v0.8.3.1

Author: bjorg

Docs/articles/ReleaseNotes-Hicetas.md

@@ -4,7 +4,7 @@ description: Release notes for LambdaSharp "Hicetas" (v0.8)
 keywords: release, notes, hicetas
 ---
 
-# LambdaSharp "Hicetas" Release (v0.8.3.0) - 2021-05-18
+# LambdaSharp "Hicetas" Release (v0.8.3.1) - 2021-05-28
 
 > Hicetas was a Greek philosopher of the Pythagorean School. He was born in Syracuse. Like his fellow Pythagorean Ecphantus and the Academic Heraclides Ponticus, he believed that the daily movement of permanent stars was caused by the rotation of the Earth around its axis. When Copernicus referred to Nicetus Syracusanus (Nicetus of Syracuse) in _De revolutionibus orbium coelestium_ as having been cited by Cicero as an ancient who also argued that the Earth moved, it is believed that he was actually referring to Hicetas. [(Wikipedia)](https://en.wikipedia.org/wiki/Hicetas)
 
@@ -141,9 +141,25 @@ Part of this release, _LambdaSharp.Core_ functions were ported to .NET Core 3.1
 
 ## Releases
 
-### (v0.8.3.0) - 2018-05-18
+### (v0.8.3.1) - 2021-05-28
 
-### Features
+#### Features
+
+* CLI
+  * Simplified the mechanism for dynamically allowing operations on KMS keys passed in via `Secrets` parameter.
+
+* Samples
+  * Added `Samples/SecretSample` module showing how to use KMS encrypted values with Secret Manager and the access it from a Lambda function.
+
+#### Fixes
+
+* CLI
+  * Fixed a regression in the parameters file processing.
+  * Fixed a circular dependency when the `DecryptSecretFunction` was used to initialize a resource that was then scoped to a Lambda function.
+
+### (v0.8.3.0) - 2021-05-18
+
+#### Features
 
 * All
   * Updated _Amazon.Lambda.*_ assembly references to v2.0.*

Docs/articles/toc.yml

@@ -57,7 +57,7 @@
 - name: Releases
   items:
 
-    - name: Hicetas (v0.8.3.0)
+    - name: Hicetas (v0.8.3.1)
       href: ReleaseNotes-Hicetas.md
 
     - name: Geminus (v0.7.0.17)

Samples/SecretSample/Module.yml

@@ -0,0 +1,40 @@
+# LambdaSharp (λ#)
+# Copyright (C) 2018-2021
+# lambdasharp.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Module: Sample.SecretsManager
+Description: LambdaSharp CloudFormation Test
+Items:
+
+  - Parameter: UserName
+    Type: String
+
+  - Parameter: Password
+    Type: Secret
+
+  - Resource: CredentialsSecret
+    Scope: MyFunction
+    Type: AWS::SecretsManager::Secret
+    Allow:
+      - secretsmanager:GetSecretValue
+    Properties:
+      SecretString: !Sub
+        - '{"username": "${user}", "password": "${password}"}'
+        - user: !Ref UserName
+          password: !Ref Password::Plaintext
+
+  - Function: MyFunction
+    Memory: 1769
+    Timeout: 30

Samples/SecretSample/MyFunction/Function.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Threading.Tasks;
+using Amazon.SecretsManager;
+using Amazon.SecretsManager.Model;
+using LambdaSharp;
+
+namespace Test.TestModule.MyFunction {
+
+    public class FunctionRequest { }
+    public class FunctionResponse { }
+
+    public sealed class Function : ALambdaFunction<FunctionRequest, FunctionResponse> {
+
+        //--- Fields ---
+        private string _secretArn;
+        private IAmazonSecretsManager _secretManagerClient;
+
+        //--- Constructors ---
+        public Function() : base(new LambdaSharp.Serialization.LambdaSystemTextJsonSerializer()) { }
+
+        //--- Methods ---
+        public override async Task InitializeAsync(LambdaConfig config) {
+
+            // read configuration settings
+            _secretArn = config.ReadText("CredentialsSecret");
+
+            // create clients
+            _secretManagerClient = new AmazonSecretsManagerClient();
+        }
+
+        public override async Task<FunctionResponse> ProcessMessageAsync(FunctionRequest request) {
+            LogInfo("retrieving secret");
+            var secret = await _secretManagerClient.GetSecretValueAsync(new GetSecretValueRequest {
+                SecretId = _secretArn
+            });
+            LogInfo($"Received: {secret.SecretString}");
+            return new FunctionResponse();
+        }
+    }
+}

