Open cjhelloletsgo opened 5 months ago
Hi
I was able to deploy it with UntrustedArtifactOnDeployment.ENFORCE
with cdk v2.133.0.
Please check my code in TypeScript:
const signingProfile = new signer.SigningProfile(this, 'SigningProfile', {
platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
});
const codeSigningConfig = new lambda.CodeSigningConfig(this, 'CodeSigningConfig', {
signingProfiles: [signingProfile],
untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE,
});
new lambda.Function(this, 'Function', {
codeSigningConfig,
runtime: lambda.Runtime.NODEJS_18_X,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, '../lambda')),
});
synth
Resources:
SigningProfile2139A0F9:
Type: AWS::Signer::SigningProfile
Properties:
PlatformId: AWSLambda-SHA384-ECDSA
SignatureValidityPeriod:
Type: MONTHS
Value: 135
Metadata:
aws:cdk:path: dummy-stack4/SigningProfile/Resource
CodeSigningConfigD8D41C10:
Type: AWS::Lambda::CodeSigningConfig
Properties:
AllowedPublishers:
SigningProfileVersionArns:
- Fn::GetAtt:
- SigningProfile2139A0F9
- ProfileVersionArn
CodeSigningPolicies:
UntrustedArtifactOnDeployment: Enforce
Metadata:
aws:cdk:path: dummy-stack4/CodeSigningConfig/Resource
FunctionServiceRole675BB04A:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Metadata:
aws:cdk:path: dummy-stack4/Function/ServiceRole/Resource
Function76856677:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: cdk-hnb659fds-assets-903779448426-us-east-1
S3Key: 297e4961275717170c4e122c4dd6e629b83080796b88b6716027321ec3f4e2c7.zip
CodeSigningConfigArn:
Fn::GetAtt:
- CodeSigningConfigD8D41C10
- CodeSigningConfigArn
Handler: index.handler
Role:
Fn::GetAtt:
- FunctionServiceRole675BB04A
- Arn
Runtime: nodejs18.x
DependsOn:
- FunctionServiceRole675BB04A
Metadata:
aws:cdk:path: dummy-stack4/Function/Resource
aws:asset:path: asset.297e4961275717170c4e122c4dd6e629b83080796b88b6716027321ec3f4e2c7
aws:asset:is-bundled: false
aws:asset:property: Code
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/2WPzw6CMAzGn8X7qCKJ8Sokng0+ABljkPJnS+jQw7J3twM8GE9f+/3afO0Z0iyD00G+KVHNkIxYg386qQbBVuUJO6NntljRdI/ZtjhqUbTm1wlilFPdSPCFbfTOCmta7OLwv3lfjHJoTaTfOgiUE/jSbglRg6CskkTaEdyicA/5ogbtckmMS012mZUWK+XLO85Yt3cQhOFw6On4Sq+QXvjZnhCTeTEOJw3lph8kXNDoCQEAAA==
Metadata:
aws:cdk:path: dummy-stack4/CDKMetadata/Default
Parameters:
BootstrapVersion:
Type: AWS::SSM::Parameter::Value<String>
Default: /cdk-bootstrap/hnb659fds/version
Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
CheckBootstrapVersion:
Assertions:
- Assert:
Fn::Not:
- Fn::Contains:
- - "1"
- "2"
- "3"
- "4"
- "5"
- Ref: BootstrapVersion
AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
cdk deploy
works great to me. And I can see this from the lambda console.
Is your error coming from cloudformation? Can you share your cdk synth
template? I believe it should work.
