Hi there,
The requirement is to add a trigger to a Lambda function on object creation in an S3 bucket, along with some VPC, S3 and CloudWatch permissions, trying this using CF.

- The fresh/initial deployment works fine, with all new resources built such as the IAM role and associated policies; I am able to add a new S3 bucket using CF and add an event trigger/invocation in Lambda from the same S3 bucket.
- On the next/consecutive deployments, to skip the S3 bucket creation, the YAML file handles it using the `existing: true` option, from the official documentation of Serverless deployment.
- However, the Lambda function in the next deployment still demands that the rules of invocation from the same bucket be specified, and its associated rules like prefix and suffix need to be mentioned.
- Since the rules of invocation were already defined in the first deployment, it fails with the below message:
  “Failed to create resource. Configuration is ambiguously defined. Cannot have overlapping suffixes in two rules if the prefixes are overlapping for the same event type. See details in CloudWatch Log: 2020/04/02/[$LATEST]ca5fffad2118467bbfad3fc7cc1ffa6a”

The articles/bug reports about this are given here.
```yaml
service: experiment-play-ver04

provider:
  name: aws
  runtime: python3.7
  memorySize: 1024 # optional, in MB, default is 1024
  timeout: 300 # optional, in seconds, default is 6
  versionFunctions: true # optional, default is true
  profile: ${opt:account, 'dev'} # aws account name
  region: ${opt:region, 'us-west-2'}
  stage: ${opt:stage, 'experiment'}

# Plugin to deploy python dependencies through a docker image.
# Note: Docker must be installed on your system
plugins:
  - serverless-python-requirements

custom:
  pythonRequirements:
    dockerizePip: true
  bucketRef:
    experiment: experiment-play-ver04

# Lambda functions
functions:
  ExperimentPlayVer04:
    name: experiment-play-ver04 # actual name in AWS
    handler: lambdaMain.lambda_handler
    role: ExperimentPlayLambdaRoleVer04
    events:
      - s3:
          bucket: ${self:custom.bucketRef.${self:provider.stage}}
          # on the consecutive deployments described above, "existing: true"
          # is added here so the bucket is reused instead of created
          event: s3:ObjectCreated:*
          rules:
            - prefix: prefix/
            - suffix: .csv

resources:
  Resources:
    ExperimentPlayLambdaCloudwatchVer03:
      Properties:
        ManagedPolicyName: experiment-play-ver04-lambda-cloudwatch
        PolicyDocument:
          Statement:
            - Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Effect: Allow
              Resource:
                - arn:aws:logs:*:*:log-group:*
            - Action:
                - logs:PutLogEvents
              Effect: Allow
              Resource:
                - arn:aws:logs:*:*:log-group:*:*:*
            - Action:
                - logs:CreateLogGroup
                - cloudwatch:PutMetricData
              Effect: Allow
              Resource:
                - '*'
          Version: '2012-10-17'
      Type: AWS::IAM::ManagedPolicy

    ExperimentPlayS3AccessVer04:
      Properties:
        ManagedPolicyName: experiment-play-ver04-s3-access
        PolicyDocument:
          Statement:
            - Action:
                - s3:PutAccountPublicAccessBlock
                - s3:GetAccountPublicAccessBlock
                - s3:ListAllMyBuckets
                - s3:ListJobs
                - s3:CreateJob
                - s3:HeadBucket
                - s3:GetObject
                - s3:GetObjectAcl
                - s3:PutObject
              Effect: Allow
              Resource:
                - '*'
            - Action:
                - s3:*
              Effect: Allow
              Resource:
                - { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "ServerlessDeploymentBucket" }]] }
                - { "Fn::Join": ["", ["arn:aws:s3:::${self:custom.bucketRef.${self:provider.stage}}"]] }
          Version: '2012-10-17'
      Type: AWS::IAM::ManagedPolicy

    ExperimentPlayLambdaRoleVer04:
      Type: AWS::IAM::Role
      Properties:
        Path: /service-role/
        RoleName: experimentPlayLambdaRoleVer04
        AssumeRolePolicyDocument:
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - events.amazonaws.com
              Action: sts:AssumeRole
        # Joining with ':' yields arn:aws:iam::<account-id>:policy/<name>
        ManagedPolicyArns:
          - 'Fn::Join':
              - ':'
              - - 'arn:aws:iam:'
                - Ref: 'AWS::AccountId'
                - 'policy/experiment-play-ver04-lambda-cloudwatch'
          - 'Fn::Join':
              - ':'
              - - 'arn:aws:iam:'
                - Ref: 'AWS::AccountId'
                - 'policy/experiment-play-ver04-s3-access'
```
Can anyone tell what could be the issue here?
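The "Configuration is ambiguously defined" error above is S3 refusing a notification configuration in which two rules could fire for the same object key on an overlapping event type: their prefixes overlap (one is a prefix of the other, the empty prefix overlapping everything), their suffixes overlap in the same sense, and an event such as `s3:ObjectCreated:*` covers `s3:ObjectCreated:Put`. The following is an added example, not code from the original post or from the Serverless Framework: a preflight check that applies those overlap rules to a bucket notification configuration in the dict layout that boto3's `get_bucket_notification_configuration` returns, so a redeployment can detect before it runs that the rule it is about to add collides with one the first deployment already created. The sample configurations are constructed (placeholder account id and ids), and `check_live_bucket` assumes boto3 plus `s3:GetBucketNotification` permission and is not exercised offline.

```python
"""Preflight check for S3 notification rules that S3 rejects as
"ambiguously defined".  Added example; not from the original post."""
from typing import Dict, List, Tuple

# Constructed: the bucket as the first deployment described above leaves it.
EXISTING_CONFIG: Dict = {
    "LambdaFunctionConfigurations": [
        {
            "Id": "experiment-play-ver04-created",
            # placeholder account id, not a real ARN
            "LambdaFunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:experiment-play-ver04",
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {"Key": {"FilterRules": [
                {"Name": "prefix", "Value": "prefix/"},
                {"Name": "suffix", "Value": ".csv"},
            ]}},
        }
    ]
}

# Constructed: a narrower rule a second deployment might try to add.  It still
# overlaps: "prefix/2020/" starts with "prefix/", ".csv" == ".csv", and
# s3:ObjectCreated:* covers s3:ObjectCreated:Put.
PROPOSED_OVERLAPPING: Dict = {
    "Id": "experiment-play-ver04-redeploy",
    "LambdaFunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:experiment-play-ver04",
    "Events": ["s3:ObjectCreated:Put"],
    "Filter": {"Key": {"FilterRules": [
        {"Name": "prefix", "Value": "prefix/2020/"},
        {"Name": "suffix", "Value": ".csv"},
    ]}},
}

# Constructed: a rule that cannot match any key the existing rule matches.
PROPOSED_DISJOINT: Dict = {
    "Id": "experiment-play-ver04-other",
    "LambdaFunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:experiment-play-ver04",
    "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [
        {"Name": "prefix", "Value": "other/"},
        {"Name": "suffix", "Value": ".json"},
    ]}},
}


def _all_rules(config: Dict) -> List[Dict]:
    """S3 checks overlap across every destination type, so flatten all three."""
    rules: List[Dict] = []
    for key in ("LambdaFunctionConfigurations", "TopicConfigurations", "QueueConfigurations"):
        rules.extend(config.get(key, []))
    return rules


def _key_filter(rule: Dict) -> Tuple[str, str]:
    """(prefix, suffix) of a rule; a missing filter part matches every key."""
    prefix = suffix = ""
    for fr in rule.get("Filter", {}).get("Key", {}).get("FilterRules", []):
        name = fr.get("Name", "").lower()
        if name == "prefix":
            prefix = fr.get("Value", "")
        elif name == "suffix":
            suffix = fr.get("Value", "")
    return prefix, suffix


def _events_overlap(a: str, b: str) -> bool:
    """A trailing '*' (e.g. s3:ObjectCreated:*) covers every event in its family."""
    def base(e: str) -> str:
        return e[:-1] if e.endswith("*") else e
    return a.startswith(base(b)) or b.startswith(base(a))


def rules_conflict(r1: Dict, r2: Dict) -> List[Tuple[str, str]]:
    """Pairs of event types on which r1 and r2 could both fire for one key."""
    p1, s1 = _key_filter(r1)
    p2, s2 = _key_filter(r2)
    if not (p1.startswith(p2) or p2.startswith(p1)):   # prefixes disjoint
        return []
    if not (s1.endswith(s2) or s2.endswith(s1)):       # suffixes disjoint
        return []
    return [(e1, e2) for e1 in r1.get("Events", []) for e2 in r2.get("Events", [])
            if _events_overlap(e1, e2)]


def find_conflicts(config: Dict) -> List[Tuple[str, str, str, str]]:
    """(id1, id2, event1, event2) for every conflicting pair already in a config."""
    rules = _all_rules(config)
    found = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            for e1, e2 in rules_conflict(r1, r2):
                found.append((r1.get("Id", "<no-id>"), r2.get("Id", "<no-id>"), e1, e2))
    return found


def check_proposed(existing: Dict, proposed: Dict) -> List[Tuple[str, str, str, str]]:
    """Conflicts a rule about to be added would have with the bucket's current rules."""
    return [(r.get("Id", "<no-id>"), proposed.get("Id", "<no-id>"), e1, e2)
            for r in _all_rules(existing) for e1, e2 in rules_conflict(r, proposed)]


def check_live_bucket(bucket: str, proposed: Dict) -> List[Tuple[str, str, str, str]]:
    """Same check against a real bucket (assumes boto3 and read permission)."""
    import boto3  # imported here so the offline examples above need no credentials
    s3 = boto3.client("s3")
    return check_proposed(s3.get_bucket_notification_configuration(Bucket=bucket), proposed)


if __name__ == "__main__":
    for c in check_proposed(EXISTING_CONFIG, PROPOSED_OVERLAPPING):
        print("conflict:", c)
```

Running the module prints one conflict for `PROPOSED_OVERLAPPING` and none for `PROPOSED_DISJOINT`; pointing `check_live_bucket` at the bucket between the first and second deployment shows the same collision before CloudFormation reports it from the custom resource's log stream.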