Lambda Create/Update handles lack of GetFunctionConfiguration (#448)

Users without lambda.GetFunctionConfiguration permissions will get warned and have a 5 second wait inserted into their AWS Lambda Deploy Function workflows.

Author: bryceitoc9

.changes/next-release/Feature-efef33cb-2f0d-495a-999b-4b3448351410.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "Lambda Deploy Function gracefully handles missing lambda:GetFunctionConfiguration with a warning and a 5-second wait"
+}

src/tasks/LambdaDeployFunction/TaskOperations.ts

@@ -9,6 +9,7 @@ import * as tl from 'azure-pipelines-task-lib/task'
 import { SdkUtils } from 'lib/sdkutils'
 import { readFileSync } from 'fs'
 import { deployCodeAndConfig, deployCodeOnly, TaskParameters, updateFromLocalFile } from './TaskParameters'
+import { AWSError } from 'aws-sdk'
 
 const FUNCTION_UPDATED = 'functionUpdated'
 const FUNCTION_ACTIVE = 'functionActive'
@@ -17,7 +18,8 @@ export class TaskOperations {
     public constructor(
         public readonly iamClient: IAM,
         public readonly lambdaClient: Lambda,
-        public readonly taskParameters: TaskParameters
+        public readonly taskParameters: TaskParameters,
+        private readonly _timeoutSeconds: number = 5
     ) {}
 
     public async execute(): Promise<void> {
@@ -73,7 +75,7 @@ export class TaskOperations {
                 throw new Error(tl.loc('NoFunctionArnReturned'))
             }
 
-            await this.waitForUpdate()
+            await this.waitForStatus(FUNCTION_UPDATED)
 
             return response.FunctionArn
         } catch (err) {
@@ -128,7 +130,7 @@ export class TaskOperations {
                 throw new Error(tl.loc('NoFunctionArnReturned'))
             }
 
-            await this.waitForUpdate()
+            await this.waitForStatus(FUNCTION_UPDATED)
 
             // Update tags if we have them
             const tags = SdkUtils.getTagsDictonary<Lambda.Tags>(this.taskParameters.tags)
@@ -209,11 +211,7 @@ export class TaskOperations {
                 throw new Error(tl.loc('NoFunctionArnReturned'))
             }
 
-            console.log(tl.loc('AwaitingStatus', this.taskParameters.functionName, FUNCTION_ACTIVE))
-            await this.lambdaClient
-                .waitFor(FUNCTION_ACTIVE, { FunctionName: this.taskParameters.functionName })
-                .promise()
-            console.log(tl.loc('AwaitingStatusComplete', this.taskParameters.functionName, FUNCTION_ACTIVE))
+            await this.waitForStatus(FUNCTION_ACTIVE)
 
             return response.FunctionArn
         } catch (err) {
@@ -235,9 +233,32 @@ export class TaskOperations {
         }
     }
 
-    private async waitForUpdate(): Promise<void> {
-        console.log(tl.loc('AwaitingStatus', this.taskParameters.functionName, FUNCTION_UPDATED))
-        await this.lambdaClient.waitFor(FUNCTION_UPDATED, { FunctionName: this.taskParameters.functionName }).promise()
-        console.log(tl.loc('AwaitingStatusComplete', this.taskParameters.functionName, FUNCTION_UPDATED))
+    private async waitForStatus(status: typeof FUNCTION_ACTIVE | typeof FUNCTION_UPDATED): Promise<void> {
+        try {
+            console.log(tl.loc('AwaitingStatus', this.taskParameters.functionName, status))
+            // make the compiler happy: waitFor has different signatures depending on status...
+            if (status === FUNCTION_ACTIVE) {
+                await this.lambdaClient.waitFor(status, { FunctionName: this.taskParameters.functionName }).promise()
+            } else {
+                await this.lambdaClient.waitFor(status, { FunctionName: this.taskParameters.functionName }).promise()
+            }
+            console.log(tl.loc('AwaitingStatusComplete', this.taskParameters.functionName, status))
+        } catch (e) {
+            const err = e as AWSError
+            // waitFor lacking permissions: surface warning and sanely wait 5 seconds
+            if (
+                (err.originalError as AWSError | undefined)?.code === 'AccessDeniedException' &&
+                err.originalError?.message.includes('lambda:GetFunctionConfiguration')
+            ) {
+                tl.warning(
+                    tl.loc('CantWaitWarning', this._timeoutSeconds.toString(), 'lambda:GetFunctionConfiguration')
+                )
+                await new Promise(resolve => {
+                    setTimeout(resolve, this._timeoutSeconds * 1000)
+                })
+            } else {
+                throw err
+            }
+        }
     }
 }

