fix(custom-resources): inactive lambda functions fail on invoke #22612
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
closes #20123 All lambda functions can become inactive eventually. This will result in invocations failing. This PR adds logic to wait for functions to become active on a failed invocation.
|
|
github-actions
bot
added
effort/small
aws-cdk-automation
previously requested changes
Oct 23, 2022
TheRealAmazonKendra
added
the
pr-linter/exempt-integ-test
|
We can't really integ test this as it would require a lambda function that was already inactive and we don't have that resource setup. |
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
TheRealAmazonKendra
removed
the
pr-linter/exempt-integ-test
aws-cdk-automation
previously requested changes
Oct 26, 2022
|
@Mergifyio update |
✅ Branch has been successfully updated |
TheRealAmazonKendra
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
ryparker
reviewed
Dec 8, 2022
| expectedFunctionStates.push('Active'); | ||
| expectedFunctionStates.push('Pending'); | ||
|
|
||
| expect(await invokeFunction(req)).toEqual({ Payload: req.Payload }); |
There was a problem hiding this comment.
Clever use of await inside & outside the expect()
ryparker
approved these changes
Dec 8, 2022
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
brennanho
pushed a commit
to brennanho/aws-cdk
that referenced
this pull request
Dec 9, 2022
…22612) closes aws#20123 All lambda functions can become inactive eventually. This will result in invocations failing. This PR adds logic to wait for functions to become active on a failed invocation. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho
pushed a commit
to brennanho/aws-cdk
that referenced
this pull request
Jan 20, 2023
…22612) closes aws#20123 All lambda functions can become inactive eventually. This will result in invocations failing. This PR adds logic to wait for functions to become active on a failed invocation. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
brennanho
pushed a commit
to brennanho/aws-cdk
that referenced
this pull request
Feb 22, 2023
…22612) closes aws#20123 All lambda functions can become inactive eventually. This will result in invocations failing. This PR adds logic to wait for functions to become active on a failed invocation. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 task
mergify bot
pushed a commit
that referenced
this pull request
Jan 20, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
moelasmar
pushed a commit
that referenced
this pull request
Jan 24, 2025
…ermission (#32904) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* (cherry picked from commit 035d17d)
1 task
This was referenced Feb 5, 2025
mergify bot
pushed a commit
that referenced
this pull request
Feb 6, 2025
…ermission (#33315) ### Issue # (if applicable) Closes #26838. ### Reason for this change In the Provider Framework lambda code, there is a logic to catch error arise from invoking the User Defined handler lambda. Upon error, it polls the state of the User Defined handler until it is in ACTIVE state (#22612 added this logic): https://github.com/aws/aws-cdk/blob/64b865ba7697f454a1f091a67bf54a6d4ad0e76e/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L66-L80 The polling uses the AWS SDK `waitUntilFunctionActiveV2` function, which calls the Lambda GetFunction API: https://github.com/aws/aws-sdk-js-v3/blob/6858c7e04730a2b524b06355969e4076c28ae863/clients/client-lambda/src/waiters/waitForFunctionActiveV2.ts#L57 However, the Provider Framework lambda does not have the `lambda:GetFunction` permission. ##### Why is the issue saying the `lambda:GetFunctionConfiguration` is needed instead of `lambda:GetFunction`? At some point in time, the retry logic used `waitUntilFunctionActive` for polling, which use the `GetFunctionConfiguration`. But this is no longer the case after c3a4b7b#diff-85920270c638d83b082246e0026f1a316dd39aaa3cd8720fdaeb3d526e438f7fR66 ### Description of changes Added the `lambda:GetFunction` permission on the role used by the Provider Framework lambda. ### Describe any new or updated permissions being added The `lambda:GetFunction` permission is added. ### Description of how you validated changes There isn't a straight forward way to test the INACTIVE lambda scenario as one need to wait 14 days for a Lambda function to become INACTIVE. Therefore, I am not able to create an integ test. What I did was locally changing the Provider Framework lambda code to throw an error such that it executes the catch block. Then I verified in CloudTrail that the Provider Framework lambda called `GetFunction` successfully and then it was also able to invoke the User Defined Handler lambda. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #20123
All lambda functions can become inactive eventually. This will result in invocations failing. This PR adds logic to wait for functions to become active on a failed invocation.
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license