(aws-events): Cross Stack Rule Requires Concrete Account

What is the problem?

When setting up a rule against a lambda defined in another stack that is in the same account and region, CDK is now returning an error:

“You need to provide a concrete account for the target stack when using cross-account or cross-region events”

This is for any CDK version > 2.3.0

Reproduction Steps

Create and export the ARN of a lambda function from one stack. Add a policy to the function that allows “lambda:InvokeFunction”. In another stack, use “Function.fromFunctionArn”.

Example:

const importedFunction = lambda.Function.fromFunctionArn(
  this,
  "ImportedFunction",
  cdk.Fn.importValue("OtherStack-ExportedFunctionARN"),
);

new events.Rule(this, "Rule", {
  schedule: events.Schedule.expression("cron(0 * * * ? *)"),
  targets: [
    new targets.LambdaFunction(importedFunction, {}),
  ],
});

What did you expect to happen?

Expect the rule to be created and the rule is able to execute the remote function.

What actually happened?

/cdk/node_modules/aws-cdk-lib/aws-events/lib/rule.ts:134
          throw new Error('You need to provide a concrete account for the target stack when using cross-account or cross-region events');

CDK CLI Version

2.7.0

Framework Version

2.7.0

Node.js Version

16.13.1

OS

OSX M1

Language

TypeScript

Language Version

4.5

Other information

No response

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 4
  • Comments: 19 (8 by maintainers)

Top GitHub Comments

1 reaction
rix0rrr commented, Jun 1, 2022

I am convinced now that treating a “floating” region and account as being equal to the “current” region and account is the most desirable behavior. While the current way is technically correct it is also very inconvenient in many common use cases. The use case we are optimizing for (cross-env targets) is likely to be much more rare.

1 reaction
rix0rrr commented, Apr 22, 2022

You can know the Lambda Function is definitely in the same account, but CDK can’t know that because all you’re giving it is an ARN that it can’t look into (Fn.importValue()). It could be anything and anywhere, but in only a subset of cases can we successfully trigger that rule.

lambda.Function.fromFunctionArn(this, 'Fn', Fn.importValue('FunctionArn'));
//                         ^^^^^               ^^^^^^^^^^^^
//                      the combination of these is the problem

The solution is to use Function.fromFunctionName(), which (due to lack of place to put an account and region) is forced to assume the Function must be in the same account and region as the Stack itself.

If all you have is an ARN, parse it first to get the function name out (dropping the account and region on the floor, telling CDK not to worry about it):

    const functionArn = Fn.importValue('FunctionArn');
    const functionName = Arn.split(functionArn, ArnFormat.COLON_RESOURCE_NAME).resourceName;
    const fn = lambda.Function.fromFunctionName(this, 'Fn', functionName!);

In case the resource you are importing only has a fromResourceArn method (and not a fromResourceName method) like a StepFunctions StateMachine, you need to take apart the ARN and put it together again using the stack’s region and account:

const stateMachineArn = Fn.importValue('StateMachineArn');
const stackLocalArn = stack.formatArn({
  ...stack.splitArn(stateMachineArn, ArnFormat.COLON_RESOURCE_NAME),
  account: stack.account,
  region: stack.region,
});

const stateMachine = sfn.StateMachine.fromStateMachineArn(stack, 'SM', stackLocalArn);
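
Added example, not part of the original comment or of the CDK code base: a plain-string version of the split-and-rebuild workaround above, run on concrete ARNs to show that the rewrite silently changes the target when the imported ARN was not in the stack's own account and region. The names `ArnParts`, `StackEnv`, `splitColonResourceName` and `rewriteToStackEnv` are hypothetical, and the account IDs are constructed; a check like this could be run over resolved export values before deployment, since at synth time `Fn.importValue()` yields only a token.

```typescript
// Hypothetical helpers for illustration; these are not CDK APIs.
interface ArnParts {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;     // e.g. "function" or "stateMachine"
  resourceName: string; // everything after the resource type
}

interface StackEnv {
  account: string;
  region: string;
}

// Parse arn:{partition}:{service}:{region}:{account}:{resource}:{resourceName}
function splitColonResourceName(arn: string): ArnParts {
  const parts = arn.split(":");
  if (parts.length < 7 || parts[0] !== "arn") {
    throw new Error(`not a colon-separated resource ARN: ${arn}`);
  }
  const [, partition, service, region, account, resource, ...rest] = parts;
  // A Lambda qualifier ("my-fn:prod") stays part of the resource name.
  return { partition, service, region, account, resource, resourceName: rest.join(":") };
}

interface Rewrite {
  localArn: string;    // ARN rebuilt with the stack's account and region
  name: string;        // what a name-based import would receive
  retargeted: boolean; // true when the rebuilt ARN differs from the input
}

// Rebuild the ARN in the stack's environment and report whether that
// changed which resource the ARN points at.
function rewriteToStackEnv(arn: string, env: StackEnv): Rewrite {
  const p = splitColonResourceName(arn);
  const localArn = [
    "arn", p.partition, p.service, env.region, env.account, p.resource, p.resourceName,
  ].join(":");
  return { localArn, name: p.resourceName, retargeted: localArn !== arn };
}

// Constructed sample values.
const sampleEnv: StackEnv = { account: "111111111111", region: "eu-west-1" };
const sameEnvResult = rewriteToStackEnv(
  "arn:aws:lambda:eu-west-1:111111111111:function:my-fn", sampleEnv);
const otherEnvResult = rewriteToStackEnv(
  "arn:aws:states:us-east-1:222222222222:stateMachine:orders", sampleEnv);
console.log(sameEnvResult.retargeted, otherEnvResult.retargeted, otherEnvResult.localArn);
```

A `retargeted` result of `true` means the rule would be wired to a same-named resource in the stack's own environment rather than to the one the export referred to.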