(aws-lambda): Deploying updated stack with unchanged Lambda and modified execution role fails with error: "A version for this Lambda function exists ( {n} ). Modify the function to create a new version"

[jmm]

Hello,

With CDK 1.101.0, I'm encountering this when attempting to deploy an updated stack with an unchanged Lambda, but where I've changed the policy configuration of its execution role, e.g. with someFunction.role.addToPrincipalPolicy().

Somewhat related to #5334.

So in this case the Lambda resource in the CloudFormation template is identical except for the addition of an AWS::IAM::Policy's name to its DependsOn set.

Based on the description of #6771 and a skim of the code, I'm assuming it's incorporating the function's DependsOn attribute in the hashing. And based on the documentation of DependsOn, it sounds like that should be irrelevant for the purpose of #6771, right? What do you think about omitting it from the hashing?

So in plain CloudFormation it doesn't automatically create a new version in response to changes to the function code or configuration, correct? You either need to manually change something about the version configuration, like description, or wire up something to detect changes to the function yourself and do something that forces CloudFormation to create a new version, like here you're changing the logical ID.

I'm temporarily using the workaround from #5334.

Reproduction Steps

First iteration:

const someFunction = new lambda.Function(this, "some-function", {
  code: lambda.Code.fromAsset(somePath),
  handler: "index.lambdaHandler",
  runtime: lambda.Runtime.NODEJS_14_X,
})

Second iteration:

const someFunction = new lambda.Function(this, "some-function", {
  code: lambda.Code.fromAsset(somePath),
  handler: "index.lambdaHandler",
  runtime: lambda.Runtime.NODEJS_14_X,
})

someFunction.role.addToPrincipalPolicy(
  new iam.PolicyStatement({
    actions: ["s3:GetObject"],
    effect: iam.Effect.ALLOW,
    resources: [bucketArn],
  })
)

What did you expect to happen?

Both iterations to deploy successfully, modifying the Lambda's execution role in the second one.

What actually happened?

On the second iteration, failed deployment with error message (where {n} is a placeholder):

A version for this Lambda function exists ( {n} ). Modify the function to create a new version.

Environment

• CDK CLI Version : 1.101.0
• Framework Version: What does this refer to, the version of @aws-cdk/core?
• Node.js Version: 14.16.0
• OS : Mac
• Language (Version):

---

This is 🐛 Bug Report

[nija-at]

Hi @jmm -

We're tracking this issue here - #11537.
I've copied over your report into this issue.

Closing this issue as a duplicate.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[jmm]

Thanks @nija-at!

Sorry about the duplicate, I didn't turn that up when searching, or else I would've added the additional example with addToPrincipalPolicy there.