(aws-scheduler-targets): singletonScheduleRole() generates targetArn hash incorrectly
Tietew opened this issue · comments
Describe the bug
Creating two or more LambdaInvokes with different lambda functions causes a synth time error: Resolution error: All principals in a PolicyStatement must have the same Conditions.
The role is created in ScheduleTargetBase.singletonScheduleRole().
Expected Behavior
Multiple LambdaInvokes with different functions work with no errors.
Current Behavior
Error occurs on synth.
Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{}' and '{"StringEquals":{"aws:SourceAccount":"${Token[AWS.AccountId.6]}"}}'). Use multiple statements instead..
Object creation stack:
at new PolicyDocument (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1378)
at createAssumeRolePolicy (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:13332)
at new Role (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:5544)
at LambdaInvoke.singletonScheduleRole (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:132:18)
at LambdaInvoke.bindBaseTargetConfig (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:79:57)
at LambdaInvoke.bind (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:103:17)
at new Schedule (.../node_modules/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts:315:39)
(snip)
at node:internal/main/run_main_module:28:49..
at PolicyStatement.addPrincipalConditions (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
at PolicyStatement.addPrincipals (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
at new PolicyStatement (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
at PolicyStatement.copy (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
at mergeIfCombinable (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
at onePass (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
at mergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
at PolicyDocument._maybeMergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
at PolicyDocument.resolve (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
at RememberingTokenResolver.resolveToken (.../node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)
Reproduction Steps
Deploy a stack containing the following lambda functions and schedules.

import * as cdk from 'aws-cdk-lib';
import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
import * as targets from '@aws-cdk/aws-scheduler-targets-alpha';
import * as lambda from 'aws-cdk-lib/aws-lambda';

declare const stack: cdk.Stack;

// First function with its own schedule
const func1 = new lambda.Function(stack, 'Function1', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule1', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func1, {}),
});

// Second, different function with its own schedule (distinct construct id)
const func2 = new lambda.Function(stack, 'Function2', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule2', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func2, {}),
});
Possible Solution
singletonScheduleRole() generates the target ARN hash using stack.resolve(targetArn).toString().
But when targetArn is lambda.Function.functionArn, stack.resolve() returns an object {"Fn::GetAtt":["xxxxxx","Arn"]}, and toString() then returns the constant string "[object Object]".
This means different lambda functions share the same hash.
Using JSON.stringify() instead of .toString() may resolve it.
Additional Information/Context
No response
CDK CLI Version
2.146.0
Framework Version
No response
Node.js Version
20.14.0
OS
Ubuntu 20.04
Language
TypeScript
Language Version
No response
Other information
#28713: same error message, but reproduction steps differ.
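To illustrate the hash collision described under Possible Solution, here is an added TypeScript example (not CDK code and not part of the original issue): the two resolved objects are constructed stand-ins for what stack.resolve() returns for a Function's functionArn token, and the hash helpers mirror the buggy and proposed hash inputs.

```typescript
import { createHash } from "crypto";

// What stack.resolve(fn.functionArn) yields: a CloudFormation intrinsic object,
// not a string. These are constructed samples, not produced by aws-cdk-lib here.
type Resolved = string | { [intrinsic: string]: unknown };

const resolvedFunc1: Resolved = { "Fn::GetAtt": ["Function1ABC123", "Arn"] };
const resolvedFunc2: Resolved = { "Fn::GetAtt": ["Function2DEF456", "Arn"] };
// An imported function with a literal ARN resolves to a plain string instead.
const resolvedLiteral: Resolved =
  "arn:aws:lambda:us-east-1:123456789012:function:imported";

function sha256Hex(input: string): string {
  return createHash("sha256").update(input).digest("hex");
}

// Buggy hash input as the issue describes it: stack.resolve(targetArn).toString()
// For any object this is "[object Object]", so every Fn::GetAtt target collides.
function hashWithToString(resolved: Resolved): string {
  return sha256Hex(String(resolved));
}

// Proposed fix: JSON.stringify(stack.resolve(targetArn)) keeps the logical id,
// so different functions get different hashes (strings are unaffected).
function hashWithJsonStringify(resolved: Resolved): string {
  return sha256Hex(JSON.stringify(resolved));
}

// True when two targets would be given the same singleton role id under `hash`.
function sharesRoleId(
  hash: (r: Resolved) => string,
  a: Resolved,
  b: Resolved,
): boolean {
  return hash(a) === hash(b);
}
```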
I tried to make a PR to fix this, but found toString() isn't the root cause.
Two Schedules with the SAME lambda function target produce the same Resolution Error.
Both of your schedulers in the example code have the same ID. I currently get this error message trying to deploy two different schedulers with two different functions as targets.