EventSourceMapping has a race condition with IAM Policy?

Question

EventSourceMapping has a race condition with IAM Policy?

sam-goodwin opened this issue 2 years ago · 2 comments

What happened?

When deploying without a re-mapped AWS::Lambda::EventSourceMapping, I encountered errors where the deployment would fail because the target Function did not have permissions to receive messages from the source SQS Queue. After re-mapping to a pulumi classic EventSourceMapping Resource, the problem seemed to go away.

Not sure if this is a consistency problem with IAM Policies, or whether there's a bug in the dependency chain when using the aws-native:EventSourceMapping resource.

Expected Behavior

Dependencies should be traversed in order and Event Source Mappings should only be created once the target has permissions to read from the source.

Steps to reproduce

Create a SQS Queue and subscribe a Lambda Function to it. Deploy.

Output of `pulumi about`

CLI
Version      3.53.1
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.28.0
nodejs  unknown

Host
OS       darwin
Version  13.1
Arch     arm64

This project is written in nodejs: executable='/Users/samgoodwin/.nvm/versions/node/v16.14.2/bin/node' version='v16.14.2'

Current Stack: sam-g/stock-bot/stock-bot

TYPE                 URN
pulumi:pulumi:Stack  urn:pulumi:stock-bot::stock-bot::pulumi:pulumi:Stack::stock-bot-stock-bot


Found no pending operations associated with stock-bot

Backend
Name           pulumi.com
URL            https://app.pulumi.com/sam-g
User           sam-g
Organizations  sam-g

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Answer 1 · 2023-01-30T03:45:03.000Z

Can you share a minimal repro that triggers this behavior? It sounds like there is a missing DependsOn resource option which would ensure the right order of resource creates.

Pulumi creates resources concurrently. The EventSourceMapping might need a dependency relationship on the IAM policy.

Answer 2 · 2023-07-28T13:23:01.000Z

Since we haven't heard back and we don't have a repro code, I'll go ahead and close this issue as stale. Please open a new issue if the problem still persists and provide the details for us to reproduce it. Thank you!