
fix(resources/template-writer): add IAM policy as customResource dependency #1148

Merged (2 commits), Jul 16, 2024

Conversation

indieisaconcept (Contributor)

Issue #, if available:

Description of changes:
Resources provisioned using the construct @aws-solutions-constructs/aws-openapigateway-lambda succeed on initial deploy however when a modification is made to the referenced OpenAPI specification the deployment fails. Resulting in the following error.

CustomResource attribute error: Vendor response doesn't contain TemplateOutputKey attribute in object arn:aws:cloudformation:ap-southeast-2:000000000000:stack/TestStack/1de47700-433e-11ef-8d9f-02222ec9a44d|OpenApiGatewayToLambdaApiTemplateWriterCustomResource957D1BA4|98e1521e-6163-4459-a73d-68f2b50cb336

The issue is caused by ./resources/template-writer. When the specification changes, this results in a new S3 asset, which is used by template-writer to update the inline IAM policy that is attached to the custom resource Lambda responsible for managing the create and update lifecycle events.


However, during a stack update this Lambda will fail to execute, as it still references the old IAM policy, and so this results in a 403 error when await s3Client.send(new client_s3_1.GetObjectCommand ... is attempted, because the supplied event.ResourceProperties.TemplateInputKey does not match the current policy.

To address this, the following has been added to ensure that the policy is in place when the Lambda is executed.

customResource.node.addDependency(templateWriterPolicy);

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
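The ordering rule behind the fix, as an added example that is not part of this PR or of the aws-solutions-constructs code base: CloudFormation sequences resource updates only by intrinsic references between resources (Ref / Fn::GetAtt) and by explicit DependsOn, which is what CDK's node.addDependency() synthesizes. Two resources with neither relation may be updated concurrently, in either order. The model below builds a stand-in graph for the template-writer pieces (all logical IDs, the bucket and the asset keys are illustrative, not the construct's real identifiers), computes the update order CloudFormation is allowed to choose, and shows the stale-policy 403 before the dependency exists and the success once it does.

```typescript
// Added example, not code from the PR or from aws-solutions-constructs.
// CloudFormation orders updates by (a) Ref/Fn::GetAtt references between
// resources and (b) explicit DependsOn (what node.addDependency() emits).
// Logical IDs, bucket and key names below are illustrative stand-ins.

type LogicalId = string;

interface Resource {
  id: LogicalId;
  refs: LogicalId[];      // logical IDs referenced from this resource's properties
  dependsOn: LogicalId[]; // explicit DependsOn entries
}

function edgesOf(r: Resource): LogicalId[] {
  return r.refs.concat(r.dependsOn);
}

// True iff `after` transitively depends on `before`, i.e. CloudFormation is
// obliged to finish `before` first in every valid update.
function isOrdered(resources: Resource[], before: LogicalId, after: LogicalId): boolean {
  const byId = new Map<LogicalId, Resource>();
  for (const r of resources) byId.set(r.id, r);
  const seen = new Set<LogicalId>();
  const stack: LogicalId[] = [after];
  while (stack.length > 0) {
    const cur = stack.pop() as LogicalId;
    if (cur === before) return true;
    if (seen.has(cur)) continue;
    seen.add(cur);
    const r = byId.get(cur);
    if (r) stack.push(...edgesOf(r));
  }
  return false;
}

// Kahn's algorithm: one valid update order. `tieBreak` chooses among resources
// that are ready at the same time, so a caller can ask for the schedule in
// which a given resource runs as early as CloudFormation allows.
function updateOrder(resources: Resource[], tieBreak: (a: LogicalId, b: LogicalId) => number): LogicalId[] {
  const indeg = new Map<LogicalId, number>();
  const dependents = new Map<LogicalId, LogicalId[]>();
  for (const r of resources) {
    indeg.set(r.id, edgesOf(r).length);
    for (const dep of edgesOf(r)) dependents.set(dep, (dependents.get(dep) || []).concat(r.id));
  }
  const order: LogicalId[] = [];
  const ready = resources.filter((r) => indeg.get(r.id) === 0).map((r) => r.id);
  while (ready.length > 0) {
    ready.sort(tieBreak);
    const next = ready.shift() as LogicalId;
    order.push(next);
    for (const d of dependents.get(next) || []) {
      const n = (indeg.get(d) as number) - 1;
      indeg.set(d, n);
      if (n === 0) ready.push(d);
    }
  }
  if (order.length !== resources.length) throw new Error("cycle in dependency graph");
  return order;
}

// Prefer `id` whenever it is ready: the unlucky schedule for a resource that
// CloudFormation is free to run early.
function asEarlyAsPossible(id: LogicalId) {
  return (a: LogicalId, b: LogicalId): number => (a === id ? -1 : b === id ? 1 : a.localeCompare(b));
}

// The inline policy grants s3:GetObject on exactly one object ARN (the current
// template asset). The Lambda sees whichever policy version has been applied
// at the instant it runs.
interface InlinePolicy { allowedObjectArn: string }

function getObjectStatus(policy: InlinePolicy, requestedArn: string): number {
  return policy.allowedObjectArn === requestedArn ? 200 : 403;
}

// Stand-in graph. Both the policy and the custom resource carry the asset key
// in their properties, but a shared *value* is not a reference between
// resources, so it creates no ordering edge between them.
const CUSTOM_RESOURCE: LogicalId = "TemplateWriterCustomResource";
const POLICY: LogicalId = "TemplateWriterPolicy";
const templateWriterGraph: Resource[] = [
  { id: "TemplateWriterRole", refs: [], dependsOn: [] },
  { id: "TemplateWriterFunction", refs: ["TemplateWriterRole"], dependsOn: [] },
  { id: POLICY, refs: ["TemplateWriterRole"], dependsOn: [] },
  { id: CUSTOM_RESOURCE, refs: ["TemplateWriterFunction"], dependsOn: [] },
];

// The PR's fix at the CloudFormation level: a DependsOn on the policy.
function withPolicyDependency(graph: Resource[]): Resource[] {
  return graph.map((r) => (r.id === CUSTOM_RESOURCE ? { ...r, dependsOn: r.dependsOn.concat(POLICY) } : r));
}

// Simulate an update in which the OpenAPI asset key changed. Walking the order:
// the policy resource rotates the allowed ARN to the new key; the custom
// resource invokes the Lambda, which fetches the new key under whatever policy
// is in effect at that moment.
function simulateUpdate(graph: Resource[], oldKey: string, newKey: string): { order: LogicalId[]; status: number } {
  const arn = (key: string) => `arn:aws:s3:::cdk-assets-bucket/${key}`; // constructed bucket name
  let policy: InlinePolicy = { allowedObjectArn: arn(oldKey) };
  let status = 0;
  const order = updateOrder(graph, asEarlyAsPossible(CUSTOM_RESOURCE));
  for (const id of order) {
    if (id === POLICY) policy = { allowedObjectArn: arn(newKey) };
    if (id === CUSTOM_RESOURCE) status = getObjectStatus(policy, arn(newKey));
  }
  return { order, status };
}

const before = simulateUpdate(templateWriterGraph, "old-openapi-asset.json", "new-openapi-asset.json");
const after = simulateUpdate(withPolicyDependency(templateWriterGraph), "old-openapi-asset.json", "new-openapi-asset.json");
console.log("before fix:", before.order.join(" -> "), "GetObject:", before.status); // ... -> CustomResource -> Policy, 403
console.log("after fix: ", after.order.join(" -> "), "GetObject:", after.status);  // ... -> Policy -> CustomResource, 200
```

To confirm the fix in a real stack, run cdk synth and check that the custom resource's entry in the synthesized template carries a DependsOn naming the policy resource; without it the template gives CloudFormation no reason to order the two, and the race only shows up on an update that changes the asset key. Note that the fix keeps the narrow, single-object grant and adds ordering, rather than widening the Lambda's permissions to the whole asset bucket to make the race harmless.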

@aws-solutions-constructs-team (Collaborator)

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: ce18904
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@biffgaut (Contributor)

Thanks, we'll look at this right away.

@aws-solutions-constructs-team (Collaborator)

AWS CodeBuild CI Report

  • CodeBuild project: githubautobuild-for-cdk-v2
  • Commit ID: 3016786
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


biffgaut merged commit bbdeddd into awslabs:main on Jul 16, 2024 (2 checks passed).