batch: job-definition-arn has trailing ':1'

[alexiswl]

Describe the bug

Hello,

I have created a CDK pipeline with the following stack
https://github.com/umccr/cttso-ica-to-pieriandx/blob/3f1de2c187c0587db97712920a02119d95054628/deploy/cttso-ica-to-pieriandx-cdk/lib/cttso-ica-to-pieriandx-batch-stack.ts

The job definition (https://github.com/umccr/cttso-ica-to-pieriandx/blob/3f1de2c187c0587db97712920a02119d95054628/deploy/cttso-ica-to-pieriandx-cdk/lib/cttso-ica-to-pieriandx-batch-stack.ts) has a jobDefinitionArn attribute,

This job definition arn attribute is added to a IAM Policy used by a lambda role to submit jobs to this batch stack (https://github.com/umccr/cttso-ica-to-pieriandx/blob/3f1de2c187c0587db97712920a02119d95054628/deploy/cttso-ica-to-pieriandx-cdk/lib/cttso-ica-to-pieriandx-batch-stack.ts#L464)

Unforunately this resulted in the following error at runtime

An error occurred (AccessDeniedException) when calling the SubmitJob operation: User: arn:aws:sts::843407916570:assumed-role/cttso-ica-to-pieriandx-de-cttsoicatopieriandxdevba-173SBBKFYE8R6/cttso-ica-to-pieriandx-dev-batch-stack-lambda-function is not authorized to perform: batch:SubmitJob on resource: arn:aws:batch:ap-southeast-2:843407916570:job-definition/cttsoicatopieriandxdevb-3fac93477d7a86a

I then had a look at the policies for the lambda role (and the cloud formation outputs, since it has the jobAttributeArn as an output),

And the jobAttributeArn attribute generated by cloudFormation is

arn:aws:batch:ap-southeast-2:843407916570:job-definition/cttsoicatopieriandxdevb-3fac93477d7a86a:1

Which has a trailing :1???

Expected Behavior

For the jobdefinition attribute ARN to be

arn:aws:batch:ap-southeast-2:843407916570:job-definition/cttsoicatopieriandxdevb-3fac93477d7a86a

not

arn:aws:batch:ap-southeast-2:843407916570:job-definition/cttsoicatopieriandxdevb-3fac93477d7a86a:1

Current Behavior

The stack definition can be found here

Reproduction Steps

I do not have a self-contained version of this error for reproduction

Possible Solution

I have no idea, I did not have this error when working with aws-cdk aws-batch-alpha v2.39.0

Additional Information/Context

No response

CDK CLI Version

2.85.0

Framework Version

No response

Node.js Version

16.13.0 (not sure what cdk on the self-mutating pipeline is using)

OS

Ubuntu

Language

Typescript

Language Version

TypeScript (5.1.3)

Other information

No response

[pahud]

The ARN with trailing :1 should be correct.

export class Demo2Stack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const jobDefn = new batch.EcsJobDefinition(this, 'JobDefn', {
      container: new batch.EcsEc2ContainerDefinition(this, 'containerDefn', {
        image: ecs.ContainerImage.fromRegistry('public.ecr.aws/amazonlinux/amazonlinux:latest'),
        memory: Size.mebibytes(2048),
        cpu: 256,
      }),
    });
    new CfnOutput(this, 'Arn', { value: jobDefn.jobDefinitionArn })

  };
};

demo-12.Arn = arn:aws:batch:us-east-1::job-definition/JobDefnA747EE6E-a8543348e5eef30:1

And I see this in the AWS console

How did you pass this ARN to lambda? I didn't see job_definition.jobDefinitionArn in your lambda env vars?

https://github.com/umccr/cttso-ica-to-pieriandx/blob/3f1de2c187c0587db97712920a02119d95054628/deploy/cttso-ica-to-pieriandx-cdk/lib/cttso-ica-to-pieriandx-batch-stack.ts#L489-L495

[alexiswl]

Hi @pahud, thank you for getting back to me.

Will use the job definition arn over the job definition name instead

Putting this down to user error.

Alexis

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.