[aws-lambda]: Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN #28412

Open
chenwany opened this issue Dec 18, 2023 · 2 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@chenwany

Describe the bug

Hi team,
I hit an issue deploying a versioned Lambda function with AWS CDK. Even though we have the Lambda RemovalPolicy set to RETAIN, the resource-based policy of the Lambda version gets deleted after an update of the stack.

Here are the details:
I have a versioned Lambda function created through AWS CDK.
In order to retain and be able to invoke the old version of the Lambda function when new Lambda versions are created, I set the removal policy to retain through CDK.

    const taskDefinitionProviderLambda = new VersionedLambdaFunction(this, lambdaName, {
        code: LambdaAsset.fromBrazil({
            brazilPackage: lambdaPackage,
            componentName: lambdaName
        }),
        functionName: lambdaName,
        //Enforce the new version when lambda code change.
        description: `${lambdaPackage.name} in release version of ${lambdaPackageFullVersion}`,
        handler: 'my handler...',
        memorySize: 512,
        timeout: Duration.seconds(30),
        runtime: Runtime.JAVA_17,
        currentVersionOptions: {
            removalPolicy: RemovalPolicy.RETAIN,
        },
        environment: {
            "ENDPOINT_METADATA": ...
        },
    });

And I add a resource-based policy for the Lambda version in order to invoke my Lambda function from another account:

    const currentVersion = taskDefinitionProviderLambda.currentVersion;
    currentVersion.grantInvoke(new AccountPrincipal(......));

However, when a stack update generates a new version of the Lambda function, the resource-based policy for the old Lambda version gets removed; only the old Lambda version is retained.

That causes the problem of not being able to invoke old versions of the Lambda from another account.

Expected Behavior

I expected the resource-based policies of the version to be retained.

Current Behavior

Resource-based policies of the Lambda version get deleted.

Reproduction Steps

See above description

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

cdk2

Framework Version

No response

Node.js Version

18

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response
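
One way to spot the condition reported above in a synthesized template, as an added example that is not from the issue author or the CDK project: it flags invoke permissions that reference a retained Lambda version but do not carry `Retain` themselves. It assumes the grant is synthesized as an `AWS::Lambda::Permission` whose `FunctionName` is a `Ref` to the `AWS::Lambda::Version`; `findUnretainedPermissions` is a hypothetical helper, and the template, logical IDs and account ID are constructed.

```typescript
type Resource = {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;
};
type Template = { Resources: Record<string, Resource> };

// Logical ID inside { Ref: "..." }, or undefined for any other value shape.
function refTarget(value: unknown): string | undefined {
  if (typeof value !== "object" || value === null) return undefined;
  const ref = (value as { Ref?: unknown }).Ref;
  return typeof ref === "string" ? ref : undefined;
}

const isRetained = (r: Resource): boolean =>
  r.DeletionPolicy === "Retain" && r.UpdateReplacePolicy === "Retain";

// Logical IDs of permissions that reference a retained version but are not
// retained themselves (assumption: the grant is a Permission with a Ref).
function findUnretainedPermissions(template: Template): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::Lambda::Permission") continue;
    const target = refTarget(res.Properties?.FunctionName);
    const version = target ? template.Resources[target] : undefined;
    if (version?.Type !== "AWS::Lambda::Version") continue;
    if (version?.DeletionPolicy !== "Retain") continue;
    if (!isRetained(res)) findings.push(id);
  }
  return findings.sort();
}

// Constructed sample: logical IDs and the account ID are placeholders.
const invoke = { Action: "lambda:InvokeFunction", Principal: "111111111111" };
const sampleTemplate: Template = {
  Resources: {
    Fn: { Type: "AWS::Lambda::Function" },
    FnVersionA: { Type: "AWS::Lambda::Version", DeletionPolicy: "Retain",
      UpdateReplacePolicy: "Retain", Properties: { FunctionName: { Ref: "Fn" } } },
    VersionInvoke: { Type: "AWS::Lambda::Permission",
      Properties: { ...invoke, FunctionName: { Ref: "FnVersionA" } } },
    VersionInvokeKept: { Type: "AWS::Lambda::Permission", DeletionPolicy: "Retain",
      UpdateReplacePolicy: "Retain", Properties: { ...invoke, FunctionName: { Ref: "FnVersionA" } } },
    FnInvoke: { Type: "AWS::Lambda::Permission",
      Properties: { ...invoke, FunctionName: { Ref: "Fn" } } },
  },
};
console.log(findUnretainedPermissions(sampleTemplate));
```

The check reads the JSON produced by `cdk synth`; it reports the mismatch only and does not change the template.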

@chenwany chenwany added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Dec 18, 2023
@khushail
Contributor

Hi @chenwany, thanks for reaching out. Could you please share which CDK version you are using? Is it v2.115.0 or earlier?

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023
@khushail khushail changed the title Create lambda function version using AWS CDK, Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN [aws-lambda]: Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN Dec 18, 2023
@khushail khushail added p2 effort/medium Medium work item – several days of effort labels Dec 18, 2023
@chenwany
Author

We are using the latest released version.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 19, 2023