Lambda as target in ALB fails to create due to Principal permission issue

[edisongustavo]

When a Lambda function is registered as a target group in an Application Load Balancer it adds a AWS::Lambda::Permission allowing the Principal: elasticloadbalancing.amazonaws.com to invoke the function.

However, the Target group does not contain a dependency on this permission and due to order of creation might fail if CloudFormation decides to create the TargetGroup before the Lambda permission.

Reproduction Steps

alb = ApplicationLoadBalancer(...)
listener = alb.add_listener("Listener", port=80, open=False)
lambda_function = Function(...)
listener.add_targets(
            "Target",
            targets=[LambdaTarget(lambda_function)],
            priority=1,
        )

Error Log

From the CloudFormation console:

API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-west-2:********:function:LambdaFunctionF38095AF-1BKXQUR0FWO9P from target group arn:aws:elasticloadbalancing:us-west-2:***********:targetgroup/LambdaFunction6BJ8GFZ2AFNJ/40d175d269b48dec

Environment

• **CLI Version :1.14.0
• **Framework Version:1.14.0
• **OS :N/A
• **Language :English

Other

---

This is 🐛 Bug Report

[edisongustavo]

I've solved this with:

target_group = listener.add_targets(...)
target_group.node.add_dependency(lambda_function)

[SomayaB]

Hi @edisongustavo, I'm glad you made it work! I will close this issue for now but feel free to reopen it.

[edisongustavo]

Hi @edisongustavo, I'm glad you made it work! I will close this issue for now but feel free to reopen it.

Yes, but I don't think it is "solved". I believe this should be fixed within CDK.

Do you agree?

[edisongustavo]

I also don't have permission to reopen this issue.

[rix0rrr]

Yes, the dependency should be added automatically.