From 06ad31bbcf643ea05e987687affea28308c91583 Mon Sep 17 00:00:00 2001 From: exoego Date: Fri, 5 Jul 2024 16:28:36 +0900 Subject: [PATCH 1/3] fix(lambda): validate localMountPath format and length --- .../aws-cdk-lib/aws-lambda/lib/function.ts | 6 ++ .../aws-lambda/test/function.test.ts | 60 +++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index 45c67d9ea3d4b..cb5f9dc635e6a 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -913,6 +913,12 @@ export class Function extends FunctionBase { // add additional managed policies when necessary if (props.filesystem) { const config = props.filesystem.config; + if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) { + throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`); + } + if (config.localMountPath.length > 160) { + throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`); + } if (config.policies) { config.policies.forEach(p => { this.role?.addToPrincipalPolicy(p); diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index f3ad8836102e5..3617e3e3bb530 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -2923,6 +2923,66 @@ describe('function', () => { }); }); + test('validate localMountPath format when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'), + }); + }).toThrow(); + }); + + test('validate localMountPath length when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`), + }); + }).toThrow(); + }); + test('correct security group is created when deployed in separate stacks', () => { const app = new cdk.App(); From 0e9cb467377fccf3f3b944a36dca22f07446e7f8 Mon Sep 17 00:00:00 2001 From: exoego Date: Thu, 8 Aug 2024 21:56:33 +0900 Subject: [PATCH 2/3] fix(lambda): assert error messages --- packages/aws-cdk-lib/aws-lambda/test/function.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index 3617e3e3bb530..9d371149e1769 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -2950,7 +2950,7 @@ describe('function', () => { code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'), }); - }).toThrow(); + }).toThrow('Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given /not-mnt/foo-bar'); }); test('validate localMountPath length when mounting efs', () => { @@ -2980,7 +2980,7 @@ describe('function', () => { code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`), }); - }).toThrow(); + }).toThrow('Local mount path can not be longer than 160 characters but has 165 characters'); }); test('correct security group is created when deployed in separate stacks', () => { From bf7911dc4d3bfe1b0b50a91b75aa91cff850e3d2 Mon Sep 17 00:00:00 2001 From: exoego Date: Fri, 16 Aug 2024 12:45:43 +0900 Subject: [PATCH 3/3] fix(aws-lambda): skip unresolved token --- .../aws-cdk-lib/aws-lambda/lib/function.ts | 12 ++++--- .../aws-lambda/test/function.test.ts | 33 +++++++++++++++++++ 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index 939a96f29819f..8d282a4e44415 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -913,11 +913,13 @@ export class Function extends FunctionBase { // add additional managed policies when necessary if (props.filesystem) { const config = props.filesystem.config; - if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) { - throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`); - } - if (config.localMountPath.length > 160) { - throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`); + if (!Token.isUnresolved(config.localMountPath)) { + if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) { + throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`); + } + if (config.localMountPath.length > 160) { + throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`); + } } if (config.policies) { config.policies.forEach(p => { diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index 2b56f561b812d..a6d982ddf5bdf 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -2983,6 +2983,39 @@ describe('function', () => { }).toThrow('Local mount path can not be longer than 160 characters but has 165 characters'); }); + test('No error when local mount path is Tokenized and Unresolved', () => { + // GIVEN + const realLocalMountPath = '/not-mnt/foo-bar'; + const tokenizedLocalMountPath = cdk.Token.asString(new cdk.Intrinsic(realLocalMountPath)); + + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, tokenizedLocalMountPath), + }); + }).not.toThrow(); + }); + test('correct security group is created when deployed in separate stacks', () => { const app = new cdk.App();