src/tasks/LambdaDeployFunction/task.json

@@ -4,7 +4,7 @@
     "friendlyName": "AWS Lambda Deploy Function",
     "description": "General purpose deployment of AWS Lambda functions for all supported language runtimes.",
     "author": "Amazon Web Services",
-    "helpMarkDown": "Please refer to [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/) for more information on working with AWS Lambda.\n\nMore information on this task can be found in the [task reference](https://docs.aws.amazon.com/vsts/latest/userguide/lambda-deploy.html).\n\n####Task Permissions\nThis task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):\n* lambda:CreateFunction\n* lambda:GetFunction\n* lambda:UpdateFunctionCode\n* lambda:UpdateFunctionConfiguration",
+    "helpMarkDown": "Please refer to [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/) for more information on working with AWS Lambda.\n\nMore information on this task can be found in the [task reference](https://docs.aws.amazon.com/vsts/latest/userguide/lambda-deploy.html).\n\n####Task Permissions\nThis task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):\n* lambda:CreateFunction\n* lambda:GetFunction\n* lambda:GetFunctionConfiguration\n* lambda:UpdateFunctionCode\n* lambda:UpdateFunctionConfiguration",
     "category": "Deploy",
     "visibility": ["Build", "Release"],
     "demands": [],
@@ -318,6 +318,7 @@
         "NoFunctionArnReturned": "No function ARN returned from the service! Deployment failed!",
         "SettingOutputVariable": "Setting output variable %s with the function output",
         "AwaitingStatus": "Waiting for function %s to reach %s state...",
-        "AwaitingStatusComplete": "Function %s has reached %s state"
+        "AwaitingStatusComplete": "Function %s has reached %s state",
+        "CantWaitWarning": "Role doesn't have Lambda States waiting permissions; will wait %s seconds and proceed. To avoid this in the future, grant %s permissions to the task role!"
     }
 }

tests/taskTests/lambdaDeployFunction/lambdaDeployFunction-test.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: MIT
  */
 
-import { IAM, Lambda } from 'aws-sdk'
+import { AWSError, IAM, Lambda } from 'aws-sdk'
 import { SdkUtils } from 'lib/sdkutils'
 import { TaskOperations } from 'tasks/LambdaDeployFunction/TaskOperations'
 import { deployCodeAndConfig, deployCodeOnly, TaskParameters } from 'tasks/LambdaDeployFunction/TaskParameters'
@@ -84,6 +84,20 @@ const waitForFails = {
     }
 }
 
+const waitForPermissionsGetConfigurationFails = {
+    promise: function() {
+        const e = new Error() as AWSError
+        e.code = 'ResourceNotReady'
+        e.message = 'Resource is not in the state of denial'
+        e.originalError = {
+            code: 'AccessDeniedException',
+            message:
+                'User: youHaveNoPowerHere is not authorized to perform: lambda:GetFunctionConfiguration on resource: resource with an explicit deny in an identity-based policy'
+        } as AWSError
+        throw e
+    }
+}
+
 describe('Lambda Deploy Function', () => {
     // TODO https://github.com/aws/aws-vsts-tools/issues/167
     beforeAll(() => {
@@ -147,6 +161,22 @@ describe('Lambda Deploy Function', () => {
         expect(lambda.waitFor).toBeCalledTimes(1)
     })
 