Samples/SecretSample/MyFunction/MyFunction.csproj

@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <Deterministic>true</Deterministic>
+    <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+    <GenerateRuntimeConfigurationFiles>true</GenerateRuntimeConfigurationFiles>
+    <RootNamespace>Test.TestModule.MyFunction</RootNamespace>
+    <NoWarn>CS1998</NoWarn>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="AWSSDK.SecretsManager" Version="3.7.0.26"/>
+  </ItemGroup>
+  <ItemGroup>
+    <PackageReference Condition="'$(LAMBDASHARP)'==''" Include="LambdaSharp" Version="0.8.3.*"/>
+    <ProjectReference Condition="'$(LAMBDASHARP)'!=''" Include="$(LAMBDASHARP)\src\LambdaSharp\LambdaSharp.csproj" />
+  </ItemGroup>
+</Project>

Scripts/Set-Lash-Version.ps1

@@ -1,4 +1,4 @@
-$Env:LAMBDASHARP_VERSION_PREFIX="0.8.3.0"
+$Env:LAMBDASHARP_VERSION_PREFIX="0.8.3.1"
 $Env:LAMBDASHARP_VERSION_SUFFIX=""
 
 # create full version text

Scripts/run-tests.sh

@@ -8,6 +8,7 @@ VERSION_PREFIX="1.0.0"
 
 if [ -z "$1" ]; then
 
+    # run all unit tests
     for i in `find $LAMBDASHARP/ -name Tests.*.csproj`; do
         pushd $(dirname $(realpath $i)) > /dev/null 2>&1
         dotnet test --configuration Release
@@ -30,8 +31,17 @@ if [ -z "$1" ]; then
         exit $?
     fi
 
-    # delete only generated output files
-    find $LAMBDASHARP/Tests/Modules/ -maxdepth 1 -name *.yml | xargs -l basename | sed 's/.yml/.json/' | xargs -I{} rm $LAMBDASHARP/Tests/Modules/Results/{} > /dev/null 2>&1
+    # evaluate module parameters for each test file
+    find $LAMBDASHARP/Tests/ParameterFiles/ -maxdepth 1 -name *.yml \
+        | xargs -L 1 dotnet $LAMBDASHARP/src/LambdaSharp.Tool/bin/Debug/net5.0/LambdaSharp.Tool.dll util show-parameters --quiet
+
+    # delete generated output CloudFormation template files
+    find $LAMBDASHARP/Tests/Modules/ -maxdepth 1 -name *.yml \
+        | xargs -l basename \
+        | sed 's/.yml/.json/' \
+        | xargs -I{} rm $LAMBDASHARP/Tests/Modules/Results/{} > /dev/null 2>&1
+
+    # generate CloudFormation template for each test module
     dotnet $LAMBDASHARP/src/LambdaSharp.Tool/bin/Debug/net5.0/LambdaSharp.Tool.dll deploy \
         --verbose:exceptions \
         --no-beep \

Scripts/set-lash-version.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-export LAMBDASHARP_VERSION_PREFIX=0.8.3.0
+export LAMBDASHARP_VERSION_PREFIX=0.8.3.1
 export LAMBDASHARP_VERSION_SUFFIX=
 
