(iam): principal conditions are not type-checked correctly

[tenjaa]

Describe the bug

When adding a permission to a lambda function, there is an error since CDK 2.30.0.
Adding a PrincipalWithConditions supports less conditions than before.

Expected Behavior

I expect, that synthing the project still works fine like in the prior version.

Current Behavior

When synthing the following error appears:

Error: PrincipalWithConditions had unsupported conditions for Lambda permission statement: [{"operator":"0","key":"StringEquals"}]. Supported operator/condition pairs: [{"operator":"ArnLike","key":"aws:SourceArn"},{"operator":"StringEquals","key":"aws:SourceAccount"},{"operator":"StringEquals","key":"aws:PrincipalOrgID"}]

Reproduction Steps

secretRotationFunction.grantInvoke(new ServicePrincipal('secretsmanager.amazonaws.com', {
      conditions: [
        {
          StringEquals: {
            'aws:SourceAccount': Accounts.MAIN.account,
          }
        }
      ]
    }));

Possible Solution

No response

Additional Information/Context

I guess the responsible change is in packages/@aws-cdk/aws-lambda/lib/function-base.ts directly below line 596 / 643 in the diff: v2.29.1...v2.30.0#diff-6cd0e14e946761622244e7c236ddb2c328b1881f050b1638897231ea27e5e62eR645.

CDK CLI Version

2.30.0

Framework Version

No response

Node.js Version

18.2.0

OS

OSX/CodeBuild

Language

Typescript

Language Version

No response

Other information

No response

[hutchy2570]

This problem also occurs when trying to create an API Gateway using the SpecRestApi construct with a Lambda handler. Was working fine with 2.29.1.

Looks like it was introduced in 2.30.0 with #19975

[kaizencc]

Hi @tenjaa + @hutchy2570. Thanks for the report, confirmed the behavior on my end as well. In my mind, your code worked in the past due to a bug, #19975 fixed that bug, and the synth-time error that should have popped up before is now showing up. Let me explain.

Prior to #19975, we incorrectly checked if a principal had conditions: #19975 (comment). That means your principal (which had conditions) was not actually passed through the synth-time condition checks at all. #19975 introduced correct logic for isPrincipalWithConditions. So now, your code passes synth time checks, of which it is flagged as incorrect. In particular, your value for conditions shouldn't have been accepted. conditions is typed this way: conditions?: { [key: string]: any }; and even though arrays are valid objects we are not expecting to handle an array here (and we're expecting to alert you at synth time if the type is not supported).

Workaround is:

secretRotationFunction.grantInvoke(new ServicePrincipal('secretsmanager.amazonaws.com', {
  conditions: {
    StringEquals: {
      'aws:SourceAccount': Accounts.MAIN.account,
    },
  },
}));

While I'm definitely apologetic that fixing an old bug has resulted in breaking your code, I'm not sure that there's anything to do here. This is now the behavior we are looking for. Pinging @rix0rrr for a second pair of eyes, but that's my $0.02.

---

Github comment linking is funky, so here's the actual bug fix:

previously:

private isPrincipalWithConditions(principal: iam.IPrincipal): principal is iam.PrincipalWithConditions {
    return 'conditions' in principal;

but the conditions property is actually found inside policyFragment: principal.policyFragment.conditions

the fix makes it:

  private isPrincipalWithConditions(principal: iam.IPrincipal): boolean {
    return Object.keys(principal.policyFragment.conditions).length > 0;
  }

[rix0rrr]

I'm amazed that

new ServicePrincipal('secretsmanager.amazonaws.com', {
      conditions: [
        {
          StringEquals: {
            'aws:SourceAccount': Accounts.MAIN.account,
          }
        }
      ]
});

Even worked. As @kaizencc says, it should always have been:

new ServicePrincipal('secretsmanager.amazonaws.com', {
      conditions: {
          StringEquals: {
            'aws:SourceAccount': Accounts.MAIN.account,
        }
      }
});

Our apologies that we didn't throw an error before.