Use 'currentVersion' for lambda object to resolve the cdk nag issue #281
Conversation
@@ -194,7 +194,7 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct { | |||
generate_trimmed_samplesheet_lambda_obj, | |||
upload_samplesheet_to_cache_dir_lambda_obj, | |||
].forEach((lambda_obj) => { | |||
lambda_obj.grantInvoke(<iam.IRole>stateMachine.role); | |||
lambda_obj.currentVersion.grantInvoke(<iam.IRole>stateMachine.role); |
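Review bot: granting on lambda_obj.currentVersion authorises only the qualified version ARN, so whatever stateMachine invokes must reference lambda_obj.currentVersion (the version ARN) rather than lambda_obj itself; an invoke against the unqualified function ARN is no longer covered by this statement. Because currentVersion publishes a new version on every code change, this policy statement will be rewritten on each deploy and the previous version loses its grant, which is worth a comment above the forEach. Minor: if stateMachine.role is already typed as iam.IRole, the `<iam.IRole>` cast can be dropped.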
@williamputraintan @mmalenic @raylrui FYI, folks.
If we use the currentVersion prop of Lambda, we can get away from cdk generating * on the ARN. This is for cdk-nag AwsSolutions-IAM5 suppression.
Ah, this doesn't work as magically as one would have hoped. Using current version is very specific.
Because step functions role has access to So when replacing definitions in step functions, rather than
Argh. CDK meow! 😿 Must be the reason why CDK grant generates the slash star. Go for it, Alexis. Suppress https://github.com/umccr/orcabus/blob/3638b2c/test/stateless/deployment.test.ts#L131-L189
Is it an issue passing the
No, it's not; it's just something to remember. It does, though, mean that every time we update the lambda and deploy (manually), cdk will ask for permission first, since we'll also be updating the role permissions of the step function.
Related issue: aws/aws-cdk#20177
grantInvoke will use * for all lambda versions, which breaks cdk-nag. By using the currentVersion attribute of the lambda obj we only grantInvoke for the latest version of the lambda object, resolving the cdk-nag errors.
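A worked illustration of the two grant shapes discussed in this PR, added here as an example; it is not code from the orcabus repo or from aws-cdk. It models the resource lists that Function.grantInvoke() and Version.grantInvoke() emit, applies IAM-style wildcard matching to show which invoke targets each one actually authorises, and runs a reduced AwsSolutions-IAM5 check (any wildcard in a Resource entry is a finding). The account id, region, function name and version number are constructed for the example, and the policy shapes are a model of CDK's output rather than CDK itself.

```typescript
// Added example, not project code: a dependency-free model of
// lambda.grantInvoke() vs lambda.currentVersion.grantInvoke() and of the
// cdk-nag AwsSolutions-IAM5 wildcard-resource check.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

// Constructed identifiers for the example (not a real account or deployment).
const ACCOUNT = "123456789012";
const REGION = "ap-southeast-2";
const FN_NAME = "generate-trimmed-samplesheet";

function functionArn(name: string): string {
  return `arn:aws:lambda:${REGION}:${ACCOUNT}:function:${name}`;
}

// Modelled on Function.grantInvoke(): the unqualified function ARN plus a
// ":*" wildcard that covers every published version and alias. The wildcard
// is what cdk-nag AwsSolutions-IAM5 flags.
function grantInvokeUnqualified(name: string): PolicyStatement {
  return {
    Effect: "Allow",
    Action: ["lambda:InvokeFunction"],
    Resource: [functionArn(name), `${functionArn(name)}:*`],
  };
}

// Modelled on Version.grantInvoke() (what currentVersion hands back): a single,
// fully qualified version ARN and no wildcard.
function grantInvokeVersion(name: string, version: number): PolicyStatement {
  return {
    Effect: "Allow",
    Action: ["lambda:InvokeFunction"],
    Resource: [`${functionArn(name)}:${version}`],
  };
}

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// IAM-style glob matching for Resource entries: "*" matches any run of
// characters, "?" exactly one; everything else is literal.
function iamMatch(pattern: string, value: string): boolean {
  const body = pattern
    .split("*")
    .map((p) => p.split("?").map(escapeRe).join("."))
    .join(".*");
  return new RegExp(`^${body}$`).test(value);
}

// Would this statement let the principal invoke the given target ARN?
function allowsInvoke(stmt: PolicyStatement, targetArn: string): boolean {
  return (
    stmt.Effect === "Allow" &&
    stmt.Action.indexOf("lambda:InvokeFunction") !== -1 &&
    stmt.Resource.some((r) => iamMatch(r, targetArn))
  );
}

// Reduced AwsSolutions-IAM5: report every Resource entry containing a wildcard.
function iam5Findings(stmt: PolicyStatement): string[] {
  return stmt.Resource.filter((r) => r.indexOf("*") !== -1);
}

// Summary of the trade-off for a given published version: the version grant
// is wildcard-free, but it no longer covers the unqualified ARN or any other
// version, which is the caveat raised in the discussion above.
function compareGrants(name: string, version: number) {
  const broad = grantInvokeUnqualified(name);
  const narrow = grantInvokeVersion(name, version);
  const unqualified = functionArn(name);
  return {
    broadFindings: iam5Findings(broad).length,
    narrowFindings: iam5Findings(narrow).length,
    broadCoversUnqualified: allowsInvoke(broad, unqualified),
    narrowCoversUnqualified: allowsInvoke(narrow, unqualified),
    narrowCoversThisVersion: allowsInvoke(narrow, `${unqualified}:${version}`),
    narrowCoversNextVersion: allowsInvoke(narrow, `${unqualified}:${version + 1}`),
  };
}
```

Running compareGrants(FN_NAME, 3) gives one IAM5 finding for the unqualified grant and none for the version grant, but also shows that the version grant covers neither the unqualified ARN nor version 4; after the next deploy publishes version 4, the state machine's task definitions must point at the new version ARN and the role policy is regenerated, which is why cdk prompts for the IAM change each time.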