
InvokePermission not automatically added to Lambda when triggered via Cloudwatch Rule #555

Closed
jnmullen opened this Issue Aug 13, 2018 · 0 comments

@jnmullen

jnmullen commented Aug 13, 2018

Trying to wire up an EventRule as an input/trigger to a Lambda function, but the permission to allow CloudWatch to invoke the Lambda is not being added automatically.

e.g. I would expect the following to add the permission automatically, but it doesn't:

    const lambdaFunction = new lambda.Lambda(this, 'lambdaFunction', {
        code: new lambda.LambdaS3Code(bucket, 'lambda-cloudwatch-triggered.zip'),
        runtime: lambda.LambdaRuntime.NodeJS810,
        handler: 'index.handler',
        functionName: 'my-cdk-lambda-function'
    });

    const rule = new events.EventRule(this, 'Rule', {
        scheduleExpression: 'cron(0 0 * * ? *)',
    });
    // Expected to also grant events.amazonaws.com lambda:InvokeFunction, scoped to this rule.
    rule.addTarget(lambdaFunction);

Have to add this code in to get the permission added:

    // Explicit grant, scoped to this rule's ARN so only this rule may invoke the function.
    lambdaFunction.addPermission('allowCloudWatchInvocation', {
        principal: new ServicePrincipal('events.amazonaws.com'),
        sourceArn: rule.ruleArn
    });

Output from cdk synth shows this:

    lambdaFunctionInvokedByCloudWatchB3D0554C:
        Type: 'AWS::Lambda::Permission'
        Properties:
            Action: 'lambda:InvokeFunction'
            FunctionName:
                Ref: lambdaFunction940E68AD
            Principal: events.amazonaws.com

@eladb suspected in a gitter chat this was because the sourceArn is missing.

@eladb eladb self-assigned this Aug 14, 2018

eladb added a commit that referenced this issue Aug 14, 2018

fix(aws-lambda): CloudWatch event rule permissions
Lambda permissions granted when it was added as an event rule target
did not include "SourceArn" as required. This allowed any event rule
to trigger the function, and also did not show as a trigger in the AWS
Lambda console.

Added an integration test to verify.

BREAKING CHANGE

To fix this, we needed to modify `IEventRuleTarget` to pass the ARN of
the rule and a unique ID to the registered target in order to allow it
to specify the Source ARN. This required fixing all existing event rule
targets (which, so far would return a role to be assumed by CWE, so the
source ARN was not required).

Fixes #555
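To catch this class of mistake before deployment, here is an added example in TypeScript (not code from the aws-cdk project): it walks the Resources of a synthesized CloudFormation template and flags AWS::Lambda::Permission entries whose Principal is a service principal but which carry neither SourceArn nor SourceAccount, exactly the shape of the `cdk synth` output quoted in the issue. The sample template is constructed for this example; logical IDs ending in EXAMPLE are placeholders.

```typescript
// Added example, not code from the aws-cdk project: lint a synthesized
// CloudFormation template for AWS::Lambda::Permission resources that let a
// service principal invoke a function without SourceArn or SourceAccount.
// Without that scoping the grant is not tied to one rule, so any rule of the
// service could invoke the function (the problem the commit above corrects).

interface CfnResource { Type: string; Properties?: { [key: string]: unknown } }
interface Template { Resources: { [logicalId: string]: CfnResource } }
interface Finding { logicalId: string; principal: string; reason: string }

function findUnscopedServicePermissions(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::Lambda::Permission") { continue; }
    const props: { [key: string]: unknown } = res.Properties || {};
    const principal = props["Principal"];
    // Only literal service principals are checked; account IDs and intrinsics are skipped.
    if (typeof principal !== "string" || !/\.amazonaws\.com$/.test(principal)) { continue; }
    // SourceArn/SourceAccount may be literals or intrinsics ({ Ref }, { Fn::GetAtt });
    // their presence is what scopes the grant, so presence is what is tested.
    const scoped = props["SourceArn"] !== undefined || props["SourceAccount"] !== undefined;
    if (!scoped) {
      findings.push({ logicalId, principal,
        reason: "service principal may invoke without SourceArn/SourceAccount" });
    }
  }
  return findings;
}

// Constructed sample template: the unscoped permission from the issue's
// `cdk synth` output, plus a scoped one of the kind the fix emits
// (logical IDs ending in EXAMPLE are placeholders, not real CDK output).
const sampleTemplate: Template = { Resources: {
  lambdaFunctionInvokedByCloudWatchB3D0554C: { Type: "AWS::Lambda::Permission", Properties: {
    Action: "lambda:InvokeFunction", FunctionName: { Ref: "lambdaFunction940E68AD" },
    Principal: "events.amazonaws.com" } },
  lambdaFunctionAllowCloudWatchInvocationEXAMPLE: { Type: "AWS::Lambda::Permission", Properties: {
    Action: "lambda:InvokeFunction", FunctionName: { Ref: "lambdaFunction940E68AD" },
    Principal: "events.amazonaws.com", SourceArn: { "Fn::GetAtt": ["RuleEXAMPLE", "Arn"] } } },
} };
```

Running the check over `sampleTemplate` flags only the first permission; the second is scoped to the rule's ARN and passes.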

@eladb eladb closed this in #558 Aug 14, 2018

eladb added a commit that referenced this issue Aug 14, 2018

fix(aws-lambda): CloudWatch event rule permissions (#558)