(lambda): cross account lambda resolvers can not be created


What is the problem?

Cannot create a cross-account Lambda function resolver for an AppSync API. It tries to add a permission to the Lambda but cannot. Worked in CDKv1 but not in CDKv2.

Reproduction Steps

import { aws_lambda, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as appsync from '@aws-cdk/aws-appsync-alpha';

export class GraphqlbugStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const api = new appsync.GraphqlApi(this, 'Api', {
      name: 'demo',
    });

    const myLambda = aws_lambda.Function.fromFunctionArn(this, "function", "arn:aws:lambda:eu-west-1:111222333444:function:MyLambda")
    const demoDS = api.addLambdaDataSource("lambdaDataSource", myLambda)

    demoDS.createResolver({
      typeName: 'Query',
      fieldName: 'getDemos',
    });
    
  }
}

Then run cdk synth

What did you expect to happen?

Generates a CloudFormation template.

What actually happened?

/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212
              throw new Error('Cannot modify permission to lambda function. Function is either imported or $LATEST version. '
                    ^
Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version. If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.
    at Object.addToResourcePolicy (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212:21)
    at Function.addToPrincipalOrResource (/Users/.../node_modules/aws-cdk-lib/aws-iam/lib/grant.ts:77:45)
    at Import.grantInvoke (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:195:25)
    at new LambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/data-source.ts:197:26)
    at GraphqlApi.addLambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/graphqlapi-base.ts:106:12)
    at new GraphqlbugStack (/Users/.../lib/graphqlbug-stack.ts:15:24)
    at Object.<anonymous> (/Users/.../bin/graphqlbug.ts:7:1)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Module.m._compile (/Users/.../node_modules/ts-node/src/index.ts:1056:23)
    at Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
Subprocess exited with error 1

CDK CLI Version

2.9.0

Framework Version

No response

Node.js Version

v16.13.2

OS

macOS Catalina

Language

TypeScript

Language Version

TypeScript (4.5.5)

Other information

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

2 reactions
kaizencc commented, Feb 14, 2022

We seem to have stumbled on a rabbit hole here that was most recently modified here: https://github.com/aws/aws-cdk/pull/11369 (and that PR links to at least 2 others trying to do the same thing).

There are a few attributes you can try from fromFunctionAttributes() that are related: sameEnvironment and allowPermissions. But after hearing the use case you describe, I wonder if these will both still result in deploy time failures (since there is no way to attempt to modify imported resources). Perhaps we need to introduce a property like skipPermissions to address this use case.

At any rate, I’m a bit out of my depth and I’ll wait for @skinny85 to weigh in.
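CDK cannot attach a permission to a function it imports from another account, so the invoke grant has to exist already in the function's resource policy in the owning account. The check below is an added example, not code from the issue or from the CDK; the role ARN, account 555666777888 and the policy contents are constructed, and only the function ARN is taken from the reproduction above.

```typescript
// Added example: classify how a Lambda resource policy grants invoke to a caller role.
// Simplifications: Condition blocks and Deny statements are not evaluated, and the
// Resource must equal the function ARN exactly (no version or alias qualifiers).
type Principal = string | { AWS?: string | string[]; Service?: string | string[] };
interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[] }
type Grant = 'missing' | 'role' | 'account' | 'public';

const toList = (v?: string | string[]): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];
// The account ID is the fifth colon-separated field of an ARN.
const accountOf = (arn: string): string => arn.split(':')[4] ?? '';

function allowsInvoke(s: Statement, functionArn: string): boolean {
  const actions = toList(s.Action).map((a) => a.toLowerCase());
  const invoke = actions.some((a) => a === 'lambda:invokefunction' || a === 'lambda:*' || a === '*');
  return s.Effect === 'Allow' && invoke && toList(s.Resource).includes(functionArn);
}

// Returns the broadest grant that lets callerRoleArn invoke functionArn.
function invokeGrant(policy: PolicyDocument, functionArn: string, callerRoleArn: string): Grant {
  const account = accountOf(callerRoleArn);
  const rank: Grant[] = ['missing', 'role', 'account', 'public'];
  let best: Grant = 'missing';
  for (const s of policy.Statement.filter((st) => allowsInvoke(st, functionArn))) {
    const aws = typeof s.Principal === 'string' ? [s.Principal] : toList(s.Principal.AWS);
    for (const p of aws) {
      let g: Grant = 'missing';
      if (p === '*') g = 'public';
      else if (p === account || p === `arn:aws:iam::${account}:root`) g = 'account';
      else if (p === callerRoleArn) g = 'role';
      if (rank.indexOf(g) > rank.indexOf(best)) best = g;
    }
  }
  return best;
}

// Constructed sample values; only FUNCTION_ARN comes from the issue's reproduction.
const FUNCTION_ARN = 'arn:aws:lambda:eu-west-1:111222333444:function:MyLambda';
const APPSYNC_ROLE = 'arn:aws:iam::555666777888:role/AppSyncLambdaDataSourceRole';
const samplePolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: APPSYNC_ROLE }, Action: 'lambda:InvokeFunction', Resource: FUNCTION_ARN }],
};
console.log(invokeGrant(samplePolicy, FUNCTION_ARN, APPSYNC_ROLE));
```

A result of `missing` means the resolver's invoke call will be denied at run time even if synthesis succeeds; `account` or `public` means the grant is wider than the single data source role needs.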

0 reactions
github-actions[bot] commented, Feb 16, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
