diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.dns-validated-certificate.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.dns-validated-certificate.ts index 602dde1f57303..930597d1f7c30 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.dns-validated-certificate.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-certificatemanager/test/integ.dns-validated-certificate.ts @@ -26,7 +26,11 @@ if (!hostedZoneName) throw new Error('For this test you must provide your own Ho const domainName = process.env.CDK_INTEG_DOMAIN_NAME ?? process.env.DOMAIN_NAME; if (!domainName) throw new Error('For this test you must provide your own DomainName as an env var "DOMAIN_NAME". See framework-integ/README.md for details.'); -const app = new App(); +const app = new App({ + postCliContext: { + '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true, + }, +}); const stack = new Stack(app, 'integ-dns-validated-certificate'); const hostedZone = PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', { hostedZoneId, diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-lambda-node-runtime.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-lambda-node-runtime.ts index fc8ef0a8c7ee3..4383990ac6d5b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-lambda-node-runtime.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/custom-resource-config/integ.custom-resource-config-lambda-node-runtime.ts 
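Review bot: The new `postCliContext` pins `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy` to `true`, which is the very setting this same change documents as creating a race between the Lambda function and its policy and recommends unsetting, and nothing in the test says why it is kept on. Presumably the intent is to keep the committed snapshot unchanged rather than to exercise the legacy behaviour; a one-line comment above the block would make that explicit, e.g. `// Keeps the legacy AddToRolePolicy behaviour so the existing snapshot stays valid; see cx-api/FEATURE_FLAGS.md`. The same applies to the `postCliContext` additions in the other four integ tests in this diff (integ.custom-resource-config-lambda-node-runtime.ts, integ.provider-with-waiter-state-machine-custom-role.ts, integ.eks-auto.ts, integ.cluster-maintenance-track-name.ts).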
@@ -6,6 +6,7 @@ import { CustomResourceConfig } from 'aws-cdk-lib/custom-resources'; const app = new cdk.App({ postCliContext: { + '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true, '@aws-cdk/aws-dynamodb:retainTableReplica': true, }, }); diff --git a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine-custom-role.ts b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine-custom-role.ts index 8e185bc56dc19..9c44f767d482c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine-custom-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/custom-resources/test/provider-framework/integ.provider-with-waiter-state-machine-custom-role.ts @@ -47,7 +47,11 @@ class TestStack extends Stack { } } -const app = new App(); +const app = new App({ + postCliContext: { + '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true, + }, +}); const stack = new TestStack(app, 'integ-provider-with-waiter-state-machine-custom-role'); new integ.IntegTest(app, 'IntegProviderWithWaiterStateMachineCustomRole', { diff --git a/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.ts b/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.ts index 869a686cc8084..789f4d1347258 100644 --- a/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.ts +++ b/packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.ts 
@@ -78,7 +78,11 @@ export class EksAutoModeNodePoolsStack extends Stack { } } -const app = new App(); +const app = new App({ + postCliContext: { + '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true, + }, +}); const stack1 = new EksAutoModeBaseStack(app, 'eks-auto-mode-stack', { env: { region: 'us-east-1' } }); const stack2 = new EksAutoModeNodePoolsStack(app, 'eks-auto-mode-empty-nodepools-stack', { env: { region: 'us-east-1' } }); diff --git a/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-maintenance-track-name.ts b/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-maintenance-track-name.ts index c168e95a5f893..bcafe789de1c4 100644 --- a/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-maintenance-track-name.ts +++ b/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-maintenance-track-name.ts @@ -29,7 +29,11 @@ class RedshiftStack extends Stack { } } -const app = new App(); +const app = new App({ + postCliContext: { + '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy': true, + }, +}); new integ.IntegTest(app, 'RedshiftMaintenanceTrackNameInteg', { testCases: [new RedshiftStack(app, 'RedshiftMaintenanceTrackNameIntegStack')], diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index bd94ffaada95c..d044aa26c2526 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md 
@@ -89,7 +89,7 @@ Flags come in three types:
 | [@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault](#aws-cdkaws-elasticloadbalancingv2albdualstackwithoutpublicipv4securitygrouprulesdefault) | When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere | 2.176.0 | (fix) |
 | [@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections](#aws-cdkaws-iamoidcrejectunauthorizedconnections) | When enabled, the default behaviour of OIDC provider will reject unauthorized connections | 2.177.0 | (fix) |
 | [@aws-cdk/core:enableAdditionalMetadataCollection](#aws-cdkcoreenableadditionalmetadatacollection) | When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues. | 2.178.0 | (config) |
-| [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
+| [@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy](#aws-cdkaws-lambdacreatenewpolicieswithaddtorolepolicy) | [Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement | 2.180.0 | (fix) |
 | [@aws-cdk/aws-s3:setUniqueReplicationRoleName](#aws-cdkaws-s3setuniquereplicationrolename) | When enabled, CDK will automatically generate a unique role name that is used for s3 object replication. | 2.182.0 | (fix) |
 | [@aws-cdk/pipelines:reduceStageRoleTrustScope](#aws-cdkpipelinesreducestageroletrustscope) | Remove the root account principal from Stage addActions trust policy | 2.184.0 | (default) |
 | [@aws-cdk/aws-events:requireEventBusPolicySid](#aws-cdkaws-eventsrequireeventbuspolicysid) | When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals.
| 2.186.0 | (fix) |
@@ -172,6 +172,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
 "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
 "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+ "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+ "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
 "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
 "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
 "@aws-cdk/aws-events:requireEventBusPolicySid": true,
@@ -1701,17 +1703,20 @@ When this feature flag is enabled, CDK expands the scope of usage data collectio ### @aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy -*When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix) +*[Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement* (fix) -When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. +[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement. This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions. +However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. +This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. +We recommend to unset the feature flag if already set which will restore the original behavior. | Since | Default | Recommended | | ----- | ----- | ----- | | (not in v1) | | | -| 2.180.0 | `false` | `true` | +| 2.180.0 | `false` | `false` | ### @aws-cdk/aws-s3:setUniqueReplicationRoleName 
diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 293937247f2ee..8e65326c079ed 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -615,16 +615,19 @@ _cdk.json_ * `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy` -When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. +[Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy. The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement. This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions. +However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role. +This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation. +We recommend to unset the feature flag if already set which will restore the original behavior. _cdk.json_ ```json { "context": { - "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false } } ``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 62628504acacb..b0763057168c4 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts 
+++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -1396,14 +1396,17 @@ export const FLAGS: Record = {
 //////////////////////////////////////////////////////////////////////
 [LAMBDA_CREATE_NEW_POLICIES_WITH_ADDTOROLEPOLICY]: {
 type: FlagType.BugFix,
- summary: 'When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement',
+ summary: '[Deprecated]When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement',
 detailsMd: `
- When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
+ [Deprecated default feature] When this feature flag is enabled, Lambda will create new inline policies with AddToRolePolicy.
 The purpose of this is to prevent lambda from creating a dependency on the Default Policy Statement.
 This solves an issue where a circular dependency could occur if adding lambda to something like a Cognito Trigger, then adding the User Pool to the lambda execution role permissions.
+ However in the current implementation, we have removed a dependency of the lambda function on the policy. In addition to this, a Role will be attached to the Policy instead of an inline policy being attached to the role.
+ This will create a data race condition in the CloudFormation template because the creation of the Lambda function no longer waits for the policy to be created. Having said that, we are not deprecating the feature (we are defaulting the feature flag to false for new stacks) since this feature can still be used to get around the circular dependency issue (issue-7016) particularly in cases where the lambda resource creation doesnt need to depend on the policy resource creation.
+ We recommend to unset the feature flag if already set which will restore the original behavior.
 `,
 introducedIn: { v2: '2.180.0' },
- recommendedValue: true,
+ recommendedValue: false,
 },

 //////////////////////////////////////////////////////////////////////
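Review bot: The new `summary` opens with `[Deprecated]` while the `detailsMd` a few lines below states "we are not deprecating the feature", so anyone who only reads the one-line summary (the flag listing, the FEATURE_FLAGS.md table) gets the opposite message from the long text. Since the detail text still presents the flag as usable for the circular-dependency case, a summary that agrees with it would be along the lines of `summary: 'When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement (no longer recommended; see details)'`, with the `[Deprecated default feature]` prefix in `detailsMd` reworded the same way (the summary is also missing a space in `[Deprecated]When`, and `doesnt` lacks its apostrophe). The details would help operators more if they named the practical consequence of the race they describe: with the flag on, the function can be created before its policy exists, so early invocations may run without the granted permissions — stating that plainly is the real reason to unset the flag, and it is presumably what "data race condition" is meant to convey. The FEATURE_FLAGS.md and README.md hunks in this diff carry the same wording.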
diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json
index 7e77a8d923094..7e248b910c161 100644
--- a/packages/aws-cdk-lib/recommended-feature-flags.json
+++ b/packages/aws-cdk-lib/recommended-feature-flags.json
@@ -65,6 +65,8 @@
 "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true,
 "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true,
 "@aws-cdk/core:enableAdditionalMetadataCollection": true,
+ "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,
+ "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
 "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": true,
 "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,
 "@aws-cdk/aws-events:requireEventBusPolicySid": true,
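Review bot: The two added lines duplicate keys that are still present two lines further down — `@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy` now appears as `false` and then as `true`, and `@aws-cdk/aws-s3:setUniqueReplicationRoleName` appears twice. `JSON.parse` keeps the last occurrence of a repeated key, so the recommended set still resolves the Lambda flag to `true` and the intended change has no effect on what `cdk init` writes, while a strict JSON linter would reject the file outright. The fix is to edit the existing entry instead of adding a new one: remove the two added lines and change the old line to `"@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false,`. The same duplication is in the FEATURE_FLAGS.md hunk at `@@ -172,6 +172,8 @@`, which presumably is generated from this file and should be regenerated once it is fixed.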