Fixing IAM policy limits for onboarding service

Author: brtrvn

layers/cloudformation-utils/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/CloudFormationResponse.java

@@ -20,67 +20,70 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
-import java.io.OutputStreamWriter;
 import java.net.HttpURLConnection;
-import java.net.URL;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 
 public class CloudFormationResponse {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(CloudFormationResponse.class);
+    private static final HttpClient http = HttpClient.newBuilder().build();
 
     private CloudFormationResponse() {
     }
 
     public static void send(Map<String, Object> event, Context context, String responseStatus,
                             Map<String, Object> responseData) {
-        Map<String, Object> responseBody = buildResponseBody(event, context, responseStatus, responseData);
+        send(event, context, responseStatus, responseData, false);
+    }
+
+    public static void send(Map<String, Object> event, Context context, String responseStatus,
+                            Map<String, Object> responseData, boolean noEcho) {
+        String responseBody = buildResponseBody(event, context, responseStatus, responseData, noEcho);
         String responseUrl = (String) event.get("ResponseURL");
+        LOGGER.info("curl -H 'Content-Type: \"\"' -X PUT -d '" + responseBody + "' \"" + responseUrl + "\"");
+
+        HttpRequest request = HttpRequest.newBuilder()
+                .uri(URI.create(responseUrl))
+                .setHeader("Content-Type", "")
+                .PUT(HttpRequest.BodyPublishers.ofString(responseBody, StandardCharsets.UTF_8))
+                .build();
         try {
-            URL url = new URL(responseUrl);
-            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
-            connection.setDoOutput(true);
-            connection.setRequestProperty("Content-Type", "");
-            connection.setRequestMethod("PUT");
-            try (OutputStreamWriter response = new OutputStreamWriter(connection.getOutputStream(),
-                    StandardCharsets.UTF_8)) {
-                response.write(Utils.toJson(responseBody));
-                int responseCode = connection.getResponseCode();
-                if (responseCode < 200 || responseCode > 299) {
-                    LOGGER.error("Response from CFN S3 signed URL failed {}", responseUrl);
-                    LOGGER.error("Response: {} {}", responseCode, connection.getResponseMessage());
-                }
-            } catch (IOException ioe) {
-                LOGGER.error("Failed to complete HTTP request");
-                LOGGER.error(Utils.getFullStackTrace(ioe));
+            HttpResponse<String> response = http.send(request,
+                    HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8));
+            if (HttpURLConnection.HTTP_OK != response.statusCode()) {
+                LOGGER.error("Response from CFN S3 signed URL failed {} {}", response.statusCode(), response.body());
             }
-            connection.disconnect();
-        } catch (IOException e) {
-            LOGGER.error("Failed to open connection to CFN response URL");
+        } catch (Exception e) {
+            LOGGER.error("Failed to complete HTTP request");
             LOGGER.error(Utils.getFullStackTrace(e));
         }
     }
 
-    protected static Map<String, Object> buildResponseBody(Map<String, Object> event, Context context,
-                                                           String responseStatus, Map<String, Object> responseData) {
+    protected static String buildResponseBody(Map<String, Object> event, Context context, String responseStatus,
+                                              Map<String, Object> responseData, boolean noEcho) {
         Map<String, Object> responseBody = new HashMap<>();
         responseBody.put("Status", responseStatus);
         responseBody.put("RequestId", event.get("RequestId"));
         responseBody.put("LogicalResourceId", event.get("LogicalResourceId"));
         responseBody.put("StackId", event.get("StackId"));
+        responseBody.put("NoEcho", noEcho);
         // If the physical resource id changes between a CREATE and an UPDATE event, CloudFormation will DELETE
         // the previous physical resource. Usually this doesn't matter -- unless you're actually creating something
         // in your custom resource that you don't want deleted.
         responseBody.put("PhysicalResourceId", context.getAwsRequestId());
         if (!"FAILED".equals(responseStatus)) {
-            responseBody.put("Data", responseData);
+            if (responseData != null && !responseData.isEmpty()) {
+                responseBody.put("Data", responseData);
+            }
         } else {
             responseBody.put("Reason", responseData.get("Reason"));
         }
-        LOGGER.info("Response Body: " + Utils.toJson(responseBody));
-        return responseBody;
+        return Utils.toJson(responseBody);
     }
 }

