(iam): cdk synth Throws Error When Adding SQS Event Source to Imported Lambda Function #12607

@bravemav

Description

cdk synth throws an error when addEventSource is used to add an SQS event source on an imported lambda function.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import {Fn} from "@aws-cdk/core";
import * as sqs from '@aws-cdk/aws-sqs';
import * as lambda from "@aws-cdk/aws-lambda";
import {SqsEventSource} from "@aws-cdk/aws-lambda-event-sources";

export class CdkLambdaImportErrorStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const importedFunction = lambda.Function.fromFunctionArn(this, 'imported-function', 'imported-lambda-function-arn');
    const queue = new sqs.Queue(this, 'queue');
    importedFunction.addEventSource(new SqsEventSource(queue));
  }
}

What did you expect to happen?

cdk synth succeeds when an SQS event source is added to an imported lambda function.

What actually happened?

The following error occurred while calling cdk synth:

Error: Cannot get policy fragment of CdkLambdaImportErrorStack/imported-function, resource imported without a role

Environment

  • CDK CLI Version : 1.85.0
  • Framework Version:
  • Node.js Version: v12.20.1
  • OS : macOS Big Sur 11.1
  • Language (Version): TypeScript 3.9.7

Other

Related issue: #4613
The above referenced issue fixed a similar issue with the same error message but as part of the CodeBuild module. Maybe this issue has the same underlying root cause and a similar fix?

Stack trace for this issue:

Error: Cannot get policy fragment of CdkLambdaImportErrorStack/product-search-function, resource imported without a role
    at UnknownPrincipal.get policyFragment [as policyFragment] (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/unknown-principal.ts:38:11)
    at PolicyStatement.addPrincipals (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/policy-statement.ts:141:34)
    at new PolicyStatement (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/policy-statement.ts:76:10)
    at Function.addToPrincipalOrResource (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-iam/lib/grant.ts:141:23)
    at Queue.grant (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-sqs/lib/queue-base.ts:241:22)
    at Queue.grantConsumeMessages (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-sqs/lib/queue-base.ts:177:22)
    at SqsEventSource.bind (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-lambda-event-sources/lib/sqs.ts:45:16)
    at Import.addEventSource (/Users/computer/dev/cdk-lambda-import-error/node_modules/@aws-cdk/aws-lambda/lib/function-base.ts:344:12)
    at new CdkLambdaImportErrorStack (/Users/computer/dev/cdk-lambda-import-error/lib/cdk-lambda-import-error-stack.ts:14:27)
    at Object.<anonymous> (/Users/computer/dev/cdk-lambda-import-error/bin/cdk-lambda-import-error.ts:7:1)

This is 🐛 Bug Report
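The call chain in the stack trace above (`grantConsumeMessages` → `addToPrincipalOrResource` → `new PolicyStatement` → `policyFragment`), as an added example that is not part of the original issue and is not aws-cdk source code. It is a simplified model: every class name ending in `Model`, `tryGrant`, and the ARNs are constructed for illustration.

```typescript
// Simplified model of the grant path seen in the stack trace; not aws-cdk source.
// All names ending in "Model", QUEUE_ARN and the ARNs are constructed for illustration.
interface Statement { actions: string[]; resource: string; principal?: object }

interface Principal {
  // True when the statement was attached to the principal's own identity policy.
  addToPrincipalPolicy(s: Statement): boolean;
  // JSON for the Principal element of a resource policy.
  readonly policyFragment: object;
}

// A function imported by ARN only: its execution role is unknown.
class UnknownPrincipalModel implements Principal {
  constructor(private readonly path: string) {}
  addToPrincipalPolicy(_s: Statement): boolean { return false; }
  get policyFragment(): object {
    throw new Error(`Cannot get policy fragment of ${this.path}, resource imported without a role`);
  }
}

// A function imported together with its execution role.
class RolePrincipalModel implements Principal {
  readonly identityPolicy: Statement[] = [];
  constructor(private readonly roleArn: string) {}
  addToPrincipalPolicy(s: Statement): boolean { this.identityPolicy.push(s); return true; }
  get policyFragment(): object { return { AWS: this.roleArn }; }
}

const QUEUE_ARN = 'arn:aws:sqs:us-east-1:111111111111:placeholder-queue';
// Permissions a Lambda SQS event source needs on the queue.
const CONSUME_ACTIONS = ['sqs:ReceiveMessage', 'sqs:DeleteMessage', 'sqs:GetQueueAttributes'];

class QueueModel {
  readonly resourcePolicy: Statement[] = [];
  // Identity policy first; fall back to the queue's resource policy.
  grantConsumeMessages(grantee: Principal): 'identity' | 'resource' {
    const s: Statement = { actions: CONSUME_ACTIONS, resource: QUEUE_ARN };
    if (grantee.addToPrincipalPolicy(s)) return 'identity';
    // The fallback must name a principal, which is where the unknown one throws.
    this.resourcePolicy.push({ ...s, principal: grantee.policyFragment });
    return 'resource';
  }
}

// Returns where the grant landed, or the error message if it could not be made.
function tryGrant(grantee: Principal): string {
  try { return new QueueModel().grantConsumeMessages(grantee); }
  catch (e) { return (e as Error).message; }
}
```

In the real library, `lambda.Function.fromFunctionAttributes` accepts a `role` alongside `functionArn`, which gives the grant a concrete principal to attach the consume permissions to.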

Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1