
(aws-cognito): UserPool constructor adds an incorrect Lambda permission #19604

Closed
Tietew opened this issue Mar 29, 2022 · 2 comments · Fixed by #19622

Comments


Tietew commented Mar 29, 2022

What is the problem?

When I specify lambdaTriggers in UserPool, the function's lambda permission should have a SourceArn condition with the UserPool's ARN.

But the UserPool constructor adds a lambda permission without a SourceArn condition.
UserPool.addTrigger method adds a correct permission with SourceArn.

This seems to be caused by the constructor code calling addLambdaPermission before assigning this.userPoolArn.

Reproduction Steps

```ts
const handler = new lambda.Function(this, 'Handler', { ... });
new cognito.UserPool(this, 'UserPool', {
  lambdaTriggers: {
    postConfirmation: handler,
  },
  ...
});
```

What did you expect to happen?

The following Lambda::Permission resource is created:

```json
"HandlerPostConfirmationCognitoXXXXXXXX": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::GetAtt": [
        "HandlerXXXXXXXX",
        "Arn"
      ]
    },
    "Principal": "cognito-idp.amazonaws.com",
    "SourceArn": {
      "Fn::GetAtt": [
        "UserPoolXXXXXXXX",
        "Arn"
      ]
    }
  },
  "Metadata": {
    "aws:cdk:path": "..."
  }
},
```

What actually happened?

The following Lambda::Permission resource was created:

```json
"HandlerPostConfirmationCognitoXXXXXXXX": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::GetAtt": [
        "HandlerXXXXXXXX",
        "Arn"
      ]
    },
    "Principal": "cognito-idp.amazonaws.com"
  },
  "Metadata": {
    "aws:cdk:path": "..."
  }
},
```

CDK CLI Version

2.18.0

Framework Version

No response

Node.js Version

14.19.0

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response
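As an added example (not code from this issue or the aws-cdk project), here is a check a team can run over a synthesized CloudFormation template to catch Lambda permissions of the kind reported above, where a service principal is granted invoke rights with no SourceArn or SourceAccount condition. The template and its logical IDs are constructed for the example.

```typescript
// Added example, not from the aws-cdk issue or project: find AWS::Lambda::Permission
// resources that let a service principal invoke a function without scoping the source.
// Without SourceArn/SourceAccount, any resource of that service in any account could invoke it.

type CfnTemplate = {
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
};

// Returns logical IDs of Lambda::Permission resources whose Principal is a service
// principal (ends in ".amazonaws.com") and that carry no SourceArn or SourceAccount.
function findUnscopedServicePermissions(template: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::Lambda::Permission') continue;
    const props = res.Properties ?? {};
    const principal = props.Principal;
    // Account IDs and ARNs as principals are already scoped; only service
    // principals need SourceArn/SourceAccount to avoid the confused-deputy case.
    if (typeof principal !== 'string' || !principal.endsWith('.amazonaws.com')) continue;
    if (props.SourceArn === undefined && props.SourceAccount === undefined) findings.push(logicalId);
  }
  return findings;
}

// Constructed sample template (hypothetical logical IDs) mirroring the issue:
// the first permission lacks SourceArn, the second is scoped to the user pool ARN.
const sampleTemplate: CfnTemplate = {
  Resources: {
    HandlerPostConfirmationCognitoAAAA: {
      Type: 'AWS::Lambda::Permission',
      Properties: {
        Action: 'lambda:InvokeFunction',
        FunctionName: { 'Fn::GetAtt': ['HandlerBBBB', 'Arn'] },
        Principal: 'cognito-idp.amazonaws.com',
      },
    },
    HandlerPreSignUpCognitoCCCC: {
      Type: 'AWS::Lambda::Permission',
      Properties: {
        Action: 'lambda:InvokeFunction',
        FunctionName: { 'Fn::GetAtt': ['HandlerBBBB', 'Arn'] },
        Principal: 'cognito-idp.amazonaws.com',
        SourceArn: { 'Fn::GetAtt': ['UserPoolDDDD', 'Arn'] },
      },
    },
  },
};
```

Running the check over `sampleTemplate` flags only the first permission, which is the shape the constructor produced in the report above.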

@Tietew Tietew added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 29, 2022
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Mar 29, 2022
@corymhall

It looks like the solution might be to use Lazy with the sourceArn.

It seems like this issue impacts a significant number of customers, and I've tagged it as P1, which means it should be on our near-term roadmap.

We welcome community contributions! If you are able, we encourage you to contribute a bug fix or new feature to the CDK. If you decide to contribute, please start an engineering discussion in this issue to ensure there is a commonly understood design before submitting code. This will minimize the number of review cycles and get your code merged faster.

@corymhall corymhall added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 29, 2022
Tietew added a commit to Tietew/aws-cdk that referenced this issue Mar 30, 2022
@mergify mergify bot closed this as completed in #19622 Mar 31, 2022
mergify bot pushed a commit that referenced this issue Mar 31, 2022
…ourceArn (#19622)

Fixes #19604


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

StevePotter pushed a commit to StevePotter/aws-cdk that referenced this issue Apr 27, 2022