IAM Role for Custom Resource - Invoke Function Policy fails with long CF stack names

[ghost]

Describe the bug If the stack name is long and is getting truncated on lambda names creation, the Invoke Function policy on the IAM Role for Custom Resources does not work.

To Reproduce Create a new deployment using the quickstart. Name the Cloudformation Stack with a custom name such as: testDeployment-Developer-12-waf-security-automations-drupal-300

Expected behavior No errors are thrown

Please complete the following information about the solution:

• [ ] Version: 3.0.0

• [ ] Region: us-east-1

• [ ] Was the solution modified from the version published on this repository? Yes - custom named S3 bucket for WAF Logs was added (not related to the section that broke). Also provided custom name for Cloudformation stack following internal naming policy.

• [ ] If the answer to the previous question was yes, are the changes available on GitHub? No - custom CodeCommit resource

• [ ] Have you checked your service quotas for the sevices this solution uses? Yes

• [ ] Were there any errors in the CloudWatch Logs? Yes, also in the cloudformation logs: Failed to create resource. An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:sts::377178645200:assumed-role/testDeployment-developer-12-LambdaRoleCustomResource-1AOUWFWQQBACJ/testDeployment-developer-12-waf-securi-CustomResource-17LI4JR0YM8S5 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:377178645200:function:testDeployment-developer-12-waf-s-AddAthenaPartitions-1GOE8YBUON14

Screenshots n/a - see above for error

Additional context Cloudformation is shortening the resource names for lambda functions, so the following policy using the AWS::StackName will not work:

• !If
  • CustomResourceLambdaAccess
  • PolicyName: LambdaAccess PolicyDocument: Statement:
    • Effect: Allow Action: "lambda:InvokeFunction" Resource:
      • !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}*"
  • !Ref "AWS::NoValue"

The Stack Name was: testDeployment-developer-12-waf-security-automations-drupal-300 The lambda function name that got created was: testDeployment-developer-12-waf-s-AddAthenaPartitions-1GOE8YBUON14

AWS::StackName for the IAM policy won't work in this situation.

This could be solved by using tags on the lambda functions and then locking down the lambda:InvokeFunction with a condition on the policy looking for a specific tag. For our testing of the quickstart, we removed ${AWS::StackName} and left just "*" but this is not ideal and we won't be moving to production with that test policy.

[praveenis]

Hi @brentbain ,

We have added this issue to our backlog for upcoming release and we will update the thread once the fix for the issue is released.

Thanks, Praveen

[hongyuanlei]

I'm facing the same issue, I think it is better to add some comments in the readme file to mention this.

[dscpinheiro]

Hi!

We just released v3.2.0 of the solution, and this issue has been fixed.