fix(custom-resource): provider framework lambda missing GetFunction p…

…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
aws · Jan 24, 2025 · dc85ce9 · dc85ce9
1 parent a4f8fac
commit dc85ce9
Show file tree

Hide file tree

Showing 639 changed files with 33,524 additions and 31,124 deletions.
diff --git a/...replicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.assets.json b/...replicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.assets.json
diff --git a/...plicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.template.json b/...plicas-provisioned.js.snapshot/aws-cdk-dynamodb-global-replicas-provisioned.template.json
@@ -291,7 +291,7 @@
        {
         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
        },
-       "/d0e51246341d2567827b1fdd35281e7e5d6bcd79ba28cf4873b65a573acb4f14.json"
+       "/c51ce487e06d6bef9c24c4a72e75dabb646e28c6ac74c4ba3426e7a5dd441b1c.json"
       ]
      ]
     }

diff --git a/...odbglobalreplicasprovisionedawscdkawsdynamodbReplicaProviderEA32CB30.nested.template.json b/...odbglobalreplicasprovisionedawscdkawsdynamodbReplicaProviderEA32CB30.nested.template.json
@@ -419,6 +419,24 @@
         }
        ]
       },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
+      },
       {
        "Action": "states:StartExecution",
        "Effect": "Allow",
@@ -570,6 +588,24 @@
          ]
         }
        ]
+      },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"
@@ -712,6 +748,24 @@
          ]
         }
        ]
+      },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"

diff --git a/...ot/awscdkdynamodbglobalreplicasprovisionedtestDefaultTestDeployAssertE7F91F54.assets.json b/...ot/awscdkdynamodbglobalreplicasprovisionedtestDefaultTestDeployAssertE7F91F54.assets.json
diff --git a/...mework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/cdk.out b/...mework-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/cdk.out
diff --git a/...ork-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/integ.json b/...ork-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/integ.json
diff --git a/...-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/manifest.json b/...-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/manifest.json
diff --git a/...work-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/tree.json b/...work-integ/test/aws-dynamodb/test/integ.global-replicas-provisioned.js.snapshot/tree.json
diff --git a/.../test/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.assets.json b/.../test/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.assets.json
diff --git a/...est/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.template.json b/...est/aws-dynamodb/test/integ.global.js.snapshot/cdk-dynamodb-global-20191121.template.json
@@ -246,7 +246,7 @@
        {
         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-eu-west-1"
        },
-       "/4d7e876e7ecbd787c769dbfe05917a92bbc63c8b98b3a2df7e1241181df05af3.json"
+       "/41871c36854ad8fb935ae46cbc99d707a2d39015497f4991e9334950f734d47d.json"
       ]
      ]
     }

diff --git a/.../@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdk.out b/.../@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/cdk.out
diff --git a/...ot/cdkdynamodbglobal20191121awscdkawsdynamodbReplicaProviderB281C954.nested.template.json b/...ot/cdkdynamodbglobal20191121awscdkawsdynamodbReplicaProviderB281C954.nested.template.json
@@ -275,6 +275,24 @@
         }
        ]
       },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
+      },
       {
        "Action": "states:StartExecution",
        "Effect": "Allow",
@@ -418,6 +436,24 @@
          ]
         }
        ]
+      },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"
@@ -552,6 +588,24 @@
          ]
         }
        ]
+      },
+      {
+       "Action": "lambda:GetFunction",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "IsCompleteHandler7073F4DA",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "OnEventHandler42BEBAE0",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"

diff --git a/...obal.js.snapshot/cdkdynamodbglobal20191121testDefaultTestDeployAssert469C3611.assets.json b/...obal.js.snapshot/cdkdynamodbglobal20191121testDefaultTestDeployAssert469C3611.assets.json
diff --git a/...ws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/integ.json b/...ws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.global.js.snapshot/integ.json
-Original file line number
+Diff line change
@@ Expand Up / @@ -291,7 +291,7 @@ @@
            {
             "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
            },
-           "/d0e51246341d2567827b1fdd35281e7e5d6bcd79ba28cf4873b65a573acb4f14.json"
+           "/c51ce487e06d6bef9c24c4a72e75dabb646e28c6ac74c4ba3426e7a5dd441b1c.json"
           ]
          ]
         }
@@ Expand Down @@