fix(triggers): permissions race condition (#19455)

fixes #19272 > Adding a dependency on the permissions should be good enough We are planning to use triggers as an e2e test which would run on every deployment. I wanted to reduce the moving parts and avoid an IAM change each time. Therefore I opted for widening the permission to all versions. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jul 7, 2022 · 8ebb81b · 8ebb81b
1 parent d644c00
commit 8ebb81b
Show file tree

Hide file tree

Showing 10 changed files with 169 additions and 168 deletions.
diff --git a/packages/@aws-cdk/triggers/lib/trigger.ts b/packages/@aws-cdk/triggers/lib/trigger.ts
@@ -86,7 +86,7 @@ export class Trigger extends Construct implements ITrigger {
         {
           Effect: 'Allow',
           Action: ['lambda:InvokeFunction'],
-          Resource: [handlerArn],
+          Resource: [`${props.handler.functionArn}:*`],
         },
       ],
     });

diff --git a/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.assets.json b/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.assets.json
@@ -1,28 +1,28 @@
 {
   "version": "20.0.0",
   "files": {
-    "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2": {
+    "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a": {
       "source": {
-        "path": "asset.6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2",
+        "path": "asset.f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a",
         "packaging": "zip"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2.zip",
+          "objectKey": "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "6bb39f8bdf6e500ea85c95a13e1f30987a51708e29cb763a3a5c88e37ce9b690": {
+    "7701977a8021a9eaa249c838112381b8da272518c33b9ff336e889c3ce55be79": {
       "source": {
         "path": "MyStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "6bb39f8bdf6e500ea85c95a13e1f30987a51708e29cb763a3a5c88e37ce9b690.json",
+          "objectKey": "7701977a8021a9eaa249c838112381b8da272518c33b9ff336e889c3ce55be79.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.template.json b/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/MyStack.template.json
@@ -119,7 +119,18 @@
          ],
          "Resource": [
           {
-           "Ref": "MyFunctionCurrentVersion197490AF2cb2bc11080c1ef11d3b49c1f1603957"
+           "Fn::Join": [
+            "",
+            [
+             {
+              "Fn::GetAtt": [
+               "MyFunction3BAA72D1",
+               "Arn"
+              ]
+             },
+             ":*"
+            ]
+           ]
           }
          ]
         }
@@ -134,7 +145,7 @@
    "Properties": {
     "Code": {
      "S3Bucket": {
-      "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879"
+      "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681"
      },
      "S3Key": {
       "Fn::Join": [
@@ -147,7 +158,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B"
+             "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E"
             }
            ]
           }
@@ -160,7 +171,7 @@
            "Fn::Split": [
             "||",
             {
-             "Ref": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B"
+             "Ref": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E"
             }
            ]
           }
@@ -187,17 +198,17 @@
   }
  },
  "Parameters": {
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681": {
    "Type": "String",
-   "Description": "S3 bucket for asset \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "S3 bucket for asset \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   },
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E": {
    "Type": "String",
-   "Description": "S3 key for asset version \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "S3 key for asset version \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   },
-  "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2ArtifactHash29DBC1FA": {
+  "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aArtifactHashE7245343": {
    "Type": "String",
-   "Description": "Artifact hash for asset \"6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2\""
+   "Description": "Artifact hash for asset \"f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a\""
   }
  }
 }
diff --git a/.../asset.6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2/__entrypoint__.js b/.../asset.6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2/__entrypoint__.js
diff --git a/.../asset.f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a/__entrypoint__.js b/.../asset.f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a/__entrypoint__.js
diff --git a/...244a3b039122c2c00a5137efb845e2/index.d.ts → ...9fe7f93c6eb60e338c56224decd68a/index.d.ts b/...244a3b039122c2c00a5137efb845e2/index.d.ts → ...9fe7f93c6eb60e338c56224decd68a/index.d.ts
diff --git a/...d5244a3b039122c2c00a5137efb845e2/index.js → ...639fe7f93c6eb60e338c56224decd68a/index.js b/...d5244a3b039122c2c00a5137efb845e2/index.js → ...639fe7f93c6eb60e338c56224decd68a/index.js
diff --git a/...d5244a3b039122c2c00a5137efb845e2/index.ts → ...639fe7f93c6eb60e338c56224decd68a/index.ts b/...d5244a3b039122c2c00a5137efb845e2/index.ts → ...639fe7f93c6eb60e338c56224decd68a/index.ts
@@ -15,7 +15,7 @@ export const invoke: InvokeFunction = async functionName => {
 };
 
 export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent) {
-  console.log({ event });
+  console.log({ ...event, ResponseURL: '...' });
 
   if (event.RequestType === 'Delete') {
     console.log('not calling trigger on DELETE');

diff --git a/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/manifest.json b/packages/@aws-cdk/triggers/test/triggers.integ.snapshot/manifest.json
@@ -19,13 +19,13 @@
           {
             "type": "aws:cdk:asset",
             "data": {
-              "path": "asset.6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2",
-              "id": "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2",
+              "path": "asset.f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a",
+              "id": "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a",
               "packaging": "zip",
-              "sourceHash": "6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2",
-              "s3BucketParameter": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879",
-              "s3KeyParameter": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B",
-              "artifactHashParameter": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2ArtifactHash29DBC1FA"
+              "sourceHash": "f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a",
+              "s3BucketParameter": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681",
+              "s3KeyParameter": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E",
+              "artifactHashParameter": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aArtifactHashE7245343"
             }
           }
         ],
@@ -77,31 +77,22 @@
             "data": "AWSCDKTriggerCustomResourceProviderCustomResourceProviderHandler97BECD91"
           }
         ],
-        "/MyStack/AssetParameters/6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2/S3Bucket": [
+        "/MyStack/AssetParameters/f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a/S3Bucket": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3Bucket2EB34879"
+            "data": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3Bucket93FB8681"
           }
         ],
-        "/MyStack/AssetParameters/6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2/S3VersionKey": [
+        "/MyStack/AssetParameters/f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a/S3VersionKey": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2S3VersionKey03A4DC8B"
+            "data": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aS3VersionKey64A4A72E"
           }
         ],
-        "/MyStack/AssetParameters/6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2/ArtifactHash": [
+        "/MyStack/AssetParameters/f942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68a/ArtifactHash": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "AssetParameters6b78a08a66c707ed36509dde1cebf8e7d5244a3b039122c2c00a5137efb845e2ArtifactHash29DBC1FA"
-          }
-        ],
-        "MyFunctionCurrentVersion197490AFd41a8aa4109c7b22dd39d6bef408da46": [
-          {
-            "type": "aws:cdk:logicalId",
-            "data": "MyFunctionCurrentVersion197490AFd41a8aa4109c7b22dd39d6bef408da46",
-            "trace": [
-              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
-            ]
+            "data": "AssetParametersf942cf8dea09e8b74bc8da73a643a8b2639fe7f93c6eb60e338c56224decd68aArtifactHashE7245343"
           }
         ]
       },