
(aws-scheduler-targets): singletonScheduleRole() generates targetArn hash incorrectly #30584

Closed
Tietew opened this issue Jun 19, 2024 · 5 comments
Labels
@aws-cdk/aws-scheduler-targets Related to targets of the AWS Scheduler service bug This issue is a bug. duplicate This issue is a duplicate.

Comments

@Tietew
Contributor

Tietew commented Jun 19, 2024

Describe the bug

Creating two or more LambdaInvokes with different lambda functions causes synth time error: Resolution error: All principals in a PolicyStatement must have the same Conditions.
The role is created in ScheduleTargetBase.singletonScheduleRole().

Expected Behavior

Multiple LambdaInvoke with different functions work with no errors.

Current Behavior

Error occurs on synth.

Error: Resolution error: Resolution error: Resolution error: All principals in a PolicyStatement must have the same Conditions (got '{}' and '{"StringEquals":{"aws:SourceAccount":"${Token[AWS.AccountId.6]}"}}'). Use multiple statements instead..
Object creation stack:
  at new PolicyDocument (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1378)
  at createAssumeRolePolicy (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:13332)
  at new Role (.../node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:5544)
  at LambdaInvoke.singletonScheduleRole (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:132:18)
  at LambdaInvoke.bindBaseTargetConfig (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:79:57)
  at LambdaInvoke.bind (.../node_modules/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts:103:17)
  at new Schedule (.../node_modules/@aws-cdk/aws-scheduler-alpha/lib/schedule.ts:315:39)
(snip)
  at node:internal/main/run_main_module:28:49..
    at PolicyStatement.addPrincipalConditions (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:7201)
    at PolicyStatement.addPrincipals (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:2407)
    at new PolicyStatement (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:663)
    at PolicyStatement.copy (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-statement.js:2:6086)
    at mergeIfCombinable (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1847)
    at onePass (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:1032)
    at mergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/private/merge-statements.js:1:660)
    at PolicyDocument._maybeMergeStatements (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:3033)
    at PolicyDocument.resolve (.../node_modules/aws-cdk-lib/aws-iam/lib/policy-document.js:1:1755)
    at RememberingTokenResolver.resolveToken (.../node_modules/aws-cdk-lib/core/lib/resolvable.js:1:1401)

Reproduction Steps

Deploy a stack containing the following lambda functions and schedules.

import * as cdk from 'aws-cdk-lib';
import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
import * as targets from '@aws-cdk/aws-scheduler-targets-alpha';
import * as lambda from 'aws-cdk-lib/aws-lambda';

declare const stack: cdk.Stack;

// First function: lambda.Function needs a runtime, a handler and a Code object.
const func1 = new lambda.Function(stack, 'Function1', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule1', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func1, {}),
});

// Second, distinct function with its own schedule (separate construct ID).
const func2 = new lambda.Function(stack, 'Function2', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => {};'),
});
new scheduler.Schedule(stack, 'Schedule2', {
  schedule: scheduler.ScheduleExpression.rate(cdk.Duration.days(1)),
  target: new targets.LambdaInvoke(func2, {}),
});

Possible Solution

singletonScheduleRole() generates the target ARN hash using stack.resolve(targetArn).toString().
But when targetArn is lambda.Function.functionArn, stack.resolve() returns an object {"Fn::GetAtt":["xxxxxx","Arn"]}, so toString() returns the constant string "[object Object]".
This means different lambda functions share the same hash.

Using JSON.stringify() instead of .toString() may resolve it.

Additional Information/Context

No response

CDK CLI Version

2.146.0

Framework Version

No response

Node.js Version

20.14.0

OS

Ubuntu 20.04

Language

TypeScript

Language Version

No response

Other information

#28713: same error message, but reproduction steps differ.
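The hash collision described under "Possible Solution", shown as an added example that is not part of this issue or of the aws-cdk code base. The two Fn::GetAtt objects stand in for what stack.resolve() returns for an in-stack function's functionArn, the imported ARN string stands in for a function created with Function.fromFunctionArn, and the "SchedulesRole" prefix and the use of SHA-256 for the digest are assumptions made for illustration (the page does not show which hash the library uses). The point is only that .toString() on a resolved intrinsic yields "[object Object]" for every function, so any hash derived from it collides, while JSON.stringify() keeps the logical ID in the hashed input.

```typescript
import { createHash } from 'crypto';

// What stack.resolve(fn.functionArn) yields, per the issue text: an intrinsic
// object for an in-stack function, or a plain string for an imported one.
type ResolvedArn = string | { 'Fn::GetAtt': [string, string] };

// Constructed stand-ins for two distinct in-stack functions (logical IDs assumed).
const FUNC1_ARN: ResolvedArn = { 'Fn::GetAtt': ['Function1ABC123', 'Arn'] };
const FUNC2_ARN: ResolvedArn = { 'Fn::GetAtt': ['Function2DEF456', 'Arn'] };
// Constructed stand-in for Function.fromFunctionArn(), which resolves to a string.
const IMPORTED_ARN: ResolvedArn =
  'arn:aws:lambda:us-east-1:111122223333:function:imported';

// Digest choice is an assumption; the page does not say what the library uses.
function shortHash(input: string): string {
  return createHash('sha256').update(input).digest('hex').slice(0, 8);
}

// Mirrors the pattern described in the issue: hash the result of .toString().
// For an object this is always "[object Object]", so every in-stack function
// maps to the same role ID.
function roleIdBroken(arn: ResolvedArn): string {
  return `SchedulesRole${shortHash(arn.toString())}`;
}

// The proposed variant: serialise first, so the GetAtt target participates
// in the hash and distinct functions get distinct role IDs.
function roleIdFixed(arn: ResolvedArn): string {
  return `SchedulesRole${shortHash(JSON.stringify(arn))}`;
}

// The string that actually gets hashed in the broken variant.
function hashedKeyBroken(arn: ResolvedArn): string {
  return arn.toString();
}

// Does the given ID derivation put both targets on the same role?
function sharesRole(
  derive: (arn: ResolvedArn) => string,
  a: ResolvedArn,
  b: ResolvedArn,
): boolean {
  return derive(a) === derive(b);
}

// Stand-alone demonstration.
console.log('toString() of a GetAtt object:', hashedKeyBroken(FUNC1_ARN));
console.log('broken, func1 vs func2 share role:', sharesRole(roleIdBroken, FUNC1_ARN, FUNC2_ARN));
console.log('fixed,  func1 vs func2 share role:', sharesRole(roleIdFixed, FUNC1_ARN, FUNC2_ARN));
console.log('broken, imported vs func1 share role:', sharesRole(roleIdBroken, IMPORTED_ARN, FUNC1_ARN));
```

Note that the collision only affects targets whose ARN resolves to an intrinsic; an imported function's ARN is already a string, so even the .toString() variant distinguishes it from in-stack functions. As the reporter adds in a later comment, two schedules pointing at the same function still fail in the same way, so the hash collision is not the whole story behind the Resolution error.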

@Tietew Tietew added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-scheduler-targets Related to targets of the AWS Scheduler service label Jun 19, 2024
@Tietew
Contributor Author

Tietew commented Jun 19, 2024

I tried to make a PR to fix it, but found that toString() isn't the root cause.
2 Schedules with the SAME lambda function target cause the same Resolution Error.

@Reb-B

Reb-B commented Jun 19, 2024

Both of your schedulers in the example code have the same ID. I currently get this error message trying to deploy two different schedulers with two different functions as targets.

@Tietew
Contributor Author

Tietew commented Jun 19, 2024

close as duplicate of #28713

@Tietew Tietew closed this as not planned Won't fix, can't repro, duplicate, stale Jun 19, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@khushail khushail added duplicate This issue is a duplicate. and removed needs-triage This issue or PR still needs to be triaged. labels Jun 25, 2024
@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024