Closed
Labels: @aws-cdk/aws-lambda (Related to AWS Lambda), effort/small (Small work item – less than a day of effort), feature-request (A feature should be added or improved), p2
Description
aws_lambda.Function does not support an sns.Topic as the target dead letter queue. This is incorrect, as Lambda does allow a topic to be set as the target. Such information can be found here, as well as in the attached screenshot.
Reproduction Steps
```python
#!/usr/bin/env python3
import os
from aws_cdk import (
    core as cdk,
    aws_lambda as fn,
    aws_sns as sns,
)


class BugTestStack(cdk.Stack):
    def __init__(self, scope, construct_id, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # An SNS topic, intended as the function's dead letter target.
        dlq = sns.Topic(self, 'dlq')
        fun = fn.Function(
            self,
            'lambdaFn',
            code=fn.Code.from_inline('def handler(event, context): ...'),
            runtime=fn.Runtime.PYTHON_3_8,
            handler='index.handler',
            # Function expects an SQS queue here; passing the Topic is what this issue reports.
            dead_letter_queue=dlq,
        )


app = cdk.App()
BugTestStack(app, "BugTestStack")
app.synth()
```
What did you expect to happen?
Expected the lambda to deploy correctly and have the topic configured as the DLQ.
What actually happened?
```
$ cdk deploy
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬──────────────────────┬────────┬──────────────────────┬──────────────────────┬───────────┐
│   │ Resource             │ Effect │ Action               │ Principal            │ Condition │
├───┼──────────────────────┼────────┼──────────────────────┼──────────────────────┼───────────┤
│ + │                      │ Allow  │ sqs:SendMessage      │ AWS:${lambdaFn/Servi │           │
│   │                      │        │                      │ ceRole}              │           │
├───┼──────────────────────┼────────┼──────────────────────┼──────────────────────┼───────────┤
│ + │ ${lambdaFn/ServiceRo │ Allow  │ sts:AssumeRole       │ Service:lambda.amazo │           │
│   │ le.Arn}              │        │                      │ naws.com             │           │
└───┴──────────────────────┴────────┴──────────────────────┴──────────────────────┴───────────┘
IAM Policy Changes
┌───┬─────────────────────────┬───────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                            │
├───┼─────────────────────────┼───────────────────────────────────────────────────────────────┤
│ + │ ${lambdaFn/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaB │
│   │                         │ asicExecutionRole                                             │
└───┴─────────────────────────┴───────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
BugTestStack: deploying...
BugTestStack: creating CloudFormation changeset...
10:01:05 PM | CREATE_FAILED | AWS::IAM::Policy | lambdaFnServiceRoleDefaultPolicyFB1DE846
Policy statement must contain resources. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 76d252b1-e30d-473f-8c16-6cab739f2a46; Proxy: null)
	new Policy (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/jsii-kernel-H52uSA/node_modules/@aws-cdk/aws-iam/lib/policy.js:56:26)
	\_ Role.addToPrincipalPolicy (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/jsii-kernel-H52uSA/node_modules/@aws-cdk/aws-iam/lib/role.js:209:34)
	\_ Function.addToRolePolicy (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/jsii-kernel-H52uSA/node_modules/@aws-cdk/aws-lambda/lib/function-base.js:60:19)
	\_ Function.buildDeadLetterQueue (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/jsii-kernel-H52uSA/node_modules/@aws-cdk/aws-lambda/lib/function.js:594:14)
	\_ new Function (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/jsii-kernel-H52uSA/node_modules/@aws-cdk/aws-lambda/lib/function.js:128:37)
	\_ /private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:8154:58
	\_ Kernel._wrapSandboxCode (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:8582:24)
	\_ Kernel._create (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:8154:34)
	\_ Kernel.create (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:7895:29)
	\_ KernelHost.processRequest (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:9479:36)
	\_ KernelHost.run (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:9442:22)
	\_ Immediate._onImmediate (/private/var/folders/23/m0xp04h13tl7ht3bx69jgfvc0000gn/T/tmpkb42qs7s/lib/program.js:9443:46)
	\_ processImmediate (internal/timers.js:464:21)
The following resource(s) failed to create: [lambdaFnServiceRoleDefaultPolicyFB1DE846]. Rollback requested by user.

 ❌  BugTestStack failed: Error: The stack named BugTestStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
    at Object.waitForStackDeploy (/Users/tomasztrebski/dev/dotfiles/dependencies/nodenv/versions/14.17.4/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:305:11)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Object.deployStack (/Users/tomasztrebski/dev/dotfiles/dependencies/nodenv/versions/14.17.4/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:294:26)
    at CdkToolkit.deploy (/Users/tomasztrebski/dev/dotfiles/dependencies/nodenv/versions/14.17.4/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:184:24)
    at initCommandLine (/Users/tomasztrebski/dev/dotfiles/dependencies/nodenv/versions/14.17.4/lib/node_modules/aws-cdk/bin/cdk.ts:213:9)

The stack named BugTestStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
```
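The failure above only surfaces at `cdk deploy`, after the IAM policy with an empty `sqs:SendMessage` resource list has reached CloudFormation and left the stack in ROLLBACK_COMPLETE. The following is an added, stand-alone check (not part of CDK or of this issue) that a practitioner can run over `cdk.out/<Stack>.template.json` after `cdk synth`: it flags IAM statements with no Resource and Lambda DeadLetterConfig targets that do not resolve to an SQS queue or SNS topic. It assumes the standard CloudFormation JSON layout; the embedded sample template is constructed, not real synth output.

```python
import json

# Resource types Lambda accepts as DeadLetterConfig targets (SQS queue or SNS topic).
DLQ_TYPES = {"AWS::SQS::Queue", "AWS::SNS::Topic"}


def _as_list(value):
    """CloudFormation accepts either a scalar or a list for Statement/Action/Resource."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def lint_template(template):
    """Findings for a synthesized template: IAM statements with no Resource (rejected by
    CloudFormation as MalformedPolicyDocument only at deploy time) and Lambda DLQ targets
    that do not resolve to an SQS queue or SNS topic."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            for i, stmt in enumerate(_as_list(props.get("PolicyDocument", {}).get("Statement"))):
                if not (_as_list(stmt.get("Resource")) or _as_list(stmt.get("NotResource"))):
                    actions = ", ".join(_as_list(stmt.get("Action")))
                    findings.append(f"{name}: statement {i} ({actions}) has no Resource")
        elif res.get("Type") == "AWS::Lambda::Function":
            target = props.get("DeadLetterConfig", {}).get("TargetArn")
            if isinstance(target, dict) and "Fn::GetAtt" in target:
                ref_id, attr = target["Fn::GetAtt"]
            elif isinstance(target, dict) and "Ref" in target:
                ref_id, attr = target["Ref"], "Ref"  # Ref of an SQS queue is its URL, not ARN
            else:
                continue  # no DLQ, or a literal/imported ARN this linter does not resolve
            ref_type = resources.get(ref_id, {}).get("Type")
            if ref_type not in DLQ_TYPES:
                findings.append(f"{name}: DLQ target {ref_id} is {ref_type}, not SQS/SNS")
            elif ref_type == "AWS::SQS::Queue" and attr != "Arn":
                findings.append(f"{name}: DLQ target {ref_id} is the queue URL, not its ARN")
    return findings


# Constructed sample, not real cdk synth output: the sqs:SendMessage statement without a
# Resource that Function emits for a Topic DLQ, plus a function pointing its DLQ at the topic.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "dlq": {"Type": "AWS::SNS::Topic"},
  "lambdaFnServiceRoleDefaultPolicy": {"Type": "AWS::IAM::Policy", "Properties":
    {"PolicyDocument": {"Statement": [{"Action": "sqs:SendMessage", "Effect": "Allow"}]}}},
  "lambdaFn": {"Type": "AWS::Lambda::Function", "Properties":
    {"DeadLetterConfig": {"TargetArn": {"Ref": "dlq"}}}}}}""")

if __name__ == "__main__":
    import sys  # usage: python lint_template.py cdk.out/BugTestStack.template.json
    findings = lint_template(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE)
    sys.exit("\n".join(findings) if findings else 0)
```

A non-zero exit makes the check usable as a CI gate between `cdk synth` and `cdk deploy`.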
Environment
- CDK CLI Version: 1.118.0
- Framework Version: ?
- OS: MacOS BigSur
- Language (Version): Python 3.9.6
Other
I believe it makes sense to enable that for the sake of use cases where someone wishes to receive a Slack or email notification that the lambda failed. Having only SQS as an option forces one to write an additional lambda simply to send an email.
This is 🐛 Bug Report