
[aws-lambda]: Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN #28412

Open
chenwany opened this issue Dec 18, 2023 · 3 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@chenwany

Describe the bug

Hi team,
I met an issue deploying a versioned lambda function with AWS CDK. Even though we have the lambda RemovalPolicy set to RETAIN, the resource-based policy of the lambda version gets deleted after an update of the stack.

Here are the details:
I have a versioned lambda function created through AWS CDK.
In order to retain, and still be able to invoke, the old lambda version when new lambda versions are created, I set the removal policy to RETAIN through CDK.

    const taskDefinitionProviderLambda = new VersionedLambdaFunction(this, lambdaName, {
        code: LambdaAsset.fromBrazil({
            brazilPackage: lambdaPackage,
            componentName: lambdaName
        }),
        functionName: lambdaName,
        // Force a new version to be published whenever the lambda code changes.
        description: `${lambdaPackage.name} in release version of ${lambdaPackageFullVersion}`,
        handler: 'my handler...',
        memorySize: 512,
        timeout: Duration.seconds(30),
        runtime: Runtime.JAVA_17,
        currentVersionOptions: {
            removalPolicy: RemovalPolicy.RETAIN,
        },
        environment: {
            "ENDPOINT_METADATA": ...
        },
    });

And I add a resource-based policy for the lambda version in order to invoke my lambda function from another account:

    const currentVersion = taskDefinitionProviderLambda.currentVersion;
    currentVersion.grantInvoke(new AccountPrincipal(......));

However, when a stack update generates a new lambda version of the function, the resource-based policy for the old lambda version gets removed; only the old lambda version itself is retained.

That causes the problem of not being able to invoke the old version of the lambda from another account.

Expected Behavior

I expected the resource-based policies of the version to be retained.

Current Behavior

Resource-based policies of the lambda version get deleted.

Reproduction Steps

See above description

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

cdk2

Framework Version

No response

Node.js Version

18

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

@chenwany chenwany added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Dec 18, 2023
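Added here as an illustration, not code from the issue or from the CDK project: a small Python lint over a constructed, CDK-style CloudFormation template that flags the pattern reported above (an AWS::Lambda::Permission bound to a retained AWS::Lambda::Version), so the loss of the resource-based policy can be caught at synth time rather than after the stack update. The logical ids and the account id in the sample are placeholders, not values from the issue.

```python
import json

# Constructed sample, shaped like what CDK synthesizes for the issue's setup:
# fn.currentVersion with removalPolicy RETAIN plus currentVersion.grantInvoke(...).
# The version's logical id carries a hash that changes on every code change.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "MyFn": {"Type": "AWS::Lambda::Function",
             "Properties": {"FunctionName": "my-fn"}},
    "MyFnCurrentVersionABC123": {
        "Type": "AWS::Lambda::Version",
        "Properties": {"FunctionName": {"Ref": "MyFn"}},
        "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain"},
    # Permission bound to the version: it goes away with the old logical id.
    "MyFnCurrentVersionInvokeOtherAcct": {
        "Type": "AWS::Lambda::Permission",
        "Properties": {"Action": "lambda:InvokeFunction",
                       "FunctionName": {"Ref": "MyFnCurrentVersionABC123"},
                       "Principal": "111111111111"}},  # placeholder account id
    # Permission bound to the function itself: unaffected by version churn.
    "MyFnInvokeFromApiGw": {
        "Type": "AWS::Lambda::Permission",
        "Properties": {"Action": "lambda:InvokeFunction",
                       "FunctionName": {"Fn::GetAtt": ["MyFn", "Arn"]},
                       "Principal": "apigateway.amazonaws.com"}},
}})


def target_logical_id(function_name):
    """Resolve a Permission's FunctionName intrinsic to the logical id it names."""
    if isinstance(function_name, dict):
        if "Ref" in function_name:
            return function_name["Ref"]
        if "Fn::GetAtt" in function_name:
            return function_name["Fn::GetAtt"][0]
    return None  # literal ARN or name: not tied to a template resource


def find_version_bound_permissions(template_json):
    """Return (permission_id, version_id) pairs where a Permission with no Retain
    policy of its own targets a retained Version. On the next version replacement
    the Permission is deleted while the Version is kept, as reported above."""
    resources = json.loads(template_json)["Resources"]
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Permission":
            continue
        tid = target_logical_id(res.get("Properties", {}).get("FunctionName"))
        target = resources.get(tid, {})
        if (target.get("Type") == "AWS::Lambda::Version"
                and target.get("DeletionPolicy") == "Retain"
                and res.get("DeletionPolicy") != "Retain"):
            findings.append((name, tid))
    return findings
```

Run it against the output of `cdk synth` for a stack; any finding is a permission that will not survive the next version bump.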
@khushail
Contributor

Hi @chenwany, thanks for reaching out. Could you please share which CDK version you are using? Is it v2.115.0 or earlier?

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 18, 2023
@khushail khushail changed the title Create lambda function version using AWS CDK, Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN [aws-lambda]: Resource-based policies get deleted when lambda RemovalPolicy set to RETAIN Dec 18, 2023
@khushail khushail added p2 effort/medium Medium work item – several days of effort labels Dec 18, 2023
@chenwany
Author

We are using the latest released version.

@michaellasmanis

@chenwany I've been fighting this problem as well and here is the workaround I came up with:

        // Define the Lambda function resource
        Function myFunction = Function.Builder.create(this, id +"-LambdaFunction")
                // non-relevant details omitted
                .build();
        // Publish a version and keep it when the stack moves on to a newer one
        Version myVersion = Version.Builder.create(this, id + "-LambdaVersion")
                .lambda(myFunction)
                .removalPolicy(RemovalPolicy.RETAIN)
                .build();
        // Role the caller assumes; the invoke permission lives on this role,
        // not on the version, so it is not tied to the version's lifecycle
        Role invokeRole = Role.Builder.create(this, id +"-LambdaInvokeRole")
                .assumedBy(new ServicePrincipal("apigateway.amazonaws.com"))
                .build();
        myFunction.grantInvoke(invokeRole);

This creates an IAM role that can be assumed by the caller (in my case apigateway). Calling myFunction.grantInvoke() on a role will create a role scoped to both the unqualified function ARN as well as ARN/* (i.e. all versions/aliases). This then preserves access to older versions.

I still think that a retained Version should not have its permissions removed, so the original bug report I feel is still valid; just sharing a workaround for you or anyone else who stumbles across this issue.

Michael
