test

Author: roger-zhangg

.cfnlintrc.yaml

@@ -1,6 +1,9 @@
 templates:
   - tests/translator/output/**/*.json
 ignore_templates:
+  - tests/translator/output/**/function_with_function_url_config.json
+  - tests/translator/output/**/function_with_function_url_config_and_autopublishalias.json
+  - tests/translator/output/**/function_with_function_url_config_without_cors_config.json
   - tests/translator/output/**/error_*.json # Fail by design
   - tests/translator/output/**/api_http_paths_with_if_condition.json
   - tests/translator/output/**/api_http_paths_with_if_condition_no_value_else_case.json

samtranslator/model/__init__.py

@@ -345,7 +345,7 @@ def validate_properties_and_return_model(self, cls: Type[RT]) -> RT:
         """
         try:
             return cls.parse_obj(self._generate_resource_dict()["Properties"])
-        except pydantic.error_wrappers.ValidationError as e:
+        except pydantic.error_wrappers.ValidationError as e:  # type: ignore
             error_properties: str = ""
             with suppress(KeyError):
                 error_properties = ".".join(str(x) for x in e.errors()[0]["loc"])

samtranslator/model/sam_resources.py

@@ -132,8 +132,6 @@
 from .tags.resource_tagging import get_tag_list
 
 _CONDITION_CHAR_LIMIT = 255
-FUNCTION_URL_PUBLIC_PERMISSION_ACTION = "lambda:InvokeFunctionUrl"
-FUNCTION_INVOKE_PERMISSION_ACTION = "lambda:InvokeFunction"
 
 
 class SamFunction(SamResourceMacro):
@@ -322,8 +320,13 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
         if self.FunctionUrlConfig:
             lambda_url = self._construct_function_url(lambda_function, lambda_alias, self.FunctionUrlConfig)
             resources.append(lambda_url)
-            url_permissions = self._construct_url_permissions(lambda_function, lambda_alias, self.FunctionUrlConfig)
-            resources.extend(url_permissions)
+            url_permission = self._construct_url_permission(lambda_function, lambda_alias, self.FunctionUrlConfig)
+            invoke_dual_auth_permission = self._construct_invoke_dual_auth_permission(
+                lambda_function, lambda_alias, self.FunctionUrlConfig
+            )
+            if url_permission and invoke_dual_auth_permission:
+                resources.append(url_permission)
+                resources.append(invoke_dual_auth_permission)
 
         self._validate_deployment_preference_and_add_update_policy(
             kwargs.get("deployment_preference_collection", None),
@@ -1198,11 +1201,11 @@ def _validate_cors_config_parameter(
                     "{} must be of type {}.".format(prop_name, str(prop_type).split("'")[1]),
                 )
 
-    def _construct_url_permissions(
+    def _construct_url_permission(
         self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
-    ) -> List[LambdaPermission]:
+    ) -> Optional[LambdaPermission]:
         """
-        Construct the lambda permissions associated with the function url resource in a case
+        Construct the lambda permission associated with the function url resource in a case
         for public access when AuthType is NONE
 
         Parameters
@@ -1215,45 +1218,62 @@ def _construct_url_permissions(
 
         Returns
         -------
-        List[LambdaPermission]
-            The lambda permission appended to a function url resource with public access and the
-            Permission to invoke the function in general.
+        LambdaPermission
+            The lambda permission appended to a function url resource with public access
         """
         auth_type = function_url_config.get("AuthType")
 
         if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
-            return []
-
-        url_public_permission_logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
+            return None
 
+        logical_id = f"{lambda_function.logical_id}UrlPublicPermissions"
         lambda_permission_attributes = self.get_passthrough_resource_attributes()
-
-        lambda_url_public_permission = LambdaPermission(
-            logical_id=url_public_permission_logical_id, attributes=lambda_permission_attributes
-        )
-        lambda_url_public_permission.Action = FUNCTION_URL_PUBLIC_PERMISSION_ACTION
-        lambda_url_public_permission.Principal = "*"
-        lambda_url_public_permission.FunctionName = (
+        lambda_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
+        lambda_permission.Action = "lambda:InvokeFunctionUrl"
+        lambda_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-        lambda_url_public_permission.FunctionUrlAuthType = auth_type
+        lambda_permission.Principal = "*"
+        lambda_permission.FunctionUrlAuthType = auth_type
+        return lambda_permission
 
-        url_invoke_permission_logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
+    def _construct_invoke_dual_auth_permission(
+        self, lambda_function: LambdaFunction, lambda_alias: Optional[LambdaAlias], function_url_config: Dict[str, Any]
+    ) -> Optional[LambdaPermission]:
+        """
+        Construct the lambda permission associated with the function invoke resource in a case
+        for public access when AuthType is NONE
 
-        lambda_permission_attributes = self.get_passthrough_resource_attributes()
+        Parameters
+        ----------
+        lambda_function : LambdaUrl
+            Lambda Function resource
 
-        lambda_invoke_permission = LambdaPermission(
-            logical_id=url_invoke_permission_logical_id, attributes=lambda_permission_attributes
-        )
-        lambda_invoke_permission.Action = FUNCTION_INVOKE_PERMISSION_ACTION
+        lambda_alias : LambdaAlias
+            Lambda Alias resource
+
+        Returns
+        -------
+        LambdaPermission
+            The lambda permission appended to a function that allow function invoke only from Function URL
+        """
+        # create lambda:InvokeFunction with InvokedViaFunctionUrl=True
+        auth_type = function_url_config.get("AuthType")
+
+        if auth_type not in ["NONE"] or is_intrinsic(function_url_config):
+            return None
+
+        logical_id = f"{lambda_function.logical_id}URLInvokeAllowPublicAccess"
+        lambda_permission_attributes = self.get_passthrough_resource_attributes()
+        lambda_invoke_permission = LambdaPermission(logical_id=logical_id, attributes=lambda_permission_attributes)
+        lambda_invoke_permission.Action = "lambda:InvokeFunction"
         lambda_invoke_permission.Principal = "*"
         lambda_invoke_permission.FunctionName = (
             lambda_alias.get_runtime_attr("arn") if lambda_alias else lambda_function.get_runtime_attr("name")
         )
-
         lambda_invoke_permission.InvokedViaFunctionUrl = True
 
-        return [lambda_url_public_permission, lambda_invoke_permission]
+        return lambda_invoke_permission
 
 
 class SamApi(SamResourceMacro):

tests/model/test_sam_resources.py

@@ -593,6 +593,20 @@ def test_with_valid_function_url_config_with_lambda_permission(self):
             if permission.Action == "lambda:InvokeFunction":
                 self.assertEqual(permission.InvokedViaFunctionUrl, True)
 
+    @patch("boto3.session.Session.region_name", "ap-southeast-1")
+    def test_with_aws_iam_function_url_config_with_lambda_permission(self):
+        function = SamFunction("foo")
+        function.CodeUri = "s3://foobar/foo.zip"
+        function.Runtime = "foo"
+        function.Handler = "bar"
+        # When create FURL with AWS_IAM
+        function.FunctionUrlConfig = {"AuthType": "AWS_IAM"}
+
+        cfnResources = function.to_cloudformation(**self.kwargs)
+        generatedUrlList = [x for x in cfnResources if isinstance(x, LambdaPermission)]
+        # Then no permisssion should be auto created
+        self.assertEqual(generatedUrlList.__len__(), 0)
+
     @patch("boto3.session.Session.region_name", "ap-southeast-1")
     def test_with_invalid_function_url_config_with_authorization_type_value_as_None(self):
         function = SamFunction("foo")