From a073e9302dbd4213275e99c86476ab8152af7caf Mon Sep 17 00:00:00 2001 
From: Eli Polonsky Date: Wed, 27 Nov 2024 15:36:37 +0200 Subject: [PATCH 1/2] fix(cli): lambda hotswap fails if `lambda:GetFunctionConfiguration` action is not allowed (#32301) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes https://github.com/aws/aws-cdk/issues/32219 ### Reason for this change In SDKv3, the standard `waitUntilFunctionUpdated` function invokes the `GetFunctionConfiguration` API, as opposed to SDKv2, which invoked `GetFunction`. This means that consumers of SDKv3 must allow the `lambda:GetFunctionConfiguration` action in their IAM role policy. ### Description of changes Use a different waiter function provided by the SDK, which invokes `GetFunction` instead of `GetFunctionConfiguration`, thus restoring the required IAM permissions to what they were in SDKv2. See https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdatedV2.ts#L10 > As opposed to https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdated.ts#L13 ### Description of how you validated changes Manual test. Assumed a role with the following policies: ![Screenshot 2024-11-27 at 9 34 25](https://github.com/user-attachments/assets/69415c37-6fe8-44d3-972c-1373ec55f46e) ```console ❯ cdk deploy --hotswap [09:29:11] ✨ Synthesis time: 2.72s ⚠️ The --hotswap and --hotswap-fallback flags deliberately introduce CloudFormation drift to speed up deployments ⚠️ They should only be used for development - never use them for your production Stacks! AwsCdkPlaygroundStack: deploying... [1/1] ✨ hotswapping resources: ✨ Lambda Function 'AwsCdkPlaygroundStack-Function76856677-7Rl7hiwwO5LQ' ❌ AwsCdkPlaygroundStack failed: TimeoutError: Resource is not in the expected state due to waiter status: TIMEOUT. Waiter has timed out. ``` Then, run the CLI from the PR. 
```console ❯ /Users/epolon/dev/src/github.com/aws/aws-cdk/packages/aws-cdk/bin/cdk deploy --hotswap [10:03:00] ✨ Synthesis time: 3.46s ⚠️ The --hotswap and --hotswap-fallback flags deliberately introduce CloudFormation drift to speed up deployments ⚠️ They should only be used for development - never use them for your production Stacks! AwsCdkPlaygroundStack: deploying... [1/1] ✨ hotswapping resources: ✨ Lambda Function 'AwsCdkPlaygroundStack-Function76856677-7Rl7hiwwO5LQ' ✨ Lambda Function 'AwsCdkPlaygroundStack-Function76856677-7Rl7hiwwO5LQ' hotswapped! ✅ AwsCdkPlaygroundStack ✨ Deployment time: 12.72s Stack ARN: arn:aws:cloudformation:us-east-1:01234567890:stack/AwsCdkPlaygroundStack/22f2b380-a7cd-11ef-badd-0e08a8e0b5b1 ✨ Total time: 16.19s >>> elapsed time 23s ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/aws-cdk/lib/api/aws-auth/sdk.ts | 4 ++-- .../aws-cdk/test/api/hotswap/hotswap-test-setup.ts | 8 +++++--- ...ambda-functions-docker-hotswap-deployments.test.ts | 6 +++--- .../lambda-functions-hotswap-deployments.test.ts | 11 +++++------ 4 files changed, 15 insertions(+), 14 deletions(-) diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts index 9d28ed7958bd6..945b5f4513ad2 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts @@ -246,7 +246,7 @@ import { UpdateFunctionConfigurationCommand, type UpdateFunctionConfigurationCommandInput, type UpdateFunctionConfigurationCommandOutput, - waitUntilFunctionUpdated, + waitUntilFunctionUpdatedV2, } from '@aws-sdk/client-lambda'; import { GetHostedZoneCommand, 
@@ -841,7 +841,7 @@ export class SDK { delaySeconds: number, input: UpdateFunctionConfigurationCommandInput, ): Promise => { - return waitUntilFunctionUpdated( + return waitUntilFunctionUpdatedV2( { client, maxDelay: delaySeconds, diff --git a/packages/aws-cdk/test/api/hotswap/hotswap-test-setup.ts b/packages/aws-cdk/test/api/hotswap/hotswap-test-setup.ts index 8a5020b290170..7fbc2a4ab92d0 100644 --- a/packages/aws-cdk/test/api/hotswap/hotswap-test-setup.ts +++ b/packages/aws-cdk/test/api/hotswap/hotswap-test-setup.ts @@ -1,6 +1,6 @@ import * as cxapi from '@aws-cdk/cx-api'; import { ListStackResourcesCommand, StackResourceSummary, StackStatus } from '@aws-sdk/client-cloudformation'; -import { GetFunctionConfigurationCommand } from '@aws-sdk/client-lambda'; +import { GetFunctionCommand } from '@aws-sdk/client-lambda'; import { ICloudFormationClient, SuccessfulDeployStackResult } from '../../../lib/api'; import { HotswapMode, HotswapPropertyOverrides } from '../../../lib/api/hotswap/common'; import * as deployments from '../../../lib/api/hotswap-deployments'; @@ -109,8 +109,10 @@ export class HotswapMockSdkProvider extends MockSdkProvider { constructor(rootStackName?: string) { super(); - mockLambdaClient.on(GetFunctionConfigurationCommand).resolves({ - LastUpdateStatus: 'Successful', + mockLambdaClient.on(GetFunctionCommand).resolves({ + Configuration: { + LastUpdateStatus: 'Successful', + }, }); mockCloudFormationClient.on(ListStackResourcesCommand).callsFake((input) => { diff --git a/packages/aws-cdk/test/api/hotswap/lambda-functions-docker-hotswap-deployments.test.ts b/packages/aws-cdk/test/api/hotswap/lambda-functions-docker-hotswap-deployments.test.ts index bf42795ae497f..023627a429a04 100644 --- a/packages/aws-cdk/test/api/hotswap/lambda-functions-docker-hotswap-deployments.test.ts +++ b/packages/aws-cdk/test/api/hotswap/lambda-functions-docker-hotswap-deployments.test.ts 
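Review bot: The `waitUntilFunctionUpdatedV2(` call in `SDK` carries no comment recording that the V2 waiter was chosen for its IAM footprint, so a later cleanup could switch back to `waitUntilFunctionUpdated` and reintroduce the `lambda:GetFunctionConfiguration` requirement described in the commit message. I would add above the `return`: `// V2 polls via GetFunction (lambda:GetFunction), not GetFunctionConfiguration; keep it so hotswap roles need no extra IAM action.` The console output in the description also shows that a denied polling call surfaces only as `TimeoutError ... waiter status: TIMEOUT`, and a role lacking `lambda:GetFunction` would presumably fail in the same opaque way, so it is worth catching the waiter error at this call site and naming the required action in the message. For policy authors it is also worth stating in the docs that `GetFunction` returns a presigned download link for the deployment package in addition to the configuration, so the grant is somewhat broader than a configuration-only read. The enclosing arrow function starts and ends outside the hunk.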
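Review bot: Nothing in the `HotswapMockSdkProvider` constructor stub, nor in the renamed expectations in the two hotswap test files, pins the IAM-relevant behaviour this fix is about, namely that polling no longer issues `GetFunctionConfiguration`. Now that the default stub is `mockLambdaClient.on(GetFunctionCommand)`, a test that exercises the real waiter could add `expect(mockLambdaClient).not.toHaveReceivedCommand(GetFunctionConfigurationCommand);` so a regression to the old waiter fails explicitly rather than depending on how the mock treats unstubbed commands. The stub also covers only `LastUpdateStatus: 'Successful'`; a `'Failed'` case would exercise the error path, assuming that is not already covered elsewhere in the suite.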
@@ -1,4 +1,4 @@ -import { UpdateFunctionCodeCommand, waitUntilFunctionUpdated } from '@aws-sdk/client-lambda'; +import { UpdateFunctionCodeCommand, waitUntilFunctionUpdatedV2 } from '@aws-sdk/client-lambda'; import * as setup from './hotswap-test-setup'; import { HotswapMode } from '../../../lib/api/hotswap/common'; import { mockLambdaClient } from '../../util/mock-sdk'; @@ -9,7 +9,7 @@ jest.mock('@aws-sdk/client-lambda', () => { return { ...original, - waitUntilFunctionUpdated: jest.fn(), + waitUntilFunctionUpdatedV2: jest.fn(), }; }); @@ -116,7 +116,7 @@ describe.each([HotswapMode.FALL_BACK, HotswapMode.HOTSWAP_ONLY])('%p mode', (hot await hotswapMockSdkProvider.tryHotswapDeployment(hotswapMode, cdkStackArtifact); // THEN - expect(waitUntilFunctionUpdated).toHaveBeenCalledWith( + expect(waitUntilFunctionUpdatedV2).toHaveBeenCalledWith( expect.objectContaining({ minDelay: 5, maxDelay: 5, diff --git a/packages/aws-cdk/test/api/hotswap/lambda-functions-hotswap-deployments.test.ts b/packages/aws-cdk/test/api/hotswap/lambda-functions-hotswap-deployments.test.ts index a180e89d8d741..cf354a1aaa053 100644 --- a/packages/aws-cdk/test/api/hotswap/lambda-functions-hotswap-deployments.test.ts +++ b/packages/aws-cdk/test/api/hotswap/lambda-functions-hotswap-deployments.test.ts @@ -1,7 +1,7 @@ import { UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, - waitUntilFunctionUpdated, + waitUntilFunctionUpdatedV2, } from '@aws-sdk/client-lambda'; import * as setup from './hotswap-test-setup'; import { HotswapMode } from '../../../lib/api/hotswap/common'; @@ -10,10 +10,9 @@ import { silentTest } from '../../util/silent'; jest.mock('@aws-sdk/client-lambda', () => { const original = jest.requireActual('@aws-sdk/client-lambda'); - return { ...original, - waitUntilFunctionUpdated: jest.fn(), + waitUntilFunctionUpdatedV2: jest.fn(), }; }); 
@@ -617,7 +616,7 @@ describe.each([HotswapMode.FALL_BACK, HotswapMode.HOTSWAP_ONLY])('%p mode', (hot // THEN expect(mockLambdaClient).toHaveReceivedCommand(UpdateFunctionCodeCommand); - expect(waitUntilFunctionUpdated).toHaveBeenCalledWith( + expect(waitUntilFunctionUpdatedV2).toHaveBeenCalledWith( expect.objectContaining({ minDelay: 1, maxDelay: 1, @@ -675,7 +674,7 @@ describe.each([HotswapMode.FALL_BACK, HotswapMode.HOTSWAP_ONLY])('%p mode', (hot await hotswapMockSdkProvider.tryHotswapDeployment(hotswapMode, cdkStackArtifact); // THEN - expect(waitUntilFunctionUpdated).toHaveBeenCalledWith( + expect(waitUntilFunctionUpdatedV2).toHaveBeenCalledWith( expect.objectContaining({ minDelay: 1, maxDelay: 1, @@ -733,7 +732,7 @@ describe.each([HotswapMode.FALL_BACK, HotswapMode.HOTSWAP_ONLY])('%p mode', (hot await hotswapMockSdkProvider.tryHotswapDeployment(hotswapMode, cdkStackArtifact); // THEN - expect(waitUntilFunctionUpdated).toHaveBeenCalledWith( + expect(waitUntilFunctionUpdatedV2).toHaveBeenCalledWith( expect.objectContaining({ minDelay: 5, maxDelay: 5, From 8beaa20e29ab966d1ad6fc87083c4cc2962e851d Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Wed, 27 Nov 2024 15:57:42 +0100 Subject: [PATCH 2/2] chore(release): 2.171.1 --- CHANGELOG.v2.alpha.md | 16 +++++++++------- CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 71e33d6d89bd4..9682da4675bda 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md 
@@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.171.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.171.0-alpha.0...v2.171.1-alpha.0) (2024-11-27) + ## [2.171.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.170.0-alpha.0...v2.171.0-alpha.0) (2024-11-25) ## [2.170.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.169.0-alpha.0...v2.170.0-alpha.0) (2024-11-22) @@ -80,7 +82,7 @@ All notable changes to this project will be documented in this file. See [standa ### Bug Fixes -* **location:** remove base class from PlaceIndex class ([#31287](https://github.com/aws/aws-cdk/issues/31287)) ([bc67866](https://github.com/aws/aws-cdk/commit/bc67866f579c401556d427eb150bcd118d69bd17)), closes [#30711](https://github.com/aws/aws-cdk/issues/30711) [#30682](https://github.com/aws/aws-cdk/issues/30682) +* **location:** remove base class from PlaceIndex class ([#31287](https://github.com/aws/aws-cdk/issues/31287)) ([bc67866](https://github.com/aws/aws-cdk/commit/bc67866f579c401556d427eb150bcd118d69bd17)), closes [#30711](https://github.com/aws/aws-cdk/issues/30711) [#30682](https://github.com/aws/aws-cdk/issues/30682) * **scheduler-alpha:** scheduler input always get transformed to string with extra double quotes ([#31894](https://github.com/aws/aws-cdk/issues/31894)) ([186b8ab](https://github.com/aws/aws-cdk/commit/186b8abfab8452b31cba13b56998242f63c43159)) * **scheduler-alpha:** too many KMS permissions granted ([#31923](https://github.com/aws/aws-cdk/issues/31923)) ([06678a3](https://github.com/aws/aws-cdk/commit/06678a39e029582af14c8b021f946b9ce9cac9be)), closes [#31785](https://github.com/aws/aws-cdk/issues/31785) 
@@ -148,10 +150,10 @@ All notable changes to this project will be documented in this file. See [standa ### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES -* **kinesisfirehose-destinations:** the `logging` and `logGroup` properties in `DestinationLoggingProps` have been removed and replaced with a single optional property `loggingConfig` which accepts a class of type `LoggingConfig`. +* **kinesisfirehose-destinations:** the `logging` and `logGroup` properties in `DestinationLoggingProps` have been removed and replaced with a single optional property `loggingConfig` which accepts a class of type `LoggingConfig`. #### Details -Combine the `logging` and `logGroup` properties into a single new optional property called `loggingConfig` which accepts a class of type `LoggingConfig`. +Combine the `logging` and `logGroup` properties into a single new optional property called `loggingConfig` which accepts a class of type `LoggingConfig`. `LoggingConfig` is an abstract class which can be instantiated through either an instance of `EnableLogging` or `DisableLogging` which can be used in the following 3 ways: @@ -222,7 +224,7 @@ unit + integ test ### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES -* **kinesisfirehose-alpha:** `encryptionKey` property is removed and `encryption` property type has changed from the `StreamEncryption` enum to the `StreamEncryption` class. +* **kinesisfirehose-alpha:** `encryptionKey` property is removed and `encryption` property type has changed from the `StreamEncryption` enum to the `StreamEncryption` class. To pass in a KMS key for the customer managed key case, use `StreamEncryption.customerManagedKey(key)` 
@@ -234,12 +236,12 @@ StreamEncryption.awsOwnedKey() StreamEncryption.customerManagedKey(key?: IKey) ``` -This makes it so it's not longer possible to pass in a key when the encryption type is AWS owned or unencrypted. The `key` is an optional parameter in `StreamEncryption.customerManagedKey(key?: IKey)` so following the previous behaviour, if a key is provided it will be used, otherwise a key will be created for the user. +This makes it so it's not longer possible to pass in a key when the encryption type is AWS owned or unencrypted. The `key` is an optional parameter in `StreamEncryption.customerManagedKey(key?: IKey)` so following the previous behaviour, if a key is provided it will be used, otherwise a key will be created for the user. ### Description of how you validated changes -Generated templates do not change so behaviour remains the same. +Generated templates do not change so behaviour remains the same. -Updated integ/unit tests. +Updated integ/unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 322437a6e0eb4..42cf512a04cd9 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.171.1](https://github.com/aws/aws-cdk/compare/v2.171.0...v2.171.1) (2024-11-27) + + +### Bug Fixes + +* **cli:** lambda hotswap fails if `lambda:GetFunctionConfiguration` action is not allowed ([#32301](https://github.com/aws/aws-cdk/issues/32301)) ([a073e93](https://github.com/aws/aws-cdk/commit/a073e9302dbd4213275e99c86476ab8152af7caf)), closes [/github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdatedV2.ts#L10](https://github.com/aws//github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdatedV2.ts/issues/L10) [/github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdated.ts#L13](https://github.com/aws//github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/src/waiters/waitForFunctionUpdated.ts/issues/L13) + ## [2.171.0](https://github.com/aws/aws-cdk/compare/v2.170.0...v2.171.0) (2024-11-25) diff --git a/version.v2.json b/version.v2.json index e910410b729ed..841a865f4d1b3 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.171.0", - "alphaVersion": "2.171.0-alpha.0" + "version": "2.171.1", + "alphaVersion": "2.171.1-alpha.0" } \ No newline at end of file