support lambda actions for IoT topic rules
Very similar to #555
There does not appear to be an automatic way to add permissions (the “Function Policy”) to the Lambda which is invoked from an IoT Topic Rule.
I obviously was not expecting the below to work since there is no explicit link between the IoT rule and the Lambda (since IoT does not appear to be supported by lambda-event-sources)
- The IoT rule is created with Lambda as its target
- The Lambda is created with no trigger (nothing visible on the console)
- No Function Policy exists on the Lambda
Upon “editing” the IoT rule through the console, AWS helpfully says “we’ll handle the Lambda permissions for you” - would be nice if this happened through the CDK
Reproduction Steps

```ts
import * as iot from '@aws-cdk/aws-iot';
import * as lambda from '@aws-cdk/aws-lambda';

// Lambda function that should be invoked by the IoT topic rule
const motaAckLambda = new lambda.Function(this, 'MotaGwAck', {
  code: lambda.Code.fromAsset('apps/stacks/hw-mgmt/fota/dist/'),
  handler: 'fotaAck.handler',
  runtime: lambda.Runtime.NODEJS_10_X,
});

// L1 action pointing at the function; this does not grant iot.amazonaws.com
// permission to invoke it
const lambdaIotAction: iot.CfnTopicRule.LambdaActionProperty = {
  functionArn: motaAckLambda.functionArn,
};

const iotFwdRule = new iot.CfnTopicRule(this, 'IotLambFwdRule', {
  topicRulePayload: {
    actions: [
      {
        lambda: lambdaIotAction,
      },
    ],
    ruleDisabled: false,
    sql: `SELECT something FROM 'somewhere'`,
    awsIotSqlVersion: '2016-03-23',
  },
});
```
Error Log
The IoT rule does NOT trigger the lambda and, in fact, I don’t think the rule triggers at all (no error is logged in the verbose IoT logs in CloudWatch)
Environment
- CLI Version: 1.18.0
- Framework Version: 1.18.0
- OS: Mac
- Language: TypeScript
Other
Removing the policy
- Whilst experimenting with this (to reproduce), if you need to remove the policy (you cannot do it through the console):

```sh
aws lambda get-policy --function-name functionArn
# Get the statement SID from here
aws lambda remove-permission --function-name functionArn --statement-id retrievedAbove
```
Current approach
My current approach (which I can confirm does work):
Everything as above and append:

```ts
import { ServicePrincipal } from '@aws-cdk/aws-iam';

// Resource-based (function) policy statement letting the IoT service invoke
// the function, scoped to this one rule's ARN
motaAckLambda.addPermission('AllowIoTInvoke', {
  principal: new ServicePrincipal('iot.amazonaws.com'),
  sourceArn: iotFwdRule.attrArn,
});
```
It’s unclear if this is the suggested fix (because IoT has notoriously never had a huge amount of documentation) but it’s working. Still, it would be nice if IoT worked in the same way as almost every other Lambda event trigger.
This is 🐛 Bug Report
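The two states the report describes (no function policy at all, so the rule silently never invokes the function, versus a statement scoped to the rule's ARN) can be checked from the output of aws lambda get-policy. The following is an added example, not code from the issue or from the CDK project: it models the function policy document, builds the statement that addPermission() with a ServicePrincipal and sourceArn produces, and audits a policy for a given rule. It also flags the over-broad case, an iot.amazonaws.com statement with no AWS:SourceArn condition, which would let any topic rule invoke the function. The ARNs, SIDs and RevisionId are constructed sample values.

```typescript
// Added example, not code from the issue or the CDK project. Models the Lambda
// function (resource) policy as `aws lambda get-policy` returns it and audits
// whether a given IoT topic rule is allowed to invoke the function.

type Condition = {
  ArnLike?: { 'AWS:SourceArn': string };
  StringEquals?: { 'AWS:SourceAccount': string };
};

interface Statement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: { Service?: string; AWS?: string } | string;
  Action: string | string[];
  Resource: string;
  Condition?: Condition;
}

interface FunctionPolicy {
  Version: string;
  Id?: string;
  Statement: Statement[];
}

type Finding = 'missing' | 'unscoped' | 'ok';

// Statement equivalent to what addPermission(sid, { principal: iot.amazonaws.com,
// sourceArn: rule.attrArn }) emits as an AWS::Lambda::Permission resource.
function iotInvokeStatement(sid: string, functionArn: string, ruleArn: string): Statement {
  return {
    Sid: sid,
    Effect: 'Allow',
    Principal: { Service: 'iot.amazonaws.com' },
    Action: 'lambda:InvokeFunction',
    Resource: functionArn,
    Condition: { ArnLike: { 'AWS:SourceArn': ruleArn } },
  };
}

// `aws lambda get-policy` wraps the policy document in a JSON string field.
function parseGetPolicyOutput(raw: string): FunctionPolicy {
  const outer = JSON.parse(raw) as { Policy: string };
  return JSON.parse(outer.Policy) as FunctionPolicy;
}

// ArnLike matching: '*' matches any run of characters, '?' exactly one.
function arnLike(pattern: string, arn: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(arn);
}

// True if the statement lets the IoT service invoke this function at all.
function allowsIotInvoke(s: Statement, functionArn: string): boolean {
  const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
  const service = typeof s.Principal === 'string' ? undefined : s.Principal.Service;
  return s.Effect === 'Allow' && service === 'iot.amazonaws.com' &&
    actions.some(a => a === 'lambda:InvokeFunction' || a === 'lambda:*') &&
    (s.Resource === functionArn || s.Resource === '*');
}

// 'missing': no statement covers this rule (the rule never fires the function).
// 'unscoped': IoT may invoke with no SourceArn condition (any rule, any account).
// 'ok': a statement scoped to this rule's ARN exists.
function auditIotInvoke(policy: FunctionPolicy, functionArn: string, ruleArn: string): Finding {
  let finding: Finding = 'missing';
  for (const s of policy.Statement) {
    if (!allowsIotInvoke(s, functionArn)) continue;
    const sourceArn = s.Condition?.ArnLike?.['AWS:SourceArn'];
    if (sourceArn === undefined) return 'unscoped';
    if (arnLike(sourceArn, ruleArn)) finding = 'ok';
  }
  return finding;
}

// Statement ids to hand to `aws lambda remove-permission --statement-id` when
// cleaning up IoT grants, as in the "Removing the policy" steps above.
function iotStatementIds(policy: FunctionPolicy): string[] {
  return policy.Statement
    .filter(s => typeof s.Principal !== 'string' && s.Principal.Service === 'iot.amazonaws.com')
    .map(s => s.Sid);
}

// Constructed sample values (not from the issue).
const FUNCTION_ARN = 'arn:aws:lambda:us-east-1:123456789012:function:MotaGwAck';
const RULE_ARN = 'arn:aws:iot:us-east-1:123456789012:rule/IotLambFwdRule';
const SAMPLE_GET_POLICY = JSON.stringify({
  Policy: JSON.stringify({
    Version: '2012-10-17',
    Id: 'default',
    Statement: [iotInvokeStatement('AllowIoTInvoke', FUNCTION_ARN, RULE_ARN)],
  }),
  RevisionId: '00000000-0000-0000-0000-000000000000',
});

function demo(): Finding {
  return auditIotInvoke(parseGetPolicyOutput(SAMPLE_GET_POLICY), FUNCTION_ARN, RULE_ARN);
}
```

Feed the real output of aws lambda get-policy into parseGetPolicyOutput and the rule ARN from the CfnTopicRule's attrArn into auditIotInvoke; 'missing' is the symptom in this report, and 'unscoped' is the state to avoid when adding the permission by hand.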
Issue Analytics
- Created 4 years ago
- Reactions: 12
- Comments: 5 (2 by maintainers)
Top GitHub Comments
As you’ve noted, using Lambda’s addPermission() method is the best workaround. This issue is not a bug, but a feature gap. Ideally, we would have a way to configure a lambda function, dynamo table or SNS topic directly into an IoT rule as an action.

Unfortunately, we don’t yet have full support of IoT in the CDK, and only support Cfn* constructs. Any required permissions would be correctly modeled and granted when we have full support. If this was built out, it would be modeled as a secondary module of IoT, named something like @aws-cdk/aws-iot-actions and the code would look something like -

The addAction() and the LambdaAction classes in conjunction would take care of assigning the right permission.

@shivlaks - does this seem reasonable to you? Would you consider this a gap with the IoT construct library support?
This is resolved by https://github.com/aws/aws-cdk/pull/17110 😃