diff --git a/lib/plugins/aws/package/compile/events/cloudFront/index.js b/lib/plugins/aws/package/compile/events/cloudFront/index.js
index f12b08dce..241a4b467 100644
--- a/lib/plugins/aws/package/compile/events/cloudFront/index.js
+++ b/lib/plugins/aws/package/compile/events/cloudFront/index.js
@@ -105,7 +105,7 @@ class AwsCompileCloudFrontEvents {
 lambdaAtEdgeFunctions.push(_.merge({ cloudFront: { origin, behavior } },
- functionObj));
+ functionObj, { functionName, lambdaVersionLogicalId }));
 }
 });
 }
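Review bot: The two keys added in `+ functionObj, { functionName, lambdaVersionLogicalId }));` exist only so the permission builder later in this file can read `lambdaAtEdgeFunction.functionName` and `lambdaAtEdgeFunction.lambdaVersionLogicalId`, yet nothing at the push site records that contract, so a future rename of either key would presumably surface only as an empty `Ref` in the generated permission resource. A one-line comment above the push would pin it: `// functionName/lambdaVersionLogicalId are read when the edgelambda invoke permission is built`. Because `_.merge` writes into the fresh literal passed as its first argument, the service's own functionObj is not mutated here, which is worth preserving. Both identifiers and the enclosing forEach callback are defined above the hunk, outside its visible lines.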
@@ -113,20 +113,106 @@ class AwsCompileCloudFrontEvents {
 if (lambdaAtEdgeFunctions.length > 0) {
 if (this.provider.getRegion() !== 'us-east-1') {
- throw new Error('CloudFront triggered functions has to be deployed to the us-east-1 region.');
+ throw new
+ Error('CloudFront associated functions have to be deployed to the us-east-1 region.');
 }
- Resources
+ const lambdaInvokePermissions = lambdaAtEdgeFunctions.reduce((permissions, lambdaAtEdgeFunction) => {
+ const logicalId = this.provider.naming.getLambdaLogicalId(lambdaAtEdgeFunction.functionName);
+ // @todo fix naming
+ const invokePermissionName = logicalId+'InvokePermission';
+ const invokePermission = {
+ Type: 'AWS::Lambda::Permission',
+ Properties: {
+ FunctionName: {
+ Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
+ },
+ Action: 'lambda:InvokeFunction',
+ Principal: 'edgelambda.amazonaws.com',
+ SourceArn: {
+ 'Fn::Join': [
+ '',
+ ['', 'arn:aws:cloudfront::',
+ { Ref: 'AWS::AccountId' },
+ ':distribution/',
+ { Ref: this.provider.naming.getCloudFrontDistributionLogicalId() }],
+ ],
+ },
+ },
+ };
+ // cloudfront handles replication permissions automatically?
+ // const replicatorPermissionName = logicalId+'ReplicatorPermission';
+ // const replicatorPermission = {
+ // Type: 'AWS::Lambda::Permission',
+ // Properties: {
+ // Action: 'lambda:GetFunction',
+ // FunctionName: {
+ // Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
+ // // 'Fn::GetAtt': [
+ // // logicalId,
+ // // 'Arn',
+ // // ],
+ // },
+ // Principal: 'replicator.lambda.amazonaws.com',
+ // // SourceAccount: {
+ // // Ref: 'AWS::AccountId',
+ // // },
+ // SourceArn: {
+ // 'Fn::Join': [
+ // '',
+ // ['', 'arn:aws:cloudfront::',
+ // { Ref: 'AWS::AccountId' },
+ // ':distribution/',
+ // { Ref: this.provider.naming.getCloudFrontDistributionLogicalId() }],
+ // ],
+ // },
+ // },
+ // };
+
+ // const replicatorStatement = {
+ // Sid: 'replicatorLambdaAtEdge',
+ // Action: 'lambda:GetFunction',
+ // Principal: { Service: 'replicator.lambda.amazonaws.com' },
+ // Resource: {
+ // Ref: lambdaAtEdgeFunction.lambdaVersionLogicalId,
+ // },
+ // };
+
+ // const policy = {
+ // Type: 'AWS::IAM::Policy',
+ // Properties: {
+ // PolicyName: 'lambdaAtEdgePolicy',
+ // PolicyDocument: {
+ // Version: '2012-10-17',
+ // Statement: [
+ // replicatorStatement,
+ // ],
+ // },
+ // Roles: [
+ // { Ref: this.provider.naming.getRoleLogicalId() },
+ // ],
+ // },
+ // };
+
+ return Object.assign(permissions, {
+ [invokePermissionName]: invokePermission,
+ });
+ }, {});
+
+ _.merge(Resources, lambdaInvokePermissions);
+
+ const lambdaAssumeStatement = _.find(Resources
 .IamRoleLambdaExecution
 .Properties
 .AssumeRolePolicyDocument
- .Statement.push({
- Effect: 'Allow',
- Principal: {
- Service: ['edgelambda.amazonaws.com'],
- },
- Action: ['sts:AssumeRole'],
- });
+ .Statement, statement =>
+ _.includes(statement.Principal.Service, 'lambda.amazonaws.com'));
+
+ if (typeof lambdaAssumeStatement !== 'undefined') {
+ lambdaAssumeStatement.Principal.Service.push('edgelambda.amazonaws.com');
+ }
+
+ console.log('IF NOT ROLE ALERT!');
 const CacheBehaviors =
lambdaAtEdgeFunctions