Open tomwwright opened 3 years ago
Lambda-backed CloudFormation Custom Resources also cannot be invoked (securely) cross-account without specifying specific Account IDs in AWS::Lambda::Permission resources. While Lambda functions are governed by a resource policy, managing this resource policy can only be done via the AddPermission API action that doesn't have support for IAM Conditions
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
Solution here would be to introduce an SNS topic to the Custom Resource stack and attach a more expressive resource policy to that
Lambda-backed Custom Resources must be invoked from stacks in the same region
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
This is a limitation when trying to use Stack Sets to deploy to many regions at the same time that are integrated with a Custom Resource.
This issue is compounded by #15 and #16 as other limitations exist for deploying a Custom Resource packaged with SAM
Solution here is to create a small Lambda that can be deployed via inline code that is able to "proxy" a Custom Resource invocation to another Lambda Custom Resource cross-region
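A sketch of the proxy described in the last paragraph, added here as an example and not taken from the issue or the project's code. It assumes the target function answers the CloudFormation `ResponseURL` itself; `TARGET_FUNCTION_ARN`, `forward`, `region_of` and the other helper names are hypothetical. The target is pinned in the proxy's environment so a template's `ResourceProperties` cannot redirect the proxy to another function, and any forwarding error is reported as `FAILED` so the stack does not hang waiting for a response.

```python
import json
import os
import urllib.request

# Assumption: the target is pinned in the proxy's environment, never read from
# ResourceProperties, so a calling template cannot choose which function runs.
TARGET_ARN = os.environ.get("TARGET_FUNCTION_ARN", "")


def region_of(arn):
    """Return the region of arn:<partition>:lambda:<region>:<account>:function:<name>."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "lambda" or parts[5] != "function":
        raise ValueError("not a Lambda function ARN: %r" % arn)
    return parts[3]


def failure_body(event, reason):
    """Build the FAILED response CloudFormation expects at ResponseURL."""
    return {
        "Status": "FAILED",
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId", "proxy-failed"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }


def send_failure(event, reason):
    """PUT the failure to the pre-signed ResponseURL (empty Content-Type, as cfn-response does)."""
    data = json.dumps(failure_body(event, reason)).encode()
    req = urllib.request.Request(event["ResponseURL"], data=data, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)


def forward(event, client_factory, target_arn, on_failure=send_failure):
    """Invoke the target asynchronously in its own region; report FAILED on any error."""
    try:
        client = client_factory(region_of(target_arn))
        client.invoke(FunctionName=target_arn, InvocationType="Event",
                      Payload=json.dumps(event).encode())
        return True
    except Exception as exc:  # broad on purpose: an unanswered request stalls the stack
        on_failure(event, "proxy could not invoke target: %s" % exc)
        return False


def handler(event, context):
    import boto3  # provided by the Lambda Python runtime
    return forward(event, lambda region: boto3.client("lambda", region_name=region), TARGET_ARN)
```

The proxy's execution role needs `lambda:InvokeFunction` on the pinned ARN only.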