aws-cdk: success and failure lambdas for state machines are being duplicated in iam roles #30059
Labels
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
bug
This issue is a bug.
closing-soon
This issue will automatically close in 4 days unless further comments are made.
effort/medium
Medium work item – several days of effort
p2
response-requested
Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Comments
theomantz-luna
added
bug
github-actions
bot
added
the
@aws-cdk/aws-iam
This was referenced May 6, 2024
theomantz-luna
changed the title
|
Hi Can you elaborate more about the issue? This is my testing code export class DummyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
// dummy lambda function
const fn = new lambda.Function(this, 'CatchFn', {
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromInline('foo'),
handler: 'dummy.handler',
});
const fntask = new sfntasks.LambdaInvoke(this, 'CatchFnInvoke', {
lambdaFunction: fn,
});
const fn2 = new lambda.Function(this, 'NextFn', {
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromInline('bar'),
handler: 'dummy.handler',
});
const fn2task = new sfntasks.LambdaInvoke(this, 'NextFnInvoke', {
lambdaFunction: fn2,
});
const start = new sfntasks.LambdaInvoke(this, 'StartState', {
lambdaFunction: new lambda.Function(this, 'StartLambda', {
runtime: lambda.Runtime.NODEJS_LATEST,
code: lambda.Code.fromInline('start'),
handler: 'dummy.handler',
}),
})
const definitionBody = sfn.DefinitionBody.fromChainable(
start
.addCatch(
fntask.next(
new sfn.Fail(this, " Fail State"),
),
)
.next(fn2task),
)
new sfn.StateMachine(this, 'StateMachine', {
definitionBody,
})
}
}And I got this in the default policy of the state machine execution role: {
"Version": "2012-10-17",
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Resource": [
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-CatchFn9B5768B8-ga1bHwyKMnlm",
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-NextFn2EC1E31E-2qr1IoR8eTSX",
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-StartLambda81613300-GgkyN4bUAdvo",
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-CatchFn9B5768B8-ga1bHwyKMnlm:*",
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-NextFn2EC1E31E-2qr1IoR8eTSX:*",
"arn:aws:lambda:us-east-1:<DEDUCTED>:function:dummy-stack2-StartLambda81613300-GgkyN4bUAdvo:*"
],
"Effect": "Allow"
}
]
}Can you clarify which entries are redundant and should be removed? |
pahud
added
p2
response-requested
|
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
the
closing-soon
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
success and failure lambdas for state machines are being duplicated in iam generated roles.
Expected Behavior
the success / failure path lambda should be added to the associated policy once.
Current Behavior
when creating a success and error lambda for each lambda in a state machine, each success and failure lambda is added to the iam policy document. even when they are the same lambda. due to this, iam policy document size limits are reached quickly as each document that has success and failure lambdas associated with it has n+(n * 2) resources added (where n is the number of unique lambda functions).
Reproduction Steps
create a definition body with the following general format:
Possible Solution
perform a minimal compression on the iam policy document before deploying so that lambdas with duplicate names are not added to the same policy document
Additional Information/Context
No response
CDK CLI Version
2.133
Framework Version
No response
Node.js Version
v18.20.2
OS
macOS (silicon)
Language
TypeScript
Language Version
5.4.4
Other information
No response
The text was updated successfully, but these errors were encountered: