aws-secrets-manager-rotation-lambdas

SecretsManagerMongoDBRotationSingleUser: Circular Dependency in Lambda Permission Resource

Open manuelkasiske4idealo opened this issue 9 months ago • 0 comments

Summary

A circular dependency occurs in the CloudFormation template when deploying the SecretsManagerMongoDBRotationSingleUser Lambda function due to how the Lambda permission references the function’s ARN. This issue prevents successful stack deletion.

Steps to Reproduce

  1. Deploy the CloudFormation template as provided.
  2. Attempt to delete the stack, which may get stuck or fail due to unresolved dependencies.

Circular dependency between resources: [SecretsManagerMongoDBRotationSingleUser, LambdaPermission]

Root Cause

In the template, the Lambda permission references the Lambda function using its ARN:

FunctionName: !GetAtt SecretsManagerMongoDBRotationSingleUser.Arn

This creates an implicit dependency where:

•	The Lambda function must be fully created (with an assigned ARN) before the permission can be created.
•	The Lambda permission is required for the Lambda to function correctly, forming a circular dependency.

Proposed Solution

Suggested Fix:

Replace the ARN reference with a name reference to eliminate the dependency loop:

- FunctionName: !GetAtt SecretsManagerMongoDBRotationSingleUser.Arn
+ FunctionName: !Ref functionName
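
Review bot: on the added line, `!Ref functionName` no longer names the `SecretsManagerMongoDBRotationSingleUser` resource, so if `functionName` is a template parameter the permission loses every ordering relationship with the function and CloudFormation may attempt to create it before the function exists. Please state where `functionName` is declared and that the function's own `FunctionName` is set from it, and say how creation order is guaranteed after this change (for example an explicit `DependsOn`, provided the function does not itself depend on the permission).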

Why This Fix Works:

•	!Ref functionName uses the logical name of the Lambda function, which is known at creation time and does not require the Lambda to be fully deployed.
•	This change removes the implicit dependency and allows CloudFormation to create resources in the correct order.

Corrected Template Snippet

LambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref functionName  # ✅ FIX: Replaced ARN with function name
    Principal: !Ref invokingServicePrincipal
    SourceAccount: !Ref AWS::AccountId

manuelkasiske4idealo · Jan 16 '25 11:01
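
An added example, not part of the issue or the project's template: a small checker that builds the resource dependency graph of a JSON-form CloudFormation template from `Ref`, `Fn::GetAtt` and `DependsOn`, then reports one cycle if there is one. The sample template is constructed, its `DependsOn` edge is an assumption standing in for whatever makes the function depend on the permission, and `functionName` is assumed to be a template parameter.

```python
def resource_edges(template):
    """Map each resource's logical ID to the resources it depends on."""
    resources = template.get("Resources", {})
    def refs(node):  # yield IDs named by Ref / Fn::GetAtt (Fn::Sub not parsed)
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "Ref" and isinstance(val, str):
                    yield val
                elif key == "Fn::GetAtt":
                    yield val[0] if isinstance(val, list) else val.split(".")[0]
                else:
                    yield from refs(val)
        elif isinstance(node, list):
            for item in node:
                yield from refs(item)
    edges = {}
    for name, body in resources.items():
        deps = set(refs(body.get("Properties", {})))
        explicit = body.get("DependsOn", [])
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        # Parameters and pseudo parameters (AWS::AccountId) are not resources.
        edges[name] = {d for d in deps if d in resources and d != name}
    return edges

def find_cycle(edges):
    """Depth-first search; returns one cycle as a list of IDs, or None."""
    state, path = {}, []
    def visit(node):
        state[node] = "open"
        path.append(node)
        for dep in sorted(edges[node]):
            if state.get(dep) == "open":
                return path[path.index(dep):]
            if dep not in state and (found := visit(dep)):
                return found
        path.pop()
        state[node] = "done"
    for node in sorted(edges):
        if node not in state and (found := visit(node)):
            return found

def sample(permission_target):
    # Constructed template; the DependsOn edge is an assumed stand-in for
    # whatever makes the function depend on the permission in the real one.
    return {"Resources": {
        "SecretsManagerMongoDBRotationSingleUser": {
            "Type": "AWS::Lambda::Function", "DependsOn": "LambdaPermission",
            "Properties": {"FunctionName": {"Ref": "functionName"}}},
        "LambdaPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
            "FunctionName": permission_target, "SourceAccount": {"Ref": "AWS::AccountId"}}}}}
```

Passing the `Fn::GetAtt` form to `sample` yields the two-resource cycle, while `{"Ref": "functionName"}` yields none because the permission then has no edge to the function at all.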