
support lambda actions for IoT topic rules #5420

Closed
JoshM1994 opened this issue Dec 13, 2019 · 5 comments
Labels
@aws-cdk/aws-iot Related to AWS IoT effort/large Large work item – several weeks of effort feature-request A feature should be added or improved. p1

Comments

@JoshM1994

Very similar to #555

There does not appear to be an automatic way to add permissions (the "Function Policy") to the Lambda which is invoked from an IoT Topic Rule.

I obviously was not expecting the below to work since there is no explicit link between the IoT rule and the Lambda (since IoT does not appear to be supported by lambda-event-sources)

  • The IoT rule is created with Lambda as its target
  • The Lambda is created with no trigger (nothing visible on the console)
  • No Function Policy exists on the Lambda

Upon "editing" the IoT rule through the console, AWS helpfully says "we'll handle the Lambda permissions for you" - would be nice if this happened through the CDK

Reproduction Steps

```typescript
import * as lambda from '@aws-cdk/aws-lambda';
import * as iot from '@aws-cdk/aws-iot';

// Lambda that the IoT rule should invoke
const motaAckLambda = new lambda.Function(this, 'MotaGwAck', {
    code: lambda.Code.fromAsset('apps/stacks/hw-mgmt/fota/dist/'),
    handler: 'fotaAck.handler',
    runtime: lambda.Runtime.NODEJS_10_X,
});
// In CDK v1 the action property type is nested under CfnTopicRule
const lambdaIotAction: iot.CfnTopicRule.LambdaActionProperty = {
    functionArn: motaAckLambda.functionArn,
};
// L1 CfnTopicRule: creates the rule but grants no invoke permission on the function
const iotFwdRule = new iot.CfnTopicRule(this, 'IotLambFwdRule', {
    topicRulePayload: {
        actions: [
            {
                lambda: lambdaIotAction,
            },
        ],
        ruleDisabled: false,
        sql: `SELECT something FROM 'somewhere'`,
        awsIotSqlVersion: '2016-03-23',
    },
});
```

Error Log

The IoT rule does NOT trigger the lambda and, in fact, I don't think the rule triggers at all (no error is logged in the verbose IoT logs in CloudWatch)

Environment

  • CLI Version: 1.18.0
  • Framework Version: 1.18.0
  • OS: Mac
  • Language: TypeScript

Other

Removing the policy

  • Whilst experimenting with this (to reproduce), if you need to remove the policy (you cannot do it through the console):

```shell
➜  ~ aws lambda get-policy --function-name functionArn
# Get the statement SID from here
➜  ~ aws lambda remove-permission --function-name functionArn --statement-id retrievedAbove
```

Current approach

My current approach (which I can confirm does work)

Everything as above and append:

```typescript
import { ServicePrincipal } from '@aws-cdk/aws-iam';

// Resource-based policy statement letting the IoT service invoke the function,
// restricted to this specific topic rule via SourceArn
motaAckLambda.addPermission('AllowIoTInvoke', {
    principal: new ServicePrincipal('iot.amazonaws.com'),
    sourceArn: iotFwdRule.attrArn,
});
```

It's unclear if this is the suggested fix (because IoT has notoriously never had a huge amount of documentation) but it's working. Still, it would be nice if IoT worked in the same way as almost every other Lambda event trigger.


This is 🐛 Bug Report
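To confirm that the Function Policy actually grants the IoT rule invoke rights, and only that rule, the following added check (example code, not from the CDK project or this issue) parses the output of `aws lambda get-policy` and reports each statement that lets `iot.amazonaws.com` invoke the function. It goes a little beyond the thread by also flagging statements with no `AWS:SourceArn` condition, which any IoT rule could use; the policy document, function ARN and rule ARN are constructed samples.

```typescript
// Added example (not CDK project code): inspect the Lambda resource policy that
// `aws lambda get-policy` returns and report which statements let IoT invoke the
// function, and whether each grant is pinned to exactly one topic rule ARN.
interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: string | { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: { ArnLike?: Record<string, string>; ArnEquals?: Record<string, string> };
}
export interface Grant { sid: string; allowsRule: boolean; scopedToRule: boolean; }

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// ArnLike supports * and ? wildcards; ArnEquals is an exact match.
function arnMatches(pattern: string, arn: string, like: boolean): boolean {
  if (!like) return pattern === arn;
  const re = '^' + pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(arn);
}

export function iotInvokeGrants(getPolicyOutput: string, ruleArn: string): Grant[] {
  // get-policy wraps the policy document as a JSON string inside "Policy".
  const doc = JSON.parse(JSON.parse(getPolicyOutput).Policy) as { Statement: Statement[] };
  const grants: Grant[] = [];
  for (const st of doc.Statement) {
    if (st.Effect !== 'Allow' || typeof st.Principal === 'string') continue;
    if (!asList(st.Principal.Service).includes('iot.amazonaws.com')) continue;
    if (!asList(st.Action).some(a => a === 'lambda:InvokeFunction' || a === 'lambda:*')) continue;
    const like = st.Condition?.ArnLike?.['AWS:SourceArn'];
    const pattern = like ?? st.Condition?.ArnEquals?.['AWS:SourceArn'];
    // No SourceArn condition at all means any IoT rule could invoke the function.
    const allowsRule = pattern === undefined || arnMatches(pattern, ruleArn, like !== undefined);
    grants.push({ sid: st.Sid ?? '(no Sid)', allowsRule, scopedToRule: pattern === ruleArn });
  }
  return grants;
}

// Constructed sample: one statement as addPermission('AllowIoTInvoke', { sourceArn }) would
// produce, plus one unconditioned grant that any IoT rule could use.
export const SAMPLE_RULE_ARN = 'arn:aws:iot:us-east-1:123456789012:rule/IotLambFwdRule';
const FN_ARN = 'arn:aws:lambda:us-east-1:123456789012:function:MotaGwAck';
export const SAMPLE_GET_POLICY = JSON.stringify({
  Policy: JSON.stringify({ Version: '2012-10-17', Statement: [
    { Sid: 'AllowIoTInvoke', Effect: 'Allow', Principal: { Service: 'iot.amazonaws.com' }, Action: 'lambda:InvokeFunction',
      Resource: FN_ARN, Condition: { ArnLike: { 'AWS:SourceArn': SAMPLE_RULE_ARN } } },
    { Sid: 'TooBroad', Effect: 'Allow', Principal: { Service: 'iot.amazonaws.com' }, Action: 'lambda:InvokeFunction', Resource: FN_ARN },
  ] }), RevisionId: 'constructed-example',
});
```

Run `iotInvokeGrants(SAMPLE_GET_POLICY, SAMPLE_RULE_ARN)` to see both statements reported; only `AllowIoTInvoke` comes back with `scopedToRule: true`.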

@JoshM1994 JoshM1994 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2019
@SomayaB SomayaB added @aws-cdk/aws-iot Related to AWS IoT @aws-cdk/aws-lambda Related to AWS Lambda labels Dec 14, 2019
@shivlaks shivlaks assigned nija-at and unassigned shivlaks Dec 14, 2019
@nija-at
Contributor

nija-at commented Jan 3, 2020

As you've noted, using Lambda's addPermission() method is the best workaround.

This issue is not a bug, but a feature gap. Ideally, we would have a way to configure a lambda function, dynamo table or SNS topic directly into an IoT rule as an action.

Unfortunately, we don't yet have full support of IoT in the CDK, and only support Cfn* constructs.
Any required permissions would be correctly modeled and granted when we have full support.

If this was built out, it would be modeled as a secondary module of IoT, named something like @aws-cdk/aws-iot-actions and the code would look something like -

```typescript
const fn = new lambda.Function(this, 'myfunction',  { ... });
const rule = new iot.Rule(this, 'myrule', { ... });
rule.addAction(new LambdaAction({
  handler: fn,
  ...
}));
```

The addAction() and the LambdaAction classes in conjunction would take care of assigning the right permission.

@shivlaks - does this seem reasonable to you? Would you consider this a gap with the IoT construct library support?

@nija-at nija-at changed the title InvokePermission not automatically added to Lambda when triggered via IoT Topic Rule support lambda actions for IoT topic rules Jan 3, 2020
@nija-at nija-at added gap and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 3, 2020
@shivlaks shivlaks added the effort/large Large work item – several weeks of effort label Feb 5, 2020
@SomayaB SomayaB added feature-request A feature should be added or improved. and removed gap labels Feb 25, 2020
@AniketDani

How to implement the same using Java?

@nija-at nija-at removed the @aws-cdk/aws-iot Related to AWS IoT label Aug 18, 2020
@nija-at nija-at assigned shivlaks and unassigned nija-at Aug 18, 2020
@nija-at nija-at added @aws-cdk/aws-iot Related to AWS IoT and removed @aws-cdk/aws-lambda Related to AWS Lambda labels Aug 18, 2020
@shivlaks shivlaks added the p1 label Aug 21, 2020
@NGL321 NGL321 assigned skinny85 and unassigned shivlaks Jan 25, 2021
@tomcatvr

I have the same problem in Java.
This code creates a rule on IoT Core which essentially uses a lambda to log everything that is published on the topic 'mytopic'.
CDK deploys the stack without error but the lambda is never called.
To let the lambda be called I need to log in to the console, select the rule -> Actions -> Edit and re-select the lambda.

```java
import java.util.ArrayList;
import java.util.List;

import software.amazon.awscdk.core.Duration;
import software.amazon.awscdk.services.iot.CfnTopicRule;
import software.amazon.awscdk.services.lambda.Code;
import software.amazon.awscdk.services.lambda.Function;
import software.amazon.awscdk.services.lambda.Runtime;

// Lambda that logs every message the rule forwards
Function lambdaFunction = Function.Builder.create(this, "logData")
        .code(Code.fromAsset("./asset/lambda-log-1.0-jar-with-dependencies.jar"))
        .handler("com.plussrl.devel.lamda.log.App")
        .runtime(Runtime.JAVA_11)
        .timeout(Duration.seconds(30))
        .memorySize(128)
        .build();

CfnTopicRule.LambdaActionProperty lambdaActionProperty = CfnTopicRule.LambdaActionProperty
        .builder().functionArn(lambdaFunction.getFunctionArn()).build();

CfnTopicRule.ActionProperty ap = CfnTopicRule.ActionProperty.builder().lambda(lambdaActionProperty).build();

List<CfnTopicRule.ActionProperty> actions = new ArrayList<>();
actions.add(ap);

CfnTopicRule.TopicRulePayloadProperty topicRulePayloadProperty = CfnTopicRule.TopicRulePayloadProperty
        .builder()
        .actions(actions)
        .sql("SELECT * FROM 'mytopic'")
        .description("Log on lambda logData")
        .awsIotSqlVersion("2016-03-23")
        .ruleDisabled(false)
        .build();

// The rule is created, but no resource-based permission lets iot.amazonaws.com invoke the function
CfnTopicRule.Builder.create(this, "topicRule")
        .topicRulePayload(topicRulePayloadProperty)
        .ruleName("log_on_logData")
        .build();
```

Steps to reproduce

  1. cdk deploy
  2. Publishing a message does not work (IoT Core -> Test -> Publish, topic: mytopic)
  3. Nothing happens
  4. Edit the rule (IoT Core -> Rules -> log_on_logData -> Actions -> Edit), select IotCoreCdkStack-logDataXXX again and then update
  5. Publish another message
  6. Wait a couple of seconds to see the log in CloudWatch
  7. Sample project is in the attachment

@yamatatsu
Contributor

This is resolved by #17110 😃

@skinny85 skinny85 closed this as completed Nov 9, 2021
@github-actions

github-actions bot commented Nov 9, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
