fix(secretsmanager): rotation resource creation can fail due to race …

…condition (#26512) Setting up a `RotationSchedule` with `rotationLambda` could cause failures due to the lambda invoking permission and the`RotationSchedule` being created concurrently. This fix adds a dependency to ensure the policy is created first and to prevent race conditions. Closes #26481. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Aug 18, 2023 · 94e48c6 · 94e48c6
1 parent 3305d4f
commit 94e48c6
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 3 deletions.
diff --git a/...ger/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json b/...ger/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json
@@ -144,7 +144,10 @@
     "RotationRules": {
      "AutomaticallyAfterDays": 30
     }
-   }
+   },
+   "DependsOn": [
+    "LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677"
+   ]
   },
   "SecretPolicy06C9821C": {
    "Type": "AWS::SecretsManager::ResourcePolicy",

diff --git a/...es/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts b/...es/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.ts
@@ -2,6 +2,7 @@ import * as kms from 'aws-cdk-lib/aws-kms';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as integ from '@aws-cdk/integ-tests-alpha';
 
 class TestStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string) {
@@ -24,5 +25,11 @@ class TestStack extends cdk.Stack {
 }
 
 const app = new cdk.App();
-new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+const stack = new TestStack(app, 'cdk-integ-secret-lambda-rotation');
+
+new integ.IntegTest(app, 'cdk-integ-secret-lambda-rotation-test', {
+  testCases: [stack],
+});
+
 app.synth();
diff --git a/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts b/packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
@@ -100,7 +100,8 @@ export class RotationSchedule extends Resource {
         );
       }
 
-      props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+      const grant = props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+      grant.applyBefore(this);
 
       props.rotationLambda.addToRolePolicy(
         new iam.PolicyStatement({

diff --git a/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts
@@ -629,3 +629,25 @@ describe('manual rotations', () => {
     checkRotationNotSet(Duration.millis(0));
   });
 });
+
+test('rotation schedule should have a dependency on lambda permissions', () => {
+  // GIVEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const rotationLambda = new lambda.Function(stack, 'Lambda', {
+    runtime: lambda.Runtime.NODEJS_14_X,
+    code: lambda.Code.fromInline('export.handler = event => event;'),
+    handler: 'index.handler',
+  });
+
+  // WHEN
+  secret.addRotationSchedule('RotationSchedule', {
+    rotationLambda,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResource('AWS::SecretsManager::RotationSchedule', {
+    DependsOn: [
+      'LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677',
+    ],
+  });
+});