diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index eebe0b37db0ba..2f804ca0d4f06 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -916,6 +916,14 @@ export class Function extends FunctionBase { // add additional managed policies when necessary if (props.filesystem) { const config = props.filesystem.config; + if (!Token.isUnresolved(config.localMountPath)) { + if (!/^\/mnt\/[a-zA-Z0-9-_.]+$/.test(config.localMountPath)) { + throw new Error(`Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given ${config.localMountPath}.`); + } + if (config.localMountPath.length > 160) { + throw new Error(`Local mount path can not be longer than 160 characters but has ${config.localMountPath.length} characters.`); + } + } if (config.policies) { config.policies.forEach(p => { this.role?.addToPrincipalPolicy(p); diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index c5228bb2cd82c..a6d982ddf5bdf 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -2923,6 +2923,99 @@ describe('function', () => { }); }); + test('validate localMountPath format when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, '/not-mnt/foo-bar'), + }); + }).toThrow('Local mount path should match with ^/mnt/[a-zA-Z0-9-_.]+$ but given /not-mnt/foo-bar'); + }); + + test('validate localMountPath length when mounting efs', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, `/mnt/${'a'.repeat(160)}`), + }); + }).toThrow('Local mount path can not be longer than 160 characters but has 165 characters'); + }); + + test('No error when local mount path is Tokenized and Unresolved', () => { + // GIVEN + const realLocalMountPath = '/not-mnt/foo-bar'; + const tokenizedLocalMountPath = cdk.Token.asString(new cdk.Intrinsic(realLocalMountPath)); + + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Vpc', { + maxAzs: 3, + natGateways: 1, + }); + const securityGroup = new ec2.SecurityGroup(stack, 'LambdaSG', { + vpc, + allowAllOutbound: false, + }); + + const fs = new efs.FileSystem(stack, 'Efs', { + vpc, + }); + const accessPoint = fs.addAccessPoint('AccessPoint'); + + // THEN + expect(() => { + new lambda.Function(stack, 'MyFunction', { + vpc, + handler: 'foo', + securityGroups: [securityGroup], + runtime: lambda.Runtime.NODEJS_LATEST, + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + filesystem: lambda.FileSystem.fromEfsAccessPoint(accessPoint, tokenizedLocalMountPath), + }); + }).not.toThrow(); + }); + test('correct security group is created when deployed in separate stacks', () => { const app = new cdk.App();