From 6136d9e79d8f47faf7258f381143b3b313e26490 Mon Sep 17 00:00:00 2001
From: Samson Keung
Date: Thu, 24 Oct 2024 10:10:44 -0700
Subject: [PATCH 1/3] chore(scheduler-alpha): unit test schedule with Lambda version as target (#31872)
### Issue # (if applicable) None.
### Reason for this change Missing this test case.
### Description of changes Adding a unit test to verify `Schedule` works with Lambda Version and correct permissions are added.
### Description of how you validated changes Unit test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../test/lambda-invoke.test.ts | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
index 2fcb2a8d30629..1a61970f411d5 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
@@ -85,6 +85,63 @@ describe('schedule target', () => {
 });
 });
+ test('creates IAM role and IAM policy for lambda version', () => {
+ const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', {
+ lambda: func,
+ });
+ const lambdaTarget = new LambdaInvoke(lambdaVersion, {});
+
+ new Schedule(stack, 'MyScheduleDummy', {
+ schedule: expr,
+ target: lambdaTarget,
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0);
+
+ Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', {
+ Properties: {
+ Target: {
+ Arn: {
+ Ref: 'MyLambdaVersion2EF97E33',
+ },
+ RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] },
+ RetryPolicy: {},
+ },
+ },
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'lambda:InvokeFunction',
+ Effect: 'Allow',
+ Resource: {
+ Ref: 'MyLambdaVersion2EF97E33',
+ },
+ },
+ ],
+ },
+ Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }],
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+ AssumeRolePolicyDocument: {
+ Version: '2012-10-17',
+ Statement: [
+ {
+ Effect: 'Allow',
+ Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } },
+ Principal: {
+ Service: 'scheduler.amazonaws.com',
+ },
+ Action: 'sts:AssumeRole',
+ },
+ ],
+ },
+ });
+ });
+
 test('creates IAM policy for provided IAM role', () => {
 const targetExecutionRole = new Role(stack, 'ProvidedTargetRole', {
 assumedBy: new AccountRootPrincipal(),
From 886283e25e9ad2b4af766048d613e5a1ebe9deac Mon Sep 17 00:00:00 2001
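Review bot: Every assertion in the new test calls `Template.fromStack(stack)` afresh, and the whole `AWS::IAM::Role` trust-policy block is repeated verbatim in the alias test added by the next patch (the `@@ -286` hunk); a single `const template = Template.fromStack(stack);` at the top of the test plus a small `expectSchedulerAssumeRolePolicy(template)` helper shared by both tests would keep each test to its actual subject. The assertion that carries the least-privilege point is `Resource: { Ref: 'MyLambdaVersion2EF97E33' }` in the `AWS::IAM::Policy` block, which pins `lambda:InvokeFunction` to the version ARN rather than the unqualified function; a comment such as `// Ref of a Version is the qualified ARN, so invoke is scoped to this version only` would make that intent explicit to the next reader. The enclosing `describe('schedule target')` block starts and ends outside the hunk.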
From: Samson Keung
Date: Thu, 24 Oct 2024 10:44:27 -0700
Subject: [PATCH 2/3] chore(scheduler-alpha): unit test schedule with Lambda alias as target (#31873)
### Issue # (if applicable) None
### Reason for this change Missing this test case.
### Description of changes Adding a unit test to verify `Schedule` works with Lambda Alias and correct permissions are added.
### Description of how you validated changes Unit test.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../test/lambda-invoke.test.ts | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
index 1a61970f411d5..24de4674aa16e 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/lambda-invoke.test.ts
@@ -286,6 +286,68 @@ describe('schedule target', () => {
 });
 });
+ test('creates IAM role and IAM policy for lambda alias', () => {
+ const lambdaVersion = new lambda.Version(stack, 'MyLambdaVersion', {
+ lambda: func,
+ });
+ const lambdaAlias = new lambda.Alias(stack, 'MyLambdaAlias', {
+ version: lambdaVersion,
+ aliasName: 'SomeAliasName',
+ });
+
+ const lambdaTarget = new LambdaInvoke(lambdaAlias, {});
+
+ new Schedule(stack, 'MyScheduleDummy', {
+ schedule: expr,
+ target: lambdaTarget,
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 0);
+
+ Template.fromStack(stack).hasResource('AWS::Scheduler::Schedule', {
+ Properties: {
+ Target: {
+ Arn: {
+ Ref: 'MyLambdaAliasD26C43B4',
+ },
+ RoleArn: { 'Fn::GetAtt': ['SchedulerRoleForTarget1441a743A31888', 'Arn'] },
+ RetryPolicy: {},
+ },
+ },
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: [
+ {
+ Action: 'lambda:InvokeFunction',
+ Effect: 'Allow',
+ Resource: {
+ Ref: 'MyLambdaAliasD26C43B4',
+ },
+ },
+ ],
+ },
+ Roles: [{ Ref: 'SchedulerRoleForTarget1441a743A31888' }],
+ });
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', {
+ AssumeRolePolicyDocument: {
+ Version: '2012-10-17',
+ Statement: [
+ {
+ Effect: 'Allow',
+ Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } },
+ Principal: {
+ Service: 'scheduler.amazonaws.com',
+ },
+ Action: 'sts:AssumeRole',
+ },
+ ],
+ },
+ });
+ });
+
 test('creates IAM policy for imported role for lambda function in the same account', () => {
 const importedRole = Role.fromRoleArn(stack, 'ImportedRole', 'arn:aws:iam::123456789012:role/someRole');
From 4f29c1d04533b68535c1a5706855066d1d1ea577 Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Thu, 24 Oct 2024 19:44:15 +0100
Subject: [PATCH 3/3] fix: enable node-fips compatible body checksums for S3 (#31883)
### Issue # (if applicable) Internal reference: D166315367
### Reason for this change In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. However by default the S3 client is using an MD5 checksum for content integrity checking. This causes any S3 upload operation to fail with a cryptography error.
### Description of changes We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior of the AWS SDKv3 and is a safe choice for all users.
### Description of how you validated changes For non-FIPS users, we have verified functionality via cli-integ-tests. For FIPS users, we have manually verified `cdk deploy` is now working in a FIPS enabled environment. We have also verified the configuration with the affected customer.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/integ-runner/package.json | 3 +-
 packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 20 +++++++++++
 packages/aws-cdk/lib/api/aws-auth/sdk.ts | 13 ++++++-
 packages/aws-cdk/package.json | 2 +-
 yarn.lock | 38 +++++---------------
 5 files changed, 43 insertions(+), 33 deletions(-)
diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json
index fef13773ed7aa..5ab742258adbd 100644
--- a/packages/@aws-cdk/integ-runner/package.json
+++ b/packages/@aws-cdk/integ-runner/package.json
@@ -74,9 +74,8 @@
 "@aws-cdk/cloud-assembly-schema": "^38.0.0",
 "@aws-cdk/cloudformation-diff": "0.0.0",
 "@aws-cdk/cx-api": "0.0.0",
- "cdk-assets": "^2.154.0",
+ "cdk-assets": "^2.155.17",
 "@aws-cdk/aws-service-spec": "^0.1.29",
- "@aws-cdk/cdk-cli-wrapper": "0.0.0",
 "aws-cdk": "0.0.0",
 "chalk": "^4",
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 0e959c0a2a5ee..34f5825b5ff4e 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -80,6 +80,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | 2.161.0 | (fix) |
 | [@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics](#aws-cdkcorecfnincluderejectcomplexresourceupdatecreatepolicyintrinsics) | When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | (fix) |
 | [@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy](#aws-cdkaws-stepfunctions-tasksfixrunecstaskpolicy) | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | (fix) |
+| [@aws-cdk/aws-dynamodb:resourcePolicyPerReplica](#aws-cdkaws-dynamodbresourcepolicyperreplica) | When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas | V2NEXT | (fix) |
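Review bot: The removal of `"@aws-cdk/cdk-cli-wrapper": "0.0.0"` from integ-runner's dependencies is not mentioned anywhere in the commit description, which only covers S3 body checksums; if the drop is intentional the description should say why, and if it arrived through a rebase it does not belong in a fix commit. The same applies to the `@aws-cdk/aws-dynamodb:resourcePolicyPerReplica` rows added to FEATURE_FLAGS.md in the hunks that follow. The `cdk-assets` floor raised to `^2.155.17` here and in `packages/aws-cdk/package.json` presumably pulls in a matching checksum change on the cdk-assets side; stating that in the description would make the version requirement traceable.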
@@ -143,6 +144,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
 "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
 "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+ "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
 "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
 "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
 "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
@@ -1509,4 +1511,22 @@ When this feature flag is enabled, if the task definition is created in the stac
 | 2.163.0 | `false` | `true` |
+### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica
+
+*When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix)
+
+If this flag is not set, the default behavior for `TableV2` is to use a different `resourcePolicy` for each replica.
+
+If this flag is set to false, the behavior is that each replica shares the same `resourcePolicy` as the source table.
+This will prevent you from creating a new table which has an additional replica and a resource policy.
+
+This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) | | |
+| V2NEXT | `false` | `true` |
+
+
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
index 6a78965620c01..fab6d1d3ce4b0 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
@@ -174,7 +174,18 @@ export class SDK implements ISDK {
 }
 public s3(): AWS.S3 {
- return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+ return this.wrapServiceErrorHandling(new AWS.S3({
+ // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+ // However by default the S3 client is using an MD5 checksum for content integrity checking.
+ // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+ // in practice it is just easier to use an allowed checksum mechanism.
+ // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+ // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+ // of the AWS SDKv3 and is a safe choice for all users.
+ s3DisableBodySigning: false,
+ computeChecksums: false,
+ ...this.config,
+ }));
 }
 public route53(): AWS.Route53 {
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index 506da385ff312..202ac715eb2bb 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -104,7 +104,7 @@
 "archiver": "^5.3.2",
 "aws-sdk": "^2.1691.0",
 "camelcase": "^6.3.0",
- "cdk-assets": "^2.155.0",
+ "cdk-assets": "^2.155.17",
 "cdk-from-cfn": "^0.162.0",
 "chalk": "^4",
 "chokidar": "^3.6.0",
diff --git a/yarn.lock b/yarn.lock
index a14ce1ed93150..f5c2805c1038d 100644
--- a/yarn.lock
+++ b/yarn.lock
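Review bot: `...this.config` is spread after `s3DisableBodySigning: false` and `computeChecksums: false`, so any caller that places either key in the SDK config silently reinstates the Content-MD5 path this commit is removing; if overriding is intended, say so in the comment block, e.g. `// Callers may still override both flags through this.config, which is spread last on purpose.`, otherwise move `...this.config` above the two flags so they are enforced. With body signing enabled the SigV4 signer has to hash the entire request body before the request goes out, which I believe SDK v2 can only do for strings, Buffers and file streams — worth confirming that every S3 upload path reached from this client hands over one of those, since an arbitrary stream would presumably either fall back to an unsigned payload or fail at signing time. Both flags only take effect under SigV4, so a `signatureVersion` override in `this.config` would bypass them as well. The `SDK` class begins and ends outside the hunk.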
@@ -67,17 +67,10 @@
 jsonschema "^1.4.1"
 semver "^7.6.3"
-"@aws-cdk/cx-api@^2.158.0":
- version "2.159.0"
- resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
- integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
- dependencies:
- semver "^7.6.3"
-
-"@aws-cdk/cx-api@^2.160.0":
- version "2.160.0"
- resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
- integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
+"@aws-cdk/cx-api@^2.163.1":
+ version "2.163.1"
+ resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
+ integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
 dependencies:
 semver "^7.6.3"
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3:
 resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
 integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
-cdk-assets@^2.154.0:
- version "2.154.0"
- resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
- integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
- dependencies:
- "@aws-cdk/cloud-assembly-schema" "^38.0.0"
- "@aws-cdk/cx-api" "^2.158.0"
- archiver "^5.3.2"
- aws-sdk "^2.1691.0"
- glob "^7.2.3"
- mime "^2.6.0"
- yargs "^16.2.0"
-
-cdk-assets@^2.155.0:
- version "2.155.0"
- resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
- integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
+cdk-assets@^2.155.17:
+ version "2.155.17"
+ resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
+ integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
 dependencies:
 "@aws-cdk/cloud-assembly-schema" "^38.0.1"
- "@aws-cdk/cx-api" "^2.160.0"
+ "@aws-cdk/cx-api" "^2.163.1"
 archiver "^5.3.2"
 aws-sdk "^2.1691.0"
 glob "^7.2.3"