(lambda): Incorrect profiler arn on import when profiling is off
See original GitHub issueWhat is the problem?
When importing an existing profiling group into a lambda function using ProfilingGroup.fromProfilingGroupArn
if profiling is flipped to false, the lambda role policy receives an invalid profiling group arn on it’s resource.
The resource arn becomes arn:aws:codeguru-profiler:<region>:<accountid>:profilingGroup/profilingGroup
The name of the profiling group is invalid in this case.
Reproduction Steps
import * as cdk from '@aws-cdk/core';
import * as codeguru from '@aws-cdk/aws-codeguruprofiler';
import * as lambda from '@aws-cdk/aws-lambda';
const app = new cdk.App();
const stack = new cdk.Stack(app, "Test");
const profilingGroup = codeguru.ProfilingGroup.fromProfilingGroupArn(this, "ProfilingGroup", "somearnhere");
const func = new lambda.Function(this, "Function", {
... // your lambda props here
runtime: lambda.Runtime.PYTHON_3_7,
profilingGroup,
profiling: false, // Or this key can simply be omitted
});
Using the code above the environment variable for AWS_CODEGURU_PROFILER_GROUP_ARN
will result in arn:aws:codeguru-profiler:us-west-2:0123456789:profilingGroup/profilingGroup
(account id just for the sake of valid arn pattern)
What did you expect to happen?
Expected result is for profiling to simply be switched off, but the profiling group arn injected into the environment variables should still be the arn of the profiling group being imported in the lambda function definition.
What actually happened?
The environment variable AWS_CODEGURU_PROFILER_GROUP_ARN is set to arn:aws:codeguru-profiler:us-west-2:0123456789:profilingGroup/profilingGroup
CDK CLI Version
2.4.0 (build 993f14d)
Framework Version
No response
Node.js Version
v14.18.2
OS
Ubuntu
Language
Typescript
Language Version
~4.5.4
Other information
The issue is caused by this line https://github.com/aws/aws-cdk/blob/ddc2bc6ae64fe14ddb4a03122c90dfcf954f149f/packages/%40aws-cdk/aws-lambda/lib/function.ts#L647
If a profiling group is being imported, the correct values should be injected, and the correct iam permissions should be given regardless of whether or not profiling is enabled. Instead the value of AWS_CODEGURU_PROFILER_ENABLED should be set depending on the props passed to the lambda.Function constructor.
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:6 (2 by maintainers)
Top GitHub Comments
I would be happy to open a PR to fix this bug, if that is alright with the cdk team
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.