fix(integ-tests): apply correct IAM policy to waiterProvider (aws#28424)

### Description The following issue describes a bug where the IAM Policy is not correctly set to the calling Lambda when using `invokeFunction` and `waitForAssertions`. Normally, when the `waitForAssertions` method is invoked, the necessary Policy is granted to the `waiterProvider` using the `adPolicyStatementFromSdkCall` method. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L136 In the case of a Lambda function call, the API name and the Action name of the Policy are different (invoke => invokeFunction), so the `addPolicyStatementFromSdkCall` method cannot grant the correct Policy. The `LambdaInvokeFunction` is doing the correct Policy assignment to deal with this in the constructor. https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L247 However, this is not done for the `waiterProvider`, resulting in an access denied error. This PR has been modified so that the correct Policy is granted to `waiterProvider`. fixes aws#27865 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
paulhcsun · Jan 5, 2024 · c02cc02 · c02cc02
1 parent 24cd6ec
commit c02cc02
Show file tree

Hide file tree

Showing 11 changed files with 1,400 additions and 2 deletions.
diff --git a/packages/@aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts b/packages/@aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts
@@ -214,7 +214,7 @@ export interface LambdaInvokeFunctionProps {
 
 /**
  * An AWS Lambda Invoke function API call.
- * Use this istead of the generic AwsApiCall in order to
+ * Use this instead of the generic AwsApiCall in order to
  * invoke a lambda function. This will automatically create
  * the correct permissions to invoke the function
  */
@@ -250,6 +250,20 @@ export class LambdaInvokeFunction extends AwsApiCall {
       arnFormat: ArnFormat.COLON_RESOURCE_NAME,
       resourceName: props.functionName,
     })]);
+
+    // If using `waitForAssertions`, do the same for `waiterProvider` as above.
+    // Aspects are used here because we do not know if the user is using `waitForAssertions` at this point.
+    Aspects.of(this).add({
+      visit(node: IConstruct) {
+        if (node instanceof AwsApiCall && node.waiterProvider) {
+          node.waiterProvider.addPolicyStatementFromSdkCall('Lambda', 'invokeFunction', [stack.formatArn({
+            service: 'lambda',
+            resource: 'function',
+            arnFormat: ArnFormat.COLON_RESOURCE_NAME,
+            resourceName: props.functionName,
+          })]);
+        }
+      },
+    });
   }
 }
-
diff --git a/...function-assertions.js.snapshot/AssertionsTestDefaultTestDeployAssertDC0672BB.assets.json b/...function-assertions.js.snapshot/AssertionsTestDefaultTestDeployAssertDC0672BB.assets.json