapshot/tree.json 
@@ -1 +1 @@ -{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"integ-cloudfront-response-completion-timeout":{"id":"integ-cloudfront-response-completion-timeout","path":"integ-cloudfront-response-completion-timeout","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"Function":{"id":"Function","path":"integ-cloudfront-response-completion-timeout/Function","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*"]},"children":{"ServiceRole":{"id":"ServiceRole","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*"]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*"]}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"exports.handler = async () => ({ statusCode: 200, body: \"Hello from Lambda!\" 
});"},"handler":"index.handler","role":{"Fn::GetAtt":["FunctionServiceRole675BB04A","Arn"]},"runtime":"nodejs18.x"}}},"LogGroup":{"id":"LogGroup","path":"integ-cloudfront-response-completion-timeout/Function/LogGroup","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/LogGroup/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"logGroupName":{"Fn::Join":["",["/aws/lambda/",{"Ref":"Function76856677"}]]},"retentionInDays":731}}}}},"FunctionUrl":{"id":"FunctionUrl","path":"integ-cloudfront-response-completion-timeout/Function/FunctionUrl","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/FunctionUrl/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Url","aws:cdk:cloudformation:props":{"authType":"NONE","targetFunctionArn":{"Fn::GetAtt":["Function76856677","Arn"]}}}}}},"invoke-function-url":{"id":"invoke-function-url","path":"integ-cloudfront-response-completion-timeout/Function/invoke-function-url","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Permission","aws:cdk:cloudformation:props":{"action":"lambda:InvokeFunctionUrl","functionName":{"Fn::GetAtt":["Function76856677","Arn"]},"functionUrlAuthType":"NONE","principal":"*"}}}}},"Distribution":{"id":"Distribution","path":"integ-cloudfront-response-completion-timeout/Distribution","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2","metadata":["*","*","*"]},"children":{"Origin1":{"id":"Origin1","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin
1","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Origin2":{"id":"Origin2","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin2","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Origin3":{"id":"Origin3","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin3","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Distribution/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"attributes":{"aws:cdk:cloudformation:type":"AWS::CloudFront::Distribution","aws:cdk:cloudformation:props":{"distributionConfig":{"enabled":true,"origins":[{"domainName":"example.com","id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin1B68EA04D","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only","originReadTimeout":60},"responseCompletionTimeout":120},{"domainName":{"Fn::Select":[2,{"Fn::Split":["/",{"Fn::GetAtt":["FunctionFunctionUrl08F79AC9","FunctionUrl"]}]}]},"id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin24E64923B","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only","originReadTimeout":30},"responseCompletionTimeout":90},{"domainName":"api.example.com","id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin36D3F546F","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only"},"responseCompletionTimeout":300}],"defaultCacheBehavior":{"pathPattern":"*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin1B68EA04D","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"},"cacheBehaviors":[{"pathPattern":"/api/*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin24E64923B","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProto
colPolicy":"allow-all"},{"pathPattern":"/files/*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin36D3F546F","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"}],"httpVersion":"http2","ipv6Enabled":true}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"integ-cloudfront-response-completion-timeout/BootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"integ-cloudfront-response-completion-timeout/CheckBootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}},"CloudFrontResponseCompletionTimeoutTest":{"id":"CloudFrontResponseCompletionTimeoutTest","path":"CloudFrontResponseCompletionTimeoutTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of 
file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"integ-cloudfront-response-completion-timeout":{"id":"integ-cloudfront-response-completion-timeout","path":"integ-cloudfront-response-completion-timeout","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Function":{"id":"Function","path":"integ-cloudfront-response-completion-timeout/Function","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Function","version":"0.0.0","metadata":[{"runtime":"*","handler":"*","code":"*"}]},"children":{"ServiceRole":{"id":"ServiceRole","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]},"children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/ServiceRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"export
s.handler = async () => ({ statusCode: 200, body: \"Hello from Lambda!\" });"},"handler":"index.handler","role":{"Fn::GetAtt":["FunctionServiceRole675BB04A","Arn"]},"runtime":"nodejs18.x"}}},"LogGroup":{"id":"LogGroup","path":"integ-cloudfront-response-completion-timeout/Function/LogGroup","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.LogGroup","version":"0.0.0","metadata":[{"logGroupName":"*"}]},"children":{"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/LogGroup/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_logs.CfnLogGroup","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Logs::LogGroup","aws:cdk:cloudformation:props":{"logGroupName":{"Fn::Join":["",["/aws/lambda/",{"Ref":"Function76856677"}]]},"retentionInDays":731}}}}},"FunctionUrl":{"id":"FunctionUrl","path":"integ-cloudfront-response-completion-timeout/Function/FunctionUrl","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.FunctionUrl","version":"0.0.0","metadata":[{"function":"*","authType":"NONE"}]},"children":{"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Function/FunctionUrl/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnUrl","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Url","aws:cdk:cloudformation:props":{"authType":"NONE","targetFunctionArn":{"Fn::GetAtt":["Function76856677","Arn"]}}}}}},"invoke-function-url":{"id":"invoke-function-url","path":"integ-cloudfront-response-completion-timeout/Function/invoke-function-url","constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnPermission","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Permission","aws:cdk:cloudformation:props":{"action":"lambda:InvokeFunctionUrl","functionName":{"Fn::GetAtt":["Function76856677","Arn"]},"functionUrlAuthType":"NONE","principal":"*"}}},"invoke-function":{"id":"invoke-function","path":"integ-cloudfront-response-completion-timeout/Function/invoke-function","construc
tInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnPermission","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Permission","aws:cdk:cloudformation:props":{"action":"lambda:InvokeFunction","functionName":{"Fn::GetAtt":["Function76856677","Arn"]},"invokedViaFunctionUrl":true,"principal":"*"}}}}},"Distribution":{"id":"Distribution","path":"integ-cloudfront-response-completion-timeout/Distribution","constructInfo":{"fqn":"aws-cdk-lib.aws_cloudfront.Distribution","version":"0.0.0","metadata":[{"defaultBehavior":{"origin":"*"},"additionalBehaviors":"*"},{"addBehavior":["*",{},{}]},{"addBehavior":["*",{},{}]}]},"children":{"Origin1":{"id":"Origin1","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin1","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Origin2":{"id":"Origin2","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin2","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Origin3":{"id":"Origin3","path":"integ-cloudfront-response-completion-timeout/Distribution/Origin3","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"Resource":{"id":"Resource","path":"integ-cloudfront-response-completion-timeout/Distribution/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_cloudfront.CfnDistribution","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::CloudFront::Distribution","aws:cdk:cloudformation:props":{"distributionConfig":{"enabled":true,"origins":[{"domainName":"example.com","id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin1B68EA04D","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only","originReadTimeout":60},"responseCompletionTimeout":120},{"domainName":{"Fn::Select":[2,{"Fn::Split":["/",{"Fn::GetAtt":["FunctionFunctionUrl08F79AC9","FunctionUrl"]}]}]},"id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin24E64923B","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProt
ocolPolicy":"https-only","originReadTimeout":30},"responseCompletionTimeout":90},{"domainName":"api.example.com","id":"integcloudfrontresponsecompletiontimeoutDistributionOrigin36D3F546F","customOriginConfig":{"originSslProtocols":["TLSv1.2"],"originProtocolPolicy":"https-only"},"responseCompletionTimeout":300}],"defaultCacheBehavior":{"pathPattern":"*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin1B68EA04D","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"},"cacheBehaviors":[{"pathPattern":"/api/*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin24E64923B","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"},{"pathPattern":"/files/*","targetOriginId":"integcloudfrontresponsecompletiontimeoutDistributionOrigin36D3F546F","cachePolicyId":"658327ea-f89d-4fab-a63d-7e88639e58f6","compress":true,"viewerProtocolPolicy":"allow-all"}],"httpVersion":"http2","ipv6Enabled":true}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"integ-cloudfront-response-completion-timeout/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"integ-cloudfront-response-completion-timeout/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"CloudFrontResponseCompletionTimeoutTest":{"id":"CloudFrontResponseCompletionTimeoutTest","path":"CloudFrontResponseCompletionTimeoutTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct"
,"version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"CloudFrontResponseCompletionTimeoutTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file From 34c3b69c0b201265697c37454379d271a17cffd2 Mon Sep 17 00:00:00 2001 From: Roger Zhang Date: Mon, 22 Sep 2025 14:25:32 -0700 Subject: [PATCH 6/9] fix: Convert asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip to Git LFS pointer --- .gitattributes | 1 + ...8504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip | Bin 236 -> 128 bytes 2 files changed, 1 insertion(+) diff --git a/.gitattributes b/.gitattributes index 82a425fd00cfb..c810cb40d45b3 100644 --- a/.gitattributes +++ b/.gitattributes @@ -20,3 +20,4 @@ packages/@aws-cdk/*-alpha/test/*.snapshot/asset.*/bootstrap filter=lfs diff=lfs packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-large-file/asset*/large* filter=lfs diff=lfs merge=lfs -text packages/@aws-cdk/*-alpha/test/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text +packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip filter=lfs diff=lfs merge=lfs -text 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip index eae53ec32da7ae41f34ca2ad18e5d75b4057561c..d2385b82de490f0cbbee9cd3c0c790b50a0a088a 100644 GIT binary patch literal 128 zcmWN?%MrpL5CG77s-OYGZ&{Xf11tzLDjC5XtX|*cUFALdc!{>wIS(oCecc{)?*H2- z?Rh-qJWH0B-bQCJTQm-j6s-0Y3=l&`CPx$;`k;a)@+ljggSE)fR`kL^=Qf From 7227bb2b50419aa2c2e0d26e032ce372bdf04b90 Mon Sep 17 00:00:00 2001 From: Roger Zhang Date: Mon, 29 Sep 2025 11:35:59 -0700 Subject: [PATCH 7/9] addres feedback --- .../aws-lambda/lib/function-base.ts | 72 ++++++--- .../us-east-1/aws-lambda-permission.json | 142 ------------------ 2 files changed, 47 insertions(+), 167 deletions(-) delete mode 100644 tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts index 7eb861b1a3f85..2254bce347bac 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts 
@@ -541,25 +541,62 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC */ public grantInvokeUrl(grantee: iam.IGrantable): iam.Grant { const identifier = `InvokeFunctionUrl${grantee.grantPrincipal}`; // calls the .toString() of the principal - const identifierDualAuth = identifier + '-DualAuth'; + const identifierDualAuth = `${identifier}-DualAuth`; // Memoize the result so subsequent grantInvoke() calls are idempotent let grant = this._functionUrlInvocationGrants[identifier]; if (!grant) { - grant = this.grant(grantee, identifier, 'lambda:InvokeFunctionUrl', [this.functionArn], { - functionUrlAuthType: FunctionUrlAuthType.AWS_IAM, - }); + // Build conditions for function URL with AWS_IAM auth type + const functionUrlConditions: Record> = { + StringEquals: { + 'lambda:FunctionUrlAuthType': FunctionUrlAuthType.AWS_IAM, + }, + }; + + grant = this.grant( + grantee, + identifier, + 'lambda:InvokeFunctionUrl', + [this.functionArn], + { + functionUrlAuthType: FunctionUrlAuthType.AWS_IAM, + }, + functionUrlConditions, + ); - // return if failed + // raise if failed if (!grant.success) { - return grant; + throw new ValidationError( + 'Failed to grant Lambda function URL invoke permissions. 
This can happen when:\n' + + '- The Lambda function is imported from a different account without proper configuration\n' + + '- The Lambda function is using $LATEST version which cannot be modified\n' + + '- The function lacks permission to create new resource policies\n\n' + + 'To fix this issue:\n' + + '- If importing from the same account, use `Function.fromFunctionAttributes()` with `sameEnvironment: true`\n' + + '- If importing from a different account with existing permissions, use `skipPermissions: true`\n' + + '- Ensure you are not trying to grant permissions on the $LATEST version directly', + this, + ); } + // Build conditions for dual auth (invoked via function URL) + const dualAuthConditions: Record> = { + Bool: { + 'lambda:InvokedViaFunctionUrl': true, + }, + }; + // proceed to grant invokefunction for FURL Dual auth - grant = this.grant(grantee, identifierDualAuth, 'lambda:InvokeFunction', [this.functionArn], + grant = this.grant( + grantee, + identifierDualAuth, + 'lambda:InvokeFunction', + [this.functionArn], { invokedViaFunctionUrl: true, - }); + }, + dualAuthConditions, + ); this._functionUrlInvocationGrants[identifier] = grant; } 
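Review bot: The `grant` that `grantInvokeUrl` memoizes, and presumably returns after the hunk, is only the second, `lambda:InvokeFunction` grant, because `grant = this.grant(grantee, identifierDualAuth, ...)` overwrites the `lambda:InvokeFunctionUrl` grant created a few lines earlier. A caller that inspects the statements on the result, or calls `assertSuccess()` on it, never sees the URL statement, so any audit of what was granted based on the returned object is incomplete. Keeping both is a small change, e.g. `grant = grant.combine(this.grant(grantee, identifierDualAuth, 'lambda:InvokeFunction', [this.functionArn], { invokedViaFunctionUrl: true }, dualAuthConditions));`. The memoization comment also still says `grantInvoke()` where it should say `grantInvokeUrl()`. The end of the method is outside the hunk.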
@@ -625,34 +662,19 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC return this.stack.splitArn(this.functionArn, ArnFormat.SLASH_RESOURCE_NAME).account === this.stack.account; } - /** - * Given permission overrides in lambda resource base policy, return equivalent condition for IAM policy statement - * @param permission Permission override for lambda resource base policy - * @returns condition for IAM policy statement, or undefined - */ - private permissionToCondition(permission?: Partial): Record>|undefined { - if (!permission) return undefined; - let condition:Record> = {}; - // eslint-disable-next-line dot-notation - permission.functionUrlAuthType ? condition['StringEquals'] = { 'lambda:FunctionUrlAuthType': permission.functionUrlAuthType } : undefined; - // eslint-disable-next-line dot-notation - permission.invokedViaFunctionUrl ? condition['Bool'] = { 'lambda:InvokedViaFunctionUrl': permission.invokedViaFunctionUrl } : undefined; - - return condition; - } - private grant( grantee: iam.IGrantable, identifier:string, action: string, resourceArns: string[], permissionOverrides?: Partial, + conditions?: Record>, ): iam.Grant { const grant = iam.Grant.addToPrincipalOrResource({ grantee, actions: [action], resourceArns, - conditions: this.permissionToCondition(permissionOverrides), + conditions, // Fake resource-like object on which to call addToResourcePolicy(), which actually // calls addPermission() diff --git a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json deleted file mode 100644 index fbcdba494a4ea..0000000000000 --- a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-permission.json +++ /dev/null 
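Review bot: `grant()` now receives the restriction twice, as `permissionOverrides` for the resource-policy path and as `conditions` for the identity-policy path, and nothing in this hunk ties the two together. The removed `permissionToCondition` derived the IAM condition from the override, so a call could not put `invokedViaFunctionUrl: true` on the `AWS::Lambda::Permission` while leaving the principal's `lambda:InvokeFunction` statement unconditioned; with two independent parameters, a future caller that omits `conditions` would grant direct invocation without any error. I would either keep deriving one from the other or state the contract on the parameter, e.g. `@param conditions IAM conditions for the principal policy; must express the same restriction as permissionOverrides`. A unit test asserting that the `Bool` condition `lambda:InvokedViaFunctionUrl` is present on the principal statement would pin the scoping. The body of `grant()` continues outside the hunk.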
@@ -1,142 +0,0 @@ -{ - "typeName": "AWS::Lambda::Permission", - "description": "Resource Type definition for AWS::Lambda::Permission", - "nonPublicProperties": ["/properties/InvokedViaFunctionUrl"], - "additionalProperties": false, - "properties": { - "Id": { - "description": "A statement identifier that differentiates the statement from others in the same policy.", - "type": "string", - "pattern": "^.*$", - "minLength": 1, - "maxLength": 256 - }, - "Action": { - "description": "The action that the principal can use on the function.", - "type": "string", - "pattern": "^(lambda:[*]|lambda:[a-zA-Z]+|[*])$", - "minLength": 1, - "maxLength": 256 - }, - "EventSourceToken": { - "description": "For Alexa Smart Home functions, a token that must be supplied by the invoker.", - "type": "string", - "pattern": "^[a-zA-Z0-9._\\-]+$", - "minLength": 1, - "maxLength": 256 - }, - "FunctionName": { - "description": "The name of the Lambda function, version, or alias.", - "type": "string", - "pattern": "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$", - "minLength": 1, - "maxLength": 140 - }, - "FunctionUrlAuthType": { - "description": "The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint.", - "type": "string", - "enum": [ - "AWS_IAM", - "NONE" - ] - }, - "InvokedViaFunctionUrl": { - "description": "The condition key for limiting the scope of lambda:InvokeFunction action to Function URL only. When set to true, it restricts the principal in this policy to perform invokes for the resource only via Function URLs.", - "type": "boolean" - }, - "Principal": { - "description": "The AWS service or account that invokes the function. 
If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.", - "type": "string", - "pattern": "^.*$", - "minLength": 1, - "maxLength": 256 - }, - "PrincipalOrgID": { - "description": "The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.", - "type": "string", - "pattern": "^o-[a-z0-9]{10,32}$", - "minLength": 12, - "maxLength": 34 - }, - "SourceAccount": { - "description": "For Amazon S3, the ID of the account that owns the resource. Use this together with SourceArn to ensure that the resource is owned by the specified account. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.", - "type": "string", - "pattern": "^\\d{12}$", - "minLength": 12, - "maxLength": 12 - }, - "SourceArn": { - "description": "For AWS services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.", - "type": "string", - "pattern": "^arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\\-])+:([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1})?:(\\d{12})?:(.*)$", - "minLength": 12, - "maxLength": 1024 - } - }, - "required": [ - "FunctionName", - "Action", - "Principal" - ], - "tagging": { - "taggable": false, - "tagOnCreate": false, - "tagUpdatable": false, - "cloudFormationSystemTags": false - }, - "createOnlyProperties": [ - "/properties/FunctionName", - "/properties/FunctionUrlAuthType", - "/properties/InvokedViaFunctionUrl", - "/properties/SourceAccount", - "/properties/SourceArn", - "/properties/Principal", - "/properties/PrincipalOrgID", - "/properties/Action", - "/properties/EventSourceToken" - ], - "primaryIdentifier": [ - "/properties/FunctionName", - "/properties/Id" - ], - "propertyTransform": { - "/properties/Principal": "$join([\"^arn:aws[a-zA-Z-]*:iam::\",Principal,\":[a-zA-Z-]*\"]) $OR Principal" - }, - "readOnlyProperties": [ - "/properties/Id" - ], - 
"handlers": { - "create": { - "permissions": [ - "lambda:AddPermission" - ] - }, - "read": { - "permissions": [ - "lambda:GetPolicy" - ] - }, - "delete": { - "permissions": [ - "lambda:RemovePermission" - ] - }, - "list": { - "handlerSchema": { - "properties": { - "FunctionName": { - "description": "The name of the Lambda function, version, or alias.", - "type": "string", - "pattern": "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$", - "minLength": 1, - "maxLength": 140 - } - }, - "required": ["FunctionName"] - }, - "permissions": [ - "lambda:GetPolicy" - ] - } - } -} From cb320fe71625a53f40776fc9a67e6ed71994736e Mon Sep 17 00:00:00 2001 From: Vishaal Mehrishi Date: Wed, 1 Oct 2025 10:21:54 +0200 Subject: [PATCH 8/9] Remove grant.success check since it is unreachable in the function URL code Co-authored-by: Roger Zhang --- .../aws-cdk-lib/aws-lambda/lib/function-base.ts | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts index 2254bce347bac..6feccafb942c3 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts 
@@ -564,21 +564,6 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC functionUrlConditions, ); - // raise if failed - if (!grant.success) { - throw new ValidationError( - 'Failed to grant Lambda function URL invoke permissions. This can happen when:\n' + - '- The Lambda function is imported from a different account without proper configuration\n' + - '- The Lambda function is using $LATEST version which cannot be modified\n' + - '- The function lacks permission to create new resource policies\n\n' + - 'To fix this issue:\n' + - '- If importing from the same account, use `Function.fromFunctionAttributes()` with `sameEnvironment: true`\n' + - '- If importing from a different account with existing permissions, use `skipPermissions: true`\n' + - '- Ensure you are not trying to grant permissions on the $LATEST version directly', - this, - ); - } - // Build conditions for dual auth (invoked via function URL) const dualAuthConditions: Record> = { Bool: { From 7e669eaf4d80f2ccf026a023c1327c4ed389ef4d Mon Sep 17 00:00:00 2001 From: kumvprat Date: Mon, 13 Oct 2025 14:35:50 +0200 Subject: [PATCH 9/9] chore: update .gitattributes as existing rules cover the file explicitly added --- .gitattributes | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index c810cb40d45b3..82a425fd00cfb 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -20,4 +20,3 @@ packages/@aws-cdk/*-alpha/test/*.snapshot/asset.*/bootstrap filter=lfs diff=lfs packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-large-file/asset*/large* filter=lfs diff=lfs merge=lfs -text packages/@aws-cdk/*-alpha/test/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/asset*.zip filter=lfs diff=lfs merge=lfs -text -packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda.js.snapshot/asset.a37d3ef54c18e7738fe5dc008504591bd3b1f14c6a09ee91eac6d55f7ca5ba5f.zip filter=lfs diff=lfs merge=lfs -text