-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
aws-pipes: CfnPipe does not wait for DDB Stream to be created before checking if it has permissions to read from it. #31211
Comments
Looks like I will create an internal ticket with relevant team for clarifying. |
internal tracking: V1497473646 |
We need to explicitly ensure the Pipe depends on the role as well as the default policy // ensure the pipe depends on the logging role default policy as well as the role
const cfndefaultPolicy = pipeRole.node.tryFindChild('DefaultPolicy') as iam.CfnPolicy
pipe.node.addDependency(cfndefaultPolicy, pipeRole) On cdk synth you should see two explicit dependencies in the pipe resource: Type: AWS::Pipes::Pipe
Properties:
RoleArn:
Fn::GetAtt:
- LoggingRole0BCFB29B
- Arn
Source:
Fn::GetAtt:
- TableCD117FA1
- StreamArn
SourceParameters:
DynamoDBStreamParameters:
BatchSize: 1
OnPartialBatchItemFailure: AUTOMATIC_BISECT
StartingPosition: LATEST
Target:
Fn::GetAtt:
- LogGroupF5B46931
- Arn
DependsOn:
- LoggingRoleDefaultPolicy7C1A4368
- LoggingRole0BCFB29B |
I can confirm that this worked. The problem was that the It's worth noting that there is an L2 construct for |
Resolving this issue now. When the DDB stream source is implemented in the Pipe L2 construct, it should take care of the dependence then. |
Comments on closed issues and PRs are hard for our team to see. |
Describe the bug
The CfnPipe does not wait for DDB Stream to be created before checking if it has permissions to read from it. If the DDB Stream does not exist, then the CfnPipe resource fails to deploy with an error claiming it doesn't have permissions to read from the table. However, if the stream does exist, it deploys fine.
Because of this, this issue is intermittent, and has a higher likelihood of failing the stack the more tables + pipes you deploy in it.
See this discussion in
#eventbridge-interest
: https://amzn-aws.slack.com/archives/C017SEP3GCE/p1723573294515119Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
The stack should deploy successfully.
Current Behavior
Stack fails with an error on one of the CfnPipe constructs.
Reproduction Steps
I tried my best to create a minimal, consistently failing stack. This creates 10 tables, and 10 GSIs on each table. In my testing, having one of the pipes fail is common, which will cause the stack to fail.
To see this example of this being intermittent, reduce
steps
to 1, so only a single DDB table is created. Odds are good that the associated pipe will succeed in deploying.Possible Solution
There are a couple of workarounds which should work for this.
As Oliver mentioned in the attached slack thread, there are a couple of ways this could be fixed for real.
Additional Information/Context
No response
CDK CLI Version
3.154.1 (build febce9d)
Framework Version
3.154.1
Node.js Version
v16.7.0
OS
macOS Sonoma Version 14.6.1
Language
TypeScript
Language Version
TypeScript (5.5.3)
Other information
No response
The text was updated successfully, but these errors were encountered: