Skip to content

Commit

Permalink
fix(lambda): validate localMountPath format and length (#31019)
Browse files Browse the repository at this point in the history
### Issue # (if applicable)

Closes #17526

### Reason for this change

Show user-friendly error message faster (before deployment)


### Description of changes

Added format and length validation according to [AWS::Lambda::Function FileSystemConfig document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath)

![image](https://github.com/user-attachments/assets/5296cef5-9b33-4ddc-bfc2-8e6fac00dc66)


### Description of how you validated changes

- Added unit test
- No integration test because I think it is overkill


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
exoego authored and GavinZZ committed Aug 20, 2024
1 parent d6a75d7 commit cf271f5
Show file tree
Hide file tree
Showing 2 changed files with 101 additions and 0 deletions.
8 changes: 8 additions & 0 deletions packages/aws-cdk-lib/aws-lambda/lib/function.ts
Original file line number Diff line number Diff line change
Expand Up @@ -935,6 +935,14 @@ export class Function extends FunctionBase {
// add additional managed policies when necessary
if (props.filesystem) {
const config = props.filesystem.config;
if (!Token.isUnresolved(config.localMountPath)) {
if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) {
throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`);
}
if (config.localMountPath.length > 160) {
throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`);
}
}
if (config.policies) {
config.policies.forEach(p => {
this.role?.addToPrincipalPolicy(p);
Expand Down
93 changes: 93 additions & 0 deletions packages/aws-cdk-lib/aws-lambda/test/function.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2923,6 +2923,99 @@ describe('function', () => {
});
});

test('validate localMountPath format when mounting efs', () => {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', {
vpc,
allowAllOutbound: false,
});

const fs = new efs.FileSystem(stack, 'Efs', {
vpc,
});
const accessPoint = fs.addAccessPoint('AccessPoint');

// THEN
expect(() => {
new lambda.Function(stack, 'MyFunction', {
vpc,
handler: 'foo',
securityGroups: [securityGroup],
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'),
});
}).toThrow('Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given /not-mnt/foo-bar');
});

test('validate localMountPath length when mounting efs', () => {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', {
vpc,
allowAllOutbound: false,
});

const fs = new efs.FileSystem(stack, 'Efs', {
vpc,
});
const accessPoint = fs.addAccessPoint('AccessPoint');

// THEN
expect(() => {
new lambda.Function(stack, 'MyFunction', {
vpc,
handler: 'foo',
securityGroups: [securityGroup],
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`),
});
}).toThrow('Local mount path can not be longer than 160 characters but has 165 characters');
});

test('No error when local mount path is Tokenized and Unresolved', () => {
// GIVEN
const realLocalMountPath = '/not-mnt/foo-bar';
const tokenizedLocalMountPath = cdk.Token.asString(new cdk.Intrinsic(realLocalMountPath));

const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc', {
maxAzs: 3,
natGateways: 1,
});
const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', {
vpc,
allowAllOutbound: false,
});

const fs = new efs.FileSystem(stack, 'Efs', {
vpc,
});
const accessPoint = fs.addAccessPoint('AccessPoint');

// THEN
expect(() => {
new lambda.Function(stack, 'MyFunction', {
vpc,
handler: 'foo',
securityGroups: [securityGroup],
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, tokenizedLocalMountPath),
});
}).not.toThrow();
});

test('correct security group is created when deployed in separate stacks', () => {
const app = new cdk.App();

Expand Down

0 comments on commit cf271f5

Please sign in to comment.