amazon-web-servicesaws-lambdaaws-cloudformationtroposphere

AWS Scheduled Event Rule for Lambda doesn't work in CloudFormation


Having trouble configuring AWS Lambda to be triggered by a Rule->Trigger as a Scheduled Event Source using CloudFormation (in reality, using Python's Troposphere.) This has cost me a couple of days already, and any help would be appreciated.

Here's the relevant CF JSON snippet -

        "DataloaderRetrier": {
        "Properties": {
            "Code": {
                "S3Bucket": "mycompanylabs-config",
                "S3Key": "v3/mycompany-component-loader-lambda-0.5.jar"
            },
            "FunctionName": "DataloaderRetriervitest27",
            "Handler": "mycompany.ScheduledEventHandler::handleRequest",
            "MemorySize": 320,
            "Role": "arn:aws:iam::166662328783:role/kinesis-lambda-role",
            "Runtime": "java8",
            "VpcConfig": {
                "SecurityGroupIds": [
                    "sg-2f1f6047"
                ],
                "SubnetIds": [
                    "subnet-ec3c1435"
                ]
            }
        },
        "Type": "AWS::Lambda::Function"
    },
    "DataloaderRetrierEventTriggerPermission": {
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": {
                "Fn::GetAtt": [
                    "DataloaderRetrier",
                    "Arn"
                ]
            },
            "Principal": "events.amazonaws.com",
            "SourceAccount": {
                "Ref": "AWS::AccountId"
            },
            "SourceArn": {
                "Fn::GetAtt": [
                    "DataloaderRetrierEventTriggerRule",
                    "Arn"
                ]
            }
        },
        "Type": "AWS::Lambda::Permission"
    },
    "DataloaderRetrierEventTriggerRule": {
        "DependsOn": "DataloaderRetrier",
        "Properties": {
            "Description": "Reminding the lambda to read from the retry SQS",
            "Name": "DataloaderRetrierEventTriggerRulevitest27",
            "ScheduleExpression": "rate(1 minute)",
            "State": "ENABLED",
            "Targets": [
                {
                    "Arn": {
                        "Fn::GetAtt": [
                            "DataloaderRetrier",
                            "Arn"
                        ]
                    },
                    "Id": "DataloaderRetrierEventTriggerTargetvitest27",
                    "Input": "{\"Hey\":\"WAKE UP!\"}"
                }
            ]
        },
        "Type": "AWS::Events::Rule"
    }

The AWS Lambda function shows zero invocations, and the Events->Rules metric shows the correct number of invocations, however they all fail. The Lambda shows the trigger in the Triggers section, and the Rule shows the lambda in its trigger sections. They link up fine.

However, if I go in and manually create the same trigger under the rule in the web console, it will happily start sending events to the Lambda.

PS - here's the troposphere code:

# DATALOADER RETRIER LAMBDA
dataloader_retrier = t.add_resource(awslambda.Function(
    "DataloaderRetrier",
    Code=awslambda.Code(
        "DataloaderRetrierCode",
        S3Bucket='mycompanylabs-config',
        S3Key='v3/mycompany-snowplow-loader-lambda-0.5.jar'
    ),
    FunctionName=suffix("DataloaderRetrier"),
    Handler="mycompany.ScheduledEventHandler::handleRequest",
    MemorySize="320",
    Role="arn:aws:iam::166662328783:role/kinesis-lambda-role",
    Runtime="java8",
    VpcConfig=lambda_vpc_config
))

dataloader_retrier_scheduled_rule = t.add_resource(events.Rule(
    "DataloaderRetrierEventTriggerRule",
    Name=suffix("DataloaderRetrierEventTriggerRule"),
    Description="Reminding the lambda to read from the retry SQS",
    Targets=[events.Target(
        Id=suffix("DataloaderRetrierEventTriggerTarget"),
        Arn=tr.GetAtt("DataloaderRetrier", "Arn"),
        Input='{"Hey":"WAKE UP!"}'
    )],
    State='ENABLED',
    ScheduleExpression="rate(1 minute)",
    DependsOn="DataloaderRetrier"
)),

t.add_resource(awslambda.Permission(
    "DataloaderRetrierEventTriggerPermission",
    Action="lambda:InvokeFunction",
    FunctionName=tr.GetAtt("DataloaderRetrier", "Arn"),
    Principal="events.amazonaws.com",
    SourceAccount=tr.Ref("AWS::AccountId"),
    SourceArn=tr.GetAtt("DataloaderRetrierEventTriggerRule", "Arn")
))

Solution

  • You need to remove the SourceAccount parameter from your AWS::Lambda::Permission Resource.

    As described in the AddPermission API documentation, the SourceAccount parameter restricts the 'source' of the permitted invocation to the specified AWS Account ID, for example when specifying an S3 Bucket or CloudWatch Logs notification.

    However (and the docs should probably be made more clear on this point), in the case of a CloudWatch Events Schedule Expression, the source of the Event is aws.events, not your own AWS Account ID, which is why adding this parameter causes the event to fail to trigger the Lambda function.