Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(cognito): permissions for lambda triggers are created in the lambda's scope instead of the user pool's scope #22315

Closed
abrgr opened this issue Sep 30, 2022 · 4 comments · Fixed by #22444
Closed

(cognito): permissions for lambda triggers are created in the lambda's scope instead of the user pool's scope #22315

abrgr opened this issue Sep 30, 2022 · 4 comments · Fixed by #22444
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@abrgr
Copy link

abrgr commented Sep 30, 2022

Describe the bug

If you create a lambda in stack A and then use that lambda as a cognito UserPool trigger in stack B, you will get a circular reference error.

The problem stems from the fact that, when the UserPool calls fn.addPermission from UserPool.prototype.addLambdaPermission, it does not pass a scope on the permission. FunctionBase.prototype.addPermission uses the function's scope if no scope is present on the permission.

Expected Behavior

The permission should be added in the UserPool's scope, not in the lambda function's scope. If the scopes differ, adding the permission in the UserPool's scope guarantees a circular reference error.

Current Behavior

A circular reference is created because the permission is added in the IFunction's scope instead of the UserPool's scope.

Reproduction Steps

  1. Create stack A with a lambda function, func
  2. Create stack B with a UserPool, passing func as a lambda trigger
  3. Notice that you get a circular reference error

Possible Solution

In

aws-cdk/packages/@aws-cdk/aws-cognito/lib/user-pool.ts

Line 978 in e2deca0

private addLambdaPermission(fn: lambda.IFunction, name: string): void {
, pass scope as a field on the permission passed to addLambdaPermission.

Desired code:

  private addLambdaPermission(fn: lambda.IFunction, name: string): void {
    const capitalize = name.charAt(0).toUpperCase() + name.slice(1);
    fn.addPermission(`${capitalize}Cognito`, {
      principal: new ServicePrincipal('cognito-idp.amazonaws.com'),
      sourceArn: Lazy.string({ produce: () => this.userPoolArn }),
      scope: this // <--- this is the new line
    });
  }

Additional Information/Context

No response

CDK CLI Version

8.15.0

Framework Version

No response

Node.js Version

v16.17.0

OS

linux

Language

Typescript

Language Version

No response

Other information

No response
@abrgr abrgr added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 30, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Sep 30, 2022
@kaizencc kaizencc changed the title aws-cdk-lib/aws-cognito: permissions for lambda triggers are created in the lambda's scope instead of the user pool's scope (cognito): permissions for lambda triggers are created in the lambda's scope instead of the user pool's scope Oct 3, 2022
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Oct 3, 2022
@kaizencc kaizencc added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2022
@kaizencc kaizencc removed the @aws-cdk/aws-lambda Related to AWS Lambda label Oct 3, 2022
@kaizencc
Copy link
Contributor

kaizencc commented Oct 3, 2022

hi @abrgr, thanks for letting us know! Are you interested in picking this up? Would need a few tests in addition to the 1 line change to ensure that its all working smoothly.

@kaizencc kaizencc added the good first issue Related to contributions. See CONTRIBUTING.md label Oct 3, 2022
@abrgr
Copy link
Author

abrgr commented Oct 4, 2022
edited
Loading

Happy to put up a PR. Just wanted to make sure that you're in agreement that the permission should be created in the UserPool's scope before I put up the change. It sounds like you're aligned with that?

This was referenced Oct 11, 2022
Closed
Merged
@mergify mergify bot closed this as completed in #22444 Oct 19, 2022
mergify bot pushed a commit that referenced this issue Oct 19, 2022
@jogold
fix(cognito): cannot use same lambda function as trigger in multiple …

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
b26fc00 
…user pools (#22444)

Create the permission in the scope of the user pool 
instead of the lambda function.

Integ tests contain destructive changes for the permissions because
of the new logical IDs. This should not cause any downtime since the new permission is created first.

Fixes #22315


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@abrgr
Copy link
Author

abrgr commented Oct 19, 2022

Thanks @jogold!

mrgrain pushed a commit to mrgrain/aws-cdk that referenced this issue Oct 24, 2022
@jogold @mrgrain
fix(cognito): cannot use same lambda function as trigger in multiple …
282cc87 
…user pools (aws#22444)

Create the permission in the scope of the user pool 
instead of the lambda function.

Integ tests contain destructive changes for the permissions because
of the new logical IDs. This should not cause any downtime since the new permission is created first.

Fixes aws#22315


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cognito): cannot use same lambda function as trigger in multiple user pools jogold/aws-cdk
3 participants
@abrgr @kaizencc @corymhall