API Gateway Resource Policy limits with too many scheduled events

[aleontiev]

Context

On a recent deployment, I hit this error:

An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20698) is bigger than the limit (20480).

When looking at the policy, I can see that Zappa is creating one policy entry for each task, e.g:

{
  "StringEquals": {
    "AWS:SourceAccount": "$AWS_ACCOUNT_ID"
  },
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:events:$AWS_REGION:$AWS_ACCOUNT_ID:rule/$AWS_LAMBDA_FUNCTION_NAME.$APP_TASK_NAME"
  }
}

I know this is an AWS limit and not strictly a Zappa issue, but I wonder if there can be a more efficient way to handle these permissions so that larger functions can support more events.

Possible Fix

Either one of these:

a) (preferred, better UX for users) a policy generator that uses a wildcard in the SourceArn so that all events can be supported by a single clause in the policy

b) (easier implementation for Zappa) a way to disable automatic API Gateway Resource Policy management in Zappa so that users can manage the policy manually

[aleontiev]

Bump, any thoughts? Still running into this, so far I was able to find a few old/redundant jobs to consolidate, but hoping for a longer term solution..

[aleontiev]

Any support for this issue or interest in accepting a PR? I am working around it in a fork

[grantmcconnaughey]

I'm running into this, too. Currently trying to figure out a way to work around it.

[github-actions[bot]]

Hi there! Unfortunately, this Issue has not seen any activity for at least 90 days. If the Issue is still relevant to the latest version of Zappa, please comment within the next 10 days if you wish to keep it open. Otherwise, it will be automatically closed.

[github-actions[bot]]

Hi there! Unfortunately, this Issue was automatically closed as it had not seen any activity in at least 100 days. If the Issue is still relevant to the latest version of Zappa, please open a new Issue.