sst 2.0.14 → 2.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,5 @@
1
1
  import * as ssm from "aws-cdk-lib/aws-ssm";
2
- import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
2
+ import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
3
3
  import { Construct } from "constructs";
4
4
  import { Stack } from "./Stack.js";
5
5
  import { ENVIRONMENT_PLACEHOLDER, getEnvironmentKey, getParameterPath, } from "./util/functionBinding.js";
@@ -37,7 +37,22 @@ export class Auth extends Construct {
37
37
  this.id = id;
38
38
  const stack = Stack.of(scope);
39
39
  this.authenticator = props.authenticator;
40
- new CustomResource(this, "StackMetadata", {
40
+ const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
41
+ statements: [
42
+ new PolicyStatement({
43
+ actions: [
44
+ "ssm:GetParameter",
45
+ "ssm:PutParameter",
46
+ "ssm:DeleteParameter",
47
+ ],
48
+ resources: [
49
+ `arn:${stack.partition}:ssm:${stack.region}:${stack.account}:parameter/*`,
50
+ ],
51
+ }),
52
+ ],
53
+ });
54
+ stack.customResourceHandler.role?.attachInlinePolicy(policy);
55
+ const resource = new CustomResource(this, "StackMetadata", {
41
56
  serviceToken: stack.customResourceHandler.functionArn,
42
57
  resourceType: "Custom::AuthKeys",
43
58
  properties: {
@@ -45,16 +60,7 @@ export class Auth extends Construct {
45
60
  privatePath: getParameterPath(this, PRIVATE_KEY_PROP),
46
61
  },
47
62
  });
48
- stack.customResourceHandler.role?.addToPrincipalPolicy(new PolicyStatement({
49
- actions: [
50
- "ssm:GetParameter",
51
- "ssm:PutParameter",
52
- "ssm:DeleteParameter",
53
- ],
54
- resources: [
55
- `arn:${stack.partition}:ssm:${stack.region}:${stack.account}:parameter/*`,
56
- ],
57
- }));
63
+ resource.node.addDependency(policy);
58
64
  }
59
65
  /** @internal */
60
66
  getConstructMetadata() {
@@ -1,5 +1,5 @@
1
1
  import { Construct, IConstruct } from "constructs";
2
- import * as iam from "aws-cdk-lib/aws-iam";
2
+ import { Role } from "aws-cdk-lib/aws-iam";
3
3
  import * as lambda from "aws-cdk-lib/aws-lambda";
4
4
  import { Size } from "./util/size.js";
5
5
  import { Duration } from "./util/duration.js";
@@ -23,7 +23,7 @@ export interface EdgeFunctionProps {
23
23
  scopeOverride?: IConstruct;
24
24
  }
25
25
  export declare class EdgeFunction extends Construct {
26
- role: iam.Role;
26
+ role: Role;
27
27
  functionArn: string;
28
28
  private scope;
29
29
  private versionId;
@@ -3,7 +3,7 @@ import url from "url";
3
3
  import path from "path";
4
4
  import crypto from "crypto";
5
5
  import { Construct } from "constructs";
6
- import * as iam from "aws-cdk-lib/aws-iam";
6
+ import { Effect, Role, Policy, PolicyStatement, CompositePrincipal, ServicePrincipal, ManagedPolicy, } from "aws-cdk-lib/aws-iam";
7
7
  import * as lambda from "aws-cdk-lib/aws-lambda";
8
8
  import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
9
9
  import { Lazy, Duration as CdkDuration, CustomResource, } from "aws-cdk-lib";
@@ -95,10 +95,10 @@ ${exports}
95
95
  createRole() {
96
96
  const { permissions } = this.props;
97
97
  // Create function role
98
- const role = new iam.Role(this.scope, `ServerLambdaRole`, {
99
- assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal("lambda.amazonaws.com"), new iam.ServicePrincipal("edgelambda.amazonaws.com")),
98
+ const role = new Role(this.scope, `ServerLambdaRole`, {
99
+ assumedBy: new CompositePrincipal(new ServicePrincipal("lambda.amazonaws.com"), new ServicePrincipal("edgelambda.amazonaws.com")),
100
100
  managedPolicies: [
101
- iam.ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy", `arn:${Stack.of(this).partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`),
101
+ ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy", `arn:${Stack.of(this).partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`),
102
102
  ],
103
103
  });
104
104
  // Attach permission
@@ -150,6 +150,16 @@ ${exports}
150
150
  // They need to be replaced with real values before the Lambda
151
151
  // functions get deployed.
