Unable to set a lambda's role from CDK

Question:

I have the following code:

EventbridgeToLambda(
    self,
    "Some",
    lambda_function_props=lambda_.FunctionProps(
        code=lambda_.InlineCode(lambda_code),
        handler="index.lambda_handler",
        runtime=lambda_.Runtime.PYTHON_3_8,
        # Set timeout to something other than 3 seconds
        timeout=Duration.seconds(45),
        layers=[lambdaLayer],
        environment={
            "S3_BUCKET": "dev_environment_bucket",
        },
        role=iam.Role.from_role_arn(
            self, id="x", role_arn="arn:aws:iam::numbers:path/rolename", mutable=True
        ),
        vpc=ec2.Vpc.from_lookup(self, "VPC", vpc_id="vpc-0hex"),
        allow_public_subnet=True,
        vpc_subnets=ec2.SubnetSelection(
            subnets=[ec2.Subnet.from_subnet_id(self, "Subnet", "subnet-0hex")]
        ),
        security_groups=[ec2.SecurityGroup.from_lookup_by_id(self, "SG", "sg-0hex")],
    ),
    event_rule_props=events.RuleProps(
        schedule=events.Schedule.cron(
            minute="*", hour="0-3,11-23", day="*", month="*", year="*"
        )
    ),
)

If I manually install/create this lambda, there is a specific role I need to set in the Configuration->Basic Settings->Edit panel. If I forget to set this role, then when I go to set up the configuration in Configuration->VPC, the correct vpc/subnet/security-groups are not available to choose from the list.

The above CDK code will work to set arbitrary vpc/subnet/security-groups, I’ve tested it and that part seems to work. However, I am unable to figure out why I’m not able to set the role. When I attempt to synth/deploy, I receive the following warnings/errors:

WARN AWS_SOLUTIONS_CONSTRUCTS_WARNING:  An override has been provided for the property: role[physicalName].
WARN AWS_SOLUTIONS_CONSTRUCTS_WARNING:  An override has been provided for the property: role[grantPrincipal].
WARN AWS_SOLUTIONS_CONSTRUCTS_WARNING:  An override has been provided for the property: role[roleName].
WARN AWS_SOLUTIONS_CONSTRUCTS_WARNING:  An override has been provided for the property: role[roleArn].
WARN AWS_SOLUTIONS_CONSTRUCTS_WARNING:  An override has been provided for the property: role[policyFragment][principalJson][AWS][0].
jsii.errors.JavaScriptError: 
  TypeError: Cannot read properties of undefined (reading 'cfnOptions')
      at Object.addCfnSuppressRules (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/jsii-kernel-VO2cY2/node_modules/@aws-solutions-constructs/core/lib/utils.js:138:18)
      at deployLambdaFunction (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/jsii-kernel-VO2cY2/node_modules/@aws-solutions-constructs/core/lib/lambda-helper.js:135:17)
      at Object.buildLambdaFunction (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/jsii-kernel-VO2cY2/node_modules/@aws-solutions-constructs/core/lib/lambda-helper.js:33:20)
      at new EventbridgeToLambda (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/jsii-kernel-VO2cY2/node_modules/@aws-solutions-constructs/aws-eventbridge-lambda/lib/index.js:23:40)
      at Kernel._create (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/tmpucsljbww/lib/program.js:9964:29)
      at Kernel.create (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/tmpucsljbww/lib/program.js:9693:29)
      at KernelHost.processRequest (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/tmpucsljbww/lib/program.js:11544:36)
      at KernelHost.run (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/tmpucsljbww/lib/program.js:11504:22)
      at Immediate._onImmediate (/private/var/folders/_0/8_jcp7n556xdgnb70mfxh95m0000gn/T/tmpucsljbww/lib/program.js:11505:46)
      at process.processImmediate (node:internal/timers:471:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "app.py", line 16, in <module>
    SomeStack(app, "DataIngestion", env=Environment(account='numbers', region='us-east-1'))
  File "/Users/john/Projects/z-data-ingestion-v2/.venv/lib/python3.8/site-packages/jsii/_runtime.py", line 112, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/john/Projects/z-data-ingestion-v2/cdk_stacks/lambdasSomeStack.py", line 43, in __init__
    EventbridgeToLambda(self, 'Some',
  File "/Users/john/Projects/quext-data-ingestion-v2/.venv/lib/python3.8/site-packages/jsii/_runtime.py", line 112, in __call__
    inst = super().__call__(*args, **kwargs)
  File "/Users/john/Projects/z-data-ingestion-v2/.venv/lib/python3.8/site-packages/aws_solutions_constructs/aws_eventbridge_lambda/__init__.py", line 204, in __init__
    jsii.create(self.__class__, self, [scope, id, props])
  File "/Users/john/Projects/z-data-ingestion-v2/.venv/lib/python3.8/site-packages/jsii/_kernel/__init__.py", line 334, in create
    response = self.provider.create(
  File "/Users/john/Projects/quext-data-ingestion-v2/.venv/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 363, in create
    return self._process.send(request, CreateResponse)
  File "/Users/john/Projects/z-data-ingestion-v2/.venv/lib/python3.8/site-packages/jsii/_kernel/providers/process.py", line 340, in send
    raise RuntimeError(resp.error) from JavaScriptError(resp.stack)
RuntimeError: Cannot read properties of undefined (reading 'cfnOptions')

I can use this role when configuring Lambdas manually. It is pre-existing, I’m not trying to create a new one. The syntax seems correct. I suspect that there is some missing configuration that I need to set if I need a role other than default, but it’s unclear what that’d be. I saw something in the documents about how sometimes it’s necessary to remove the path portion of the ARN, and I’ve tried it both with and without that. Without the path portion, the stack trace is identical, except that the last line says cannot read properties of undefined (reading 'split'). I assume this is because it’s expecting the path to be present.

iam.Role.from_role_name() behaves similarly.

I’m just trying to match with CDK what I can do by hand. What am I missing or failing to understand?

Asked By: John O


Answers:

I guess you are probably using aws-eventbridge-lambda from AWS Solutions Constructs, which provides a default lambda function role for you and does not allow you to override it.

See Pattern Properties for more details.

Answered By: Pahud Hsieh