lambda: EventSourceMapping in 2.159.0 introduced Tags, which are not supported in cn-north-1

[holomekc]

Describe the bug

Hi Team, after updating to 2.159.0 or 2.159.1 our deployment in cn-north-1 fails because of the error: Resource handler returned message: "Model validation failed (#: extraneous key [Tags] is not permitted)"

The error message already says it, but we compared the old template of 2.158.0 with the template of 2.159.1 and we noticed that Tags were added to EventSourceMapping. We do not explicitly set those tags, but it seems that cdk does that for us.

In theory this is nice, but this creates an issue in cn-north-1. It seems that there the EventSourceMappings do not support Tags yet.

Regression Issue

• [ ] Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Only compatible changes with all AWS partition and regions are applied. So I guess: Option 1: wait with adding Tag support until Tags for EventSourceMapping is supported in all partitions and regions Option 2: Include a more complex solution, which exclude Tags in China partition until it is also supported there.

Current Behavior

The deployment fails in cn-north-1

Reproduction Steps

Create a lambda with SQS EventSource and try to roll it out in China.

Possible Solution

See expected behavior section

Additional Information/Context

No response

CDK CLI Version

2.159.1

Framework Version

No response

Node.js Version

20.17

OS

Ubuntu

Language

Java

Language Version

No response

Other information

No response

[khushail]

Hi @holomekc , thanks for reaching out.

Sharing my analysis of the issue -

1. CDK L2 construct does not support tags yet - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.EventSourceMapping.html

2. Cloudformation L1 construct supports tags - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.CfnEventSourceMapping.html#tags

3. However this tags property is not rolled out in all regions -

• Supported in us-east-1 - https://d1uauaxba7bl26.cloudfront.net/latest/gzip/CloudFormationResourceSpecification.json

-Not yet rolled out in China region-https://cfn-resource-specifications-cn-north-1-prod.s3.cn-north-1.amazonaws.com.cn/latest/gzip/CloudFormationResourceSpecification.json

For cloudformation feature requests/bug, its recommended to open an issue with them on the Cloudformation coverage roadmap.

You could also file a ticket through Premium support and reach out to Cloudformation team for further action.

Hope that would be helpful. Feel free to reach out if you have any questions. Thanks.

[khushail]

@holomekc , I have filed an issue with Cloudformation team - https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/2137

Please follow this for more updates.

[GavinZZ]

Hello, confirmed with CloudFormation team and I can reproduce this issue. For now, please consider downgrading to a version below 2.159.0, or use CDK escape hatch to remove the tags if the region is CN. The Tags property would be supported in mid to late October in CN regions.

[holomekc]

Hi. I tried escape hach an tested with null, but this did not work for me. I extracted the EventSourceMapping from the lambda itself and then searched for the type in the list of children. Maybe I am missing something.

[GavinZZ]

@holomekc Hello, please give the following a try and let me know if it works for you.

export class CdkAppStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    cdk.Tags.of(this).add("Project", "CDKTest123")

    // Create a DynamoDB table
    const table = new dynamodb.Table(this, 'MyTable', {
      partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
      billingMode: dynamodb.BillingMode.PAY_PER_REQUEST,
    });

    // Create a Lambda function
    const myFunction = new lambda.Function(this, 'MyFunction', {
      runtime: lambda.Runtime.NODEJS_18_X,
      handler: 'index.handler',
      code: lambda.Code.fromInline(`
        exports.handler = async function(event) {
          console.log('Received event:', JSON.stringify(event, null, 2));
          return {
            statusCode: 200,
            body: JSON.stringify('Hello from Lambda!'),
          };
        }
      `),
    });

    // Create an EventSourceMapping to trigger the Lambda function when items are added to the DynamoDB table
    const esm = new lambda.EventSourceMapping(this, 'MyEventSourceMapping', {
      target: myFunction,
      eventSourceArn: table.tableArn,
      startingPosition: lambda.StartingPosition.LATEST,
    });

    const cfnEsm = esm.node.defaultChild as lambda.CfnEventSourceMapping;
    cfnEsm.addPropertyDeletionOverride('Tags'); // this line should remove the tags and you can apply it if region is cn
  }
}

[holomekc]

Hi @GavinZZ ,

thx this works!!!

[gkaskonas]

We have the same issue in us-east-1"Unsupported resource type for tagging or invalid arn: arn:aws:lambda:us-east-1:xxxxxxxx:event-source-mapping:1b9b34f5-536c-4398-8162-fa34aafb044f

[GavinZZ]

@gkaskonas that's weird. The tagging property should be supported in us-east-1. Can you provide a minimum CDK app that I can use to reproduce the error and share with me the CDK version.

[gkaskonas]

import * as cdk from 'aws-cdk-lib';

import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { SqsEventSource } from 'aws-cdk-lib/aws-lambda-event-sources';
import { Queue } from 'aws-cdk-lib/aws-sqs';
import { Construct } from 'constructs';
// import * as sqs from 'aws-cdk-lib/aws-sqs';

export class EventsourcemappingStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const sqs = new Queue(this, 'EventsourcemappingQueue', {});

    const lambda = new Function(this, 'EventsourcemappingFunction', {
      runtime: Runtime.NODEJS_20_X,
      handler: 'index.handler',
      code: Code.fromInline('exports.handler = async function() { return "Hello, CDK"; }'),
    });

    const eventsource = lambda.addEventSource(new SqsEventSource(sqs));

    cdk.Tags.of(this).add('project', 'eventsourcemapping');

  }
}

#!/opt/homebrew/opt/node/bin/node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { EventsourcemappingStack } from '../lib/eventsourcemapping-stack';

const app = new cdk.App();
new EventsourcemappingStack(app, 'EventsourcemappingStack', {
  tags: {
    'project': 'eventsourcemapping',
    'environment': 'dev'
  }
});

09:33:26 | UPDATE_FAILED        | AWS::Lambda::EventSourceMapping | Eventsourcemapping...ueD5DC6A06DEA49DDF
Resource handler returned message: "Unsupported resource type for tagging or invalid arn: arn:aws:lambda:us-east-1:xxxxxxx:event-source-mapping:ea5d75c8-42d7-4013-a82c
-0ce246d90463 (Service: Lambda, Status Code: 400, Request ID: dc72411b-b3a8-4faa-a420-fdc625e295fd)" (RequestToken: b0dba2f6-d09d-ab7a-a8f3-9d37e9eb6260, HandlerErrorCode:
InvalidRequest)

  "EventsourcemappingFunctionSqsEventSourceEventsourcemappingStackEventsourcemappingQueueD5DC6A06DEA49DDF": {
   "Type": "AWS::Lambda::EventSourceMapping",
   "Properties": {
    "EventSourceArn": {
     "Fn::GetAtt": [
      "EventsourcemappingQueueD8945817",
      "Arn"
     ]
    },
    "FunctionName": {
     "Ref": "EventsourcemappingFunction2F91A4D5"
    },
    "Tags": [
     {
      "Key": "project",
      "Value": "eventsourcemapping"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "EventsourcemappingStack/EventsourcemappingFunction/SqsEventSource:EventsourcemappingStackEventsourcemappingQueueD5DC6A06/Resource"
   }
  },

[gkaskonas]

We noticed that this issue is only happening in our staging account. Dev account is fine. Is there something we need to do on our account to enable this?