Sure, this is the template it generates:
Resources:
TestSigningProfile98254211:
Type: AWS::Signer::SigningProfile
Properties:
PlatformId: AWSLambda-SHA384-ECDSA
SignatureValidityPeriod:
Type: MONTHS
Value: 135
Metadata:
aws:cdk:path: IssueStack/Test Signing Profile/Resource
TestCodeSigningConfig2952C7DC:
Type: AWS::Lambda::CodeSigningConfig
Properties:
AllowedPublishers:
SigningProfileVersionArns:
- Fn::GetAtt:
- TestSigningProfile98254211
- ProfileVersionArn
CodeSigningPolicies:
UntrustedArtifactOnDeployment: Enforce
Description: Test
Metadata:
aws:cdk:path: IssueStack/Test Code Signing Config/Resource
TestLambdaServiceRoleECB4CB18:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: "2012-10-17"
ManagedPolicyArns:
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Metadata:
aws:cdk:path: IssueStack/Test Lambda/ServiceRole/Resource
TestLambda93B0066B:
Type: AWS::Lambda::Function
Properties:
Architectures:
- x86_64
Code:
S3Bucket: cdk-hnb659fds-assets-308665918648-us-east-1
S3Key: 851da26868933e8ab521e3bc2c318bd2a7f9220284d9b35ce3ab5c31fce99feb.zip
CodeSigningConfigArn:
Fn::GetAtt:
- TestCodeSigningConfig2952C7DC
- CodeSigningConfigArn
Description: Test Lambda delete later.
Handler: lambda_function.lambda_handler
MemorySize: 256
Role:
Fn::GetAtt:
- TestLambdaServiceRoleECB4CB18
- Arn
Runtime: python3.12
DependsOn:
- TestLambdaServiceRoleECB4CB18
Metadata:
aws:cdk:path: IssueStack/Test Lambda/Resource
aws:asset:path: asset.851da26868933e8ab521e3bc2c318bd2a7f9220284d9b35ce3ab5c31fce99feb
aws:asset:is-bundled: false
aws:asset:property: Code
TestLambdaEventInvokeConfig9F084114:
Type: AWS::Lambda::EventInvokeConfig
Properties:
FunctionName:
Ref: TestLambda93B0066B
MaximumRetryAttempts: 0
Qualifier: $LATEST
Metadata:
aws:cdk:path: IssueStack/Test Lambda/EventInvokeConfig/Resource
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/2WO0W7CMAxFv4X31IzmC6Bi0t5Q+wHIpG7w2jpSnYJQlH9HBbZp4ulY99jWLWFjLXys8KqFa/ti4BOkJqLrDV71mJS90ASpYS8s/jCFjgcyVSf/k2wGHE8tQqpCSy9XBenYL8vv4ecsLnKQxf7O+wtJ/JJL6Onv9i3MhnGEVIdnkYXZqD2iKkWF7QKjFnaz6ynuUCmbmjTMkyPzsE1Ez/L4/iOyOdziOcjawqaEcvWtzMU0S+SRoH7yDppk/rctAQAA
Metadata:
aws:cdk:path: IssueStack/CDKMetadata/Default
Parameters:
BootstrapVersion:
Type: AWS::SSM::Parameter::Value<String>
Default: /cdk-bootstrap/hnb659fds/version
Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
CheckBootstrapVersion:
Assertions:
- Assert:
Fn::Not:
- Fn::Contains:
- - "1"
- "2"
- "3"
- "4"
- "5"
- Ref: BootstrapVersion
AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
As well as the entire stack if that helps
from aws_cdk import (
Stack,
)
from aws_cdk import aws_lambda as lambda_
from aws_cdk import aws_signer as signer
from constructs import Construct
class IssueStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
test_signing_profile = signer.SigningProfile(
self,
"Test Signing Profile",
platform=signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
)
test_code_signing_config = lambda_.CodeSigningConfig(
self,
"Test Code Signing Config",
signing_profiles=[
test_signing_profile,
],
description="Test",
# setting untrusted_artifact_on_deployment to ENFORCE causes deployment to fail
untrusted_artifact_on_deployment=lambda_.UntrustedArtifactOnDeployment.ENFORCE,
)
test_lambda = lambda_.Function(
self,
"Test Lambda",
runtime=lambda_.Runtime.PYTHON_3_12,
handler="lambda_function.lambda_handler",
code_signing_config=test_code_signing_config,
code=lambda_.Code.from_asset(
"lambda/test",
),
memory_size=256,
architecture=lambda_.Architecture.X86_64,
retry_attempts=0,
description="Test Lambda delete later.",
initial_policy=[],
)
And a screenshot to match yours
So everything seems good except the lambda will always fail to deploy.
@pahud Have you got a chance to look into this any more?
Describe the bug
While configuring code signing on an aws lambda if you specify a code signing config where the untrusted_artifact_on_deployment parameter is set to ENFORCE the deployment will always fail. If the policy is set to warn there is no problem.