aws#17582 Creating-multiple-rules-from-the-same-lambda-fails

packages/@aws-cdk/aws-config/lib/rule.ts

@@ -352,11 +352,14 @@ export class CustomRule extends RuleNew {
         messageType: 'ScheduledNotification',
       });
     }
-
-    props.lambdaFunction.addPermission('Permission', {
-      principal: new iam.ServicePrincipal('config.amazonaws.com'),
-      sourceAccount: this.env.account,
-    });
+    const customRuleFnName: string = props.lambdaFunction.node.id;
+    const customRulePermissionId: string = `customRulePermission-${customRuleFnName}`;
+    if (!props.lambdaFunction.permissionsNode.tryFindChild(customRulePermissionId)) {
+      props.lambdaFunction.addPermission(customRulePermissionId, {
+        principal: new iam.ServicePrincipal('config.amazonaws.com'),
+        sourceAccount: this.env.account,
+      });
+    };
 
     if (props.lambdaFunction.role) {
       props.lambdaFunction.role.addManagedPolicy(

packages/@aws-cdk/aws-config/test/rule.lit.integ.snapshot/aws-cdk-config-rule-integ.template.json

@@ -62,7 +62,7 @@
     "CustomFunctionServiceRoleD3F73B79"
    ]
   },
-  "CustomFunctionPermission41887A5E": {
+  "CustomFunctioncustomRulePermissionCustomFunctionA83F8117": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
     "Action": "lambda:InvokeFunction",
@@ -107,7 +107,7 @@
     }
    },
    "DependsOn": [
-    "CustomFunctionPermission41887A5E",
+    "CustomFunctioncustomRulePermissionCustomFunctionA83F8117",
     "CustomFunctionBADD59E7",
     "CustomFunctionServiceRoleD3F73B79"
    ]

packages/@aws-cdk/aws-config/test/rule.test.ts

@@ -92,7 +92,7 @@ describe('rule', () => {
         MaximumExecutionFrequency: 'Six_Hours',
       },
       DependsOn: [
-        'FunctionPermissionEC8FE997',
+        'FunctioncustomRulePermissionFunction82095E26',
         'Function76856677',
         'FunctionServiceRole675BB04A',
       ],
@@ -417,4 +417,47 @@ describe('rule', () => {
     });
   });
 
-});
+  test('create two custom rule and one function', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const fn = new lambda.Function(stack, 'Function', {
+      code: lambda.AssetCode.fromInline('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.NODEJS_14_X,
+    });
+
+    // WHEN
+    new config.CustomRule(stack, 'Rule1', {
+      configurationChanges: true,
+      description: 'really cool rule',
+      lambdaFunction: fn,
+      maximumExecutionFrequency: config.MaximumExecutionFrequency.SIX_HOURS,
+      configRuleName: 'cool rule 1',
+      periodic: true,
+    });
+    new config.CustomRule(stack, 'Rule2', {
+      configurationChanges: true,
+      description: 'really cool rule',
+      lambdaFunction: fn,
+      configRuleName: 'cool rule 2',
+    });
+
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::Config::ConfigRule', 2);
+    Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 1);
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Function76856677',
+          'Arn',
+        ],
+      },
+      Principal: 'config.amazonaws.com',
+      SourceAccount: {
+        Ref: 'AWS::AccountId',
+      },
+    });
+  });
+});

packages/@aws-cdk/aws-config/test/scoped-rule.integ.snapshot/aws-cdk-config-rule-scoped-integ.template.json

@@ -62,7 +62,7 @@
     "CustomFunctionServiceRoleD3F73B79"
    ]
   },
-  "CustomFunctionPermission41887A5E": {
+  "CustomFunctioncustomRulePermissionCustomFunctionA83F8117": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
     "Action": "lambda:InvokeFunction",
@@ -103,7 +103,7 @@
     }
    },
    "DependsOn": [
-    "CustomFunctionPermission41887A5E",
+    "CustomFunctioncustomRulePermissionCustomFunctionA83F8117",
     "CustomFunctionBADD59E7",
     "CustomFunctionServiceRoleD3F73B79"
    ]