add feedback from Luca
msambol committed Oct 13, 2023
1 parent 901a510 commit 0ad557f
Showing 7 changed files with 204 additions and 12 deletions.


Expand Up @@ -78,6 +78,18 @@
"PrincipalOrgID": "o-xxxxxxxxxx"
}
},
"MyLambdaFunctionUrlC2055677": {
"Type": "AWS::Lambda::Url",
"Properties": {
"AuthType": "AWS_IAM",
"TargetFunctionArn": {
"Fn::GetAtt": [
"MyLambdaCCE802FB",
"Arn"
]
}
}
},
"MyLambdaInvokemcfVL7pJA0SB0Bm8yGhELN3cZ1c8fYqVoNxjNP4pYCE95D85164": {
"Type": "AWS::Lambda::Permission",
"Properties": {
Expand All @@ -104,6 +116,49 @@
},
"Principal": "apigateway.amazonaws.com"
}
},
"MyRoleF48FFE04": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"MyRoleDefaultPolicyA36BE1DD": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunctionUrl",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyLambdaCCE802FB",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyRoleDefaultPolicyA36BE1DD",
"Roles": [
{
"Ref": "MyRoleF48FFE04"
}
]
}
}
},
"Parameters": {

Expand Up @@ -17,6 +17,12 @@ fn.grantInvoke(new iam.AnyPrincipal().inOrganization('o-yyyyyyyyyy'));

fn.grantInvoke(new iam.OrganizationPrincipal('o-xxxxxxxxxx'));

const fnUrl = fn.addFunctionUrl();
const role = new iam.Role(stack, 'MyRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
fnUrl.grantInvokeUrl(role);

fn.grantInvokeCompositePrincipal(new iam.CompositePrincipal(
new iam.OrganizationPrincipal('o-zzzzzzzzzz'),
new iam.ServicePrincipal('apigateway.amazonaws.com'),
6 changes: 4 additions & 2 deletions packages/aws-cdk-lib/aws-lambda/README.md
Expand Up @@ -249,14 +249,16 @@ const servicePrincipalWithConditions = servicePrincipal.withConditions({
fn.grantInvoke(servicePrincipalWithConditions);
```

### Grant function access to CompositePrincipal
### Grant function access to a CompositePrincipal

To grant invoke permissions to a `CompositePrincipal` use the `grantInvokeCompositePrincipal` method:

```ts
declare const fn: lambda.Function;
const compositePrincipal = new iam.CompositePrincipal(
new iam.OrganizationPrincipal('o-zzzzzzzzzz'),
new iam.ServicePrincipal('apigateway.amazonaws.com'),
)
);

fn.grantInvokeCompositePrincipal(compositePrincipal);
```
8 changes: 1 addition & 7 deletions packages/aws-cdk-lib/aws-lambda/lib/function-base.ts
Expand Up @@ -458,13 +458,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
* Grant multiple principals the ability to invoke this Lambda via CompositePrincipal
*/
public grantInvokeCompositePrincipal(compositePrincipals: iam.CompositePrincipal): iam.Grant[] {
let grants: iam.Grant[] = [];

compositePrincipals.principals.forEach((principal) => {
grants.push(this.grantInvoke(principal));
});

return grants;
return compositePrincipals.principals.map((principal) => this.grantInvoke(principal));
}

public addEventSource(source: IEventSource) {
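Review bot: The TSDoc above `grantInvokeCompositePrincipal` still reads only "Grant multiple principals the ability to invoke this Lambda via CompositePrincipal" with no `@param` or `@returns`, and the parameter is named `compositePrincipals` (plural) although it is a single `iam.CompositePrincipal`. Now that the result is built straight from `compositePrincipals.principals` via `map`, the contract is worth stating: one `grantInvoke` call, and therefore one `Grant` in the returned array, per member principal, in the order of `principals`. I would add `@param compositePrincipals - the composite principal whose member principals each receive an invoke grant` and `@returns one Grant per member principal, in the order of compositePrincipals.principals`. Renaming the parameter to `compositePrincipal` would also be a source-compatible tidy-up, since TypeScript parameters are positional. The doc comment's opening `/**` is above the hunk, and `addEventSource` on the last hunk line continues outside it.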
