
re-create lambda policy when permission sid not found #11924

Merged
merged 4 commits into from
Feb 19, 2020

Conversation

ansoni

@ansoni ansoni commented Feb 6, 2020

Hello,
Please find the small change to blank out the Id for proper remediation when the policy SID goes missing.

Thanks,

Anthony

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #11008

Release note for CHANGELOG:

lambda policy SIDs that are deleted out-of-band are now properly drift detected and restored.

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestLambdaPermission'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestLambdaPermission -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
=== RUN   TestLambdaPermissionUnmarshalling
--- PASS: TestLambdaPermissionUnmarshalling (0.00s)
=== RUN   TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias
--- PASS: TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_alias (0.00s)
=== RUN   TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_govcloud
--- PASS: TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_govcloud (0.00s)
=== RUN   TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version
--- PASS: TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_version (0.00s)
=== RUN   TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid
--- PASS: TestLambdaPermissionGetQualifierFromLambdaAliasOrVersionArn_invalid (0.00s)
=== RUN   TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid
--- PASS: TestLambdaPermissionGetFunctionNameFromLambdaArn_invalid (0.00s)
=== RUN   TestLambdaPermissionGetFunctionNameFromLambdaArn_valid
--- PASS: TestLambdaPermissionGetFunctionNameFromLambdaArn_valid (0.00s)
=== RUN   TestLambdaPermissionGetFunctionNameFromGovCloudLambdaArn
--- PASS: TestLambdaPermissionGetFunctionNameFromGovCloudLambdaArn (0.00s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	0.062s
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap	0.023s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags	0.101s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/batch/equivalency	0.034s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/eks/token	0.035s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-aws/awsproviderlint	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes	0.068s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSAT001	0.048s [no tests to run]
...

@ansoni ansoni requested a review from a team February 6, 2020 08:01
@ghost ghost added needs-triage Waiting for first response or review from a maintainer. size/XS Managed by automation to categorize the size of a PR. service/lambda Issues and PRs that pertain to the lambda service. labels Feb 6, 2020
return nil, fmt.Errorf("Error finding Lambda policy statement: %s", psErr)
}
return statement, nil
return findLambdaPolicyStatementById(&policy, statemendId)
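Review bot: the argument in the final `return findLambdaPolicyStatementById(&policy, statemendId)` is spelled `statemendId`; rename it `statementId` (together with the declaration it refers to) so the name matches the Sid it carries. Returning the lookup's error untouched, instead of through `fmt.Errorf("Error finding Lambda policy statement: %s", psErr)`, is the right call: the `%s` wrap produced a fresh string error, so no type assertion or equality check the caller makes against the original error could ever match. If wrapping is wanted later, use `%w` so `errors.Is` and `errors.As` still reach the inner error.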
Author

re-casting the error to a human-readable string is unnecessary since we are a tool that can do something about it.

Contributor

Agreed, there's no need to wrap this again

@@ -225,6 +225,16 @@ func resourceAwsLambdaPermissionRead(d *schema.ResourceData, meta interface{}) e
if err == nil {
var psErr error
statement, psErr = getLambdaPolicyStatement(out, d.Id())

// handle the resource not existing
if awsErr, ok := psErr.(awserr.Error); ok {
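Review bot: the branch `if awsErr, ok := psErr.(awserr.Error); ok {` only fires when getLambdaPolicyStatement hands back an SDK error. A Sid missing from a policy document that GetPolicy did return is detected locally while the document is searched, not by the AWS API, so unless the lookup deliberately builds an awserr.Error this assertion will not see that case and the read falls through to the fatal path (the author's own remark below is that he does not believe the branch was ever hit). Check the not-found case on psErr directly, for instance a package-level sentinel error compared with errors.Is, and keep the awserr assertion for the ResourceNotFoundException GetPolicy raises when no policy is attached at all. The hunk stops before the branch body, so confirm that the not-found path ends in d.SetId("") followed by a nil return rather than an error.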
Author

Pattern taken from existing code a few lines below. I don't believe we were ever hitting that case, but left just to be sure.

@ansoni
Copy link
Author

ansoni commented Feb 6, 2020

FYI @bflad, this hard fail caused us a lot of grief today. If we can get this drift-remediation update included then our work-around for the modified lambda policies will be a terraform upgrade instead of us having to modify 40-50 TFE project state files or out-of-band edit of lambda permissions.

@gdavison gdavison self-assigned this Feb 10, 2020
Contributor

@gdavison gdavison left a comment

Thanks for the PR, @ansoni. Could you add acceptance tests for this, please?

You can probably use direct AWS API calls to make the out-of-band changes. Take a look at some of the <something>_disappears acceptance tests for inspiration.


@gdavison gdavison added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Feb 10, 2020
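The two behaviours this thread is about, the read path ansoni's change introduces (when the policy is still present but the statement Sid is gone, clear the resource ID so the next plan re-creates the permission instead of failing) and the out-of-band deletion gdavison asks the acceptance test to exercise, condensed into one runnable Go example. This is added code, not the provider's: GetPolicy and RemovePermission are in-memory stand-ins for the Lambda API calls, the sentinel errors ErrPolicyNotFound and ErrStatementNotFound, the State type and the function names are this example's own assumptions (the provider type-asserts awserr.Error and works on schema.ResourceData), and the two-statement policy is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinel errors for the two drift cases (names are this example's own; the
// provider type-asserts awserr.Error rather than using errors.Is).
var (
	ErrPolicyNotFound    = errors.New("lambda policy: resource not found")
	ErrStatementNotFound = errors.New("lambda policy statement not found")
)

// Statement and Policy keep only the policy-document fields the example needs.
type Statement struct {
	Sid    string `json:"Sid"`
	Action string `json:"Action"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// NewSamplePolicy is a constructed two-statement resource policy (fresh copy per
// call, since RemovePermission mutates it): one Sid can go while another stays.
func NewSamplePolicy() *Policy {
	return &Policy{Statement: []Statement{
		{Sid: "AllowExecutionFromCloudWatch", Action: "lambda:InvokeFunction"},
		{Sid: "AllowExecutionFromSNS", Action: "lambda:InvokeFunction"},
	}}
}

// GetPolicy stands in for the Lambda API call. It fails with a not-found error
// once no statements remain, the branch the provider already handled.
func GetPolicy(live *Policy) (string, error) {
	if live == nil || len(live.Statement) == 0 {
		return "", ErrPolicyNotFound
	}
	b, err := json.Marshal(live)
	return string(b), err
}

// RemovePermission is the out-of-band change: drop one Sid, keep the rest.
func RemovePermission(live *Policy, sid string) {
	for i, s := range live.Statement {
		if s.Sid == sid {
			live.Statement = append(live.Statement[:i], live.Statement[i+1:]...)
			return
		}
	}
}

// FindStatementBySid parses the document and looks one statement up. Not-found is
// a sentinel for errors.Is; a parse failure is a different error, never drift.
func FindStatementBySid(doc, sid string) (*Statement, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parsing lambda policy: %w", err)
	}
	for i := range p.Statement {
		if p.Statement[i].Sid == sid {
			return &p.Statement[i], nil
		}
	}
	return nil, fmt.Errorf("sid %q: %w", sid, ErrStatementNotFound)
}

// State is the slice of Terraform state the read touches: ID holds the Sid, and
// clearing it (what d.SetId("") does) makes the next plan re-create the resource.
type State struct{ ID, Action string }

// ReadPermission mirrors the read path after the fix: "no policy" and "policy
// present but Sid gone" both clear the ID; any other error is returned unchanged.
func ReadPermission(live *Policy, st *State) error {
	doc, err := GetPolicy(live)
	if err == nil {
		var stmt *Statement
		if stmt, err = FindStatementBySid(doc, st.ID); err == nil {
			st.Action = stmt.Action
			return nil
		}
	}
	if errors.Is(err, ErrPolicyNotFound) || errors.Is(err, ErrStatementNotFound) {
		st.ID = "" // drift detected: gone from state, re-created on next apply
		return nil
	}
	return err
}

func main() {
	live := NewSamplePolicy()
	st := &State{ID: "AllowExecutionFromSNS"}
	RemovePermission(live, st.ID) // the out-of-band delete
	err := ReadPermission(live, st)
	fmt.Printf("id=%q err=%v\n", st.ID, err) // id="" err=<nil>: plan will re-create
}
```

Only the two sentinel errors clear state; a throttling or parse error is surfaced instead. That distinction matters for this resource in particular: if a transient failure were treated as "gone", the next apply would call AddPermission with a Sid that still exists and fail on the conflict, which is the same kind of manual state surgery the fix is meant to avoid.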
@ghost ghost added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/M Managed by automation to categorize the size of a PR. and removed size/XS Managed by automation to categorize the size of a PR. labels Feb 14, 2020
@scottwinkler
Contributor

@gdavison I wrote an acceptance test for this

Running tool: /usr/local/bin/go test -timeout 30s github.com/terraform-providers/terraform-provider-aws/aws -run ^(TestAccAWSLambdaPermission_disappears)$
ok github.com/terraform-providers/terraform-provider-aws/aws 2.518s
Success: Tests passed.

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Feb 14, 2020
Contributor

@gdavison gdavison left a comment

Thanks for the test, @scottwinkler. I have a couple changes.

Comment on lines 331 to 338
{
Config: testAccAWSLambdaPermissionConfig(funcName, roleName),
Check: resource.ComposeTestCheckFunc(
testAccCheckLambdaPermissionExists("aws_lambda_permission.allow_cloudwatch", &statement),
),
},
// Here we delete the Lambda permission to verify the follow-on refresh after this step
// should not error.
Contributor

This first step can be removed

Contributor

removed

// Here we delete the Lambda permission to verify the follow-on refresh after this step
// should not error.
{
Config: testAccAWSLambdaPermissionConfig(funcName, roleName),
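Review bot: the comment above this step says the permission is deleted here, but the visible step only sets Config. The out-of-band removal belongs in this step's Check (a helper that calls Lambda RemovePermission directly, as the other _disappears tests do), and the step needs `ExpectNonEmptyPlan: true`, because once the refresh clears the ID the plan that follows is exactly the re-create the fix is meant to produce, and the framework would otherwise fail the step for a non-empty plan. A config with more than one permission is what makes the test meaningful: with a single statement the API reports the whole policy missing, which the old code already handled.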
Contributor

The error only shows up when there are still permission elements left. We can use testAccAWSLambdaPermissionConfig_multiplePerms() instead, and then remove aws_lambda_permission.first.

@gdavison gdavison added the waiting-response Maintainers are waiting on response from community or contributor. label Feb 18, 2020
@scottwinkler
Contributor

scottwinkler commented Feb 18, 2020

@gdavison I made the changes you requested. Please let me know if there is anything else you require

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Feb 18, 2020
@gdavison
Contributor

LGTM 🚀

--- PASS: TestAccAWSLambdaPermission_basic (24.64s)
--- PASS: TestAccAWSLambdaPermission_withIAMRole (33.33s)
--- PASS: TestAccAWSLambdaPermission_withQualifier (33.23s)
--- PASS: TestAccAWSLambdaPermission_withStatementIdPrefix (33.43s)
--- PASS: TestAccAWSLambdaPermission_withRawFunctionName (33.53s)
--- PASS: TestAccAWSLambdaPermission_withSNS (33.73s)
--- PASS: TestAccAWSLambdaPermission_withS3 (33.70s)
--- PASS: TestAccAWSLambdaPermission_multiplePerms (40.61s)
--- PASS: TestAccAWSLambdaPermission_StatementId_Duplicate (89.63s)
--- PASS: TestAccAWSLambdaPermission_disappears (91.56s)

@gdavison gdavison added this to the v2.50.0 milestone Feb 19, 2020
@gdavison gdavison merged commit a3c7502 into hashicorp:master Feb 19, 2020
gdavison added a commit that referenced this pull request Feb 19, 2020
@ghost

ghost commented Feb 21, 2020

This has been released in version 2.50.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Mar 20, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 20, 2020
Labels
service/lambda Issues and PRs that pertain to the lambda service. size/M Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Successfully merging this pull request may close these issues.

Error finding Lambda policy statement: Failed to find statement