152
152
  const stack = Stack.of(this);
153
+ const policy = new Policy(this, "AssetReplacerPolicy", {
154
+ statements: [
155
+ new PolicyStatement({
156
+ effect: Effect.ALLOW,
157
+ actions: ["s3:GetObject", "s3:PutObject"],
158
+ resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
159
+ }),
160
+ ],
161
+ });
162
+ stack.customResourceHandler.role?.attachInlinePolicy(policy);
153
163
  const resource = new CustomResource(this.scope, "AssetReplacer", {
154
164
  serviceToken: stack.customResourceHandler.functionArn,
155
165
  resourceType: "Custom::AssetReplacer",
@@ -159,11 +169,7 @@ ${exports}
159
169
  replacements: this.getLambdaContentReplaceValues(),
160
170
  },
161
171
  });
162
- stack.customResourceHandler.role?.addToPrincipalPolicy(new iam.PolicyStatement({
163
- effect: iam.Effect.ALLOW,
164
- actions: ["s3:GetObject", "s3:PutObject"],
165
- resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
166
- }));
172
+ resource.node.addDependency(policy);
167
173
  return resource;
168
174
  }
169
175
  createSingletonBucketCR() {
@@ -183,8 +189,8 @@ ${exports}
183
189
  timeout: CdkDuration.minutes(15),
184
190
  memorySize: 1024,
185
191
  initialPolicy: [
186
- new iam.PolicyStatement({
187
- effect: iam.Effect.ALLOW,
192
+ new PolicyStatement({
193
+ effect: Effect.ALLOW,
188
194
  actions: ["s3:*"],
189
195
  resources: ["*"],
190
196
  }),
@@ -215,8 +221,8 @@ ${exports}
215
221
  timeout: CdkDuration.minutes(15),
216
222
  memorySize: 1024,
217
223
  initialPolicy: [
218
- new iam.PolicyStatement({
219
- effect: iam.Effect.ALLOW,
224
+ new PolicyStatement({
225
+ effect: Effect.ALLOW,
220
226
  actions: ["lambda:*", "s3:*"],
221
227
  resources: ["*"],
222
228
  }),
@@ -253,8 +259,8 @@ ${exports}
253
259
  timeout: CdkDuration.minutes(15),
254
260
  memorySize: 1024,
255
261
  initialPolicy: [
256
- new iam.PolicyStatement({
257
- effect: iam.Effect.ALLOW,
262
+ new PolicyStatement({
263
+ effect: Effect.ALLOW,
258
264
  actions: ["lambda:*"],
259
265
  resources: ["*"],
260
266
  }),
@@ -2,7 +2,7 @@ import url from "url";
2
2
  import path from "path";
3
3
  import spawn from "cross-spawn";
4
4
  import { Construct } from "constructs";
5
- import * as iam from "aws-cdk-lib/aws-iam";
5
+ import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
6
6
  import * as logs from "aws-cdk-lib/aws-logs";
7
7
  import * as lambda from "aws-cdk-lib/aws-lambda";
8
8
  import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
@@ -78,6 +78,16 @@ export class SsrFunction extends Construct {
78
78
  // They need to be replaced with real values before the Lambda
79
79
  // functions get deployed.
80
80
  const stack = Stack.of(this);
81
+ const policy = new Policy(this, "AssetReplacerPolicy", {
82
+ statements: [
83
+ new PolicyStatement({
84
+ effect: Effect.ALLOW,
85
+ actions: ["s3:GetObject", "s3:PutObject"],
86
+ resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
87
+ }),
88
+ ],
89
+ });
90
+ stack.customResourceHandler.role?.attachInlinePolicy(policy);
81
91
  const resource = new CustomResource(this, "AssetReplacer", {
82
92
  serviceToken: stack.customResourceHandler.functionArn,
83
93
  resourceType: "Custom::AssetReplacer",
@@ -87,11 +97,7 @@ export class SsrFunction extends Construct {
87
97
  replacements: this.getLambdaContentReplaceValues(),
88
98
  },
89
99
  });
90
- stack.customResourceHandler.role?.addToPrincipalPolicy(new iam.PolicyStatement({
91
- effect: iam.Effect.ALLOW,
92
- actions: ["s3:GetObject", "s3:PutObject"],
93
- resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
94
- }));
100
+ resource.node.addDependency(policy);
95
101
  return resource;
96
102
  }
97
103
  getLambdaContentReplaceValues() {
@@ -8,7 +8,7 @@ import { execSync } from "child_process";
8
8
  import { Construct } from "constructs";
9
9
  import { Fn, Token, Duration as CdkDuration, CfnOutput, RemovalPolicy, CustomResource, } from "aws-cdk-lib";
10
10
  import { Bucket } from "aws-cdk-lib/aws-s3";
11
- import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
11
+ import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
12
12
  import { Function, Code, Runtime, FunctionUrlAuthType, } from "aws-cdk-lib/aws-lambda";
