Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-cdk: success and failure lambdas for state machines are being duplicated in iam roles #30059

Closed
theomantz-luna opened this issue May 3, 2024 · 4 comments
Closed

aws-cdk: success and failure lambdas for state machines are being duplicated in iam roles #30059

theomantz-luna opened this issue May 3, 2024 · 4 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@theomantz-luna
Copy link

theomantz-luna commented May 3, 2024
edited
Loading

Describe the bug

success and failure lambdas for state machines are being duplicated in iam generated roles.

Expected Behavior

the success / failure path lambda should be added to the associated policy once.

Current Behavior

when creating a success and error lambda for each lambda in a state machine, each success and failure lambda is added to the iam policy document. even when they are the same lambda. due to this, iam policy document size limits are reached quickly as each document that has success and failure lambdas associated with it has n+(n * 2) resources added (where n is the number of unique lambda functions).

Reproduction Steps

create a definition body with the following general format:

DefinitionBody.fromChainable(
            sfnChain
                .addCatch(
                    errorReporterTask.next(
                        new sfn.Fail(this, name + " Fail State"),
                    ),
                )
                .next(successReporterTask),
        )

Possible Solution

perform a minimal compression on the iam policy document before deploying so that lambdas with duplicate names are not added to the same policy document

Additional Information/Context

No response

CDK CLI Version

2.133

Framework Version

No response

Node.js Version

v18.20.2

OS

macOS (silicon)

Language

TypeScript

Language Version

5.4.4

Other information

No response
@theomantz-luna theomantz-luna added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label May 3, 2024
This was referenced May 6, 2024
Closed
Closed
@theomantz-luna theomantz-luna changed the title aws-cdk: aws-cdk: success and failure lambdas for state machines are being duplicated in iam roles May 6, 2024
@pahud
Copy link
Contributor

pahud commented May 6, 2024

Hi

Can you elaborate more about the issue?

This is my testing code

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    // dummy lambda function
    const fn = new lambda.Function(this, 'CatchFn', {
      runtime: lambda.Runtime.NODEJS_LATEST,
      code: lambda.Code.fromInline('foo'),
      handler: 'dummy.handler',
    });
    const fntask = new sfntasks.LambdaInvoke(this, 'CatchFnInvoke', {
      lambdaFunction: fn,
    });

    const fn2 = new lambda.Function(this, 'NextFn', {
      runtime: lambda.Runtime.NODEJS_LATEST,
      code: lambda.Code.fromInline('bar'),
      handler: 'dummy.handler',
    });
    const fn2task = new sfntasks.LambdaInvoke(this, 'NextFnInvoke', {
      lambdaFunction: fn2,
    });

    const start = new sfntasks.LambdaInvoke(this, 'StartState', {
      lambdaFunction: new lambda.Function(this, 'StartLambda', {
        runtime: lambda.Runtime.NODEJS_LATEST,
        code: lambda.Code.fromInline('start'),
        handler: 'dummy.handler',
      }),
    })


    const definitionBody = sfn.DefinitionBody.fromChainable(
      start
          .addCatch(
              fntask.next(
                  new sfn.Fail(this, " Fail State"),
              ),
          )
          .next(fn2task),
    )

    new sfn.StateMachine(this, 'StateMachine', {
      definitionBody,
    })

  }
}

And I got this in the default policy of the state machine execution role:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": "lambda:InvokeFunction",
			"Resource": [
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-CatchFn9B5768B8-ga1bHwyKMnlm",
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-NextFn2EC1E31E-2qr1IoR8eTSX",
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-StartLambda81613300-GgkyN4bUAdvo",
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-CatchFn9B5768B8-ga1bHwyKMnlm:*",
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-NextFn2EC1E31E-2qr1IoR8eTSX:*",
				"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-StartLambda81613300-GgkyN4bUAdvo:*"
			],
			"Effect": "Allow"
		}
	]
}

Can you clarify which entries are redundant and should be removed?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 6, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 8, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 8, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 9, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot mentioned this issue Jun 1, 2024
Closed
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pahud @aws-cdk-automation @theomantz-luna