
custom-resources: make the CustomResource depend on the AwsCustomResource that created it #28049

Open
2 tasks done
toxygene opened this issue Nov 17, 2023 · 2 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@toxygene

Describe the feature

It's currently not possible to make the CustomResource created by an AwsCustomResource depend on other resources. As a result, code that would otherwise appear to be correct fails due to dependency issues.

Use Case

To an end user, the following code looks correct, but causes an error:

import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Vpc, SubnetType } from 'aws-cdk-lib/aws-ec2';
import { Topic } from 'aws-cdk-lib/aws-sns';
import { Role, ServicePrincipal, ManagedPolicy, PolicyStatement, Effect } from 'aws-cdk-lib/aws-iam';
import { AwsCustomResource, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

class MyStack extends Stack {
  constructor(scope: Construct, id: string, options: StackProps) {
    super(scope, id, options);

    const vpc = Vpc.fromLookup(
      this,
      'Vpc',
      {
        tags: {
          AccountResourceId: 'Vpc'
        }
      }
    );

    const topic = new Topic(
      this,
      'Topic'
    );

    const role = new Role(
      this,
      'Role',
      {
        assumedBy: new ServicePrincipal('lambda.amazonaws.com')
      }
    );

    const managedPolicy = new ManagedPolicy(
      this,
      'ManagedPolicy',
      {
        roles: [role],
        statements: [
          new PolicyStatement({
            actions: [
              'ec2:CreateNetworkInterface',
              'ec2:DescribeNetworkInterfaces',
              'ec2:DeleteNetworkInterface',
              'ec2:AssignPrivateIpAddresses',
              'ec2:UnassignPrivateIpAddresses',
            ],
            effect: Effect.ALLOW,
            resources: ['*']
          }),
          new PolicyStatement({
            actions: [
              'sns:SetTopicAttributes'
            ],
            effect: Effect.ALLOW,
            resources: [topic.topicArn]
          })
        ]
      }
    );

    const customResource = new AwsCustomResource(
      this,
      'CustomResource',
      {
        onCreate: {
          service: 'sns',
          action: 'SetTopicAttributes',
          parameters: {
            AttributeName: 'SQSSuccessFeedbackSampleRate',
            AttributeValue: '100',
            TopicArn: topic.topicArn,
            Version: '2010-03-31'
          },
          physicalResourceId: PhysicalResourceId.of(`${topic.topicName}-SQSSuccessFeedbackSampleRate`)
        },
        role: role,
        vpc: vpc,
        vpcSubnets: {
          subnetType: SubnetType.PRIVATE_WITH_EGRESS
        }
      }
    );

    customResource.node.addDependency(managedPolicy);
  }
}

This causes the following error:

Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400, Request ID: 7fdc9ef3-f44a-4f4f-8f87-b3b438ca9ebd)" (RequestToken: 519f5445-5cd6-1b0e-e5b1-fc55d1ee9e06, HandlerErrorCode: InvalidRequest)

Proposed Solution

Adding the following to AwsCustomResource fixes the issue:

this.customResource.node.addDependency(this);

I have a fork created that implements this change: https://github.com/toxygene/aws-cdk

Other Information

It should be noted that there is a workaround for this issue: create the ManagedPolicy first, then pass that managed policy to the Role constructor. I found this workaround frustrating because the AwsCustomResource was dictating how I created resources instead of me dictating it.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.110.0

Environment details (OS name and version, etc.)

macOS Ventura 13.6.1
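As an added example, not code from the issue or from aws-cdk: a pre-deploy check in TypeScript over a synthesized CloudFormation template that flags a Lambda function whose execution role gets its permissions from a policy that nothing orders before the function, which is the ordering gap behind the CreateNetworkInterface error above. The template shape, the sample resources and the function names are assumptions for illustration.

```typescript
// Added illustration (not CDK or issue code): scan a synthesized CloudFormation template for
// Lambda functions whose role gets permissions from a policy that nothing orders before them.
type Resource = { Type: string; Properties?: any; DependsOn?: string | string[] };
type Template = { Resources: Record<string, Resource> };
// Logical IDs referenced anywhere inside a value via Ref or Fn::GetAtt.
function refsIn(value: unknown, out = new Set<string>()): Set<string> {
  if (Array.isArray(value)) { value.forEach(v => refsIn(v, out)); return out; }
  if (value && typeof value === 'object') {
    const o = value as Record<string, unknown>;
    if (typeof o.Ref === 'string') out.add(o.Ref);
    const att = o['Fn::GetAtt'];
    if (Array.isArray(att) && typeof att[0] === 'string') out.add(att[0]);
    Object.values(o).forEach(v => refsIn(v, out));
  }
  return out;
}
// Everything CloudFormation must create before `id`: DependsOn plus intrinsic references, transitively.
function orderedAfter(t: Template, id: string, seen = new Set<string>()): Set<string> {
  const r = t.Resources[id];
  if (!r || seen.has(id)) return seen;
  seen.add(id);
  const direct = refsIn(r.Properties);
  ([] as string[]).concat(r.DependsOn ?? []).forEach(d => direct.add(d));
  direct.forEach(d => orderedAfter(t, d, seen));
  return seen;
}
// [functionId, policyId] pairs where the policy is attached to the function's role but the function is not guaranteed to wait for it.
function findUnorderedPolicies(t: Template): [string, string][] {
  const out: [string, string][] = [];
  for (const [fnId, fn] of Object.entries(t.Resources)) {
    if (fn.Type !== 'AWS::Lambda::Function') continue;
    const roleIds = refsIn(fn.Properties?.Role);
    const waitsFor = orderedAfter(t, fnId);
    for (const [polId, pol] of Object.entries(t.Resources)) {
      if (pol.Type !== 'AWS::IAM::Policy' && pol.Type !== 'AWS::IAM::ManagedPolicy') continue;
      const attached = Array.from(refsIn(pol.Properties?.Roles));
      if (attached.some(r => roleIds.has(r)) && !waitsFor.has(polId)) out.push([fnId, polId]);
    }
  }
  return out;
}
// Constructed sample mirroring the issue: the policy is attached to the role and the function uses the role, but nothing orders the policy first.
const sampleTemplate: Template = { Resources: {
  Role: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {} } },
  ManagedPolicy: { Type: 'AWS::IAM::ManagedPolicy', Properties: { Roles: [{ Ref: 'Role' }] } },
  Handler: { Type: 'AWS::Lambda::Function', Properties: { Role: { 'Fn::GetAtt': ['Role', 'Arn'] } } },
} };
```

Running the check on `cdk synth` output (`cdk.out/<stack>.template.json`) before deploying surfaces the missing ordering as a finding instead of a CloudFormation rollback; adding `DependsOn` on the policy, or attaching the policy through the role, makes it pass.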

@toxygene toxygene added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2023
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Nov 17, 2023
@pahud
Contributor

pahud commented Nov 17, 2023

Can we make your AwsCustomResource depend on the ManagedPolicy?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2023
@toxygene
Author

Can we make your AwsCustomResource depend on the ManagedPolicy?

customResource.node.addDependency(managedPolicy);

I'm sorry if the variable names I used are causing confusion. customResource is an AwsCustomResource. The dependency created by the addDependency call does not create a dependency between the managedPolicy and the CustomResource created by AwsCustomResource (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts#L478-L489).

You can see my proposed change here: toxygene@de3209b#diff-59a2455f55b99a83244003b2f56eef71ba3c0539f6f1ff273e662e66bc0bf08eR490

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 17, 2023