ci: update example deployment script to use PutResourcePolicy instead of AddPermission (#72)

* chore: update deployment cli to use PutResourcePolicy API

* fix: use :* wildcard pattern for resource ARN

Author: bchampp

.github/model/lambda.json

@@ -1055,6 +1055,26 @@
       ],
       "documentation":"<p>Adds a provisioned concurrency configuration to a function's alias or version.</p>"
     },
+    "PutResourcePolicy":{
+      "name":"PutResourcePolicy",
+      "http":{
+        "method":"PUT",
+        "requestUri":"/2024-09-16/resource-policy/{ResourceArn}",
+        "responseCode":200
+      },
+      "input":{"shape":"PutResourcePolicyRequest"},
+      "output":{"shape":"PutResourcePolicyResponse"},
+      "errors":[
+        {"shape":"InvalidParameterValueException"},
+        {"shape":"ResourceConflictException"},
+        {"shape":"PublicPolicyException"},
+        {"shape":"ServiceException"},
+        {"shape":"TooManyRequestsException"},
+        {"shape":"PolicyLengthExceededException"},
+        {"shape":"ResourceNotFoundException"},
+        {"shape":"PreconditionFailedException"}
+      ]
+    },
     "RemoveLayerVersionPermission":{
       "name":"RemoveLayerVersionPermission",
       "http":{
@@ -4737,6 +4757,10 @@
       "type":"integer",
       "min":0
     },
+    "NullableBoolean":{
+      "type":"boolean",
+      "box":true
+    },
     "OnFailure":{
       "type":"structure",
       "members":{
@@ -4949,6 +4973,36 @@
       "type":"integer",
       "min":1
     },
+    "PolicyResourceArn":{
+      "type":"string",
+      "max":256,
+      "min":0,
+      "pattern":"arn:(aws[a-zA-Z-]*)?:lambda:(eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:(lite-function|function|layer):[a-zA-Z0-9-_]+(:(\\$LATEST|[a-zA-Z0-9-_])+)?"
+    },
+    "PutResourcePolicyRequest":{
+      "type":"structure",
+      "required":[
+        "ResourceArn",
+        "Policy"
+      ],
+      "members":{
+        "ResourceArn":{
+          "shape":"PolicyResourceArn",
+          "location":"uri",
+          "locationName":"ResourceArn"
+        },
+        "Policy":{"shape":"ResourcePolicy"},
+        "BlockPublicPolicy":{"shape":"NullableBoolean"},
+        "RevisionId":{"shape":"RevisionId"}
+      }
+    },
+    "PutResourcePolicyResponse":{
+      "type":"structure",
+      "members":{
+        "Policy":{"shape":"ResourcePolicy"},
+        "RevisionId":{"shape":"RevisionId"}
+      }
+    },
     "PreconditionFailedException":{
       "type":"structure",
       "members":{
@@ -5410,6 +5464,18 @@
       "error":{"httpStatusCode":404},
       "exception":true
     },
+    "ResourcePolicy":{
+      "type":"string",
+      "max":20480,
+      "min":1,
+      "pattern":"[\\s\\S]+"
+    },
+    "RevisionId":{
+      "type":"string",
+      "max":36,
+      "min":36,
+      "pattern":"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+    },
     "ResourceNotReadyException":{
       "type":"structure",
       "members":{

examples/cli.py

@@ -378,45 +378,26 @@ def deploy_function(example_name: str, function_name: str | None = None):
     except lambda_client.exceptions.ResourceNotFoundException:
         lambda_client.create_function(**function_config, Code={"ZipFile": zip_content})
 
-    # Update invoke permission for worker account if needed
-    try:
-        policy_response = lambda_client.get_policy(FunctionName=function_name)
-        policy = json.loads(policy_response["Policy"])
-
-        # Check if permission exists with correct principal
-        needs_update = True
-        for statement in policy.get("Statement", []):
-            if (
-                statement.get("Sid") == "dex-invoke-permission"
-                and statement.get("Principal", {}).get("AWS")
-                == config["invoke_account_id"]
-            ):
-                needs_update = False
-                break
-
-        if needs_update:
-            with contextlib.suppress(
-                lambda_client.exceptions.ResourceNotFoundException
-            ):
-                lambda_client.remove_permission(
-                    FunctionName=function_name, StatementId="dex-invoke-permission"
-                )
-
-            lambda_client.add_permission(
-                FunctionName=function_name,
-                StatementId="dex-invoke-permission",
-                Action="lambda:InvokeFunction",
-                Principal=config["invoke_account_id"],
-            )
+    # Update invoke permission for worker account using put_resource_policy
+    function_arn = f"arn:aws:lambda:{config['region']}:{config['account_id']}:function:{function_name}"
+    
+    policy_document = {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "dex-invoke-permission",
+                "Effect": "Allow",
+                "Principal": {"AWS": config["invoke_account_id"]},
+                "Action": "lambda:InvokeFunction",
+                "Resource": f"{function_arn}:*"
+            }
+        ]
+    }
 
-    except lambda_client.exceptions.ResourceNotFoundException:
-        # No policy exists, add permission
-        lambda_client.add_permission(
-            FunctionName=function_name,
-            StatementId="dex-invoke-permission",
-            Action="lambda:InvokeFunction",
-            Principal=config["invoke_account_id"],
-        )
+    lambda_client.put_resource_policy(
+        ResourceArn=function_arn,
+        Policy=json.dumps(policy_document)
+    )
 
     logger.info("Function deployed successfully! %s", function_name)
     return True