+    test('Deploy only Function exists calls wait and still updates if wait fails due to waiter permissions', async () => {
+        expect.assertions(3)
+        const taskParameters = { ...baseTaskParameters }
+        taskParameters.deploymentMode = deployCodeOnly
+        taskParameters.roleARN = 'arn:yes'
+        const lambda = new Lambda() as any
+        lambda.getFunction = jest.fn(() => getFunctionSucceeds)
+        lambda.updateFunctionCode = jest.fn(() => updateFunctionSucceeds)
+        lambda.waitFor = jest.fn(() => waitForPermissionsGetConfigurationFails)
+        const taskOperations = new TaskOperations(new IAM(), lambda, taskParameters, 0)
+        await taskOperations.execute()
+        expect(lambda.getFunction).toBeCalledTimes(1)
+        expect(lambda.updateFunctionCode).toBeCalledTimes(1)
+        expect(lambda.waitFor).toBeCalledTimes(1)
+    })
+
     test('Deploy only Function exists calls update but fails if status does not update', async () => {
         expect.assertions(4)
         const taskParameters = { ...baseTaskParameters }
@@ -179,6 +209,22 @@ describe('Lambda Deploy Function', () => {
         expect(lambda.waitFor).toBeCalledTimes(1)
     })
 
+    test('Deploy and config does not exist calls create and still updates if wait fails due to waiter permissions', async () => {
+        expect.assertions(3)
+        const taskParameters = { ...baseTaskParameters }
+        taskParameters.deploymentMode = deployCodeAndConfig
+        taskParameters.roleARN = 'arn:yes'
+        const lambda = new Lambda() as any
+        lambda.getFunction = jest.fn(() => getFunctionFails)
+        lambda.createFunction = jest.fn(() => updateFunctionSucceeds)
+        lambda.waitFor = jest.fn(() => waitForPermissionsGetConfigurationFails)
+        const taskOperations = new TaskOperations(new IAM(), lambda, taskParameters, 0)
+        await taskOperations.execute()
+        expect(lambda.getFunction).toBeCalledTimes(1)
+        expect(lambda.createFunction).toBeCalledTimes(1)
+        expect(lambda.waitFor).toBeCalledTimes(1)
+    })
+
     test('Deploy and config does not exist calls create but fails if status does not update', async () => {
         expect.assertions(4)
         const taskParameters = { ...baseTaskParameters }
@@ -213,6 +259,24 @@ describe('Lambda Deploy Function', () => {
         expect(lambda.waitFor).toBeCalledTimes(2)
     })
 
+    test('Deploy and config exists calls update and still updates if wait fails due to waiter permissions', async () => {
+        expect.assertions(4)
+        const taskParameters = { ...baseTaskParameters }
+        taskParameters.deploymentMode = deployCodeAndConfig
+        taskParameters.roleARN = 'arn:yes'
+        const lambda = new Lambda() as any
+        lambda.getFunction = jest.fn(() => getFunctionSucceeds)
+        lambda.updateFunctionCode = jest.fn(() => updateFunctionSucceeds)
+        lambda.updateFunctionConfiguration = jest.fn(() => updateFunctionSucceeds)
+        lambda.waitFor = jest.fn(() => waitForPermissionsGetConfigurationFails)
+        const taskOperations = new TaskOperations(new IAM(), lambda, taskParameters, 0)
+        await taskOperations.execute()
+        expect(lambda.getFunction).toBeCalledTimes(1)
+        expect(lambda.updateFunctionCode).toBeCalledTimes(1)
+        expect(lambda.updateFunctionConfiguration).toBeCalledTimes(1)
+        expect(lambda.waitFor).toBeCalledTimes(2)
+    })
+
     test('Deploy and config exists calls update but fails if status does not update after config update', async () => {
         expect.assertions(5)
         const taskParameters = { ...baseTaskParameters }