(aws-events): Cross Stack Rule Requires Concrete Account
What is the problem?
When setting up a rule against a lambda defined in another stack that is in the same account and region, CDK is now returning an error:
“You need to provide a concrete account for the target stack when using cross-account or cross-region events”
This is for any CDK version > 2.3.0
Reproduction Steps
Create and export the ARN of a lambda function from one stack. Add a policy to the function that allows “lambda:InvokeFunction”. In another stack, use “Function.fromFunctionArn”.
Example:
const importedFunction = lambda.Function.fromFunctionArn(
  this,
  "ImportedFunction",
  cdk.Fn.importValue("OtherStack-ExportedFunctionARN"),
);
new events.Rule(this, "Rule", {
  schedule: events.Schedule.expression("cron(0 * * * ? *)"),
  targets: [
    new targets.LambdaFunction(importedFunction, {}),
  ],
});
What did you expect to happen?
Expect the rule to be created and to be able to execute the remote function.
What actually happened?
/cdk/node_modules/aws-cdk-lib/aws-events/lib/rule.ts:134
throw new Error('You need to provide a concrete account for the target stack when using cross-account or cross-region events');
CDK CLI Version
2.7.0
Framework Version
2.7.0
Node.js Version
16.13.1
OS
OSX M1
Language
Typescript
Language Version
4.5
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions:4
- Comments:19 (8 by maintainers)
Top GitHub Comments
I am convinced now that treating a “floating” region and account as being equal to the “current” region and account is the most desirable behavior. While the current way is technically correct it is also very inconvenient in many common use cases. The use case we are optimizing for (cross-env targets) is likely to be much more rare.
You can know the Lambda Function is definitely in the same account, but CDK can’t know that because all you’re giving it is an ARN that it can’t look into (Fn.importValue()). It could be anything and anywhere, but in only a subset of cases can we successfully trigger that rule.
The solution is to use Function.fromFunctionName(), which (due to lack of place to put an account and region) is forced to assume the Function must be in the same account and region as the Stack itself.
If all you have is an ARN, parse it first to get the function name out (dropping the account and region on the floor, telling CDK not to worry about it):
In case the resource you are importing only has a fromResourceArn method (and not a fromResourceName method) like a StepFunctions StateMachine, you need to take apart the ARN and put it together again using the stack’s region and account:
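Added example, not part of the issue or of the maintainers' comments: one way to apply both workarounds described above with `aws-cdk-lib` v2, using `Arn.split` and `Stack.formatArn`. The stack id `RuleStack` and the export name `OtherStack-ExportedStateMachineARN` are assumptions made for illustration; the function export name is the one from the reproduction.

```typescript
import { App, Arn, ArnFormat, Fn, Stack } from 'aws-cdk-lib';
import * as events from 'aws-cdk-lib/aws-events';
import * as targets from 'aws-cdk-lib/aws-events-targets';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';

// Builds a stack whose rule targets resources imported from another stack in
// the same account and region. 'RuleStack' is a hypothetical stack id.
export function buildRuleStack(app: App): Stack {
  const stack = new Stack(app, 'RuleStack');

  // Lambda: the imported ARN is an opaque token, so split it with Arn.split
  // (rendered as Fn::Split / Fn::Select at deploy time) and keep only the name.
  const fnArn = Fn.importValue('OtherStack-ExportedFunctionARN');
  const fnName = Arn.split(fnArn, ArnFormat.COLON_RESOURCE_NAME).resourceName!;
  // fromFunctionName has no account/region input, so CDK uses the stack's own.
  const importedFunction = lambda.Function.fromFunctionName(stack, 'ImportedFunction', fnName);

  // State machine: imported by ARN, so rebuild the ARN around the stack's own
  // partition, region and account. The export name here is hypothetical.
  const smArn = Fn.importValue('OtherStack-ExportedStateMachineARN');
  const smName = Arn.split(smArn, ArnFormat.COLON_RESOURCE_NAME).resourceName!;
  const localSmArn = stack.formatArn({
    service: 'states',
    resource: 'stateMachine',
    resourceName: smName,
    arnFormat: ArnFormat.COLON_RESOURCE_NAME,
  });
  const importedStateMachine = sfn.StateMachine.fromStateMachineArn(
    stack, 'ImportedStateMachine', localSmArn);

  new events.Rule(stack, 'Rule', {
    schedule: events.Schedule.expression('cron(0 * * * ? *)'),
    targets: [
      new targets.LambdaFunction(importedFunction),
      new targets.SfnStateMachine(importedStateMachine),
    ],
  });
  return stack;
}
```

Because the rebuilt references always point at the deploying stack's account and region, this only fits targets that really live there; a target in another account still needs an explicit account on the target stack.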