(lambda,iam): using a shared role for more than 1 function while enabling lambda insights generates problematic CloudFormation

[humanzz]

What is the problem?

Having noticed the introduction of the lambda function prop insightsVersion, I wanted to refactor some code (See the code in Other Information) to make use of that property instead of explicitly attaching a layer and adding the required managed policy similar to what's defined here.

I have multiple Lambda functions using the same explicitly created IAM role passed to those functions via the role property.

The issue that happens is that the generated CloudFormation ends up having 2 repeated entries for the role's ManagedPolicyArns property

"ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
              ]
            ]
          },
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
              ]
            ]
          }
        ],

Ignoring the wasted duplication, when deploying a CloudFormation template containing such code, CloudFormation deployment fails.

I've checked various pieces of code in lambda and iam modules

1. function.ts's configureLambdaInsights method which attaches the layer and adds the AwsManagedPolicy
2. managed-policy.ts's fromAwsManagedPolicyName which has the arn as a token - more specifically a Lazy.uncachedString
3. role.ts's addManagedPolicy which seems to try to do the right thing by attempting to only add a policy to the role only if it has not been added before. I believe this to be the source of the issue, because since the managed policy in this cases uses token, the equality comparison fails

Reproduction Steps

Here's a skeleton code for creating 1 role, 2 lambda functions, use the role in the 2 lambdas while enabling insights for both. When synthesized, it generates the CloudFormation that will fail deployment due to the duplicate entries in the role's ManagedPolicyArns

const role = new iam.Role(this, 'Role', ...);

const fn1 = new lambda.Function(this, 'Function1', {
  ...
  insightsVersion: lambda.LambdaInsightsVersion.VERSION_1_0_98_0,
  role,
});

const fn1 = new lambda.Function(this, 'Function1', {
  ...
  insightsVersion: lambda.LambdaInsightsVersion.VERSION_1_0_98_0,
  role,
});

A simple check to verify what I think to be the root cause

const x = iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLambdaInsightsExecutionRolePolicy');
const y = iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLambdaInsightsExecutionRolePolicy');
x === y; // false

What did you expect to happen?

1. The role's CloudFormation to not have duplicate entries for the CloudWatchLambdaInsightsExecutionRolePolicy managed policy
2. The CloudFormation deployment to succeed

What actually happened?

1. The role's CloudFormation had 2 duplicate entries for the CloudWatchLambdaInsightsExecutionRolePolicy managed policy
2. The CloudFormation deployment failed

CDK CLI Version

1.132.0

Framework Version

No response

Node.js Version

14

OS

macOS 11.6.1

Language

Typescript

Language Version

No response

Other information

A couple of thoughts/ideas

1. A superficial fix: extract iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLambdaInsightsExecutionRolePolicy') into a constant that's reused across all function instantiations. This way the comparison will always succeed as the token object is always the same.
2. Root cause investigation: how to make the comparison for for managed policies with tokens or simply just tokens succeed
3. Singleton values or interning for the relevant tokens, that's the deeper version of 1 above

My current implementation for setting up Lambda Insights is to call the following utility method

export function setupLambdaInsights(fn: lambda.Function): void {
  if (!fn.role) {
    throw new Error(`Function ${fn.functionName} does not have a role associated`);
  }
  const uniqueRoleId = fn.role?.node.addr;
  if (!insightLambdaFunctionRoles.has(uniqueRoleId)) {
    fn.role?.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('CloudWatchLambdaInsightsExecutionRolePolicy'));
    insightLambdaFunctionRoles.add(uniqueRoleId);
  }
  const layerArn = `arn:aws:lambda:${cdk.Stack.of(fn).region}:580247275435:layer:LambdaInsightsExtension:14`;
  const layer = lambda.LayerVersion.fromLayerVersionArn(fn, 'LambdaInsightsLayer', layerArn);
  fn.addLayers(layer);
}

/**
 * A set of roles' uniqueIds already instrumented for LambdaInsights
 * We keep track of which ones have already been instrumented (managed policy added) because a role fails
 * in CloudFormation if the managed policies are repeated and since some roles are used in multiple lambdas,
 * we'd end with the policy attached to the same role multiple times
 */
const insightLambdaFunctionRoles = new Set();

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.