Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

support lambda actions for IoT topic rules

See original GitHub issue

Very similar to #555

There does not appear to be an automatic way to add permissions (the “Function Policy”) to the Lambda which is invoked from an IoT Topic Rule.

I obviously was not expecting the below to work since there is no explicit link between the IoT rule and the Lambda (since IoT does not appear to be supported by lambda-event-sources)

The IoT rule is created with Lambda as its target
The Lambda is created with no trigger (nothing visible on the console)
No Function Policy exists on the Lambda

Upon “editing” the IoT rule through the console, AWS helpfully says “we’ll handle the Lambda permissions for you” - would be nice if this happened through the CDK

Reproduction Steps

const motaAckLambda = new lambda.Function(this, 'MotaGwAck', {
    code: lambda.Code.fromAsset('apps/stacks/hw-mgmt/fota/dist/'),
    handler: 'fotaAck.handler',
    runtime: lambda.Runtime.NODEJS_10_X,
});
const lambdaIotAction: LambdaActionProperty = {
    functionArn: motaAckLambda.functionArn,
};
const iotFwdRule = new iot.CfnTopicRule(this, 'IotLambFwdRule', {
    topicRulePayload: {
        actions: [
            {
                lambda: lambdaIotAction,
            },
        ],
        ruleDisabled: false,
        sql: `SELECT soemthing FROM 'somewhere'`,
        awsIotSqlVersion: '2016-03-23',
    },
});

Error Log

The IoT rule does NOT trigger the lambda and, in fact, I don’t think the rule triggers at all (no error is logged in the verbose IoT logs in CloudWatch)

Environment

CLI Version :1.18.0
Framework Version: 1.18.0
OS : Mac
Language : TypeScript

Other

Removing the policy

Whilst experimenting with this (to reproduce), if you need to remove the policy (you cannot do it through the console)

➜  ~ aws lambda get-policy --function-name functionArn
# Get the statement SID from here
➜  ~ aws lambda remove-permission --function-name functionArn --statement-id retrievedAbove

Current approach

My current approach (which I can confirm does work)

Everything as above and append:

motaAckLambda.addPermission('AllowIoTInvoke', {
    principal: new ServicePrincipal('iot.amazonaws.com'),
    sourceArn: iotFwdRule.attrArn,
});

It’s unclear if this is the suggested fix (because IoT has notoriously never had a huge amount of documentation) but its working. Still, would be nice if IoT worked in the same way as almost every other Lambda event trigger

This is 🐛 Bug Report

Issue Analytics

State:
Created 4 years ago
Reactions:12
Comments:5 (2 by maintainers)

Top GitHub Comments

4reactions

nija-atcommented, Jan 3, 2020

As you’ve noted, using Lambda’s addPermission() method is the best workaround.

This issue is not a bug, but a feature gap. Ideally, we would have a way to configure a lambda function, dynamo table or SNS topic directly into an IoT rule as an action.

Unfortunately, we don’t yet have full support of IoT in the CDK, and only support Cfn* constructs. Any required permissions would be correctly modeled and granted when we have full support.

If this was built out, it would be modeled as a secondary module of IoT, named something like @aws-cdk/aws-iot-actions and the code would look something like -

const fn = new lambda.Function(this, 'myfunction',  { ... });
const rule = new iot.Rule(this, 'myrule', { ... });
rule.addAction(new LambdaAction({
  handler: fn,
  ...
}));

The addAction() and the LambdaAction classes in conjunction would take care of assigning the right permission.

@shivlaks - does this seem reasonable to you? Would you consider this a gap with the IoT construct library support?

2reactions

yamatatsucommented, Nov 9, 2021

This is resolved by https://github.com/aws/aws-cdk/pull/17110 😃