@friggframework/devtools 2.0.0--canary.461.e6fc7c7.0 → 2.0.0--canary.461.322ea57.0
|
@@ -137,20 +137,9 @@ class KmsBuilder extends InfrastructureBuilder {
|
|
|
137
137
|
},
|
|
138
138
|
},
|
|
139
139
|
},
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
Principal: {
|
|
144
|
-
AWS: { 'Fn::GetAtt': ['IamRoleLambdaExecution', 'Arn'] },
|
|
145
|
-
},
|
|
146
|
-
Action: [
|
|
147
|
-
'kms:Decrypt',
|
|
148
|
-
'kms:GenerateDataKey',
|
|
149
|
-
'kms:Encrypt',
|
|
150
|
-
'kms:DescribeKey',
|
|
151
|
-
],
|
|
152
|
-
Resource: '*',
|
|
153
|
-
},
|
|
140
|
+
// NOTE: We do NOT add a statement referencing IamRoleLambdaExecution here
|
|
141
|
+
// because it creates a circular dependency (KMS Key → IAM Role → KMS Key).
|
|
142
|
+
// Instead, IAM policies grant the Lambda execution role permissions to use KMS.
|
|
154
143
|
],
|
|
155
144
|
},
|
|
156
145
|
Tags: [
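Review bot: The NOTE at new lines 140-142 assumes IAM identity policies can authorize the Lambda role on this key, which holds only while the key policy keeps a statement delegating to IAM (the account-root principal with `kms:*`, the standard "Enable IAM User Permissions" statement); the statements closed by the context lines 137-139 are outside the hunk, so confirm that statement is among them, otherwise the role loses kms:Decrypt/kms:GenerateDataKey on this key even with a correct IAM policy. The removed statement was also where this hunk scoped the role to four actions; with the delegation path the effective scope now lives in the role's IAM policy, which should be reviewed for least privilege on its own. I'd spell the precondition out in the comment: `// IAM policies can grant the role access only because the key policy delegates to the account root; that statement must stay.` The KeyPolicy statement array and the enclosing KmsBuilder method begin before this hunk.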
|
|
@@ -329,15 +329,11 @@ describe('KmsBuilder', () => {
|
|
|
329
329
|
const result = await kmsBuilder.build(appDefinition, {});
|
|
330
330
|
|
|
331
331
|
const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
|
|
332
|
+
// Should NOT have AllowLambdaExecutionRole statement to avoid circular dependency
|
|
333
|
+
// (KMS Key → IAM Role → KMS Key = circular)
|
|
334
|
+
// IAM policies already grant KMS permissions, so key policy doesn't need to reference the role
|
|
332
335
|
const roleStatement = policy.Statement.find(s => s.Sid === 'AllowLambdaExecutionRole');
|
|
333
|
-
|
|
334
|
-
expect(roleStatement).toBeDefined();
|
|
335
|
-
expect(roleStatement.Effect).toBe('Allow');
|
|
336
|
-
expect(roleStatement.Principal.AWS).toEqual({ 'Fn::GetAtt': ['IamRoleLambdaExecution', 'Arn'] });
|
|
337
|
-
expect(roleStatement.Action).toContain('kms:GenerateDataKey');
|
|
338
|
-
expect(roleStatement.Action).toContain('kms:Decrypt');
|
|
339
|
-
expect(roleStatement.Action).toContain('kms:Encrypt');
|
|
340
|
-
expect(roleStatement.Action).toContain('kms:DescribeKey');
|
|
336
|
+
expect(roleStatement).toBeUndefined();
|
|
341
337
|
});
|
|
342
338
|
});
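Review bot: The rewritten assertion at line 336 only checks that `AllowLambdaExecutionRole` is absent, so the test passes equally for a key policy with no IAM-delegating statement at all — the exact condition under which dropping the role statement cuts the Lambda off from the key. I'd add a positive check that the account-root delegation the comment at lines 332-334 relies on is still present, e.g. `const rootStatement = policy.Statement.find(s => JSON.stringify(s.Principal).includes(':root'));` followed by `expect(rootStatement).toBeDefined();` and `expect(rootStatement.Action).toContain('kms:*');`, adjusting the matcher to however the builder renders the root ARN, which is not visible in this hunk. The enclosing `it` and `describe` blocks begin before the hunk.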
|
|
343
339
|
|
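--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@friggframework/devtools",
 "prettier": "@friggframework/prettier-config",
-"version": "2.0.0--canary.461.
+"version": "2.0.0--canary.461.322ea57.0",
 "dependencies": {
 "@aws-sdk/client-ec2": "^3.835.0",
 "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
 "@babel/eslint-parser": "^7.18.9",
 "@babel/parser": "^7.25.3",
 "@babel/traverse": "^7.25.3",
-"@friggframework/schemas": "2.0.0--canary.461.
-"@friggframework/test": "2.0.0--canary.461.
+"@friggframework/schemas": "2.0.0--canary.461.322ea57.0",
+"@friggframework/test": "2.0.0--canary.461.322ea57.0",
 "@hapi/boom": "^10.0.1",
 "@inquirer/prompts": "^5.3.8",
 "axios": "^1.7.2",
@@ -34,8 +34,8 @@
 "serverless-http": "^2.7.0"
 },
 "devDependencies": {
-"@friggframework/eslint-config": "2.0.0--canary.461.
-"@friggframework/prettier-config": "2.0.0--canary.461.
+"@friggframework/eslint-config": "2.0.0--canary.461.322ea57.0",
+"@friggframework/prettier-config": "2.0.0--canary.461.322ea57.0",
 "aws-sdk-client-mock": "^4.1.0",
 "aws-sdk-client-mock-jest": "^4.1.0",
 "jest": "^30.1.3",
@@ -70,5 +70,5 @@
 "publishConfig": {
 "access": "public"
 },
-"gitHead": "
+"gitHead": "322ea5711e264c07e301f58169414bc67deab2d3"
 }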