When adding a lambda trigger to a storage db (using a REST DynamoDB), the generated CloudFormation template isn't correct, and prevents the trigger from firing.
To Reproduce
Steps to reproduce the behavior:
amplify add storage
? Please select from one of the below mentioned services **NoSQL Database**
? Please provide a friendly name for your resource that will be used to label this category in the project: **test**
? Please provide table name: **test**
? What would you like to name this column: **id**
? Please choose the data type: **string**
? Would you like to add another column? **No**
? Please choose partition key for the table: **id**
? Do you want to add a sort key to your table? **No**
? Do you want to add global secondary indexes to your table? **No**
? Do you want to add a Lambda Trigger for your Table? **Yes**
? Select from the following options **Create a new function**
? Do you want to edit the local testTrigger624869b1 lambda function now? **No**
Then push your changes with amplify push and manually add an item to the DynamoDB table. The testTrigger function will have an error.
Expected behavior
It should work out of the box
Additional context
The CLI generates these lines in the trigger function's CloudFormation template:
```json
"lambdaexecutionpolicy": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda-execution-policy",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
              {
                "region": {
                  "Ref": "AWS::Region"
                },
                "account": {
                  "Ref": "AWS::AccountId"
                },
                "lambda": {
                  "Ref": "LambdaFunction"
                }
              }
            ]
          }
        }
      ]
    }
  }
},
"testTriggerPolicy": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda-execution-policy",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:DescribeStream",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:ListStreams"
          ],
          "Resource": [
            {
              "Ref": "storagetestStreamArn"
            }
          ]
        }
      ]
    }
  }
},
```
When it should be:
```json
"lambdaexecutionpolicy": {
  "DependsOn": [
    "LambdaExecutionRole"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda-execution-policy",
    "Roles": [
      {
        "Ref": "LambdaExecutionRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": {
            "Fn::Sub": [
              "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
              {
                "region": {
                  "Ref": "AWS::Region"
                },
                "account": {
                  "Ref": "AWS::AccountId"
                },
                "lambda": {
                  "Ref": "LambdaFunction"
                }
              }
            ]
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:DescribeStream",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:ListStreams"
          ],
          "Resource": [
            {
              "Ref": "storagetestStreamArn"
            }
          ]
        }
      ]
    }
  }
},
```
It works after doing the change manually and then pushing the changes.
@thedgbrt Not sure if I get the difference between the two roles that you mentioned. The "testTriggerPolicy" is attached to the lambda Execution Role.
The other two issues which you've tagged aren't related to this.
@kaustavghosh06 I'm not fluent with the way policies get attached to each other; I just tried to fix it until it worked 👨💻
However I can confirm that with the first solution, I get an error that the trigger function doesn't have the necessary permissions. With the second one it works out of the box.
I removed the references to other issues.
I was having similar issues as @kaustavghosh06. I added what he outlined to the first lambda-execution-policy policy name as a Policy Statement:
```json
{
  "Effect": "Allow",
  "Action": [
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams"
  ],
  "Resource": [
    {
      "Ref": "storagetestStreamArn"
    }
  ]
}
```
And deleted the second lambda-execution-policy.
I would add that I had to update the DependsOn in the `<name>Trigger: {}` section of the file because it was depending on the policy that needed to be deleted.
I'm having the same issue. I'm not a CloudFormation expert, but is it possible the two policies in the generated template are clashing? Both the lambdaexecutionpolicy and testTriggerPolicy are setting the same policy name lambda-execution-policy.
When I first tried this, it failed to roll back and left behind a user. The user had only one policy attached, and it specified only the "logs" actions. I saw this through the IAM console.
@jmosul Correct. When I was done, I only had one lambda-execution-policy not two.
I can also confirm that only doing one policy with both statements fixed the issue for me. So thanks for that workaround.
@thedgbrt I apologize for the delay in getting back to you. This should be fixed now.
Closing this issue as this is not reproducible with the latest version of the CLI. Please comment on this issue if you're still facing this.
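The clash discussed in this thread (two AWS::IAM::Policy resources attaching the same PolicyName to one role, so only one set of statements survives as the role's inline policy) can be caught before pushing. The following is an added example, not Amplify CLI code and not posted by anyone in the thread: it parses a template, reports PolicyName clashes per role, and folds each clash group into a single policy, repointing DependsOn entries the way the commenter above had to do by hand. The sample template is constructed from the fragments posted above; the testTrigger resource and its AWS::Lambda::EventSourceMapping type are assumptions standing in for the <name>Trigger section.

```python
# Added example for this thread, not Amplify CLI code: lint a CloudFormation
# template for AWS::IAM::Policy resources that attach the same PolicyName to
# the same role (they map to one inline role policy, so the last one applied
# replaces the other's statements), then merge each clash group into a single
# policy and repoint any DependsOn that named a removed policy.
import copy
import json
from collections import defaultdict

# Constructed sample, trimmed from the fragments posted in this thread. The
# "testTrigger" resource and its EventSourceMapping type are assumptions.
SAMPLE_TEMPLATE_JSON = r"""
{
  "Resources": {
    "LambdaExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "lambdaexecutionpolicy": {
      "DependsOn": ["LambdaExecutionRole"],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-execution-policy",
        "Roles": [{"Ref": "LambdaExecutionRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
          "Effect": "Allow",
          "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
          "Resource": {"Fn::Sub": [
            "arn:aws:logs:${region}:${account}:log-group:/aws/lambda/${lambda}:log-stream:*",
            {"region": {"Ref": "AWS::Region"}, "account": {"Ref": "AWS::AccountId"},
             "lambda": {"Ref": "LambdaFunction"}}]}}]}
      }
    },
    "testTriggerPolicy": {
      "DependsOn": ["LambdaExecutionRole"],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-execution-policy",
        "Roles": [{"Ref": "LambdaExecutionRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                     "dynamodb:GetShardIterator", "dynamodb:ListStreams"],
          "Resource": [{"Ref": "storagetestStreamArn"}]}]}
      }
    },
    "testTrigger": {
      "DependsOn": ["testTriggerPolicy"],
      "Type": "AWS::Lambda::EventSourceMapping",
      "Properties": {}
    }
  }
}
"""


def load_sample():
    return json.loads(SAMPLE_TEMPLATE_JSON)


def _role_key(role):
    # Roles entries are {"Ref": ...}, another intrinsic, or a literal role name.
    return json.dumps(role, sort_keys=True) if isinstance(role, dict) else str(role)


def _as_list(value):
    # DependsOn and Statement may be a single item rather than a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def find_policy_name_clashes(template):
    """Map (role key, PolicyName) -> logical ids, keeping only names that more
    than one AWS::IAM::Policy resource attaches to the same role."""
    seen = defaultdict(list)
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        for role in props.get("Roles", []):
            seen[(_role_key(role), props.get("PolicyName"))].append(logical_id)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def merge_clashing_policies(template):
    """Return a deep copy in which each clash group is folded into its first
    policy: statements appended, the rest removed, DependsOn repointed."""
    fixed = copy.deepcopy(template)
    resources = fixed["Resources"]
    for keep, *drop in find_policy_name_clashes(template).values():
        if keep not in resources:  # already folded into an earlier group
            continue
        keep_doc = resources[keep]["Properties"]["PolicyDocument"]
        merged = _as_list(keep_doc.get("Statement"))
        for lid in drop:
            if lid in resources:
                merged.extend(_as_list(resources[lid]["Properties"]["PolicyDocument"].get("Statement")))
                del resources[lid]
        keep_doc["Statement"] = merged
        for res in resources.values():
            if "DependsOn" in res:
                deps = [keep if d in drop else d for d in _as_list(res["DependsOn"])]
                res["DependsOn"] = list(dict.fromkeys(deps))  # de-duplicate, keep order
    return fixed


if __name__ == "__main__":
    template = load_sample()
    for (role, name), ids in find_policy_name_clashes(template).items():
        print(f"PolicyName {name!r} on role {role} is set by: {', '.join(ids)}")
    print(json.dumps(merge_clashing_policies(template)["Resources"], indent=2))
```

Run it against a real template with `json.load(open(path))` in place of `load_sample()`; a clean template yields an empty clash map. The merge keeps the first policy in template order as the survivor, which is the same choice the workaround in this thread makes by adding the stream statement to the first lambda-execution-policy and deleting the second.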