 # create full version text

Tests/Modules/Results/Condition-Function.json

@@ -70,7 +70,7 @@
     "DeploymentChecksum": {
       "Type": "String",
       "Description": "Deployment Checksum",
-      "Default": "1FD28946648756B786C43EC7E67C1AD9"
+      "Default": "98539D2D986EA6FDAB667412AA63ADD1"
     }
   },
   "Resources": {
@@ -197,17 +197,6 @@
                   "Ref": "AWS::NoValue"
                 }
               ]
-            },
-            "STR_MODULE_ROLE_SECRETSPOLICY": {
-              "Fn::If": [
-                "ModuleRoleSecretsPolicyCondition",
-                {
-                  "Ref": "ModuleRoleSecretsPolicy"
-                },
-                {
-                  "Ref": "AWS::NoValue"
-                }
-              ]
             }
           }
         },
@@ -263,6 +252,39 @@
             "PolicyDocument": {
               "Version": "2012-10-17",
               "Statement": [
+                {
+                  "Sid": "DeploymentSecrets",
+                  "Effect": "Allow",
+                  "Action": [
+                    "kms:Decrypt",
+                    "kms:Encrypt"
+                  ],
+                  "Resource": {
+                    "Fn::If": [
+                      "SecretsHasValue",
+                      {
+                        "Fn::Split": [
+                          ",",
+                          {
+                            "Ref": "Secrets"
+                          }
+                        ]
+                      },
+                      {
+                        "Ref": "AWS::NoValue"
+                      }
+                    ]
+                  },
+                  "NotResource": {
+                    "Fn::If": [
+                      "SecretsHasValue",
+                      {
+                        "Ref": "AWS::NoValue"
+                      },
+                      "*"
+                    ]
+                  }
+                },
                 {
                   "Sid": "LogStream",
                   "Effect": "Allow",
@@ -387,41 +409,6 @@
         ]
       }
     },
-    "ModuleRoleSecretsPolicy": {
-      "Type": "AWS::IAM::Policy",
-      "Condition": "ModuleRoleSecretsPolicyCondition",
-      "Properties": {
-        "PolicyDocument": {
-          "Version": "2012-10-17",
-          "Statement": [
-            {
-              "Sid": "Secrets",
-              "Effect": "Allow",
-              "Action": [
-                "kms:Decrypt",
-                "kms:Encrypt"
-              ],
-              "Resource": {
-                "Fn::Split": [
-                  ",",
-                  {
-                    "Ref": "Secrets"
-                  }
-                ]
-              }
-            }
-          ]
-        },
-        "PolicyName": {
-          "Fn::Sub": "${AWS::StackName}ModuleRoleSecrets"
-        },
-        "Roles": [
-          {
-            "Ref": "ModuleRole"
-          }
-        ]
-      }
-    },
     "ModuleRegistration": {
       "Type": "Custom::LambdaSharpRegistrationModule",
       "Condition": "UseCoreServices",
@@ -592,6 +579,18 @@
         "value"
       ]
     },
+    "SecretsHasValue": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            {
+              "Ref": "Secrets"
+            },
+            ""
+          ]
+        }
+      ]
+    },
     "XRayIsEnabled": {
       "Fn::Not": [
         {
@@ -714,18 +713,6 @@
         }
       ]
     },
-    "ModuleRoleSecretsPolicyCondition": {
-      "Fn::Not": [
-        {
-          "Fn::Equals": [
-            {
-              "Ref": "Secrets"
-            },
-            ""
-          ]
-        }
-      ]
-    },
     "FunctionRegistrationCondition": {
       "Fn::And": [
         {
@@ -831,7 +818,7 @@
       "Version": "2019-07-04",
       "Module": "Test.TestModule:1.0-DEV",
       "Description": "LambdaSharp CloudFormation Test",
-      "TemplateChecksum": "1FD28946648756B786C43EC7E67C1AD9",
+      "TemplateChecksum": "98539D2D986EA6FDAB667412AA63ADD1",
       "Date": "2019-08-09T15:00:00Z",
       "CoreServicesVersion": "1",
       "ParameterSections": [
@@ -924,7 +911,6 @@
         "FunctionLogGroup": "Function::LogGroup",
         "ModuleRole": "Module::Role",
         "ModuleRoleDeadLetterQueuePolicy": "Module::Role::DeadLetterQueuePolicy",
-        "ModuleRoleSecretsPolicy": "Module::Role::SecretsPolicy",
         "ModuleRegistration": "Module::Registration",
         "FunctionRegistration": "Function::Registration",
         "FunctionLogGroupSubscription": "Function::LogGroupSubscription"