Merge branch 'main' into Issue-AWS242-27542

aws · Mar 6, 2023 · a329869 · a329869
2 parents 7a2804c + 29bdd6c
commit a329869
Show file tree

Hide file tree

Showing 67 changed files with 3,227 additions and 947 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts b/packages/@aws-cdk/aws-apigateway/lib/authorizers/lambda.ts
@@ -7,6 +7,7 @@ import { CfnAuthorizer, CfnAuthorizerProps } from '../apigateway.generated';
 import { Authorizer, IAuthorizer } from '../authorizer';
 import { IRestApi } from '../restapi';
 
+
 /**
  * Base properties for all lambda authorizers
  */
@@ -122,22 +123,36 @@ abstract class LambdaAuthorizer extends Authorizer implements IAuthorizer {
    */
   protected setupPermissions() {
     if (!this.role) {
-      this.handler.addPermission(`${Names.uniqueId(this)}:Permissions`, {
-        principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
-        sourceArn: this.authorizerArn,
-      });
-    } else if (this.role instanceof iam.Role) { // i.e. not imported
-      this.role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
-        statements: [
-          new iam.PolicyStatement({
-            resources: this.handler.resourceArnsForGrantInvoke,
-            actions: ['lambda:InvokeFunction'],
-          }),
-        ],
-      }));
+      this.addDefaultPermisionRole();
+    } else if (iam.Role.isRole(this.role)) {
+      this.addLambdaInvokePermission(this.role);
     }
   }
 
+  /**
+   * Add Default Permission Role for handler
+   */
+  private addDefaultPermisionRole() :void {
+    this.handler.addPermission(`${Names.uniqueId(this)}:Permissions`, {
+      principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+      sourceArn: this.authorizerArn,
+    });
+  }
+
+  /**
+   * Add Lambda Invoke Permission for LambdaAurhorizer's role
+   */
+  private addLambdaInvokePermission(role: iam.Role) :void {
+    role.attachInlinePolicy(new iam.Policy(this, 'authorizerInvokePolicy', {
+      statements: [
+        new iam.PolicyStatement({
+          resources: this.handler.resourceArnsForGrantInvoke,
+          actions: ['lambda:InvokeFunction'],
+        }),
+      ],
+    }));
+  }
+
   /**
    * Returns a token that resolves to the Rest Api Id at the time of synthesis.
    * Throws an error, during token resolution, if no RestApi is attached to this authorizer.

diff --git a/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts b/packages/@aws-cdk/aws-apigateway/test/authorizers/integ.request-authorizer.lit.ts
@@ -1,9 +1,7 @@
 import * as path from 'path';
 import * as lambda from '@aws-cdk/aws-lambda';
 import { App, Stack } from '@aws-cdk/core';
-import { MockIntegration, PassthroughBehavior, RestApi } from '../../lib';
-import { RequestAuthorizer } from '../../lib/authorizers';
-import { IdentitySource } from '../../lib/authorizers/identity-source';
+import { MockIntegration, PassthroughBehavior, RestApi, RequestAuthorizer, IdentitySource } from '../../lib';
 
 // Against the RestApi endpoint from the stack output, run
 // `curl -s -o /dev/null -w "%{http_code}" <url>` should return 401

diff --git a/packages/@aws-cdk/aws-apprunner/lib/service.ts b/packages/@aws-cdk/aws-apprunner/lib/service.ts
@@ -4,6 +4,7 @@ import * as iam from '@aws-cdk/aws-iam';
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as ssm from '@aws-cdk/aws-ssm';
 import * as cdk from '@aws-cdk/core';
+import { Lazy } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnService } from './apprunner.generated';
 import { IVpcConnector } from './vpc-connector';
@@ -924,16 +925,6 @@ export class Service extends cdk.Resource {
    */
   readonly environment: { [key: string]: string } = {};
 
-  /**
-   * Environment variables for this service.
-   */
-  private environmentVariables: { [key: string]: string } = {};
-
-  /**
-   * Environment secrets for this service.
-   */
-  private environmentSecrets: { [key: string]: Secret; } = {};
-
   /**
    * Environment secrets for this service.
    */
@@ -981,17 +972,22 @@ export class Service extends cdk.Resource {
     this.source = source;
     this.props = props;
 
-    this.environmentVariables = this.getEnvironmentVariables();
-    this.environmentSecrets = this.getEnvironmentSecrets();
+    this.instanceRole = this.props.instanceRole;
+
+    const environmentVariables = this.getEnvironmentVariables();
+    const environmentSecrets = this.getEnvironmentSecrets();
+
+    for (const [key, value] of Object.entries(environmentVariables)) {
+      this.addEnvironmentVariable(key, value);
+    }
+    for (const [key, value] of Object.entries(environmentSecrets)) {
+      this.addSecret(key, value);
+    }
 
     // generate an IAM role only when ImageRepositoryType is ECR and props.accessRole is undefined
     this.accessRole = (this.source.imageRepository?.imageRepositoryType == ImageRepositoryType.ECR) ?
       this.props.accessRole ?? this.generateDefaultRole() : undefined;
 
