fix(redshift-alpha): use same role for database-query singleton function

aws · Dec 2, 2024 · c1402b3 · c1402b3
1 parent 77fbddf
commit c1402b3
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/private/database-query.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/private/database-query.ts
@@ -8,6 +8,7 @@ import { Construct } from 'constructs';
 import { DatabaseQueryHandlerProps } from './handler-props';
 import { Cluster } from '../cluster';
 import { DatabaseOptions } from '../database-options';
+import { Stack } from 'aws-cdk-lib/core';
 
 export interface DatabaseQueryProps<HandlerProps> extends DatabaseOptions {
   readonly handler: string;
@@ -28,6 +29,8 @@ export interface DatabaseQueryProps<HandlerProps> extends DatabaseOptions {
 }
 
 export class DatabaseQuery<HandlerProps> extends Construct implements iam.IGrantable {
+  private static handlerToRole: Record<string, iam.IRole> = {}
+
   readonly grantPrincipal: iam.IPrincipal;
   readonly ref: string;
 
@@ -64,6 +67,7 @@ export class DatabaseQuery<HandlerProps> extends Construct implements iam.IGrant
 
     const provider = new customresources.Provider(this, 'Provider', {
       onEventHandler: handler,
+      role: this.roleForHandler(handler),
     });
 
     const queryHandlerProps: DatabaseQueryHandlerProps & HandlerProps = {
@@ -116,4 +120,17 @@ export class DatabaseQuery<HandlerProps> extends Construct implements iam.IGrant
     }
     return adminUser;
   }
+
+  private roleForHandler(handler: lambda.SingletonFunction): iam.IRole {
+    if (!DatabaseQuery.handlerToRole[handler.constructName]) {
+      DatabaseQuery.handlerToRole[handler.constructName] = new iam.Role(Stack.of(this), `Role${handler.constructName}`, {
+        assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+        managedPolicies: [
+          iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
+        ],
+      });
+    }
+
+    return DatabaseQuery.handlerToRole[handler.constructName];
+  }
 }
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts b/packages/aws-cdk-lib/aws-lambda/lib/singleton-lambda.ts
@@ -53,17 +53,22 @@ export class SingletonFunction extends FunctionBase {
   public readonly permissionsNode: Node;
   public readonly architecture: Architecture;
 
+  /**
+   * The construct name of the Lambda function.
+   * */
+  public readonly constructName: string;
+
   /**
    * The runtime environment for the Lambda function.
    */
   public readonly runtime: Runtime;
-
   protected readonly canCreatePermissions: boolean;
+
   private lambdaFunction: LambdaFunction;
 
   constructor(scope: Construct, id: string, props: SingletonFunctionProps) {
     super(scope, id);
-
+    this.constructName = (props.lambdaPurpose || 'SingletonLambda') + slugify(props.uuid);
     this.lambdaFunction = this.ensureLambda(props);
     this.permissionsNode = this.lambdaFunction.node;
     this.architecture = this.lambdaFunction.architecture;
@@ -185,14 +190,13 @@ export class SingletonFunction extends FunctionBase {
   }
 
   private ensureLambda(props: SingletonFunctionProps): LambdaFunction {
-    const constructName = (props.lambdaPurpose || 'SingletonLambda') + slugify(props.uuid);
-    const existing = cdk.Stack.of(this).node.tryFindChild(constructName);
+    const existing = cdk.Stack.of(this).node.tryFindChild(this.constructName);
     if (existing) {
       // Just assume this is true
       return existing as LambdaFunction;
     }
 
-    return new LambdaFunction(cdk.Stack.of(this), constructName, props);
+    return new LambdaFunction(cdk.Stack.of(this), this.constructName, props);
   }
 }