(aws-events): Cross Stack Rule Requires Concrete Account #18405
Comments
jatsrt
added
bug
ryparker
added
guidance
|
Her @jatsrt 👋🏻 This is intentional. Importing a resource using a method such as See How to define environment in CDK |
ryparker
added
@aws-cdk/aws-events
|
Hello, as discussed in #18255, this used to work when using cdk.ScopedAws (in cdk 1.138.0). CDK didn't need to know the region & account when using the I created a reproducer stack (when using with codepipeline since it's my use case but the issue seems to be the same) : https://github.com/cbm-gplassard/cdk-lambda-events-reproducer Maybe the |
|
@ryparker the top level env that is being passed in with the scope to the lookup has both account and region defined in it in this scenario. So, I think (again worked previously) this should work as it does have an account to base the lookup on. |
|
This is what was generated by CDK <= 2.3.0, which for a same account, same region would be correct and scoped right. |
|
@ryparker and @cbm-gplassard Ae we sure we are talking about the same issue. |
|
Hello @jatsrt , indeed you're right we don't have exactly the same use case as if I understand correctly
But both use cases trigger the same error message and might be cause by the same issue. And as you said both use cases used to work with previous versions and should continue to work IMHO |
|
I see the same issue @jatsrt is describing. Through the change from #18255 the account and region are trying to be imported from the lambda arn which is not known yet, since it is being imported. Not sure if this is something we can fix in the events section here. |
|
We are blocked with the same issue as @jatsrt but with a slightly different config: Account and region are passed in with the scope so are known at synth time (Stack is part of a Stage). We are also using the sameEnvironment flag here to allow for permission changes - could the same flag disable this cross-account error check? As above it was working in v2.3 |
|
Workaround: Importing stack: |
|
Hey all, thanks for the discussion here. I can reproduce this issue that's been described here. I can confirm that this functionality was working prior to v2.4.0, and is still broken on the current version. Interestingly enough, I've found that the issue only occurs if you specify the environment on your stack. |
peterwoodworth
added
bug
|
I believe adding |
|
Hey @peterwoodworth - are there any plans to fix this? Really blocked by this at the moment |
|
@peterwoodworth I'm blocked by this too, unfortunately. I tried the workaround suggested by @markilott (using Function.fromFunctionAttributes instead of Function.fromFunctionArn), but still got the same error. |
|
You can know the Lambda Function is definitely in the same account, but CDK can't know that because all you're giving it is an ARN that it can't look into ( lambda.Function.fromFunctionArn(this, 'Fn', fn.importValue('FunctionArn'));
// ^^^^^ ^^^^^^^^^^^^
// the combination of these is the problemThe solution is to use If all you have is an ARN, parse it first to get the function name out (dropping the account and region on the floor, telling CDK not to worry about it): const functionArn = Fn.importValue('FunctionArn');
const functionName = Arn.split(functionArn, ArnFormat.COLON_RESOURCE_NAME).resourceName;
const fn = lambda.Function.fromFunctionName(this, 'Fn', functionName!);In case the resource you are importing only has a const stateMachineArn = Fn.importValue('StateMachineArn');
const stackLocalArn = stack.formatArn({
...stack.splitArn(stateMachineArn,ArnFormat.COLON_RESOURCE_NAME),
account: stack.account,
region: stack.region,
});
const stateMachine = sfn.StateMachine.fromStateMachineArn(stack, 'SM', stackLocalArn); |
|
Why is there not just an easy way to override the environment for any event target? Seems silly to have to mess around with all this ARN parsing logic when typically the environment is known and can just be injected manually. |
|
@gravitylow would you rather have: const fn = lambda.Function.fromFunctionArn(this, 'Fn', Fn.importValue('FunctionArn'), {
env: {
account: Stack.of(this).account,
region: Stack.of(this).region,
},
});? |
|
Actually in my case I'm dealing with a stepFunction having this issue, so I'd rather be able to override it at the |
|
I am convinced now that treating a "floating" region and account as being equal to the "current" region and account is the most desirable behavior. While the current way is technically correct it is also very inconvenient in many common use cases. The use case we are optimizing for (cross-env targets) is likely to be much more rare. |
|
I upgrade from cdk v1.45 to cdk 1.168 and is getting the same error when importing state machine of the same stack |
When a rule and a rule target are in different environments (account and/or region) we have to perform some extra setup to get the cross environment stuff working. Previously if one of the environments was not defined then we assumed that we were working in a cross environment fashion and we threw an error message. It is probably a much more common scenario for both the stacks to be deployed to the same environment if one of the environments is not defined. This PR updates the logic to make that assumption and to provide a warning to the user that if they _are_ working in a cross environment setup they need to provide the environment. fix #18405 ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
What is the problem?
When setting up a rule against a lambda defined in another stack that is in the same account and region. CDK is now returning an error:
"You need to provide a concrete account for the target stack when using cross-account or cross-region events"
This is for any CDK version > 2.3.0
Reproduction Steps
Create and export the ARN of a lambda function from one stack. Add a policy to the function that allows "lambda:InvokeFunction". In another stack use "Function.fromFunctionArn"
Example:
What did you expect to happen?
Expect the rule to be created and the rule is able to execute the remote function.
What actually happened?
/cdk/node_modules/aws-cdk-lib/aws-events/lib/rule.ts:134 throw new Error('You need to provide a concrete account for the target stack when using cross-account or cross-region events');CDK CLI Version
2.7.0
Framework Version
2.7.0
Node.js Version
16.13.1
OS
OSX M1
Language
Typescript
Language Version
4.5
Other information
No response
The text was updated successfully, but these errors were encountered: