(aws-config): Creating multiple rules from the same lambda fails #17582

Closed
fitzoh opened this issue Nov 19, 2021 · 2 comments · Fixed by #21594
Labels
@aws-cdk/aws-config Related to AWS Config bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments


fitzoh commented Nov 19, 2021

What is the problem?

If you create a (python) lambda and use it as the lambda function for multiple custom config rules, it will fail with the following error:
jsii.errors.JSIIError: There is already a Construct with name 'Permission' in PythonFunction [MonolithicConfigRuleLambda]

This appears to be similar to #9756 which was fixed in 1.61.0

Reproduction Steps

Create a (python) lambda function and use it to create more than one custom AWS Config rule

        rule_lambda = aws_lambda_python.PythonFunction(
            self,
            f"MonolithicConfigRuleLambda",
            runtime=aws_lambda.Runtime.PYTHON_3_9,
            entry=str(Path(__file__).parent / "config_lambda"),
            index="handler.py",
            handler="lambda_handler",
            memory_size=512,
            timeout=core.Duration.seconds(60),
        )
        aws_config.CustomRule(
            self,
            "Rule1",
            config_rule_name="Rule1",
            rule_scope=aws_config.RuleScope.from_tag("Key"),
            configuration_changes=True,
            lambda_function=rule_lambda,
        )
        aws_config.CustomRule(
            self,
            "Rule2",
            config_rule_name="Rule2",
            rule_scope=aws_config.RuleScope.from_tag("Key"),
            configuration_changes=True,
            lambda_function=rule_lambda,
        )

What did you expect to happen?

Create many config rules using a single lambda

What actually happened?

The following error is received:
jsii.errors.JSIIError: There is already a Construct with name 'Permission' in PythonFunction [MonolithicConfigRuleLambda]

CDK CLI Version

1.130.0

Framework Version

No response

Node.js Version

15.14.0

OS

MacOS

Language

Python

Language Version

3.9

Other information

You can work around it by referencing the function by arn for subsequent calls:

        rule_lambda = aws_lambda_python.PythonFunction(
            self,
            f"MonolithicConfigRuleLambda",
            runtime=aws_lambda.Runtime.PYTHON_3_9,
            entry=str(Path(__file__).parent / "config_lambda"),
            index="handler.py",
            handler="lambda_handler",
            memory_size=512,
            timeout=core.Duration.seconds(60),
        )
        aws_config.CustomRule(
            self,
            "Rule1",
            config_rule_name="Rule1",
            rule_scope=aws_config.RuleScope.from_tag("Key"),
            configuration_changes=True,
            lambda_function=rule_lambda,
        )
        rule_lambda_copy = aws_lambda.Function.from_function_arn(self, "MonolithicConfigRuleLambdaCopy", rule_lambda.function_arn)
        aws_config.CustomRule(
            self,
            "Rule2",
            config_rule_name="Rule2",
            rule_scope=aws_config.RuleScope.from_tag("Key"),
            configuration_changes=True,
            lambda_function=rule_lambda_copy,
        )
        aws_config.CustomRule(
            self,
            "Rule3",
            config_rule_name="Rule3",
            rule_scope=aws_config.RuleScope.from_tag("Key"),
            configuration_changes=True,
            lambda_function=rule_lambda_copy,
        )
@fitzoh fitzoh added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2021
@github-actions github-actions bot added the @aws-cdk/aws-config Related to AWS Config label Nov 19, 2021
@NGL321 NGL321 added the p2 label Nov 22, 2021
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p1 and removed p2 needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2021
@rix0rrr rix0rrr removed their assignment Nov 22, 2021
@watany-dev
Contributor

This is because the id of addPermission is set to a fixed value of "permission", which means that only one can be set in the stack.

Try the following modification

  1. Add the name of each config rule to the id. This will allow multiple custom rules to be handled in one stack.
  2. Do the id check before addPermission. This will allow only one permission to be granted to a custom rule from the config service.

watany-dev added a commit to watany-dev/aws-cdk that referenced this issue Aug 14, 2022
watany-dev added a commit to watany-dev/aws-cdk that referenced this issue Aug 15, 2022
watany-dev added a commit to watany-dev/aws-cdk that referenced this issue Aug 26, 2022
@mergify mergify bot closed this as completed in #21594 Oct 19, 2022
mergify bot pushed a commit that referenced this issue Oct 19, 2022
fixes #17582 

because the id of ".addPermission" is set to a fixed value of "permission", which means that only one can be set in the stack.

1. Add a unique suffix to the id. This will allow multiple custom rules to be handled in one stack.
2. Do the id check before addPermission. This will allow only one permission to be granted to a custom rule from the config service.

Addendum:
I have created a hash from FunctionName, AccountID, and Region to make the suffix unique.
Therefore, the omitted parts in the test code have been modified to fix the result.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
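
The collision and the fix described in this thread, as an added example that is not the aws-cdk source: a small stand-alone model of a construct tree in which child ids must be unique per scope. The class and function names, the `CustomRulePermission` id prefix and the account/region values used with it are assumptions made for illustration.

```python
import hashlib
import json


class Construct:
    """Minimal model of a construct-tree node: child ids are unique per scope."""

    def __init__(self, scope=None, id=""):
        self.id, self.children = id, {}
        if scope is not None:
            if id in scope.children:
                raise ValueError(
                    f"There is already a Construct with name '{id}' in {scope.id}")
            scope.children[id] = self

    def try_find_child(self, id):
        return self.children.get(id)


class Function(Construct):
    def __init__(self, scope, id, name, account, region):
        super().__init__(scope, id)
        self.name, self.account, self.region = name, account, region

    def add_permission(self, id, principal):
        perm = Construct(self, id)  # the permission is a child of the function
        perm.principal = principal
        return perm


def custom_rule_before(scope, id, fn):
    """Behaviour reported in the issue: every rule reuses one fixed child id."""
    fn.add_permission("Permission", "config.amazonaws.com")
    return Construct(scope, id)


def custom_rule_after(scope, id, fn):
    """Behaviour described in the fix: hashed id, granted only if absent."""
    seed = json.dumps({"fn": fn.name, "account": fn.account, "region": fn.region})
    perm_id = "CustomRulePermission" + hashlib.sha256(seed.encode()).hexdigest()
    if fn.try_find_child(perm_id) is None:
        fn.add_permission(perm_id, "config.amazonaws.com")
    return Construct(scope, id)


def permission_count(fn):
    """Number of permission children attached to the function."""
    return sum(1 for c in fn.children.values() if hasattr(c, "principal"))
```

With the id check in place, any number of rules sharing one function leave exactly one invoke permission for the Config service principal on it, which is also what a reviewer would expect to see in the synthesized template.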
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mrgrain pushed a commit to mrgrain/aws-cdk that referenced this issue Oct 24, 2022
fixes aws#17582 
