From cf271f500ee39ba3d36f7c18bdcb66b9a0b67211 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?TATSUNO=20=E2=80=9CTaz=E2=80=9D=20Yasuhiro?= Date: Sat, 17 Aug 2024 12:08:53 +0900 Subject: [PATCH] fix(lambda): validate localMountPath format and length (#31019) ### Issue # (if applicable) Closes https://github.com/aws/aws-cdk/issues/17526 ### Reason for this change Show user-friendly error message faster (before deployment) ### Description of changes Added format and length validation according to [AWS::Lambda::Function FileSystemConfig document](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-filesystemconfig.html#cfn-lambda-function-filesystemconfig-localmountpath) ![image](https://github.com/user-attachments/assets/5296cef5-9b33-4ddc-bfc2-8e6fac00dc66) ### Description of how you validated changes - Added unit test - No integration test because I think it is overkill ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-lib/aws-lambda/lib/function.ts | 8 ++ .../aws-lambda/test/function.test.ts | 93 +++++++++++++++++++ 2 files changed, 101 insertions(+) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index 1d39d596087d4..6fab7f359084e 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -935,6 +935,14 @@ export class Function extends FunctionBase { // add additional managed policies when necessary if (props.filesystem) { const config = props.filesystem.config; + if (!Token.isUnresolved(config.localMountPath)) { + if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) { + throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`); + } + if (config.localMountPath.length > 160) { + throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`); + } + } if (config.policies) { config.policies.forEach(p => { this.role?.addToPrincipalPolicy(p); diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index 13e40d01d576a..0ce4ea8b47517 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -2923,6 +2923,99 @@ describe('function', () => { }); }); + test('validate localMountPath format when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'), + }); + }).toThrow('Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given /not-mnt/foo-bar'); + }); + + test('validate localMountPath length when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`), + }); + }).toThrow('Local mount path can not be longer than 160 characters but has 165 characters'); + }); + + test('No error when local mount path is Tokenized and Unresolved', () => { + // GIVEN + const realLocalMountPath = '/not-mnt/foo-bar'; + const tokenizedLocalMountPath = cdk.Token.asString(new cdk.Intrinsic(realLocalMountPath)); + + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, tokenizedLocalMountPath), + }); + }).not.toThrow(); + }); + test('correct security group is created when deployed in separate stacks', () => { const app = new cdk.App();