
(aws-lambda): deprecate feature flag @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy introduced in pr-33291 #33688

Open
QuantumNeuralCoder opened this issue Mar 4, 2025 · 1 comment
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@QuantumNeuralCoder
Contributor

Describe the bug

This issue is to deprecate the feature flag @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy, i.e. unset the default values, due to a risk found as described below. PR-33291 introduced the feature flag.
In the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role.
This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created.
We recommend unsetting the feature flag if it is already set, which will restore the original behavior.
sample-app

import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { UserPool } from 'aws-cdk-lib/aws-cognito';
import { Construct } from 'constructs';

export class MyappStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const fn = new lambda.Function(this, 'MyLambda', {
      code: new lambda.InlineCode('foo'),
      handler: 'index.handler',
      runtime: lambda.Runtime.NODEJS_20_X,
    });

    // The function is wired in as a Cognito trigger, so the user pool references it.
    const userPool = new UserPool(this, 'myUserPoolTest', {
      lambdaTriggers: {
        fn,
      },
    });

    // The statement references the user pool ARN; with the feature flag on it lands
    // in a separate AWS::IAM::Policy that the function no longer depends on.
    const cognitoPolicy = new iam.PolicyStatement({
      actions: ['cognito:*'],
      resources: [userPool.userPoolArn],
    });

    fn.addToRolePolicy(cognitoPolicy);
  }
}

old template

Resources:
  MyLambdaServiceRole4539ECB6:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/Resource
  MyLambdaServiceRoleDefaultPolicy5BBC6F68:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cognito:*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - myUserPoolTestD44472FC
                - Arn
        Version: "2012-10-17"
      PolicyName: MyLambdaServiceRoleDefaultPolicy5BBC6F68
      Roles:
        - Ref: MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/DefaultPolicy/Resource
  MyLambdaCCE802FB:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: foo
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - MyLambdaServiceRole4539ECB6
          - Arn
      Runtime: nodejs20.x
    DependsOn:
      - MyLambdaServiceRoleDefaultPolicy5BBC6F68
      - MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/Resource
  myUserPoolTestFnCognito7EF64C97:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - MyLambdaCCE802FB
          - Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - myUserPoolTestD44472FC
          - Arn
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/FnCognito
  myUserPoolTestD44472FC:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_phone_number
            Priority: 1
          - Name: verified_email
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      EmailVerificationMessage: The verification code to your new account is {####}
      EmailVerificationSubject: Verify your new account
      LambdaConfig: {}
      SmsVerificationMessage: The verification code to your new account is {####}
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: The verification code to your new account is {####}
        EmailSubject: Verify your new account
        SmsMessage: The verification code to your new account is {####}
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/4VRTUtDMRD8LeYoadSKiL1VQfD2qPUkRdJkfd02HyXJU0rIf3dfkxbBg6ckMzszu9mpuLl/ENcX8jtOlN5NDK5Ffk1S7ThBH9lIu9ZS5OfBqYTevWemvAY2Y5eMs4102kBorzC4hLZyZcWfPt1JNd47CBZjpFfhKK3IC2+A7GSMgwX9eGCzzPYBncK9NHOlPNk151ozCuZHvxrBmZVO9qA7b1AhRDYjv9/YYR5a7apwitJ66btTRK0YNY1NNPbmxRl0cOZI+w95HHRsjVd8RM+CpR+ZPz5/Ya3p0xNYcCm2lo7G1bNw5XuHyYv8FiF03huatO5mGbDvIZAql6o5lZTCFxD9EBS0IEerE9t49TW9FXe09W1EnLS1iUU9fwDTmWW+EgIAAA==
    Metadata:
      aws:cdk:path: MyappStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

new template

Resources:
  MyLambdaServiceRole4539ECB6:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/ServiceRole/Resource
  MyLambdaCCE802FB:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: foo
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - MyLambdaServiceRole4539ECB6
          - Arn
      Runtime: nodejs20.x
    DependsOn:
      - MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/Resource
  MyLambdainlinePolicyAddedToExecutionRole0E0144580:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: cognito:*
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - myUserPoolTestD44472FC
                - Arn
        Version: "2012-10-17"
      PolicyName: MyLambdainlinePolicyAddedToExecutionRole0E0144580
      Roles:
        - Ref: MyLambdaServiceRole4539ECB6
    Metadata:
      aws:cdk:path: MyappStack/MyLambda/inlinePolicyAddedToExecutionRole-0/Resource
  myUserPoolTestFnCognito7EF64C97:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Fn::GetAtt:
          - MyLambdaCCE802FB
          - Arn
      Principal: cognito-idp.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - myUserPoolTestD44472FC
          - Arn
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/FnCognito
  myUserPoolTestD44472FC:
    Type: AWS::Cognito::UserPool
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_phone_number
            Priority: 1
          - Name: verified_email
            Priority: 2
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      EmailVerificationMessage: The verification code to your new account is {####}
      EmailVerificationSubject: Verify your new account
      LambdaConfig: {}
      SmsVerificationMessage: The verification code to your new account is {####}
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: The verification code to your new account is {####}
        EmailSubject: Verify your new account
        SmsMessage: The verification code to your new account is {####}
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: MyappStack/myUserPoolTest/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/4WRT0sDMRDFP4s5SjbWiiC9VUHwVrb1VIqkybidNn9KklVKyHd3ttlCxYOnJG/mvV+GmYr7p4mY3Mjv2Ch9aAxuRV4mqQ6cpI9spN1qKfJr71RC79aZKa+Bzdgt42wnnTYQxlfoXUJba2XDXz7dxTXcFxAsxkivwlFakVtvgOJkjL0F/Xxis8yOAZ3CozRzpTzFjcm1ZzDMz3kVwZmVTnagF96gQohsRnnX2mkext5N4YRKNNjuzRl0UOvkoOo/xfMoA5xXnSAxyQQWXIrjV8iv9fJKXedr5soP/j+03/KZUxGFK985TF7k9whh4b0hal3GKmDXQSBGLtVzaSmFtxB9HxSMIEe7Evt49zV9EI+05n1EbMY9ibaeP+lWiooDAgAA
    Metadata:
      aws:cdk:path: MyappStack/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.179.0

Expected Behavior

Expected Policy attachment

{
    "RoleName": "MyExampleRole",
    "Policies": [
        {
            "PolicyName": "InlineS3AccessPolicy",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": "s3:ListBucket",
                        "Resource": "arn:aws:s3:::example-bucket"
                    }
                ]
            }
        }
    ]
}

Current Behavior

Described above

Reproduction Steps

Described above

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.1002.0

Framework Version

No response

Node.js Version

v23.5.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response
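As an added example (not code from the CDK project or from this issue), a check that can be run over a synthesized template to flag the ordering gap described above: every AWS::Lambda::Function whose DependsOn omits an AWS::IAM::Policy attached to its execution role. The sampleTemplate fixture is constructed here to mirror the old and new templates in the issue.

```typescript
// Added example (not CDK project code): flag Lambda functions in a synthesized
// CloudFormation template that do not DependsOn the AWS::IAM::Policy resources
// attached to their execution role, the ordering gap this issue describes.
type Resource = { Type: string; Properties?: any; DependsOn?: string | string[] };
type Template = { Resources: { [logicalId: string]: Resource } };

// Logical id behind a { Ref: id } or { "Fn::GetAtt": [id, attr] } reference.
function logicalIdOf(v: any): string | undefined {
  return v?.Ref ?? v?.['Fn::GetAtt']?.[0];
}

// Returns { functionId: [policy ids the function is not ordered after] }.
export function findUnorderedPolicies(t: Template): { [fn: string]: string[] } {
  const policiesByRole: { [roleId: string]: string[] } = {};
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== 'AWS::IAM::Policy') continue;
    for (const role of r.Properties?.Roles ?? []) {
      const roleId = logicalIdOf(role);
      if (roleId) (policiesByRole[roleId] = policiesByRole[roleId] || []).push(id);
    }
  }
  const findings: { [fn: string]: string[] } = {};
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    if (r.Type !== 'AWS::Lambda::Function') continue;
    const roleId = logicalIdOf(r.Properties?.Role) ?? '';
    const deps = ([] as string[]).concat(r.DependsOn ?? []);
    const missing = (policiesByRole[roleId] || []).filter(p => deps.indexOf(p) < 0);
    if (missing.length) findings[id] = missing;
  }
  return findings;
}

// Constructed fixture mirroring the old (flag OFF) and new (flag ON) templates above.
export function sampleTemplate(flagOn: boolean): Template {
  const roleId = 'MyLambdaServiceRole4539ECB6';
  const policyId = flagOn ? 'MyLambdainlinePolicyAddedToExecutionRole0E0144580'
                          : 'MyLambdaServiceRoleDefaultPolicy5BBC6F68';
  const t: Template = { Resources: {} };
  t.Resources[roleId] = { Type: 'AWS::IAM::Role' };
  t.Resources[policyId] = { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: roleId }] } };
  t.Resources.MyLambdaCCE802FB = {
    Type: 'AWS::Lambda::Function',
    Properties: { Role: { 'Fn::GetAtt': [roleId, 'Arn'] } },
    // With the flag on, CDK no longer lists the policy in DependsOn.
    DependsOn: flagOn ? [roleId] : [policyId, roleId],
  };
  return t;
}
```

Run it against the JSON output of `cdk synth` to see which functions may be created before their policies; an empty result means every function is ordered after the policies on its role.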

@QuantumNeuralCoder QuantumNeuralCoder added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 4, 2025
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Mar 4, 2025
@QuantumNeuralCoder QuantumNeuralCoder self-assigned this Mar 4, 2025
@pahud pahud added p2 effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. p2 labels Mar 4, 2025
@pahud
Contributor

pahud commented Mar 4, 2025

Thank you. Let me attach a mermaid chart to better explain this issue.

Making this a p1. We'll review your PR when it's ready.

flowchart TB
    title["Lambda Permissions Behavior Comparison"]
    title --> behavior1
    title --> behavior2
    
    subgraph behavior1["Original Behavior (Feature Flag OFF)"]
        direction TB
        A1[User Creates Lambda Function] --> B1[IAM Role Created]
        B1 --> C1[Default Policy Attached to Role]
        C1 --> D1["Lambda Function DependsOn Default Policy"]
        A1 --> E1["Function.addToRolePolicy() Called"]
        E1 --> F1["Updates Existing Default Policy"]
        D1 --> G1["Lambda Function Deployed AFTER Policies Ready"]
        F1 --> G1
    end
    
    subgraph behavior2["New Behavior (Feature Flag ON - Creates Race Condition)"]
        direction TB
        A2[User Creates Lambda Function] --> B2[IAM Role Created]
        A2 --> E2["Function.addToRolePolicy() Called"]
        B2 --> C2["Lambda Function Created Without Dependency on Policies"]
        E2 --> F2["Creates NEW Separate Policy and Attaches to Role"]
        C2 --> G2["Lambda Function May Deploy BEFORE Policies Ready"]
        F2 --> H2["Policy Created Later (Race Condition)"]
        G2 -- "Runtime Error Risk" --> X["⚠️ Missing Permissions at Runtime"]
    end
    
    subgraph circular["Circular Dependency Example"]
        direction TB
        A3[User Creates Lambda Function] --> B3[Lambda Added as Cognito Trigger]
        B3 --> C3[Cognito UserPool Created with Lambda Reference]
        C3 --> D3[UserPool ARN Available]
        D3 --> E3["Function.addToRolePolicy(cognito:* on UserPool)"]
        E3 --> F3["Creates Circular Dependency"]
        F3 -- "Flag ON" --> G3["Policy Detached: Deployable but Race Condition"]
        F3 -- "Flag OFF" --> H3["Static Dependency: Hard to Deploy"]
    end
