Naming Conflict in AWS CDK v2.128: addRotationSingleUser Lambda Naming Collision Across Multiple Stacks with Identical Node IDs #29180

Open
zzDave opened this issue Feb 20, 2024 · 5 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

zzDave commented Feb 20, 2024

Describe the bug

Bug Description

Context: The issue arises when creating a ServerlessCluster in AWS CDK, particularly when using the same logical ID (node id) for this resource in multiple CDK projects. This problem occurs even if these projects are deployed in the same AWS region.

Problem: Despite different stackNames being specified in each project, a naming conflict occurs for the addRotationSingleUser Lambda function associated with the ServerlessCluster. This leads to an error stating that the resource already exists.

Root Cause: It appears that the naming mechanism for the addRotationSingleUser Lambda function does not appropriately differentiate between the CDK stack ID (node id) and the stackName. This results in a naming collision, as the Lambda function's name is generated based on the node id only, without considering the unique stackName of each project.

Expected Behavior: The name for each addRotationSingleUser Lambda function should be unique across different stacks, especially when they have distinct stackNames. The naming convention should incorporate both the stackName and the node id to ensure uniqueness, avoiding conflicts across multiple CDK projects deployed in the same region.

Expected Behavior

The new ServerlessCluster is in a different stack, so the rotation single user should not exist.

Current Behavior

Deployment fails with a "rotation single user resource already exists" error.

CREATE_FAILED | AWS::Lambda::Function | SecretsManagerRDSMySQLRotationSingleUser
testauroramysqlclusterRotationSingleUser3DBEDD21 already exists in stack arn:aws:cloudformation:XXXXXXX stack.

Reproduction Steps

Issue Summary

The Secrets Manager rotation single user is incorrectly named in two CDK projects. Both projects use "test" as the logical identifier but have different stackNames. They also use a shared construct library to create a Serverless Cluster.

Project 1: Seattle

  • CDK Stack Creation

    new cdk.Stack(app, "test", {
       stackName: "cdk-seattle",
    });
    
    const auroraInstance = new ServerlessCluster(this, "aurora-mysql-cluster", { /* ... */ });
    auroraInstance.addRotationSingleUser({
       automaticallyAfter: Duration.days(30),
    });
  • Generated Names

    • Incorrect SecretsManagerRDSMySQLRotationSingleUser: testauroramysqlclusterRotationSingleUser3DBEDD21
    • Correct SecretsManagerRDSMySQLRotationSingleUserRole: cdk-seattle-SecretsManagerRDSMySQLRot-2kTqohOcS6Lh

Project 2: Florida

  • CDK Stack Creation

    new cdk.Stack(app, "test", {
       stackName: "cdk-florida",
    });
    
    const auroraInstance = new ServerlessCluster(this, "aurora-mysql-cluster", { /* ... */ });
    auroraInstance.addRotationSingleUser({
       automaticallyAfter: Duration.days(30),
    });
  • Generated Names

    • Incorrect SecretsManagerRDSMySQLRotationSingleUser: testauroramysqlclusterRotationSingleUserDFBEDD21
    • Correct SecretsManagerRDSMySQLRotationSingleUserRole: cdk-florida-SecretsManagerRDSMySQLRot-2GlqohOcS6Lh

Issue Description

  • The rotation single user secret name should be based on the stackName rather than the logical identifier test.
  • Correct naming should follow the pattern: cdk-[stackName]auroramysqlclusterRotationSingleUser[UniqueID].

Possible Solution

Use the stack name instead of the logical id for the lambda name.

Additional Information/Context

No response

CDK CLI Version

2.128

Framework Version

3.431.0

Node.js Version

v20.11.1

OS

Ubuntu 23

Language

TypeScript

Language Version

Typescript 5.2.2

Other information

No response

@zzDave zzDave added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 20, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Feb 20, 2024
@pahud pahud added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 20, 2024
Contributor

pahud commented Feb 20, 2024

Are you seeing the collision of lambda functions or the secrets?

I just defined this stack class

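import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as rds from 'aws-cdk-lib/aws-rds';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    // getDefaultVpc is a helper that is not shown in this comment.
    const cluster = new rds.ServerlessCluster(this, 'Cluster', {
      engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
      parameterGroup: rds.ParameterGroup.fromParameterGroupName(this, 'ParameterGroup', 'default.aurora-postgresql11'),
      vpc: getDefaultVpc(this),
    });
    // Attach single-user secret rotation every 30 days.
    cluster.addRotationSingleUser({
      automaticallyAfter: Duration.days(30),
    });
  }
}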

And deploy two stacks using the same class

new DummyStack(app, 'dummy-stack1', { env });
new DummyStack(app, 'dummy-stack2', { env });

But I didn't see the collision of any resources. Did I miss anything?

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed p1 labels Feb 20, 2024
Author

zzDave commented Feb 21, 2024

Use a short name for the stack node id, in this case, "test", and you have a defined stackName in the properties:

test
stack-project-1-test

new DummyStack(app, 'test', {
    env: {
        account: defaultAccount,
        region: "us-west-2",
    },
    stackName: "stack-project-1-test"
});

cdk synth test
cdk deploy test

Look at the deployed physical IDs of the resources.  Everything is fine except the lambda attached to the nested stack.  
I would assume it should be named:
stackproject1testtestauroraclusterRotationSingleUser4B86C1AB
not
testauroraclusterRotationSingleUser4B86C1AB

Then you have another cdk project, and it's named project-2.

```typescript
new DummyStack(app, 'test', {
    env: {
        account: defaultAccount,
        region: "us-west-2",
    },
    stackName: "stack-project-2-test"
});
```

cdk synth and deploy.

Since the lambda has a logical id from the node id, 
testauroraclusterRotationSingleUser4B86C1AB
it fails.



![image](https://github.com/aws/aws-cdk/assets/3958281/2728d722-62af-4a52-9c5c-91d691e409a7)


:59:33 AM | CREATE_FAILED        | AWS::Lambda::Function                       | SecretsManagerRDSMySQLRotationSingleUser
testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-pr
oject-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f

5:59:40 AM | CREATE_FAILED        | AWS::CloudFormation::Stack                  | auroraclusterRotationSingleUserD321448F
Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-
JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [Sec
retsManagerRDSMySQLRotationSingleUser].


   test (stack-project-2-test) failed: Error: The stack named stack-project-2-test failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f, Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [SecretsManagerRDSMySQLRotationSingleUser]. 
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:431:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:434:196750)
    at async /usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:434:178719

  Deployment failed: Error: The stack named stack-project-2-test failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f, Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [SecretsManagerRDSMySQLRotationSingleUser]. 
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:431:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:434:196750)
    at async /usr/local/share/nvm/versions/node/v20.11.1/lib/node_modules/aws-cdk/lib/index.js:434:178719

The stack named stack-project-2-test failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f, Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [SecretsManagerRDSMySQLRotationSingleUser]. 

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 21, 2024
Contributor

pahud commented Feb 21, 2024

new DummyStack(app, 'test', {
    env: {
        account: defaultAccount,
        region: "us-west-2",
    },
    stackName: "stack-project-1-test"
});

OK looks like you are having two stacks in the same cdk app with exactly the same id and custom stackName. Is there any reason you have to use the same stack ID like that? I think this would have some potential name collisions as a lot of the auto generated resource names would include the stack id as part of its suffix. I am not sure if this is a bug we need to fix but we generally don't encourage that.

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 21, 2024
Author

zzDave commented Feb 21, 2024

Clarification and Identification of the Problem:

It seems there's a misunderstanding in the discussion. The key point to clarify is that we are dealing with two completely separate projects, not a single project with multiple stacks. This is crucial because it negates the possibility of a synthetic error due to duplicate stack IDs within the same CDK app.

Example Projects Involved:

  1. Processing Library Project with ProcessorStack
  2. Analytics Library Project with AnalyticsStack

Both projects use a shared library construct, which includes the setupAuroraCluster function. Here's the implementation in each project:

// ProcessorStack in Processing Library Project
new ProcessorStack(app, 'test', {
    stackName: "processor-stack-test"
});

// AnalyticsStack in Analytics Library Project
new AnalyticsStack(app, 'test', {
    stackName: "analytics-stack-test"
});

Observed Issue:

  • The ProcessorStack successfully creates an Aurora Cluster and its corresponding rotation single user Lambda.
  • The AnalyticsStack fails to create the rotation single user Lambda due to a naming conflict.

Core Problem:

  • The lambda generated by addRotationSingleUser is not incorporating the stack name into its naming convention, leading to conflicts across different projects.
  • Current Lambda Naming (Problematic): testauroraclusterRotationSingleUserXXXXX
  • Expected Lambda Naming (Solution): Incorporate the stack name for uniqueness, e.g., processorstacktestauroraclusterRotationSingleUserXXXXX and analyticsstacktestauroraclusterRotationSingleUserXXXXX.

Author

zzDave commented Feb 21, 2024

> OK looks like you are having two stacks in the same cdk app with exactly the same id and custom stackName. Is there any reason you have to use the same stack ID like that? I think this would have some potential name collisions as a lot of the auto generated resource names would include the stack id as part of its suffix. I am not sure if this is a bug we need to fix but we generally don't encourage that.


You can not have 2 cdk apps with the same id in a project. Synth would throw an error.
But we do use a common naming convention so scripts can be used across projects.


**Sample Framework Example**

new ProcessorStack(app, "test", {
    stackName: "processor-stack-test"
});

new ProcessorStack(app, "dev", {
    stackName: "processor-stack-dev"
});

new ProcessorStack(app, "staging", {
    stackName: "processor-stack-staging"
});

new ProcessorStack(app, "prod", {
    stackName: "processor-stack-prod"
});

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 22, 2024
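
A pre-deploy check for the collision reported in this thread, as an added example that is not part of the issue or of aws-cdk: it scans synthesized templates from several projects for a literal Lambda name claimed by more than one stack. The helper names (`fixedFunctionNames`, `findCollisions`, `rotationApp`) are hypothetical, and the template shape (the name carried as `Parameters.functionName` on an `AWS::Serverless::Application` resource) is an assumption; the sample templates are constructed from the names quoted above.

```typescript
// Added example, not aws-cdk code. Assumed template shape: the rotation Lambda's
// fixed name is Parameters.functionName on an AWS::Serverless::Application resource.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };
type NameCollision = { name: string; stacks: string[] };

// Collect explicit (string-literal) Lambda names declared by one template.
function fixedFunctionNames(template: CfnTemplate): string[] {
  const names: string[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    const props = res.Properties ?? {};
    let candidate: unknown;
    if (res.Type === "AWS::Serverless::Application") {
      const params = props["Parameters"] as Record<string, unknown> | undefined;
      candidate = params?.["functionName"];
    } else if (res.Type === "AWS::Lambda::Function") {
      candidate = props["FunctionName"];
    }
    // Intrinsics (Fn::Join, Ref) are objects; only literals can be compared offline.
    if (typeof candidate === "string") names.push(candidate);
  }
  return names;
}

// Report names claimed by more than one stack deployed to the same account and region.
function findCollisions(templatesByStack: Record<string, CfnTemplate>): NameCollision[] {
  const owners: Record<string, string[]> = {};
  for (const stack of Object.keys(templatesByStack)) {
    for (const name of fixedFunctionNames(templatesByStack[stack])) {
      const stacks = owners[name] ?? (owners[name] = []);
      if (stacks.indexOf(stack) === -1) stacks.push(stack);
    }
  }
  return Object.keys(owners)
    .filter((name) => owners[name].length > 1)
    .map((name) => ({ name, stacks: owners[name] }));
}

// Constructed sample: two projects whose stack id is "test" but whose stackName differs.
const rotationApp = (functionName: string): CfnTemplate => ({
  Resources: { RotationApp: { Type: "AWS::Serverless::Application", Properties: { Parameters: { functionName } } } },
});
const reportedName = "testauroraclusterRotationSingleUser4B86C1AB";
const sample: Record<string, CfnTemplate> = {
  "stack-project-1-test": rotationApp(reportedName),
  "stack-project-2-test": rotationApp(reportedName),
};
console.log(findCollisions(sample));
```

Run against the parsed templates from each project's `cdk.out` directory, a non-empty result flags the conflict before CloudFormation reports `already exists` and rolls the stack back.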