Support resource suffix for Lambda function names (#256)

aws-samples · Dec 5, 2023 · 8da3334 · 8da3334
1 parent 1293b9e
commit 8da3334
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 63 deletions.
diff --git a/example-serverless-app-reuse/reuse-auth-only.yaml b/example-serverless-app-reuse/reuse-auth-only.yaml
@@ -32,7 +32,7 @@ Parameters:
   SemanticVersion:
     Type: String
     Description: Semantic version of the back end
-    Default: 2.1.8
+    Default: 2.1.9
 
   HttpHeaders:
     Type: String

diff --git a/example-serverless-app-reuse/reuse-complete-cdk.ts b/example-serverless-app-reuse/reuse-complete-cdk.ts
@@ -19,7 +19,7 @@ const authAtEdge = new sam.CfnApplication(stack, "AuthorizationAtEdge", {
   location: {
     applicationId:
       "arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge",
-    semanticVersion: "2.1.8",
+    semanticVersion: "2.1.9",
   },
   parameters: {
     EmailAddress: "[email protected]",

diff --git a/example-serverless-app-reuse/reuse-complete.yaml b/example-serverless-app-reuse/reuse-complete.yaml
@@ -12,7 +12,7 @@ Resources:
     Properties:
       Location:
         ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
-        SemanticVersion: 2.1.8
+        SemanticVersion: 2.1.9
   AlanTuring:
     Type: AWS::Cognito::UserPoolUser
     Properties:

diff --git a/example-serverless-app-reuse/reuse-with-existing-user-pool.yaml b/example-serverless-app-reuse/reuse-with-existing-user-pool.yaml
@@ -75,7 +75,7 @@ Resources:
     Properties:
       Location:
         ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
-        SemanticVersion: 2.1.8
+        SemanticVersion: 2.1.9
       Parameters:
         UserPoolArn: !GetAtt UserPool.Arn
         UserPoolClientId: !Ref UserPoolClient

diff --git a/src/cfn-custom-resources/us-east-1-lambda-stack/index.ts b/src/cfn-custom-resources/us-east-1-lambda-stack/index.ts
@@ -174,7 +174,8 @@ async function ensureUsEast1LambdaStack(props: {
         ([key, lambdaArn]) =>
           key.toLowerCase().startsWith(lambdaName.toLowerCase()) && !!lambdaArn
       );
-      if (!lambdaProperty) {
+      const lambdaArn = lambdaProperty && lambdaProperty[1];
+      if (!lambdaArn) {
         console.log(
           `Couldn't locate ARN for lambda ${lambdaName} in input properties: ${JSON.stringify(
             props,
@@ -187,14 +188,17 @@ async function ensureUsEast1LambdaStack(props: {
       // Copy the Lambda code to us-east-1, and set that location in the new CloudFormation template
       const lambdaResource = parsedOriginalTemplate.Resources[lambdaName]!;
       return copyLambdaCodeToUsEast1({
-        lambdaArn: lambdaProperty[1]!,
+        lambdaArn,
         toBucket: deploymentBucket,
         key: lambdaResource.Properties.Code.S3Key,
       }).then(() => {
         const updatedLambdaResource: CfnLambdaResource = lambdaResource;
         updatedLambdaResource.Properties.Code.S3Bucket = deploymentBucket;
         delete updatedLambdaResource.Condition;
         updatedLambdaResource.Properties.Role = props.lambdaRoleArn;
+        updatedLambdaResource.Properties.FunctionName = lambdaArn
+          .split(":")
+          .pop();
         templateForUsEast1.Resources[lambdaName] = updatedLambdaResource;
         templateForUsEast1.Outputs[lambdaName] = {
           Value: {

diff --git a/template.yaml b/template.yaml
@@ -27,7 +27,7 @@ Metadata:
         "amplify",
       ]
     HomePageUrl: https://github.com/aws-samples/cloudfront-authorization-at-edge
-    SemanticVersion: 2.1.8
+    SemanticVersion: 2.1.9
     SourceCodeUrl: https://github.com/aws-samples/cloudfront-authorization-at-edge
 
 Parameters:
@@ -150,7 +150,7 @@ Parameters:
   Version:
     Type: String
     Description: "Changing this parameter after initial deployment forces redeployment of Lambda@Edge functions"
-    Default: "2.1.8"
+    Default: "2.1.9"
   LogLevel:
     Type: String
     Description: "Use for development: setting to a value other than none turns on logging at that level. Warning! This will log sensitive data, use for development only"
@@ -214,7 +214,7 @@ Parameters:
     Type: String
     Default: ""
   ResourceSuffix:
-    Description: The lambda suffix to use, will be common to lambdas and logs
+    Description: The suffix to use for Lambda function names. Use this to disambiguate between multiple deployments of this application
     Type: String
     Default: ""
 
@@ -273,7 +273,7 @@ Conditions:
     - !Equals [!Ref CreateCloudFrontDistribution, "true"]
     - !Equals [!Ref CustomOriginDomainName, ""]
   UseWAF: !Not [!Equals [!Ref WebACLId, ""]]
-  UseResourceSuffix: !Not [!Equals [!Ref ResourceSuffix, ""]] # Use "" as default value for ResourceSuffix
+  UseResourceSuffix: !Not [!Equals [!Ref ResourceSuffix, ""]]
   DefaultRootObjectProvided: !Not [!Equals [!Ref DefaultRootObject, ""]]
   CloudFrontAccessLogsBucketProvided:
     !Not [!Equals [!Ref CloudFrontAccessLogsBucket, ""]]
@@ -310,93 +310,76 @@ Resources:
 
   CheckAuthHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-      !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["CheckAuthHandler", !Ref: "ResourceSuffix"]
-        - AWS::NoValue
     Properties:
       CodeUri: src/lambda-edge/check-auth/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "CheckAuthHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   ParseAuthHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-      !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["ParseAuthHandler", !Ref: "ResourceSuffix"]
-        - AWS::NoValue
     Properties:
       CodeUri: src/lambda-edge/parse-auth/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "ParseAuthHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   RefreshAuthHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-     !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["RefreshAuthHandler", !Ref: "ResourceSuffix"]
-        - AWS::NoValue
     Properties:
       CodeUri: src/lambda-edge/refresh-auth/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "RefreshAuthHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   HttpHeadersHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-     !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["HttpHeadersHandler", !Ref: "ResourceSuffix"]
-        - AWS::NoValue
     Properties:
       CodeUri: src/lambda-edge/http-headers/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "HttpHeadersHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   SignOutHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-     !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["SignOutHandler", !Ref: "ResourceSuffix"]
-        - AWS::NoValue
     Properties:
       CodeUri: src/lambda-edge/sign-out/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "SignOutHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   TrailingSlashHandler:
     Type: AWS::Serverless::Function
-    FunctionName:
-     !If
-        - UseResourceSuffix
-        - Fn::Join:
-            - ""
-            - ["TrailingSlashHandler", !Ref: "ResourceSuffix"]
     Condition: RewritePathWithTrailingSlashToIndex
     Properties:
       CodeUri: src/lambda-edge/rewrite-trailing-slash/
       Handler: bundle.handler
       Role: !GetAtt LambdaEdgeExecutionRole.Arn
       Timeout: 5
+      FunctionName: !If
+        - UseResourceSuffix
+        - !Sub "TrailingSlashHandler-${ResourceSuffix}"
+        - !Ref AWS::NoValue
 
   LambdaEdgeExecutionRole:
     Type: AWS::IAM::Role
@@ -494,12 +477,12 @@ Resources:
                 - lambda:TagResource
                 - lambda:ListTags
               Resource:
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-CheckAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-ParseAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-RefreshAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-SignOutHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-HttpHeadersHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-TrailingSlashHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*CheckAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*ParseAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*RefreshAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*SignOutHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*HttpHeadersHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*TrailingSlashHandler-*"
             - Effect: Allow
               Action: iam:PassRole
               Resource: !GetAtt LambdaEdgeExecutionRole.Arn
@@ -1201,12 +1184,12 @@ Resources:
                 - lambda:GetFunctionConfiguration
                 - lambda:UpdateFunctionCode
               Resource:
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-CheckAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-ParseAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-RefreshAuthHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-SignOutHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-HttpHeadersHandler-*"
-                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*-TrailingSlashHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*CheckAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*ParseAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*RefreshAuthHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*SignOutHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*HttpHeadersHandler-*"
+                - !Sub "arn:${AWS::Partition}:lambda:us-east-1:${AWS::AccountId}:function:*TrailingSlashHandler-*"
 
   NonceSigningSecret:
     Type: Custom::NonceSigningSecret