13
13
  import { HostedZone, ARecord, AaaaRecord, RecordTarget, } from "aws-cdk-lib/aws-route53";
14
14
  import { Asset } from "aws-cdk-lib/aws-s3-assets";
@@ -100,8 +100,7 @@ export class SsrSite extends Construct {
100
100
  : this.createCloudFrontDistributionForRegional();
101
101
  this.distribution.node.addDependency(s3deployCR);
102
102
  // Invalidate CloudFront
103
- const invalidationCR = this.createCloudFrontInvalidation();
104
- invalidationCR.node.addDependency(this.distribution);
103
+ this.createCloudFrontInvalidation();
105
104
  // Connect Custom Domain to CloudFront Distribution
106
105
  this.createRoute53Records();
107
106
  }
@@ -553,6 +552,21 @@ export class SsrSite extends Construct {
553
552
  }
554
553
  createCloudFrontInvalidation() {
555
554
  const stack = Stack.of(this);
555
+ const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
556
+ statements: [
557
+ new PolicyStatement({
558
+ effect: Effect.ALLOW,
559
+ actions: [
560
+ "cloudfront:GetInvalidation",
561
+ "cloudfront:CreateInvalidation",
562
+ ],
563
+ resources: [
564
+ `arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
565
+ ],
566
+ }),
567
+ ],
568
+ });
569
+ stack.customResourceHandler.role?.attachInlinePolicy(policy);
556
570
  const resource = new CustomResource(this, "CloudFrontInvalidator", {
557
571
  serviceToken: stack.customResourceHandler.functionArn,
558
572
  resourceType: "Custom::CloudFrontInvalidator",
@@ -563,16 +577,7 @@ export class SsrSite extends Construct {
563
577
  waitForInvalidation: this.props.waitForInvalidation,
564
578
  },
565
579
  });
566
- stack.customResourceHandler.role?.addToPrincipalPolicy(new PolicyStatement({
567
- effect: Effect.ALLOW,
568
- actions: [
569
- "cloudfront:GetInvalidation",
570
- "cloudfront:CreateInvalidation",
571
- ],
572
- resources: [
573
- `arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
574
- ],
575
- }));
580
+ resource.node.addDependency(policy);
576
581
  return resource;
577
582
  }
578
583
  /////////////////////
@@ -7,7 +7,7 @@ import { Construct } from "constructs";
7
7
  import { Token, Duration, CfnOutput, RemovalPolicy, CustomResource, } from "aws-cdk-lib";
8
8
  import * as s3 from "aws-cdk-lib/aws-s3";
9
9
  import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
10
- import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
10
+ import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
11
11
  import * as lambda from "aws-cdk-lib/aws-lambda";
12
12
  import * as route53 from "aws-cdk-lib/aws-route53";
13
13
  import * as route53Targets from "aws-cdk-lib/aws-route53-targets";
@@ -427,6 +427,21 @@ interface ImportMeta {
427
427
  .createHash("md5")
428
428
  .update(assets.map(({ assetHash }) => assetHash).join(""))
429
429
  .digest("hex");
430
+ const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
431
+ statements: [
432
+ new PolicyStatement({
433
+ effect: Effect.ALLOW,
434
+ actions: [
435
+ "cloudfront:GetInvalidation",
436
+ "cloudfront:CreateInvalidation",
437
+ ],
438
+ resources: [
439
+ `arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
440
+ ],
441
+ }),
442
+ ],
443
+ });
444
+ stack.customResourceHandler.role?.attachInlinePolicy(policy);
430
445
  const resource = new CustomResource(this, "CloudFrontInvalidator", {
431
446
  serviceToken: stack.customResourceHandler.functionArn,
432
447
  resourceType: "Custom::CloudFrontInvalidator",
@@ -437,16 +452,7 @@ interface ImportMeta {
437
452
  waitForInvalidation: this.props.waitForInvalidation,
438
453
  },
439
454
  });
440
- stack.customResourceHandler.role?.addToPrincipalPolicy(new PolicyStatement({
441
- effect: Effect.ALLOW,
442
- actions: [
443
- "cloudfront:GetInvalidation",
444
- "cloudfront:CreateInvalidation",
445
- ],
446
- resources: [
447
- `arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
448
- ],
449
- }));
455
+ resource.node.addDependency(policy);
450
456
  return resource;
451
457
  }
452
458
  /////////////////////
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sst",
3
- "version": "2.0.14",
3
+ "version": "2.0.16",
4
4
  "bin": {
5
5
  "sst": "cli/sst.js"
6
6
  },