add GetFunction permission to Provider Framework lambda

aws · Jan 13, 2025 · b4d9e7a · b4d9e7a
1 parent f0e2f2a
commit b4d9e7a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts
@@ -250,6 +250,20 @@ export class Provider extends Construct implements ICustomResourceProvider {
     };
   }
 
+  private addPermissions(frameworkLambda: lambda.Function, arnOfUserDefinedHandlerLambda: lambda.IFunction) {
+    arnOfUserDefinedHandlerLambda.grantInvoke(frameworkLambda);
+
+    /*
+    lambda:GetFunction is needed as the framework Lambda use it to poll the state of User Defined
+    Handler until it is ACTIVE state
+     */
+    frameworkLambda.addToRolePolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      actions: ['lambda:GetFunction'],
+      resources: [arnOfUserDefinedHandlerLambda.functionArn],
+    }));
+  }
+
   private createFunction(entrypoint: string, name?: string) {
     const fn = new lambda.Function(this, `framework-${entrypoint}`, {
       code: lambda.Code.fromAsset(RUNTIME_HANDLER_PATH, {
@@ -272,11 +286,11 @@ export class Provider extends Construct implements ICustomResourceProvider {
     });
 
     fn.addEnvironment(consts.USER_ON_EVENT_FUNCTION_ARN_ENV, this.onEventHandler.functionArn);
-    this.onEventHandler.grantInvoke(fn);
+    this.addPermissions(fn, this.onEventHandler);
 
     if (this.isCompleteHandler) {
       fn.addEnvironment(consts.USER_IS_COMPLETE_FUNCTION_ARN_ENV, this.isCompleteHandler.functionArn);
-      this.isCompleteHandler.grantInvoke(fn);
+      this.addPermissions(fn, this.isCompleteHandler);
     }
 
     return fn;

diff --git a/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts b/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts
@@ -62,6 +62,11 @@ async function defaultInvokeFunction(req: InvokeCommandInput): Promise<Invocatio
      * We're using invoke first because `waitFor` doesn't trigger an inactive function to do anything,
      * it just runs `getFunction` and checks the state.
      */
+
+    const fakeError = new Error('keungsi threw this to mimic error');
+    fakeError.name = 'ResourceNotReadyException';
+    throw fakeError;
+
     return await lambda.invoke(req);
   } catch {
     /**