Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(core): cross region ssm writer update (aws#23356)
Hello, I have come across many errors with cross region export feature when updating the export values. Without this fix when updating cross region export values and there are no ssm parameters to be deleted, the Lambda function would throw with error: ``` ERROR Error processing event: AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/xxx-CustomCrossRegionExportWrite-xxx/xxx-CustomCrossRegionExportWrite-xxx is not authorized to perform: ssm:DeleteParameters on resource: arn:aws:ssm:us-east-1:xxx:* because no identity-based policy allows the ssm:DeleteParameters action at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27) at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12) at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12) at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) { code: 'AccessDeniedException', time: 2022-12-15T10:13:59.977Z, requestId: 'xxx', statusCode: 400, retryable: false, retryDelay: 10.941837950279254 }} ``` This is because `ssm.deleteParameters` would be called with empty array for `Names` parameter as: ```js await ssm.deleteParameters({ Names: [], }).promise(); ``` ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information