layers/cloudformation-utils/update_layer.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z $1 ]; then
+    echo "Usage: $0 <Environment> [Lambda Folder]"
+    exit 2
+fi
+
+MY_AWS_REGION=$(aws configure list | grep region | awk '{print $2}')
+echo "AWS Region = $MY_AWS_REGION"
+
+ENVIRONMENT=$1
+LAMBDA_STAGE_FOLDER=$2
+if [ -z $LAMBDA_STAGE_FOLDER ]; then
+	LAMBDA_STAGE_FOLDER="lambdas"
+fi
+LAMBDA_CODE=CloudFormationUtils-lambda.zip
+LAYER_NAME="sb-${ENVIRONMENT}-cloudformation-utils"
+
+#set this for V2 AWS CLI to disable paging
+export AWS_PAGER=""
+
+SAAS_BOOST_BUCKET=$(aws --region $MY_AWS_REGION ssm get-parameter --name "/saas-boost/${ENVIRONMENT}/SAAS_BOOST_BUCKET" --query 'Parameter.Value' --output text)
+echo "SaaS Boost Bucket = $SAAS_BOOST_BUCKET"
+if [ -z $SAAS_BOOST_BUCKET ]; then
+    echo "Can't find SAAS_BOOST_BUCKET in Parameter Store"
+    exit 1
+fi
+
+# Do a fresh build of the project
+mvn
+if [ $? -ne 0 ]; then
+    echo "Error building project"
+    exit 1
+fi
+
+# And copy it up to S3
+aws s3 cp target/$LAMBDA_CODE s3://$SAAS_BOOST_BUCKET/$LAMBDA_STAGE_FOLDER/
+
+# Publish a new version of the layer
+PUBLISHED_LAYER=$(aws --region $MY_AWS_REGION lambda publish-layer-version --layer-name "${LAYER_NAME}" --compatible-runtimes java11 --content S3Bucket="${SAAS_BOOST_BUCKET}",S3Key="${LAMBDA_STAGE_FOLDER}/${LAMBDA_CODE}")
+
+# Use eval to deal with the backticks in the filter expression
+eval LAYER_VERSION_ARN=\$\("aws lambda list-layers --query 'Layers[?LayerName==\`${LAYER_NAME}\`].LatestMatchingVersion.LayerVersionArn' --output text"\)
+echo "Published new layer = $LAYER_VERSION_ARN"
+
+# Find all the functions for this SaaS Boost environment that have layers
+eval FUNCTIONS=\$\("aws --region $MY_AWS_REGION lambda list-functions --query 'Functions[?starts_with(FunctionName, \`sb-${ENVIRONMENT}-\`)] | [?Layers != null] | [].FunctionName' --output text"\)
+FUNCTIONS=($FUNCTIONS)
+#echo "Updating ${#FUNCTIONS[@]} functions with new layer version"
+
+for FX in ${FUNCTIONS[@]}; do
+	# The order of the function's layers must be maintained. Iterate through this function's layers
+	# and update this layer's ARN with the newly published version.
+	FOUND=0
+	LAYERS=""
+	for LAYER_ARN in $(aws --region $MY_AWS_REGION lambda get-function --function-name $FX --query 'Configuration.Layers[].Arn' --output text); do
+		if [[ $LAYER_ARN == *"${LAYER_NAME}"* ]]; then
+			LAYER_ARN=$LAYER_VERSION_ARN
+			FOUND=1
+		fi
+		if [ ${#LAYERS} -gt 0 ]; then
+			LAYERS="${LAYERS} "
+		fi
+		LAYERS="${LAYERS}${LAYER_ARN}"
+	done
+	if (( $FOUND )); then
+		eval "aws --region $MY_AWS_REGION lambda update-function-configuration --function-name $FX --layers $LAYERS"
+	fi
+done

resources/custom-resources/cidr-dynamodb/src/main/java/com/amazon/aws/partners/saasfactory/saasboost/CidrDynamoDB.java

@@ -87,7 +87,7 @@ public Object handleRequest(Map<String, Object> event, Context context) {
             f.get(context.getRemainingTimeInMillis() - 1000, TimeUnit.MILLISECONDS);
         } catch (final TimeoutException | InterruptedException | ExecutionException e) {
             // Timed out
-            LOGGER.error("FAILED unexpected error or request timed out " + e.getMessage());
+            LOGGER.error("FAILED unexpected error or request timed out", e);
             String stackTrace = Utils.getFullStackTrace(e);
             LOGGER.error(stackTrace);
             responseData.put("Reason", stackTrace);

resources/saas-boost-private-api.yaml

@@ -409,6 +409,7 @@ Resources:
     Properties:
       RestApiId: !Ref PrivateApi
       ParentId: !Ref RootResourceId
+      PathPart: 'onboarding'
   OnboardingServiceUpdateResource:
     Type: AWS::ApiGateway::Resource
     Properties:

resources/saas-boost-public-api.yaml

@@ -52,9 +52,6 @@ Parameters:
   OnboardingServiceById:
     Description: Onboarding Service get onboarding request by id Lambda ARN
     Type: String
-  OnboardingServiceUpdateStatus:
-    Description: Onboarding Service update status Lambda ARN
-    Type: String
   SettingsServiceGetAll:
     Description: Settings Service get all settings Lambda ARN
     Type: String
@@ -632,35 +629,6 @@ Resources:
       Action: lambda:InvokeFunction
       FunctionName: !Ref OnboardingServiceById
       SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${PublicApi}/*/GET/onboarding/{id}
-  OnboardingServiceUpdateStatusMethod:
-    Type: AWS::ApiGateway::Method
-    Properties:
-      RestApiId: !Ref PublicApi
-      ResourceId: !Ref OnboardingServiceByIdResource
-      HttpMethod: PUT
-      AuthorizationType: COGNITO_USER_POOLS
-      AuthorizerId: !Ref CognitoAuthorizer
-      AuthorizationScopes:
-        - aws.cognito.signin.user.admin
-      RequestParameters: {method.request.path.id: true}
-      Integration:
-        Type: AWS_PROXY
-        IntegrationHttpMethod: POST
-        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${OnboardingServiceUpdateStatus}/invocations
-        PassthroughBehavior: WHEN_NO_MATCH
-        RequestParameters: {integration.request.path.id: 'method.request.path.id'}
-      MethodResponses:
-        - StatusCode: '200'
-          ResponseModels: {application/json: Empty}
-          ResponseParameters:
-            method.response.header.Access-Control-Allow-Origin: false
-  OnboardingServiceUpdateStatusLambdaPermission:
-    Type: AWS::Lambda::Permission
-    Properties:
-      Principal: apigateway.amazonaws.com
-      Action: lambda:InvokeFunction
-      FunctionName: !Ref OnboardingServiceUpdateStatus
-      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${PublicApi}/*/PUT/onboarding/{id}
   OnboardingServiceByIdResourceCORS:
     Type: AWS::ApiGateway::Method
     Properties:
@@ -1938,7 +1906,6 @@ Resources:
       - OnboardingServiceStartMethod
       - OnboardingServiceResourceCORS
       - OnboardingServiceByIdMethod
-      - OnboardingServiceUpdateStatusMethod
       - OnboardingServiceByIdResourceCORS
       - SettingsServiceGetAllMethod
       - SettingsServiceResourceCORS