Aws-cdk: [aws-events] Rule.addTarget(new LambdaFunction(Function.fromFunctionArn(...))) does not add trigger to Lambda

Created on 24 Sep 2020  路  5Comments  路  Source: aws/aws-cdk

No trigger on AWS Lambda for Rule Target in different CF Stack

  1. Rule.addTarget(new LambdaFunction(Function.fromFunctionArn(...))) does not add trigger to Lambda, where the Lambda is on another existing CF stack. The Rule has correct Lambda name in place and when I do edit+save on the Rule on AWS Console without changing anything, the trigger gets added to Lambda.

  2. We would like this Rule to be updated on every release to point a new Lambda (arn), so that in any time the Rule has only single target, but also the previous Lambda doesn't have the trigger in place anymore.

Reproduction Steps

  import { Function as LFunction } from "@aws-cdk/aws-lambda";

  public eventSubscription = new Rule(
    this,
    "MyEvent for my Lambda",
    {
      eventBus: EventBus.fromEventBusArn(
        this,
        "My EventBus",
        this.stack.getEnvrionmentVariable("eventBusArn")
      ),
      eventPattern: {
        detailType: [
          "myEvent",
        ],
      },
    }
  ).addTarget(
    new LambdaFunction(
      LFunction.fromFunctionArn(
        this,
        "myLambda",
        this.config.myLambdaArn
      )
    )
  );

What did you expect to happen?

Expected the Lambda to have the trigger in place and thus get the events from EventBridge as input events.

What actually happened?

Lambda didn't get any input trigger and didn't get any events either.

Environment

  • CLI Version : CDK 1.61.1 (?)
  • Framework Version: CDK 1.61.1
  • Node.js Version: NodeJS 12 (?)
  • OS : aws/codebuild/standard:3.0... TBD
  • Language (Version): Typescript (?)

Other

The Rule has correct Lambda name in place and when I do edit+save on the Rule on AWS Console without changing anything, the trigger gets added to Lambda.

This is :bug: Bug Report

@aws-cdaws-events bug efformedium p1
Source
picture dforsber

All 5 comments

Hello,

I believe I am facing the same problem using CloudWatchEvents to trigger an existent function.

The problem is that the Lambda Resource Policy is not created.

If I run:
aws lambda get-policy --function-name MyFunction --region us-east-1

I get :

A client error (ResourceNotFoundException) occurred when calling the GetPolicy operation: The resource you requested does not exist.

So, if I run the following command to add a Lambda ResourcePolicy:

aws lambda add-permission \
--function-name MyFunction \
--statement-id MyId \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn arn:aws:events:us-east-1:123456789012:rule/MyRule

Then the trigger works as expected.

I have also tried to add the ResourcePolicy explicitly in the CDK app but it didn't work (should this be in a separate bug ticket?).

const lambdaFunction = Function.fromFunctionArn(this, "triggerFunction", "arn:aws:lambda:us-east-1:xxxxxxx:function:dummy");

        const onCommitRule = repo.onCommit('OnCommit', {
            ruleName: "myRule",
            target: new targets.LambdaFunction(lambdaFunction)
          });

The CDK code above won't create a ResourcePolicy in the lambda function.

lambdaFunction.addPermission("cloudWatchEvents", {
            principal: new ServicePrincipal('events.amazonaws.com'),
            sourceArn: onCommitRule.ruleArn
        });

The code above will not create a ResourcePolicy in the Lambda function as well.

Please advise if I should create a different ticket for adding a permission to an existent function.

PS: I have not tried setting a target to a Lambda function created in the same stack.

marcioemiranda picture marcioemiranda on 26 Sep 2020
👍1

Quick update: The problem does not occur if the Lambda function is created in the same stack.

Adding the Lambda function as a target to the Rule will automatically create the Resource Policy and everything works as expected.

marcioemiranda picture marcioemiranda on 26 Sep 2020
👍1

I added permission for the Lambda for events.amazonaws.com principal in the same stack where the Lambda is created. Then the Rule specified in another started working. However, Lambda AWS Console does not show any triggers as source, but the resource policy (permissions tab) still shows the permission. So, it works, but AWS Console is a bit inconsistent.

In general, I tend to like the fact that a stack can't modify resources in another stack. Not sure if this is by design or whether CF would need to have some additional permissions to be able to do cross stack changes while deploying the stack.

dforsber picture dforsber on 28 Sep 2020
👍1

I'll try what you are suggesting @dforsber , because for me eventbridge is creating the rule, attaching the trigger but it's never being invoked which si weird.
I have the lambda and the rule in two different CDK Stacks
If I edit and save the rule it starts working, my impression was a policy issue and I can see here that's the problem, add target is not adding the permission.

I'll try this solution.
Thanks

leantorres73 picture leantorres73 on 30 Sep 2020

The base-function construct implements the following:

  /**
   * Whether the addPermission() call adds any permissions
   *
   * True for new Lambdas, false for version $LATEST and imported Lambdas
   * from different accounts.
   */
  protected abstract readonly canCreatePermissions: boolean;

canCreatePermissions is automatically set to false when the stack doesn't match the stack of the Lambda function.

And canCreatePermission must be true for Function.addPermission to actually create the Lambda::Permission resource.

However, there is a solution to overcome that. You just need to do it the other way. Instead of calling the repository.onCommit in the stack where the repository is created, you want to do it on the Stack where the lambda function is created.

See example below:

#!/usr/bin/env node
import 'source-map-support/register';

import { App, Construct, Stack, StackProps } from '@aws-cdk/core';
import { IRepository, Repository } from '@aws-cdk/aws-codecommit';
import { LambdaFunction } from '@aws-cdk/aws-events-targets';
import { Code, Function, IFunction, Runtime } from '@aws-cdk/aws-lambda';

const app = new App();

interface LambdaStackProps extends StackProps {
  repositoryName: string;
}

class LambdaStack extends Stack {
  fn: IFunction;
  constructor(scope: Construct, id: string, props: LambdaStackProps) {
    super(scope, id, props);

    this.fn = new Function(this, 'lambda', {
      runtime: Runtime.NODEJS_12_X,
      code: Code.fromAsset('lambdas/oncommit'),
      handler: 'index.handler',
    });

    let repository = Repository.fromRepositoryName(this, 'repo', props.repositoryName);

    repository.onCommit('on-commit', {
      target: new LambdaFunction(this.fn),
    });
  }
}

class CodeCommitStack extends Stack {
  repository: IRepository;
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    this.repository = new Repository(this, 'my-test-repository', {
      repositoryName: 'my-test-repository',
    });
  }
}

let codecommit = new CodeCommitStack(app, 'codecommit-stack');

let lambdaStack = new LambdaStack(app, 'lambda-stack', {
  repositoryName: codecommit.repository.repositoryName,
});

Hope it helps !

DaWyz picture DaWyz on 3 Oct 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Kent1 picture Kent1  路  3Comments
EduardTheThird picture EduardTheThird  路  3Comments
eladb picture eladb  路  3Comments
schof picture schof  路  3Comments
kawamoto picture kawamoto  路  3Comments