(aws-lambda): lambda does not set environment variable AWS_CODEGURU_PROFILER_GROUP_NAME when creating Amazon CodeGuru Profiler profiling group

[tfcerda]

Describe the bug

When setting { profiling: true }, the CDK creates a Profiling Group with an autogenerated name. This name is never set to AWS_CODEGURU_PROFILER_GROUP_NAME environment variable as stated in the official docs. This causes the Lambda to create another profiling group with a default name aws-lambda-<LAMBDA_FUNCTION_NAME>. Therefore, the Lambda runs into permissions issues when submitting profiles, as the CDK does not create permissions to submit to aws-lambda-<LAMBDA_FUNCTION_NAME>.

Expected Behavior

When setting { profiling: true }, Lambda submits profiles to Profiling Group created by CDK.

Current Behavior

When setting { profiling: true }, Lambda fails with permissions issues. Example errors:

INFO: Could not find a profiling group name from environment variable AWS_CODEGURU_PROFILER_GROUP_NAME. Using default profiling group name aws-lambda-<LAMBDA_FUNCTION_NAME>

codegurushadow.software.amazon.awssdk.services.codeguruprofiler.model.CodeGuruProfilerException: User: <USER_ARN> is not authorized to perform: codeguru-profiler:ConfigureAgent on resource: arn:aws:codeguru-profiler:<REGION>:<AWS_ACCOUNT_ID>:profilingGroup/aws-lambda-<LAMBA_FUNCTION_NAME> (Service: CodeGuruProfiler, Status Code: 403, Request ID: <REQUEST_ID>)

Reproduction Steps

Create Lambda function with Java runtime and { profiling: true }

Possible Solution

Set AWS_CODEGURU_PROFILER_GROUP_NAME: props.profilingGroup.profilingGroupName in

aws-cdk/packages/@aws-cdk/aws-lambda/lib/function.ts

Line 725 in fc70535

profilingGroupEnvironmentVariables = {

and AWS_CODEGURU_PROFILER_GROUP_NAME: profilingGroup.profilingGroupName in

aws-cdk/packages/@aws-cdk/aws-lambda/lib/function.ts

Line 739 in fc70535

profilingGroupEnvironmentVariables = {

Additional Information/Context

No response

CDK CLI Version

1.186.0 and 2.58.0

Framework Version

No response

Node.js Version

18.11.0

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response

[peterwoodworth]

It looks like this can apply to Python too

Until this gets fixed you should be able to work around this by adding an environment variable for this to your function with an escape hatch

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we can try to review a PR 🙂

[dastbe]

Decompling the codeguru profiler agent, this seems like a combination of

1. The environment variables used to configure things are inconsistent
2. Depending on if you do the in-code implementation vs. java agent (which depends on layers), the environment variables that need to be set are distinct. This needs to be better modeled in the CDK

re: environment variables, If you instrument using the request handler method, it uses the internal LambdaProfilerUtils class which looks at AWS_CODEGURU_PROFILER_GROUP_ARN, whereas with the corretto setup it uses LambdaJvmArgumentParser which doesn't look at that variable. Really the implementation should be consistent within java and the python profiler.

re: configuration, if you compare https://docs.aws.amazon.com/codeguru/latest/profiler-ug/lambda-custom.html vs https://docs.aws.amazon.com/codeguru/latest/profiler-ug/lambda-simple.html you'll see that the setup requires distinct sets of environment variables, possibly an additional lambda layer, and possibly changes in code. This just isn't well modeled.

This is related to #13001