-    // generalte an IAM role only when environmentSecrets has values and props.instanceRole is undefined
-    this.instanceRole = (Object.keys(this.environmentSecrets).length > 0 && !this.props.instanceRole) ?
-      this.createInstanceRole() : this.props.instanceRole;
-
     if (this.source.codeRepository?.codeConfiguration.configurationSource == ConfigurationSourceType.REPOSITORY &&
       this.source.codeRepository?.codeConfiguration.configurationValues) {
       throw new Error('configurationValues cannot be provided if the ConfigurationSource is Repository');
@@ -1001,7 +997,7 @@ export class Service extends cdk.Resource {
       instanceConfiguration: {
         cpu: this.props.cpu?.unit,
         memory: this.props.memory?.unit,
-        instanceRoleArn: this.instanceRole?.roleArn,
+        instanceRoleArn: Lazy.string({ produce: () => this.instanceRole?.roleArn }),
       },
       sourceConfiguration: {
         authenticationConfiguration: this.renderAuthenticationConfiguration(),
@@ -1036,13 +1032,19 @@ export class Service extends cdk.Resource {
    * This method adds an environment variable to the App Runner service.
    */
   public addEnvironmentVariable(name: string, value: string) {
+    if (name.startsWith('AWSAPPRUNNER')) {
+      throw new Error(`Environment variable key ${name} with a prefix of AWSAPPRUNNER is not allowed`);
+    }
     this.variables.push({ name: name, value: value });
   }
 
   /**
    * This method adds a secret as environment variable to the App Runner service.
    */
   public addSecret(name: string, secret: Secret) {
+    if (name.startsWith('AWSAPPRUNNER')) {
+      throw new Error(`Environment secret key ${name} with a prefix of AWSAPPRUNNER is not allowed`);
+    }
     if (!this.instanceRole) {
       this.instanceRole = this.createInstanceRole();
     }
@@ -1130,36 +1132,22 @@ export class Service extends cdk.Resource {
       port: props.port,
       buildCommand: props.buildCommand,
       runtime: props.runtime.name,
-      runtimeEnvironmentVariables: this.renderEnvironmentVariables(),
-      runtimeEnvironmentSecrets: this.renderEnvironmentSecrets(),
+      runtimeEnvironmentVariables: Lazy.any({ produce: () => this.renderEnvironmentVariables() }),
+      runtimeEnvironmentSecrets: Lazy.any({ produce: () => this.renderEnvironmentSecrets() }),
       startCommand: props.startCommand,
     };
   }
 
   private renderEnvironmentVariables(): EnvironmentVariable[] | undefined {
-    if (Object.keys(this.environmentVariables).length > 0) {
-      for (const [key, value] of Object.entries(this.environmentVariables)) {
-        if (key.startsWith('AWSAPPRUNNER')) {
-          throw new Error(`Environment variable key ${key} with a prefix of AWSAPPRUNNER is not allowed`);
-        }
-        this.variables.push({ name: key, value: value });
-      }
+    if (this.variables.length > 0) {
       return this.variables;
     } else {
       return undefined;
     }
   }
 
   private renderEnvironmentSecrets(): EnvironmentSecret[] | undefined {
-    if (Object.keys(this.environmentSecrets).length > 0 && this.instanceRole) {
-      for (const [key, value] of Object.entries(this.environmentSecrets)) {
-        if (key.startsWith('AWSAPPRUNNER')) {
-          throw new Error(`Environment secret key ${key} with a prefix of AWSAPPRUNNER is not allowed`);
-        }
-
-        value.grantRead(this.instanceRole);
-        this.secrets.push({ name: key, value: value.arn });
-      }
+    if (this.secrets.length > 0 && this.instanceRole) {
       return this.secrets;
     } else {
       return undefined;
@@ -1171,8 +1159,8 @@ export class Service extends cdk.Resource {
       imageConfiguration: {
         port: repo.imageConfiguration?.port?.toString(),
         startCommand: repo.imageConfiguration?.startCommand,
-        runtimeEnvironmentVariables: this.renderEnvironmentVariables(),
-        runtimeEnvironmentSecrets: this.renderEnvironmentSecrets(),
+        runtimeEnvironmentVariables: Lazy.any({ produce: () => this.renderEnvironmentVariables() }),
+        runtimeEnvironmentSecrets: Lazy.any({ produce: () => this.renderEnvironmentSecrets() }),
       },
     });
   }

diff --git a/...-vars.js.snapshot/AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.assets.json b/...-vars.js.snapshot/AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...ars.js.snapshot/AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.template.json b/...ars.js.snapshot/AppRunnerLaterSecretsEnvVarsDefaultTestDeployAssert07867A67.template.json
@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...ages/@aws-cdk/aws-apprunner/test/integ.service-later-secrets-env-vars.js.snapshot/cdk.out b/...ages/@aws-cdk/aws-apprunner/test/integ.service-later-secrets-env-vars.js.snapshot/cdk.out
@@ -0,0 +1 @@
+{"version":"30.1.0"}
diff --git a/...ice-later-secrets-env-vars.js.snapshot/integ-apprunner-later-secrets-env-vars.assets.json b/...ice-later-secrets-env-vars.js.snapshot/integ-apprunner-later-secrets-env-vars.assets.json
@@ -0,0 +1,19 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "7cbdc4561bb7693ec11f95d96ee8a14d99732d386c66f27cb36e08a108d4ef30": {
+      "source": {
+        "path": "integ-apprunner-later-secrets-env-vars.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "7cbdc4561bb7693ec11f95d96ee8a14d99732d386c66f27cb36e08a108d4ef30.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}