aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code

Home Page:https://aws.amazon.com/cdk


(aws-scheduler-targets): singletonScheduleRole() generates targetArn hash incorrectly

Tietew opened this issue · comments

Describe the bug

Creating two or more LambdaInvokes with different lambda functions causes a synth-time error: Resolution error: All principals in a PolicyStatement must have the same Conditions.
The role is created in ScheduleTargetBase.singletonScheduleRole().

Expected Behavior

Multiple LambdaInvokes with different functions work with no errors.

Current Behavior

Error occurs on synth.

Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{}' and '{"StringEquals":{"aws:SourceAccount":"${Token[AWS.AccountId.6]}"}}'). Use multiple statements instead..
Object creation stack:
  at new PolicyDocument (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1378)
  at createAssumeRolePolicy (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:13332)
  at new Role (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:5544)
  at LambdaInvoke.singletonScheduleRole (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:132:18)
  at LambdaInvoke.bindBaseTargetConfig (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:79:57)
  at LambdaInvoke.bind (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:103:17)
  at new Schedule (.../node_modules/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts:315:39)
(snip)
  at node:internal/main/run_main_module:28:49..
    at PolicyStatement.addPrincipalConditions (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
    at PolicyStatement.addPrincipals (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
    at new PolicyStatement (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
    at PolicyStatement.copy (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
    at mergeIfCombinable (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
    at onePass (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
    at mergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
    at PolicyDocument._maybeMergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
    at PolicyDocument.resolve (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
    at RememberingTokenResolver.resolveToken (.../node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)

Reproduction Steps

Deploy a stack containing the following lambda functions and schedules.

import * as cdk from 'aws-cdk-lib';
import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
import * as targets from '@aws-cdk/aws-scheduler-targets-alpha';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack');

// First function with a daily schedule targeting it.
const func1 = new lambda.Function(stack, 'Function1', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule1', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func1, {}),
});

// Second, different function with its own schedule (distinct construct ID).
const func2 = new lambda.Function(stack, 'Function2', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule2', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func2, {}),
});

Possible Solution

singletonScheduleRole() generates the target ARN hash using stack.resolve(targetArn).toString().
But when targetArn is lambda.Function.functionArn, stack.resolve() returns an object {"Fn::GetAtt":["xxxxxx","Arn"]}, so toString() returns the constant string "[object Object]".
This means different lambda functions share the same hash.

Using JSON.stringify() instead of .toString() may resolve this.

Additional Information/Context

No response

CDK CLI Version

2.146.0

Framework Version

No response

Node.js Version

20.14.0

OS

Ubuntu 20.04

Language

TypeScript

Language Version

No response

Other information

#28713: same error message, but reproduction steps differ.
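As an added illustration of the hash collision described under Possible Solution (this is not code from the issue or from aws-cdk): two constructed stand-ins for what stack.resolve(fn.functionArn) returns collapse to one hash under toString(), while JSON.stringify() keeps them apart, and a literal ARN string hashes distinctly either way. The md5 digest and the logical IDs are assumptions for this example; as the thread notes further down, toString() turned out not to be the whole root cause.

```typescript
import { createHash } from 'crypto';

// Constructed stand-ins for what stack.resolve(fn.functionArn) yields for two
// different lambda.Function constructs: an unresolved CloudFormation intrinsic.
// The logical IDs are invented for this example.
const resolvedArn1: unknown = { 'Fn::GetAtt': ['Function1AAA111', 'Arn'] };
const resolvedArn2: unknown = { 'Fn::GetAtt': ['Function2BBB222', 'Arn'] };
// A concrete, already-resolved ARN string (constructed sample value).
const literalArn: unknown = 'arn:aws:lambda:us-east-1:111122223333:function:Imported';

// md5 is assumed here purely as a stand-in for the framework's hashing step.
function md5(input: string): string {
  return createHash('md5').update(input).digest('hex');
}

// Behaviour the report describes: String() on a plain object is the constant
// "[object Object]", so every token-backed ARN maps to one hash and therefore
// to one shared role, which is how principals with different Conditions end
// up in the same assume-role statement.
function roleHashBuggy(resolvedArn: unknown): string {
  return md5(String(resolvedArn));
}

// The reporter's proposed change: serialise the resolved value so the
// intrinsic's logical ID takes part in the hash.
function roleHashFixed(resolvedArn: unknown): string {
  return md5(JSON.stringify(resolvedArn));
}

// Number of distinct roles a set of targets would end up with under hashFn.
function distinctRoles(hashFn: (arn: unknown) => string, arns: unknown[]): number {
  return new Set(arns.map(hashFn)).size;
}

const sampleTargets = [resolvedArn1, resolvedArn2, literalArn];
console.log('buggy:', distinctRoles(roleHashBuggy, sampleTargets)); // 2 (both intrinsics collide)
console.log('fixed:', distinctRoles(roleHashFixed, sampleTargets)); // 3
```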

I tried to make a PR to fix it, but found toString() isn't the root cause.
Two Schedules with the SAME lambda function target produce the same Resolution Error.

Both of your schedulers in the example code have the same ID. I currently get this error message trying to deploy two different schedulers with two different functions as targets.

close as duplicate of #28713

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.