Open SamStephens opened 2 years ago
Thinking about this, it may be worth auditing for any other places where the Logical ID is used as the resource name, or to construct the Physical ID of the resource as Lambda Layers do. Any resource for which the Logical ID is used as the resource name is going to be subject to this issue.
Is the underlying issue here that the Stack name is not used as part of the Logical ID; because Stack names are guaranteed to be unique?
Yes.
We will have to switch to using Names.uniqueResourceName (and put that change behind a feature flag).
Describe the bug
When two stacks both import a role with the same Logical ID, and both try and add policies to that role, both stacks will use the same name for the policy, and the policy from one stack will overwrite the other.
Expected Behavior
I'd expect the IAM policy to use the Physical ID of the Cloudformation resource as its name. The Physical IDs differ across the two stacks.
Current Behavior
The IAM policy uses the Logical ID of the Cloudformation resource as its name. The Logical IDs are the same across both stacks. Hence one overwrites the other.
Reproduction Steps
Here's the
app.py
for three stacks that demonstrate this problem. After deploying all three stacks, you'll see that the role has a single policy, that only provides permissions to one of the two lambdas.Possible Solution
I'm not sure what the right solution is here, because: (a) I think this is a Cloudformation bug, rather than a CDK bug; (b) changing the Policy resource to use the Logical ID rather than the Physical ID would be a breaking change for existing stacks.
Additional Information/Context
The similarity to https://github.com/aws/aws-cdk/issues/8742 is worth considering, where we see basically the same issue with Lambda Layers from different stacks overwriting each other.
CDK CLI Version
2.45.0 (build af1fb7c)
Framework Version
2.45.0
Node.js Version
v16.15.1
OS
Ubuntu (Windows Subsystem for Linux)
Language
Python
Language Version
Python 3.9.7
Other information
No response