(lambda): cross account lambda resolvers can not be created #18781
Comments
vdahlberg
added
bug
kaizencc
changed the title
kaizencc
added
@aws-cdk/aws-appsync
|
The issue here is that an imported lambda cannot be modified; this is true for both v1 and v2. Can you share what was working in v1? I think the issue here is that we cannot |
kaizencc
added
effort/small
|
I was confused when it didn't work on cdk v1.143.0 (same error as above). However, when downgrading to cdk v1.130.0, it does work. This is the example synths fine with cdk v1.130.0; import * as cdk from '@aws-cdk/core';
import * as appsync from '@aws-cdk/aws-appsync';
import * as lambda from '@aws-cdk/aws-lambda'
export class Appsynccdk1BugStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const api = new appsync.GraphqlApi(this, 'Api', {
name: 'demo',
});
const fn = lambda.Function.fromFunctionArn(this, "mylambda", "arn:aws:lambda:eu-west-1:111222333444:function:MyLambda")
const dataSource = api.addLambdaDataSource("lambdaDataSource", fn)
dataSource.createResolver({
typeName: 'Query',
fieldName: 'getDemos'
})
}
}So somewhere between cdk v1.130.0 and cdk v1.143.0 it stopped working. |
|
This issue is not necessarily related to appsync. It is an issue when I am also having this issue after upgrading cdk to 1.143.0. Calling I discovered this happened going from version |
|
It looks like going from version |
|
Apologies for my initial comment, it does not paint the full picture here. Here's what I think: The commit in question here is #18255, thank you @sseidel16 for narrowing down the versions so that this commit was easy to find. What the commit changes is that it grabs the environment from the function arn during So at CDK v1.138.2, we did not supply the environment (region/account) during Now, why this causes your code to break: aws-cdk/packages/@aws-cdk/aws-lambda/lib/function-base.ts Lines 344 to 348 in f8bb85f This is the offending code, and I find it perfectly reasonable. We cannot modify your imported lambda, and we are trying to. So the question becomes, why did this not happen before? When we call aws-cdk/packages/@aws-cdk/aws-iam/lib/grant.ts Lines 120 to 135 in f8bb85f Specifically, So the variable tl;dr: we fixed a bug that your use case relied on. I have a feeling that while your code deployed successfully in CDK v1.138.2, the imported lambda did not have the permissions to allow appsync to call it. @skinny85, you were the contributor who fixed the initial bug, can you please confirm my logic and suggest what you think we should do here? |
kaizencc
changed the title
kaizencc
added
@aws-cdk/aws-lambda
|
@kaizen3031593 thanks for the explanation. This really comes down to the line "we must also add a trust policy on the resource." I assumed I believe it's not necessarily correct that "the imported lambda did not have the permissions to allow appsync to call it." Cross-account lambdas are often owned by other teams and these permissions are then added separately. We have a use case currently where the cross-account lambda is owned by somebody else, and they have added the proper permissions to it manually. The only thing needed is to allow the invoke action on our lambda's role. The entire flow worked prior (build, deployment, invoke), and now breaks because it's trying to modify the resource as well (and this has already been done manually). I am not saying the current behavior is correct or incorrect. It simply is whether the imported resource should be modified. I would argue strongly that it should not be, since it is an imported resource, but I understand if others disagree. |
|
We seem to have stumbled on a rabbit hole here that was most recently modified here: #11369 (and that PR links to at least 2 others trying to do the same thing). There are a few attributes you can try from At any rate, I'm a bit out of my depth and I'll wait for @skinny85 to weigh in. |
|
I agree with everything @kaizen3031593 said 🙂. |
…ured permissions (#18979) There have been a few reports of regressions after #18228 was merged in v1.139.0: #18781, #18967. AFAIK, #18228 fixed a bug in our environment configuring logic for `fromFunctionAttributes()`, so the environment is now being properly passed to the `functionBase` that CDK creates. The bug was being relied on by CDK customers for a particular use case: calling `grantInvoke()` on imported cross-account lambdas with pre-configured permissions. In general, `grantInvoke()` modifies the trust policy of the resource if it is not from the same environment. In the case of cross-account lambdas, this is impossible, and results in a synth-time error. CDK users know this and have modified the lambda permissions in question to have the correct permissions. These users do not need permissions added to the cross-account lambda, so it is not an error. To support this use case, I'm introducing `skipPermissions` as a property for `fromFunctionAttributes()`. When set, we skip this synth-time check all together. Beware, users who set this property are now on their own for the permissions of their cross-account lambda. ```ts const fn = lambda.Function.fromFunctionAttributes(stack, 'Function', { functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:MyFn', skipPermissions: true, }); ``` Closes #18781. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…ured permissions (aws#18979) There have been a few reports of regressions after aws#18228 was merged in v1.139.0: aws#18781, aws#18967. AFAIK, aws#18228 fixed a bug in our environment configuring logic for `fromFunctionAttributes()`, so the environment is now being properly passed to the `functionBase` that CDK creates. The bug was being relied on by CDK customers for a particular use case: calling `grantInvoke()` on imported cross-account lambdas with pre-configured permissions. In general, `grantInvoke()` modifies the trust policy of the resource if it is not from the same environment. In the case of cross-account lambdas, this is impossible, and results in a synth-time error. CDK users know this and have modified the lambda permissions in question to have the correct permissions. These users do not need permissions added to the cross-account lambda, so it is not an error. To support this use case, I'm introducing `skipPermissions` as a property for `fromFunctionAttributes()`. When set, we skip this synth-time check all together. Beware, users who set this property are now on their own for the permissions of their cross-account lambda. ```ts const fn = lambda.Function.fromFunctionAttributes(stack, 'Function', { functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:MyFn', skipPermissions: true, }); ``` Closes aws#18781. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
What is the problem?
Can not create cross account lambda function resolver for an appsync api. It tries to add a permission to lambda but can not.
Worked in CDKv1 but not in CDKv2.
Reproduction Steps
Then run
cdk synthWhat did you expect to happen?
Generates a cloudformation template.
What actually happened?
/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212 throw new Error('Cannot modify permission to lambda function. Function is either imported or $LATEST version. ' ^ Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version. If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag. at Object.addToResourcePolicy (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212:21) at Function.addToPrincipalOrResource (/Users/.../node_modules/aws-cdk-lib/aws-iam/lib/grant.ts:77:45) at Import.grantInvoke (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:195:25) at new LambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/data-source.ts:197:26) at GraphqlApi.addLambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/graphqlapi-base.ts:106:12) at new GraphqlbugStack (/Users/.../lib/graphqlbug-stack.ts:15:24) at Object.<anonymous> (/Users/.../bin/graphqlbug.ts:7:1) at Module._compile (node:internal/modules/cjs/loader:1101:14) at Module.m._compile (/Users/.../node_modules/ts-node/src/index.ts:1056:23) at Module._extensions..js (node:internal/modules/cjs/loader:1153:10) Subprocess exited with error 1CDK CLI Version
2.9.0
Framework Version
No response
Node.js Version
v16.13.2
OS
macOS Catalina
Language
Typescript
Language Version
TypeScript (4.5.5)
Other information
No response
The text was updated successfully, but these errors were encountered: