
CDK deploy is not updating the changes to IAM statement policy #3538

Closed
1 of 5 tasks
harmohan-a opened this issue Aug 5, 2019 · 3 comments
Labels
investigating This issue is being investigated and/or work is in progress to resolve the issue. package/tools Related to AWS CDK Tools or CLI

Comments


harmohan-a commented Aug 5, 2019

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

I had a cdk stack that included appsync, lambda, dax, dynamo. I updated the stack by granting permission on the table to the lambda:

dynamoTable.grantReadWriteData(lambdaFunction);

Doing a cdk diff shows the changes:

(screenshot: cdk diff output showing the IAM statement changes, taken 2019-08-05)

When I do cdk deploy, I get the deploying... message but nothing actually happens:

Do you wish to deploy these changes (y/n)? y
DaxDdbApiCdkStack: deploying...
harmohan:dax-ddb-api-cdk administrator$ 
  • What is the expected behavior (or behavior of feature suggested)?

cdk deploy should update the IAM policy.

  • What is the motivation / use case for changing the behavior or adding this feature?

  • Please tell us about your environment:

    • CDK CLI Version: 1.3.0
    • Module Version: 1.3.0
    • OS: [all | Windows 10 | OSX Mojave | Ubuntu | etc... ]
    • Language: TypeScript
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

@harmohan-a harmohan-a added the needs-triage This issue or PR still needs to be triaged. label Aug 5, 2019
nmussy (Contributor) commented Aug 9, 2019

I haven't been able to reproduce your issue with what you've described. I've created the following stack:

import { AttributeType, Table } from '@aws-cdk/aws-dynamodb';
import { Code, Function, Runtime } from '@aws-cdk/aws-lambda';

// DynamoDB table with a single string partition key
const table = new Table(this, 'table', {
    partitionKey: { name: 'id', type: AttributeType.STRING }
});

// Lambda whose execution role receives the grant; the inline handler takes
// the Node.js callback as its third argument (the original snippet used an undefined `cb`)
const lambda = new Function(this, 'function', {
    runtime: Runtime.NODEJS_8_10,
    handler: 'index.handler',
    code: Code.inline('exports.handler = (event, context, cb) => cb(null, "test");'),
});

Deploying that stack, and then adding table.grantReadWriteData(lambda); works fine:

>npx cdk diff
Stack DynamoTestStack
IAM Statement Changes
┌───┬───────────────┬────────┬───────────────────────────────────────────┬───────────────────────────────────────────┬───────────┐
│   │ Resource      │ Effect │ Action                                    │ Principal                                 │ Condition │
├───┼───────────────┼────────┼───────────────────────────────────────────┼───────────────────────────────────────────┼───────────┤
│ + │ ${table.Arn}  │ Allow  │ dynamodb:BatchGetItem                     │ AWS:${function/ServiceRole}               │           │
│   │               │        │ dynamodb:BatchWriteItem                   │                                           │           │
│   │               │        │ dynamodb:DeleteItem                       │                                           │           │
│   │               │        │ dynamodb:GetItem                          │                                           │           │
│   │               │        │ dynamodb:GetRecords                       │                                           │           │
│   │               │        │ dynamodb:GetShardIterator                 │                                           │           │
│   │               │        │ dynamodb:PutItem                          │                                           │           │
│   │               │        │ dynamodb:Query                            │                                           │           │
│   │               │        │ dynamodb:Scan                             │                                           │           │
│   │               │        │ dynamodb:UpdateItem                       │                                           │           │
└───┴───────────────┴────────┴───────────────────────────────────────────┴───────────────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See http://bit.ly/cdk-2EhF7Np)

Resources
[+] AWS::IAM::Policy function/ServiceRole/DefaultPolicy functionServiceRoleDefaultPolicy5ACF569A
[~] AWS::Lambda::Function function functionF19B1A04
 └─ [~] DependsOn
     └─ @@ -1,3 +1,4 @@
        [ ] [
        [+]   "functionServiceRoleDefaultPolicy5ACF569A",
        [ ]   "functionServiceRoleEF216095"
        [ ] ]
> npx cdk deploy
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬───────────────┬────────┬───────────────────────────────────────────┬───────────────────────────────────────────┬───────────┐
│   │ Resource      │ Effect │ Action                                    │ Principal                                 │ Condition │
├───┼───────────────┼────────┼───────────────────────────────────────────┼───────────────────────────────────────────┼───────────┤
│ + │ ${table.Arn}  │ Allow  │ dynamodb:BatchGetItem                     │ AWS:${function/ServiceRole}               │           │
│   │               │        │ dynamodb:BatchWriteItem                   │                                           │           │
│   │               │        │ dynamodb:DeleteItem                       │                                           │           │
│   │               │        │ dynamodb:GetItem                          │                                           │           │
│   │               │        │ dynamodb:GetRecords                       │                                           │           │
│   │               │        │ dynamodb:GetShardIterator                 │                                           │           │
│   │               │        │ dynamodb:PutItem                          │                                           │           │
│   │               │        │ dynamodb:Query                            │                                           │           │
│   │               │        │ dynamodb:Scan                             │                                           │           │
│   │               │        │ dynamodb:UpdateItem                       │                                           │           │
└───┴───────────────┴────────┴───────────────────────────────────────────┴───────────────────────────────────────────┴───────────┘
(NOTE: There may be security-related changes not in this list. See http://bit.ly/cdk-2EhF7Np)

Do you wish to deploy these changes (y/n)? y
DynamoTestStack: deploying...
DynamoTestStack: creating CloudFormation changeset...
 0/2 | 3:38:42 PM | CREATE_IN_PROGRESS   | AWS::IAM::Policy      | function/ServiceRole/DefaultPolicy (functionServiceRoleDefaultPolicy5ACF569A)
 0/2 | 3:38:44 PM | CREATE_IN_PROGRESS   | AWS::IAM::Policy      | function/ServiceRole/DefaultPolicy (functionServiceRoleDefaultPolicy5ACF569A) Resource creation Initiated
 1/2 | 3:38:52 PM | CREATE_COMPLETE      | AWS::IAM::Policy      | function/ServiceRole/DefaultPolicy (functionServiceRoleDefaultPolicy5ACF569A)
 1/2 | 3:38:58 PM | UPDATE_COMPLETE_CLEA | AWS::CloudFormation::Stack | DynamoTestStack
 2/2 | 3:38:58 PM | UPDATE_COMPLETE      | AWS::CloudFormation::Stack | DynamoTestStack

 ✅  DynamoTestStack

Could you give us additional details about your stack to help understand what's blocking the second deployment?
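
An added check that is not part of this thread or of the aws-cdk project: it reads a synthesized template (the JSON cdk synth writes under cdk.out) and reports which of the actions grantReadWriteData() should have given the function's role are absent from the policy on the table's ARN. The template shape is assumed from CDK 1.x output; the policy and role logical IDs are the ones in the diff above, and tableConstructedId is a placeholder for the table's logical ID.

```typescript
// Added example (not code from the issue or the aws-cdk project): check a synthesized template
// (cdk synth output in cdk.out) for the DynamoDB actions grantReadWriteData() gives the role.
type Stmt = { Effect: string; Action: string | string[]; Resource: unknown };
type Template = { Resources: { [id: string]: { Type: string; Properties?: any } } };
// The ten actions grantReadWriteData() emits, as listed in the cdk diff output above.
const READ_WRITE_ACTIONS: string[] = [
  "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem",
  "dynamodb:GetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator",
  "dynamodb:PutItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:UpdateItem",
];
// True if a Resource entry (intrinsic object or list of entries) names the table's Arn.
function refersToTableArn(resource: unknown, tableId: string): boolean {
  if (Array.isArray(resource)) return resource.some((r) => refersToTableArn(r, tableId));
  const getAtt = resource && (resource as any)["Fn::GetAtt"];
  return Array.isArray(getAtt) && getAtt[0] === tableId && getAtt[1] === "Arn";
}
// Every action an AWS::IAM::Policy attached to roleId allows on the table, de-duplicated and sorted.
function grantedTableActions(t: Template, roleId: string, tableId: string): string[] {
  const actions: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (res.Type !== "AWS::IAM::Policy" || !res.Properties) continue;
    const roles: Array<{ Ref?: string }> = res.Properties.Roles || [];
    if (!roles.some((r) => r.Ref === roleId)) continue;
    for (const s of res.Properties.PolicyDocument.Statement as Stmt[]) {
      if (s.Effect !== "Allow" || !refersToTableArn(s.Resource, tableId)) continue;
      for (const a of ([] as string[]).concat(s.Action)) if (actions.indexOf(a) < 0) actions.push(a);
    }
  }
  return actions.sort();
}
// Expected actions absent from the template; empty means the grant is fully synthesized, so a deploy
// that reports nothing to do means the deployed stack already matches, not that the grant was dropped.
function missingReadWriteActions(t: Template, roleId: string, tableId: string): string[] {
  const have = grantedTableActions(t, roleId, tableId);
  return READ_WRITE_ACTIONS.filter((a) => have.indexOf(a) < 0);
}
// Constructed sample modelled on the shape CDK 1.x emits: the policy and role logical IDs are the
// ones in the diff above; "tableConstructedId" is a placeholder for the table's logical ID.
const SAMPLE: Template = {
  Resources: {
    tableConstructedId: { Type: "AWS::DynamoDB::Table" },
    functionServiceRoleDefaultPolicy5ACF569A: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: READ_WRITE_ACTIONS,
          Resource: [{ "Fn::GetAtt": ["tableConstructedId", "Arn"] }, { Ref: "AWS::NoValue" }] }] },
        Roles: [{ Ref: "functionServiceRoleEF216095" }],
      },
    },
  },
};
```

Run it against the real template by replacing SAMPLE with the parsed contents of cdk.out/<stack>.template.json and the placeholder with the table's logical ID from that file.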

@eladb eladb added package/tools Related to AWS CDK Tools or CLI investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 13, 2019
harmohan-a (Author) commented

Hi, initially when it wasn't working I updated the lambda code and the deployment worked fine. I thought that was the workaround. But I've been trying to re-create the same issue since morning and I can't.

I'll close the ticket. Thanks for having a look at it, and sorry for wasting your time.

nmussy (Contributor) commented Aug 15, 2019

No problem!
