move supported conditions to function-base and minor name changes

aws · May 18, 2021 · 35a6202 · 35a6202
1 parent 7c6c217
commit 35a6202
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/packages/@aws-cdk/aws-lambda/README.md b/packages/@aws-cdk/aws-lambda/README.md
@@ -119,7 +119,7 @@ myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWS
 AWS Lambda supports resource-based policies for controlling access to Lambda
 functions and layers on a per-resource basis. In particular, this allows you to
 give permission to AWS services and other AWS accounts to modify and invoke your
-resources. You can also restrict permissions given to AWS services by providing
+functions. You can also restrict permissions given to AWS services by providing
 a source account or ARN (representing the account and identifier of the resource
 that accesses the function or layer).
 

diff --git a/packages/@aws-cdk/aws-lambda/lib/function-base.ts b/packages/@aws-cdk/aws-lambda/lib/function-base.ts
@@ -8,9 +8,11 @@ import { IEventSource } from './event-source';
 import { EventSourceMapping, EventSourceMappingOptions } from './event-source-mapping';
 import { IVersion } from './lambda-version';
 import { CfnPermission } from './lambda.generated';
-import { Permission, PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS } from './permission';
+import { Permission } from './permission';
 import { addAlias } from './util';
 
+const PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS = [{ operator: 'ArnLike', key: 'aws:SourceArn' }, { operator: 'StringEquals', key: 'aws:SourceAccount' }];
+
 export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {
 
   /**
@@ -239,7 +241,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
     }
 
     const principal = this.parsePermissionPrincipal(permission.principal);
-    const { sourceAccount, sourceArn } = this.parsePermissionPrincipalConditions(permission.principal) ?? {};
+    const { sourceAccount, sourceArn } = this.parseConditions(permission.principal) ?? {};
     const action = permission.action ?? 'lambda:InvokeFunction';
     const scope = permission.scope ?? this;
 
@@ -434,7 +436,7 @@ export abstract class FunctionBase extends Resource implements IFunction, ec2.IC
       'Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal');
   }
 
-  private parsePermissionPrincipalConditions(principal: iam.IPrincipal): { sourceAccount: string, sourceArn: string } | null {
+  private parseConditions(principal: iam.IPrincipal): { sourceAccount: string, sourceArn: string } | null {
     if ('conditions' in principal) {
       const conditions: iam.Conditions = (principal as iam.PrincipalWithConditions).policyFragment.conditions;
       const conditionPairs = Object.entries(conditions)

diff --git a/packages/@aws-cdk/aws-lambda/lib/permission.ts b/packages/@aws-cdk/aws-lambda/lib/permission.ts
@@ -65,5 +65,3 @@ export interface Permission {
    */
   readonly sourceArn?: string;
 }
-
-export const PERMISSION_SUPPORTED_PRINCIPAL_CONDITIONS = [{ operator: 'ArnLike', key: 'aws:SourceArn' }, { operator: 'StringEquals', key: 'aws:SourceAccount' }];