aws-solutions-constructs: LambdaToStepfunctions default policy malformed by aws-cdk-lib upgrade to 2.127.0
Reproduction Steps
Install previous version of aws-cdk-lib
"devDependencies": {
  "aws-cdk-lib": "2.126.0",
  "aws-cdk": "2.126.0",
  "@aws-solutions-constructs/aws-lambda-stepfunctions": "^2.51.0"
}
Deploy a stack with LambdaToStepfunctions with at least one Lambda Invoke
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { LambdaToStepfunctions } from '@aws-solutions-constructs/aws-lambda-stepfunctions';

class AwsCdkDemoStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The state machine's only task is a LambdaInvoke, so the state machine
    // role needs lambda:InvokeFunction on this function.
    const startState = new cdk.aws_stepfunctions_tasks.LambdaInvoke(this, 'DemoLambdaInvoke', {
      lambdaFunction: new cdk.aws_lambda.Function(this, 'DemoLambdaFunction', {
        runtime: cdk.aws_lambda.Runtime.NODEJS_20_X,
        handler: 'index.handler',
        code: cdk.aws_lambda.Code.fromAsset('handlers'),
      }),
    });

    // The pattern wires an existing function up as the state machine's invoker.
    new LambdaToStepfunctions(this, 'LambdaToStepfunctionsPattern', {
      existingLambdaObj: new cdk.aws_lambda.Function(this, 'DemoSFInvokerFunction', {
        runtime: cdk.aws_lambda.Runtime.NODEJS_20_X,
        handler: 'index.handler',
        code: cdk.aws_lambda.Code.fromAsset('handlers'),
      }),
      stateMachineProps: {
        definition: startState,
      },
    });
  }
}

const app = new cdk.App();
new AwsCdkDemoStack(app, 'AwsCdkDemoStack');
Bump aws-cdk-lib to 2.127.0
"devDependencies": {
  "aws-cdk-lib": "2.127.0",
  "aws-cdk": "2.127.0",
  "@aws-solutions-constructs/aws-lambda-stepfunctions": "^2.51.0"
}
And try to deploy again
Error Log
I see this diff removing the lambda:InvokeFunction permission. When the diff is accepted and deployed, the step function cannot invoke the Lambda.
IAM Statement Changes
┌───┬─────────────────────────────────────────────────────────────┬────────┬─────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼─────────────────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┼───────────┤
│ - │ ${DemoLambdaFunction.Arn} │ Allow │ lambda:InvokeFunction │ AWS:${LambdaToStepfunctionsPattern/StateMachine/Role} │ │
│ │ ${DemoLambdaFunction.Arn}:* │ │ │ │ │
├───┼─────────────────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┼───────────┤
│ - │ * │ Allow │ logs:CreateLogDelivery │ AWS:${LambdaToStepfunctionsPattern/StateMachine/Role} │ │
│ │ │ │ logs:DeleteLogDelivery │ │ │
│ │ │ │ logs:GetLogDelivery │ │ │
│ │ │ │ logs:ListLogDeliveries │ │ │
│ │ │ │ logs:UpdateLogDelivery │ │ │
├───┼─────────────────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${DemoLambdaFunction.Arn} │ Allow │ logs:CreateLogDelivery │ AWS:${LambdaToStepfunctionsPattern/StateMachine/Role} │ │
│ │ ${DemoLambdaFunction.Arn}:* │ │ logs:DeleteLogDelivery │ │ │
│ │ │ │ logs:GetLogDelivery │ │ │
│ │ │ │ logs:ListLogDeliveries │ │ │
│ │ │ │ logs:UpdateLogDelivery │ │ │
├───┼─────────────────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┼───────────┤
│ + │ * │ Allow │ logs:CreateLogDelivery │ AWS:${LambdaToStepfunctionsPattern/StateMachine/Role} │ │
│ │ │ │ logs:DeleteLogDelivery │ │ │
│ │ │ │ logs:DescribeLogGroups │ │ │
│ │ │ │ logs:DescribeResourcePolicies │ │ │
│ │ │ │ logs:GetLogDelivery │ │ │
│ │ │ │ logs:ListLogDeliveries │ │ │
│ │ │ │ logs:PutResourcePolicy │ │ │
│ │ │ │ logs:UpdateLogDelivery │ │ │
└───┴─────────────────────────────────────────────────────────────┴────────┴─────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┴───────────┘
Environment
- CDK CLI Version: 2.127.0
- CDK Framework Version: 2.127.0
- AWS Solutions Constructs Version: 2.51.0
- OS: macOS
- Language: TypeScript
This is 🐛 Bug Report
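The diff above is only caught if someone reads the `cdk diff` output before accepting it. A cheap guard against this class of regression is a post-synth check over the CloudFormation template (`cdk.out/<Stack>.template.json`) that fails the build when the state machine role has lost `lambda:InvokeFunction` on the task function. The following TypeScript is an added example, not code from this issue or from the aws-solutions-constructs project; the two templates it checks are constructed to mirror the before/after policy shapes in the diff, and the logical IDs (`StateMachineRole`, `StateMachineRoleDefaultPolicy`) are illustrative. It assumes CDK's usual emission of the role's default policy as an `AWS::IAM::Policy` attached via `Roles: [{ Ref: <role> }]`, with the `:*` version-qualifier resource as a `Fn::Join` around the `Fn::GetAtt` ARN.

```typescript
// Added example (not from the issue or aws-solutions-constructs): a post-synth
// guard that reads a CloudFormation template and checks that the Step Functions
// role is still allowed to invoke the task Lambda. Templates at the bottom are
// constructed to mirror the before/after cdk diff; logical IDs are illustrative.

type Intrinsic = { [key: string]: unknown };
type CfnValue = string | Intrinsic;

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: CfnValue | CfnValue[];
}

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: unknown };
}

interface Template {
  Resources: { [logicalId: string]: CfnResource };
}

function asArray<T>(v: T | T[]): T[] {
  return Array.isArray(v) ? (v as T[]) : [v];
}

// A Resource entry covers the function when it is Fn::GetAtt [<fn>, Arn], a
// Fn::Join wrapping that (the "<arn>:*" version-qualifier form), or "*".
function coversFunction(res: CfnValue, fnLogicalId: string): boolean {
  if (typeof res === "string") return res === "*";
  const getAtt = res["Fn::GetAtt"];
  if (Array.isArray(getAtt)) return getAtt[0] === fnLogicalId && getAtt[1] === "Arn";
  const join = res["Fn::Join"];
  if (Array.isArray(join) && Array.isArray(join[1])) {
    return (join[1] as CfnValue[]).some((part) => coversFunction(part, fnLogicalId));
  }
  return false;
}

// Statements from every AWS::IAM::Policy attached to the role. CDK emits the
// role's default policy this way, via Roles: [{ Ref: <roleLogicalId> }].
function statementsForRole(t: Template, roleLogicalId: string): Statement[] {
  const out: Statement[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Policy" || !r.Properties) continue;
    const roles = r.Properties["Roles"];
    if (!Array.isArray(roles)) continue;
    const attached = (roles as CfnValue[]).some(
      (ref) => typeof ref !== "string" && ref["Ref"] === roleLogicalId
    );
    if (!attached) continue;
    const doc = r.Properties["PolicyDocument"] as { Statement: Statement | Statement[] };
    out.push(...asArray(doc.Statement));
  }
  return out;
}

// True when some Allow statement grants lambda:InvokeFunction (or a wildcard
// that includes it) on a Resource that covers the function's ARN.
function roleCanInvoke(t: Template, roleLogicalId: string, fnLogicalId: string): boolean {
  const invokeActions = ["lambda:InvokeFunction", "lambda:*", "*"];
  return statementsForRole(t, roleLogicalId).some(
    (s) =>
      s.Effect === "Allow" &&
      asArray(s.Action).some((a) => invokeActions.indexOf(a) !== -1) &&
      asArray(s.Resource).some((r) => coversFunction(r, fnLogicalId))
  );
}

// Constructed sample data mirroring the diff in the issue.
const fnArn: Intrinsic = { "Fn::GetAtt": ["DemoLambdaFunction", "Arn"] };
const fnArnAllVersions: Intrinsic = { "Fn::Join": ["", [fnArn, ":*"]] };
const logDelivery = [
  "logs:CreateLogDelivery", "logs:DeleteLogDelivery", "logs:GetLogDelivery",
  "logs:ListLogDeliveries", "logs:UpdateLogDelivery",
];

function templateWith(statements: Statement[]): Template {
  return {
    Resources: {
      DemoLambdaFunction: { Type: "AWS::Lambda::Function" },
      StateMachineRole: { Type: "AWS::IAM::Role" },
      StateMachineRoleDefaultPolicy: {
        Type: "AWS::IAM::Policy",
        Properties: {
          Roles: [{ Ref: "StateMachineRole" }],
          PolicyDocument: { Version: "2012-10-17", Statement: statements },
        },
      },
    },
  };
}

// Pre-2.127.0 shape: InvokeFunction on the function ARN, log delivery on "*".
const beforeUpgrade = templateWith([
  { Effect: "Allow", Action: "lambda:InvokeFunction", Resource: [fnArn, fnArnAllVersions] },
  { Effect: "Allow", Action: logDelivery, Resource: "*" },
]);

// Post-2.127.0 shape: log-delivery actions landed on the function ARN and the
// InvokeFunction grant is gone, exactly what the diff shows.
const afterUpgrade = templateWith([
  { Effect: "Allow", Action: logDelivery, Resource: [fnArn, fnArnAllVersions] },
  { Effect: "Allow", Action: logDelivery.concat(["logs:DescribeLogGroups", "logs:DescribeResourcePolicies", "logs:PutResourcePolicy"]), Resource: "*" },
]);

console.log("before upgrade, role can invoke:", roleCanInvoke(beforeUpgrade, "StateMachineRole", "DemoLambdaFunction")); // true
console.log("after upgrade, role can invoke:", roleCanInvoke(afterUpgrade, "StateMachineRole", "DemoLambdaFunction")); // false
```

In a pipeline, load the synthesized template with `JSON.parse` and fail the job when `roleCanInvoke` returns false for the state machine role and each task function; the check is deliberately narrow (one action, one resource) so that it catches a dropped grant without needing a full IAM evaluator.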
About this issue
- Original URL
- State: closed
- Created 5 months ago
- Reactions: 3
- Comments: 15 (6 by maintainers)
I can confirm the fix worked as expected. Best!
@biffgaut Hi, I'm from the same team as Stoyan. We are in the process of updating the dependencies. Looking at the CDK diff I'd say the issue is resolved, but confirmation will follow shortly.
Thanks for looking into it!
Edit: the cdk-diff is taken straight from one of our projects and does not reflect the example provided previously
v2.53.0 is now live and should address this issue.
We’re looking into this closely. The problem stems from:
For some reason, the way our construct is building the infrastructure is preventing the CDK from configuring the Lambda function. This was no problem up until 2.126.0, but is now. We are determining why our code behaves this way.