
custom-resources: make the CustomResource depend on the AwsCustomResource that created it #28049

Open
2 tasks done
toxygene opened this issue Nov 17, 2023 · 2 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@toxygene

Describe the feature

It's currently not possible to make the CustomResource created by an AwsCustomResource depend on other resources. As a result, code that would otherwise appear to be correct fails due to dependency issues.

Use Case

To an end user, the following code looks correct, but causes an error:

import { Stack, StackProps } from 'aws-cdk-lib';
import { SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
import { Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { Topic } from 'aws-cdk-lib/aws-sns';
import { AwsCustomResource, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

class MyStack extends Stack {
  constructor(scope: Construct, id: string, options: StackProps) {
    super(scope, id, options);

    // Existing VPC, resolved at synth time by tag.
    const vpc = Vpc.fromLookup(
      this,
      'Vpc',
      {
        tags: {
          AccountResourceId: 'Vpc'
        }
      }
    );

    const topic = new Topic(
      this,
      'Topic'
    );

    // Execution role for the custom resource's Lambda provider. It starts with no permissions.
    const role = new Role(
      this,
      'Role',
      {
        assumedBy: new ServicePrincipal('lambda.amazonaws.com')
      }
    );

    // The ManagedPolicy attaches itself to the role. It grants the ENI permissions a
    // VPC-attached Lambda function needs plus sns:SetTopicAttributes on the topic.
    const managedPolicy = new ManagedPolicy(
      this,
      'ManagedPolicy',
      {
        roles: [role],
        statements: [
          new PolicyStatement({
            actions: [
              'ec2:CreateNetworkInterface',
              'ec2:DescribeNetworkInterfaces',
              'ec2:DeleteNetworkInterface',
              'ec2:AssignPrivateIpAddresses',
              'ec2:UnassignPrivateIpAddresses',
            ],
            effect: Effect.ALLOW,
            resources: ['*']
          }),
          new PolicyStatement({
            actions: [
              'sns:SetTopicAttributes'
            ],
            effect: Effect.ALLOW,
            resources: [topic.topicArn]
          })
        ]
      }
    );

    // The provider function runs inside the VPC using the role above.
    const customResource = new AwsCustomResource(
      this,
      'CustomResource',
      {
        onCreate: {
          service: 'sns',
          action: 'SetTopicAttributes',
          parameters: {
            AttributeName: 'SQSSuccessFeedbackSampleRate',
            AttributeValue: '100',
            TopicArn: topic.topicArn,
            Version: '2010-03-31'
          },
          physicalResourceId: PhysicalResourceId.of(`${topic.topicName}-SQSSuccessFeedbackSampleRate`)
        },
        role: role,
        vpc: vpc,
        vpcSubnets: {
          subnetType: SubnetType.PRIVATE_WITH_EGRESS
        }
      }
    );

    // Intended to make the custom resource wait until the policy is attached to the role.
    customResource.node.addDependency(managedPolicy);
  }
}

This causes the following error:

Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400, Request ID: 7fdc9ef3-f44a-4f4f-8f87-b3b438ca9ebd)" (RequestToken: 519f5445-5cd6-1b0e-e5b1-fc55d1ee9e06, HandlerErrorCode: InvalidRequest)

Proposed Solution

Adding the following to AwsCustomResource fixes the issue:

this.customResource.node.addDependency(this);

I have a fork created that implements this change: https://github.com/toxygene/aws-cdk

Other Information

It should be noted that there is a workaround for this issue: create the ManagedPolicy first, then pass that managed policy to the Role constructor. I found this workaround frustrating because the AwsCustomResource was dictating how I created resources instead of me dictating it.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.110.0

Environment details (OS name and version, etc.)

macOS Ventura 13.6.1

@toxygene toxygene added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2023
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Nov 17, 2023
@pahud
Contributor

pahud commented Nov 17, 2023

Can we make your AwsCustomResource depend on the ManagedPolicy?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2023
@toxygene
Author

Can we make your AwsCustomResource depend on the ManagedPolicy?

customResource.node.addDependency(managedPolicy);

I'm sorry if the variable names I used are causing confusion. customResource is an AwsCustomResource. The dependency created by the addDependency call does not create a dependency between the managedPolicy and the CustomResource created by AwsCustomResource (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/custom-resources/lib/aws-custom-resource/aws-custom-resource.ts#L478-L489).

You can see my proposed change here: toxygene@de3209b#diff-59a2455f55b99a83244003b2f56eef71ba3c0539f6f1ff273e662e66bc0bf08eR490

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 17, 2023
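Whether a construct-level dependency reaches the CloudFormation resource that actually fails is visible in the synthesized template (`cdk synth`): CloudFormation orders creation by explicit `DependsOn` entries plus the implicit edges that `Ref` and `Fn::GetAtt` references create. The TypeScript below is an added example, not code from this issue or from aws-cdk-lib. It walks those edges and lists every resource that is created only after a named one, and applies that check to two templates constructed by hand to mirror the reproducer above and the `managedPolicies` workaround from the issue (the logical IDs `Role`, `ManagedPolicy`, `ProviderFunction` and `CustomResource`, and the subnet and security group IDs, are placeholders rather than real synth output).

```typescript
// Added example, not code from the issue or from aws-cdk-lib: given a
// CloudFormation template, list the resources CloudFormation will create only
// after a given resource exists. Ordering comes from explicit DependsOn entries
// and from the implicit edges that Ref / Fn::GetAtt references create.

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DependsOn?: string | string[];
}

interface Template {
  Resources: Record<string, CfnResource>;
}

// Push every logical ID that `value` points at through Ref or Fn::GetAtt onto `out`.
// Refs to parameters and pseudo-parameters are skipped because they are not resource IDs.
function collectRefs(value: unknown, ids: string[], out: string[]): void {
  if (Array.isArray(value)) {
    value.forEach((item) => collectRefs(item, ids, out));
    return;
  }
  if (value === null || typeof value !== 'object') return;
  const obj = value as Record<string, unknown>;
  const ref = obj.Ref;
  if (typeof ref === 'string' && ids.indexOf(ref) >= 0 && out.indexOf(ref) < 0) out.push(ref);
  const getAtt = obj['Fn::GetAtt'];
  if (Array.isArray(getAtt) && typeof getAtt[0] === 'string' && ids.indexOf(getAtt[0]) >= 0 && out.indexOf(getAtt[0]) < 0) {
    out.push(getAtt[0]);
  }
  Object.keys(obj).forEach((key) => collectRefs(obj[key], ids, out));
}

// logicalId -> logical IDs it must wait for (direct edges only).
function dependencyGraph(template: Template): Record<string, string[]> {
  const ids = Object.keys(template.Resources);
  const graph: Record<string, string[]> = {};
  ids.forEach((id) => {
    const resource = template.Resources[id];
    const deps: string[] = [];
    collectRefs(resource.Properties, ids, deps);
    const explicit = resource.DependsOn === undefined ? [] : ([] as string[]).concat(resource.DependsOn);
    explicit.forEach((dep) => { if (deps.indexOf(dep) < 0) deps.push(dep); });
    graph[id] = deps.filter((dep) => dep !== id);
  });
  return graph;
}

// True when `id` transitively waits for `target`.
function waitsFor(graph: Record<string, string[]>, id: string, target: string): boolean {
  const seen: Record<string, boolean> = {};
  const stack = (graph[id] || []).slice();
  while (stack.length > 0) {
    const current = stack.pop() as string;
    if (current === target) return true;
    if (seen[current]) continue;
    seen[current] = true;
    (graph[current] || []).forEach((dep) => stack.push(dep));
  }
  return false;
}

// Every resource that transitively waits for `target`, sorted for stable output.
function resourcesWaitingFor(template: Template, target: string): string[] {
  const graph = dependencyGraph(template);
  return Object.keys(graph).filter((id) => id !== target && waitsFor(graph, id, target)).sort();
}

// Constructed by hand to mirror the issue's reproducer (placeholder IDs, not cdk synth output).
// ManagedPolicy({ roles: [role] }) renders as Roles: [Ref Role] on the policy, so the only
// edge between the two points policy -> role.
const AS_REPORTED: Template = {
  Resources: {
    Role: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{ Action: 'sts:AssumeRole', Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' } }],
        },
      },
    },
    ManagedPolicy: {
      Type: 'AWS::IAM::ManagedPolicy',
      Properties: {
        Roles: [{ Ref: 'Role' }],
        PolicyDocument: {
          Statement: [{ Action: ['ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface'], Effect: 'Allow', Resource: '*' }],
        },
      },
    },
    ProviderFunction: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Role: { 'Fn::GetAtt': ['Role', 'Arn'] },
        VpcConfig: { SubnetIds: ['subnet-constructed'], SecurityGroupIds: ['sg-constructed'] },
      },
    },
    CustomResource: {
      Type: 'Custom::AWS',
      Properties: { ServiceToken: { 'Fn::GetAtt': ['ProviderFunction', 'Arn'] } },
    },
  },
};

// The issue's workaround: create the ManagedPolicy first and hand it to
// Role({ managedPolicies: [...] }), which renders as ManagedPolicyArns: [Ref ManagedPolicy]
// on the role instead of Roles on the policy. The edge now points role -> policy.
function applyWorkaround(template: Template): Template {
  const copy: Template = JSON.parse(JSON.stringify(template));
  const policyProps: Record<string, unknown> = { ...(copy.Resources.ManagedPolicy.Properties || {}) };
  delete policyProps.Roles;
  copy.Resources.ManagedPolicy.Properties = policyProps;
  copy.Resources.Role.Properties = {
    ...(copy.Resources.Role.Properties || {}),
    ManagedPolicyArns: [{ Ref: 'ManagedPolicy' }],
  };
  return copy;
}

console.log('as reported, waits for ManagedPolicy:', resourcesWaitingFor(AS_REPORTED, 'ManagedPolicy')); // []
console.log('with workaround, waits for ManagedPolicy:', resourcesWaitingFor(applyWorkaround(AS_REPORTED), 'ManagedPolicy')); // [ 'CustomResource', 'ProviderFunction', 'Role' ]
```

To run the same check on a real stack, read the template JSON from the stack's file under `cdk.out` in place of the constructed object. In the as-reported shape the policy attaches itself to the role, so nothing that uses the role is ordered after the policy; with the workaround, `new Role(this, 'Role', { assumedBy: new ServicePrincipal('lambda.amazonaws.com'), managedPolicies: [managedPolicy] })` and no `roles` on the ManagedPolicy, the role references the policy ARN, and the provider function and custom resource inherit that ordering through their own references to the role.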