fix(aws-cognito): Lambda::Permission of lambdaTrigger should have a SourceArn (#19622)

Tietew · web-flow · commit c62eeb7162d8 · 2022-03-31T16:28:34.000Z
Fixes #19604 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `cdk-integ` to deploy the infrastructure and generate the snapshot (i.e. `cdk-integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool.ts
@@ -936,7 +936,7 @@ export class UserPool extends UserPoolBase {
     const capitalize = name.charAt(0).toUpperCase() + name.slice(1);
     fn.addPermission(`${capitalize}Cognito`, {
       principal: new ServicePrincipal('cognito-idp.amazonaws.com'),
-      sourceArn: this.userPoolArn,
+      sourceArn: Lazy.string({ produce: () => this.userPoolArn }),
     });
   }
 
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-custom-sender.expected.json
@@ -60,7 +60,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "pool056F3F7E",
+            "Arn"
+          ]
+        }
       }
     },
     "keyFEDD6EC0": {
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-explicit-props.expected.json
@@ -61,7 +61,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "customMessageServiceRoleB4AE7F17": {
@@ -125,7 +131,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "defineAuthChallengeServiceRole9E2D15DF": {
@@ -189,7 +201,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "postAuthenticationServiceRole5B3B242A": {
@@ -253,7 +271,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "postConfirmationServiceRole864BE5F9": {
@@ -317,7 +341,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preAuthenticationServiceRole9712F4D8": {
@@ -381,7 +411,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preSignUpServiceRole0A7E91EB": {
@@ -445,7 +481,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "preTokenGenerationServiceRole430C3D14": {
@@ -509,7 +551,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "userMigrationServiceRole091766B0": {
@@ -573,7 +621,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "verifyAuthChallengeResponseServiceRole7077884C": {
@@ -637,7 +691,13 @@
             "Arn"
           ]
         },
-        "Principal": "cognito-idp.amazonaws.com"
+        "Principal": "cognito-idp.amazonaws.com",
+        "SourceArn": {
+          "Fn::GetAtt": [
+            "myuserpool01998219",
+            "Arn"
+          ]
+        }
       }
     },
     "myuserpoolsmsRole0E16FDD9": {
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool.test.ts
@@ -335,7 +335,7 @@ describe('User Pool', () => {
     const fn = fooFunction(stack, 'preSignUp');
 
     // WHEN
-    new UserPool(stack, 'Pool', {
+    const pool = new UserPool(stack, 'Pool', {
       lambdaTriggers: {
         preSignUp: fn,
       },
@@ -351,6 +351,7 @@ describe('User Pool', () => {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(fn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
   });
 
@@ -362,7 +363,7 @@ describe('User Pool', () => {
     const smsFn = fooFunction(stack, 'customSmsSender');
 
     // WHEN
-    new UserPool(stack, 'Pool', {
+    const pool = new UserPool(stack, 'Pool', {
       customSenderKmsKey: kmsKey,
       lambdaTriggers: {
         customEmailSender: emailFn,
@@ -387,11 +388,13 @@ describe('User Pool', () => {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(emailFn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
     Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
       Action: 'lambda:InvokeFunction',
       FunctionName: stack.resolve(smsFn.functionArn),
       Principal: 'cognito-idp.amazonaws.com',
+      SourceArn: stack.resolve(pool.userPoolArn),
     });
   });
 
@@ -479,6 +482,7 @@ describe('User Pool', () => {
         Action: 'lambda:InvokeFunction',
         FunctionName: stack.resolve(fn.functionArn),
         Principal: 'cognito-idp.amazonaws.com',
+        SourceArn: stack.resolve(pool.userPoolArn),
       });
     });
   });
@@ -1760,4 +1764,4 @@ function fooFunction(scope: Construct, name: string): lambda.IFunction {
 
 function fooKey(scope: Construct, name: string): kms.Key {
   return new kms.Key(scope, name);
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -936,7 +936,7 @@ export class UserPool extends UserPoolBase {`
`936`	`936`	`const capitalize = name.charAt(0).toUpperCase() + name.slice(1);`
`937`	`937`	fn.addPermission(`${capitalize}Cognito`, {
`938`	`938`	`principal: new ServicePrincipal('cognito-idp.amazonaws.com'),`
`939`		`- sourceArn: this.userPoolArn,`
	`939`	`+ sourceArn: Lazy.string({ produce: () => this.userPoolArn }),`
`940`	`940`	`});`
`941`	`941`	`}`
`942`	`942`