Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(iam): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function #12607

Closed
bravemav opened this issue Jan 20, 2021 · 10 comments · Fixed by #21970
Closed

(iam): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function #12607

bravemav opened this issue Jan 20, 2021 · 10 comments · Fixed by #21970
Assignees
@corymhall
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@bravemav
Copy link

bravemav commented Jan 20, 2021
edited
Loading

cdk synth throws an error when addEventSource is used to add an SQS event source on an imported lambda function.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import {Fn} from "@aws-cdk/core";
import * as sqs from '@aws-cdk/aws-sqs';
import * as lambda from "@aws-cdk/aws-lambda";
import {SqsEventSource} from "@aws-cdk/aws-lambda-event-sources";

export class CdkLambdaImportErrorStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const importedFunction = lambda.Function.fromFunctionArn(this, 'imported-function', 'imported-lambda-function-arn');
    const queue = new sqs.Queue(this, 'queue');
    importedFunction.addEventSource(new SqsEventSource(queue));
  }
}

What did you expect to happen?

cdk synth succeeds when an SQS event source is added to an imported lambda function.

What actually happened?

The following error occurred while calling cdk synth

Error: Cannot get policy fragment of CdkLambdaImportErrorStack/imported-function, resource imported without a role

Environment

  • CDK CLI Version : 1.85.0
  • Framework Version:
  • Node.js Version: v12.20.1
  • OS : macOS Big Sur 11.1
  • Language (Version): TypeScript 3.9.7

Other

Related issue: #4613
The above referenced issue fixed a similar issue with the same error message but as part of the CodeBuild module. Maybe this issue has the same underlying root cause and a similar fix?

Stack trace for this issue:

Error: Cannot get policy fragment of CdkLambdaImportErrorStack/product-search-function, resource imported without a role
    at UnknownPrincipal.get policyFragment [as policyFragment] (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/unknown-principal.ts:38:11)
    at PolicyStatement.addPrincipals (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/policy-statement.ts:141:34)
    at new PolicyStatement (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/policy-statement.ts:76:10)
    at Function.addToPrincipalOrResource (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/grant.ts:141:23)
    at Queue.grant (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-sqs/lib/queue-base.ts:241:22)
    at Queue.grantConsumeMessages (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-sqs/lib/queue-base.ts:177:22)
    at SqsEventSource.bind (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-lambda-event-sources/lib/sqs.ts:45:16)
    at Import.addEventSource (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-lambda/lib/function-base.ts:344:12)
    at new CdkLambdaImportErrorStack (/Users/computer/dev/cdk-lambda-import-error/lib/cdk-lambda-import-error-stack.ts:14:27)
    at Object.<anonymous> (/Users/computer/dev/cdk-lambda-import-error/bin/cdk-lambda-import-error.ts:7:1)

This is 🐛 Bug Report
@bravemav bravemav added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 20, 2021
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jan 20, 2021
@bravemav bravemav changed the title (aws-lambda): cdk synth Throws Error When Adding Event Source to Imported Lambda Function (aws-lambda): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function Jan 20, 2021
@shahbour
Copy link

Same result when trying to add to DynamoEventSource

@nija-at
Copy link
Contributor

nija-at commented Feb 4, 2021

This seems to a bug in the grant APIs. Transferring to IAM.

@nija-at nija-at added @aws-cdk/aws-iam Related to AWS Identity and Access Management and removed @aws-cdk/aws-lambda Related to AWS Lambda labels Feb 4, 2021
@nija-at nija-at removed their assignment Feb 4, 2021
@nija-at nija-at changed the title (aws-lambda): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function (iam): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function Feb 4, 2021
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p1 labels Feb 8, 2021
@filipsuk
Copy link

filipsuk commented Feb 10, 2021
edited
Loading

Please is there a workaround for this? Maybe using Cfn resources?

EDIT: I think this can be used https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.EventSourceMapping.html. But it probably requires to manually update the lambda exection role:

The SqsEventSource class will automatically create the mapping, and will also modify the Lambda's execution role so it can consume messages from the queue.

@eladb
Copy link
Contributor

eladb commented Feb 14, 2021

@rix0rrr can you propose a workaround until this is resolved?

@rix0rrr
Copy link
Contributor

rix0rrr commented Feb 15, 2021

I would have to dive into the specifics, but you can try using fromFunctionAttributes() and passing in a placeholder object for role.

That feels like it should do it.

@filipsuk
Copy link

I found an example in other issue #10342 (comment)

const myFn = lambda.Function.fromFunctionArn(this, 'function', {
  functionArn: 'function-arn',
  role: iam.Role.fromRoleArn(this, 'role', 'role-arn'),
});

But it sucks you need to know the execution role arn :/

@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Jun 2, 2021
@argenstijn
Copy link

Using the role arn to fetch the role of the function is really nasty. Because the role is mostly a generated value .

Would be must helpful if the role is just retrieved along with the function.

@pnedelko
Copy link

pnedelko commented Dec 7, 2021

Is it already fixed or planned to be fixed?

@NGL321 NGL321 mentioned this issue Dec 23, 2021
Open
@modul
Copy link

modul commented Feb 24, 2022

any updates on this?

@corymhall corymhall self-assigned this Aug 15, 2022
@corymhall corymhall mentioned this issue Sep 8, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #21970 Sep 9, 2022
mergify bot pushed a commit that referenced this issue Sep 9, 2022
@corymhall
fix(lambda-event-sources): cannot add sqs event source to an imported…
c33bb81 
… function (#21970)

If an SQS event sources is added to an imported function it will throw an error if the function is not imported with an IAM role.

This PR updates the logic to only attempt to add permissions to the principal if the role exists, otherwise it will add a warning indicating that permissions were not added.

fixes #12607


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Sep 9, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Kruspe pushed a commit to DavidSchwarz2/aws-cdk that referenced this issue Sep 13, 2022
@corymhall @Kruspe
fix(lambda-event-sources): cannot add sqs event source to an imported…
a8b8197 
… function (aws#21970)

If an SQS event sources is added to an imported function it will throw an error if the function is not imported with an IAM role.

This PR updates the logic to only attempt to add permissions to the principal if the role exists, otherwise it will add a warning indicating that permissions were not added.

fixes aws#12607


----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corymhall corymhall

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(lambda-event-sources): cannot add sqs event source to an imported function