
Cloudfront LambdaEdge: ARNs must start with "arn:" and have at least 6 components: #26167

Closed
y0x opened this issue Jun 29, 2023 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@y0x

y0x commented Jun 29, 2023

Describe the bug

Currently building the cloudfront-authorization-at-edge example in CDK with Python and I'm running into an issue that does not seem to exist when using CDK with TypeScript. A colleague of mine also reported that he had the same issue with CDK Java. This is also the reason why I have opened the issue here and not in the cloudfront-authorization-at-edge repository.

The bug (occurs during synth time):

Using a CfnApplication resource to reference from the serverless application repository that will generate 6 Lambda@Edge functions.

# imports used by this snippet (not shown in the original excerpt);
# user_pool, user_pool_client and site_domain are defined elsewhere in the stack
import json
from aws_cdk.aws_sam import CfnApplication

auth_at_edge: CfnApplication = CfnApplication(
    self,
    "AuthorizationAtEdge",
    location={
        "applicationId": "arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge",
        "semanticVersion": "2.1.6",
    },
    parameters={
        "CreateCloudFrontDistribution": "false",
        "UserPoolArn": user_pool.user_pool_arn,
        "UserPoolClientId": user_pool_client.user_pool_client_id,
        "HttpHeaders": json.dumps(
            {
                "Content-Security-Policy": "default-src 'self' img-src 'self' style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com; object-src 'self'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com wss://*.amazonaws.com",
                "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
                "Referrer-Policy": "same-origin",
                "X-XSS-Protection": "1; mode=block",
                "X-Frame-Options": "DENY",
                "X-Content-Type-Options": "nosniff",
            }
        ),
        "CookieSettings": json.dumps(
            {
                "idToken": f"Domain=.{site_domain}; Secure; SameSite=Lax",
                "accessToken": f"Domain=.{site_domain}; Secure; SameSite=Lax",
                "refreshToken": f"Domain=.{site_domain}; Secure; SameSite=Lax",
                "nonce": f"Domain=.{site_domain}; Secure; HttpOnly; Max-Age=300; SameSite=Lax",
            }
        ),
    },
)

This resource generates a CF-Stack with outputs like:

Key: CheckAuthHandler
Value: arn:aws:lambda:us-east-1:xxx:function:xxdemoappD34XXXX-CheckAuthHandler-XXXX

And this six times; the above is just one as an example.

The next step is to generate a function_version: IVersion based on the CF outputs, like:

# import used by this snippet (not shown in the original excerpt)
from aws_cdk.aws_lambda import IVersion, Version

# one of the six stack outputs; the other *_version objects are built the same way
check_auth_handler_version: IVersion = Version.from_version_arn(
    self,
    "CheckAuthHandlerVersion",
    auth_at_edge.get_att(attribute_name="Outputs.CheckAuthHandler").to_string(),
)

# export to make accessible in cloudfront stack
self.auth_at_edge_lambda_versions: dict[str, IVersion] = {
    "check_auth_handler": check_auth_handler_version,
    "http_headers_handler": http_headers_handler_version,
    "code_update_handler": code_update_handler_version,
    "parse_auth_handler": parse_auth_handler_version,
    "refresh_auth_handler": refresh_auth_handler_version,
    "sign_out_handler": sign_out_handler_version,
    "user_pool_client_update_handler": user_pool_client_update_handler_version,
}

This is necessary because the CloudFront distribution expects Lambda@Edge functions to be passed in as IVersion objects, see here:

# imports used by this snippet (not shown in the original excerpt);
# cert, site_domain, frontend_bucket and auth_at_edge_lambda_versions come from the other stack
from typing import Sequence
from aws_cdk import Duration
from aws_cdk.aws_cloudfront import (
    AllowedMethods,
    BehaviorOptions,
    Distribution,
    EdgeLambda,
    ErrorResponse,
    LambdaEdgeEventType,
    PriceClass,
    SecurityPolicyProtocol,
    ViewerProtocolPolicy,
)
from aws_cdk.aws_cloudfront_origins import S3Origin

edge_lambdas: Sequence[EdgeLambda] = [
    EdgeLambda(
        function_version=auth_at_edge_lambda_versions["check_auth_handler"],
        event_type=LambdaEdgeEventType.VIEWER_REQUEST,
    ),
    EdgeLambda(
        function_version=auth_at_edge_lambda_versions["http_headers_handler"],
        event_type=LambdaEdgeEventType.ORIGIN_RESPONSE,
    ),
]

distribution: Distribution = Distribution(
    self,
    "SiteDistribution",
    certificate=cert,
    default_root_object="index.html",
    domain_names=[site_domain],
    # log_bucket=cloudfront_log_bucket,
    price_class=PriceClass.PRICE_CLASS_ALL,
    minimum_protocol_version=SecurityPolicyProtocol.TLS_V1_2_2021,
    error_responses=[
        ErrorResponse(
            http_status=403,
            response_http_status=403,
            response_page_path="/error.html",
            ttl=Duration.minutes(30),
        )
    ],
    default_behavior=BehaviorOptions(
        origin=S3Origin(frontend_bucket),
        compress=True,
        allowed_methods=AllowedMethods.ALLOW_GET_HEAD,
        viewer_protocol_policy=ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
        edge_lambdas=edge_lambdas,
    ),
)

This results in:

jsii.errors.JavaScriptError:
Error: ARNs must start with "arn:" and have at least 6 components: <aws_cdk.Reference object at 0x7ff5abe76e30>

Expected Behavior

I expected the CloudFront distribution to be generated like it is in my CDK TypeScript example, which is built up almost the same.

Current Behavior

$ cdk deploy --context stage=$STAGE --profile $DEPLOY_PROFILE --require-approval never --all
jsii.errors.JavaScriptError: 
  Error: ARNs must start with "arn:" and have at least 6 components: <aws_cdk.Reference object at 0x7ff5abe76e30>
      at parseArnShape (/tmp/jsii-kernel-mlUw1S/node_modules/aws-cdk-lib/core/lib/arn.js:352:19)
      at Arn.split (/tmp/jsii-kernel-mlUw1S/node_modules/aws-cdk-lib/core/lib/arn.js:172:28)
      at Stack.splitArn (/tmp/jsii-kernel-mlUw1S/node_modules/aws-cdk-lib/core/lib/stack.js:501:26)
      at new Distribution (/tmp/jsii-kernel-mlUw1S/node_modules/aws-cdk-lib/aws-cloudfront/lib/distribution.js:62:61)
      at Kernel._create (/tmp/tmp6_ytd0b2/lib/program.js:9964:29)
      at Kernel.create (/tmp/tmp6_ytd0b2/lib/program.js:9693:29)
      at KernelHost.processRequest (/tmp/tmp6_ytd0b2/lib/program.js:11544:36)
      at KernelHost.run (/tmp/tmp6_ytd0b2/lib/program.js:11504:22)
      at Immediate._onImmediate (/tmp/tmp6_ytd0b2/lib/program.js:11505:46)
      at process.processImmediate (node:internal/timers:476:21)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/builds/xxx/templates/cdk-python-cloudfront/app.py", line 19, in <module>
    Application(
  File "/usr/local/lib/python3.10/site-packages/jsii/_runtime.py", line 112, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/builds/xxx/templates/cdk-python-cloudfront/infrastructure/application.py", line 49, in __init__
    cloudfront: Cloudfront = Cloudfront(
  File "/usr/local/lib/python3.10/site-packages/jsii/_runtime.py", line 112, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/builds/xxx/templates/cdk-python-cloudfront/infrastructure/resources/cloudfront.py", line 130, in __init__
    distribution: Distribution = Distribution(
  File "/usr/local/lib/python3.10/site-packages/jsii/_runtime.py", line 112, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/aws_cdk/aws_cloudfront/__init__.py", line 21061, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/usr/local/lib/python3.10/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/usr/local/lib/python3.10/site-packages/jsii/_kernel/providers/process.py", line 363, in create
    return self._process.send(request, CreateResponse)
  File "/usr/local/lib/python3.10/site-packages/jsii/_kernel/providers/process.py", line 340, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: ARNs must start with "arn:" and have at least 6 components: <aws_cdk.Reference object at 0x7ff5abe76e30>
Subprocess exited with error 1

Reproduction Steps

See above

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.83.0

Framework Version

No response

Node.js Version

16x

OS

public.ecr.aws/docker/library/python:3.10.11-slim

Language

Python, Java

Language Version

python 3.10

Other information

No response
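The frames `parseArnShape` → `Arn.split` → `Stack.splitArn` in the trace above are CDK's ARN shape check, which the `Distribution` construct runs on each edge function's version ARN. Two facts about that check explain what the message is telling us: a string that does not start with `arn:` is still accepted if it carries an unresolved CDK token marker (the `${Token[...]}` encoding that `.to_string()` on a `Reference` produces), and a string with neither is rejected with exactly the message shown. The rejected value printed in the error, `<aws_cdk.Reference object at 0x7ff5abe76e30>`, is Python's default `repr()` of a `Reference`, i.e. the text `str()` or an f-string yields for such an object, not its token encoding. The block below is an added example, not code from the issue or from aws-cdk-lib: a simplified Python model of the check (the token regex and the omission of CDK's partition/service validation are assumptions) run over three constructed inputs: a resolved Lambda version ARN, a bare token string, and the repr text from the error.

```python
import re
from typing import List, Union

# CDK encodes an unresolved string token as "${Token[<id>]}". This regex is a
# simplified model of that marker (an assumption, not CDK's own implementation).
_TOKEN_RE = re.compile(r"\$\{Token\[[A-Za-z0-9._-]+\]\}")


def is_unresolved(value: str) -> bool:
    """Model of Token.isUnresolved(): true if the string carries a token marker."""
    return _TOKEN_RE.search(value) is not None


def parse_arn_shape(arn: str) -> Union[str, List[str]]:
    """Simplified model of the shape check behind CDK's Arn.split().

    Returns the literal 'token' for an unresolved token that does not yet look
    like an ARN, the colon-separated components for a value that does, and
    raises ValueError with the message quoted in the issue otherwise.
    """
    if not arn.startswith("arn:"):
        if is_unresolved(arn):
            # Deferred to deploy time: CloudFormation resolves the token.
            return "token"
        raise ValueError(
            f'ARNs must start with "arn:" and have at least 6 components: {arn}'
        )
    # Tokens never contain ":", so splitting is safe even for partially
    # tokenised ARNs such as "arn:${Token[...]}:lambda:...".
    components = arn.split(":")
    if len(components) < 6:
        raise ValueError(f"ARNs must have at least 6 components: {arn}")
    return components


def classify(arn: str) -> str:
    """Report how the check treats a value: 'token', 'arn' or 'rejected: <msg>'."""
    try:
        result = parse_arn_shape(arn)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "token" if result == "token" else "arn"


# Constructed sample inputs; the account id and function suffix are placeholders.
SAMPLES = {
    "resolved": "arn:aws:lambda:us-east-1:123456789012:function:demo-CheckAuthHandler-ABCD:3",
    "partial": "arn:${Token[TOKEN.5]}:lambda:us-east-1:${Token[TOKEN.6]}:function:demo",
    "token": "${Token[TOKEN.123]}",
    "repr": "<aws_cdk.Reference object at 0x7ff5abe76e30>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9} -> {classify(value)}")
```

Running it shows the first three inputs passing (two as parsed ARNs, one deferred as a token) and only the repr text being rejected, with the same message the synth printed. When debugging this class of error in a jsii language, the useful check is therefore the literal text after the colon in the message: a `${Token[...]}` marker means the ARN itself is malformed, while an object repr means the object was stringified by the host language instead of by CDK.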

@y0x y0x added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 29, 2023
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Jun 29, 2023
@y0x y0x changed the title from "Cloudfront LambdaEdge: Different behaviour between Typescript and Python" to "Cloudfront LambdaEdge: ARNs must start with "arn:" and have at least 6 components:" Jun 29, 2023
@peterwoodworth
Contributor

How are you defining the certificate?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 29, 2023
@github-actions

github-actions bot commented Jul 1, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jul 1, 2023
@y0x y0x closed this as completed Jul 3, 2023
@github-actions

github-actions bot commented Jul 3, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
