Naming Conflict in AWS CDK v2.128: addRotationSingleUser Lambda Naming Collision Across Multiple Stacks with Identical Node IDs
Describe the bug
Bug Description
Context: The issue arises when creating a ServerlessCluster in AWS CDK, particularly when using the same logical ID (node id) for this resource in multiple CDK projects. This problem occurs even if these projects are deployed in the same AWS region.
Problem: Despite different stackNames being specified in each project, a naming conflict occurs for the addRotationSingleUser Lambda function associated with the ServerlessCluster. This leads to an error stating that the resource already exists.
Root Cause: It appears that the naming mechanism for the addRotationSingleUser Lambda function does not appropriately differentiate between the CDK stack ID (node id) and the stackName. This results in a naming collision, as the Lambda function's name is generated based on the node id only, without considering the unique stackName of each project.
Expected Behavior: The name for each addRotationSingleUser Lambda function should be unique across different stacks, especially when they have distinct stackNames. The naming convention should incorporate both the stackName and the node id to ensure uniqueness, avoiding conflicts across multiple CDK projects deployed in the same region.
Expected Behavior
The new ServerlessCluster is in a different stack, so the rotation single user should not exist.
Current Behavior
Deployment fails with a "rotation single user resource already exists" error.
CREATE_FAILED | AWS::Lambda::Function | SecretsManagerRDSMySQLRotationSingleUser testauroramysqlclusterRotationSingleUser3DBEDD21 already exists in stack arn:aws:cloudformation:XXXXXXX stack.
Reproduction Steps
Issue Summary
The Secrets Manager rotation single user is incorrectly named in two CDK projects. Both projects use "test" as the logical identifier but have different stackNames. They also use a shared construct library to create a Serverless Cluster.
Project 1: Seattle
- CDK Stack Creation

```typescript
new cdk.Stack(app, "test", {
  stackName: "cdk-seattle",
});

const auroraInstance = new ServerlessCluster(this, "aurora-mysql-cluster", { /* ... */ });
auroraInstance.addRotationSingleUser({
  automaticallyAfter: Duration.days(30),
});
```

- Generated Names
  - Incorrect SecretsManagerRDSMySQLRotationSingleUser: testauroramysqlclusterRotationSingleUser3DBEDD21
  - Correct SecretsManagerRDSMySQLRotationSingleUserRole: cdk-seattle-SecretsManagerRDSMySQLRot-2kTqohOcS6Lh
Project 2: Florida
- CDK Stack Creation

```typescript
new cdk.Stack(app, "test", {
  stackName: "cdk-florida",
});

const auroraInstance = new ServerlessCluster(this, "aurora-mysql-cluster", { /* ... */ });
auroraInstance.addRotationSingleUser({
  automaticallyAfter: Duration.days(30),
});
```

- Generated Names
  - Incorrect SecretsManagerRDSMySQLRotationSingleUser: testauroramysqlclusterRotationSingleUserDFBEDD21
  - Correct SecretsManagerRDSMySQLRotationSingleUserRole: cdk-florida-SecretsManagerRDSMySQLRot-2GlqohOcS6Lh
Issue Description
- The rotation single user secret name should be based on the stackName rather than the logical identifier test.
- Correct naming should follow the pattern: cdk-[stackName]auroramysqlclusterRotationSingleUser[UniqueID].
Possible Solution
Use the stack name instead of the logical id for the lambda name.
Additional Information/Context
No response
CDK CLI Version
2.128
Framework Version
3.431.0
Node.js Version
v20.11.1
OS
Ubuntu 23
Language
TypeScript
Language Version
Typescript 5.2.2
Other information
No response
Are you seeing the collision of lambda functions or the secrets?
I just defined this stack class
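```typescript
import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as rds from 'aws-cdk-lib/aws-rds';
import { Construct } from 'constructs';

export class DummyStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    // getDefaultVpc is the commenter's own helper; its definition is not shown in the thread.
    const cluster = new rds.ServerlessCluster(this, 'Cluster', {
      engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
      parameterGroup: rds.ParameterGroup.fromParameterGroupName(this, 'ParameterGroup', 'default.aurora-postgresql11'),
      vpc: getDefaultVpc(this),
    });

    // Attach single-user secret rotation, rotating every 30 days.
    cluster.addRotationSingleUser({
      automaticallyAfter: Duration.days(30),
    });
  }
}
```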
And deploy two stacks using the same class
```typescript
new DummyStack(app, 'dummy-stack1', { env });
new DummyStack(app, 'dummy-stack2', { env });
```
But I didn't see the collision of any resources. Did I miss anything?
Use a short name for the stack node id, in this case, "test", and you have a defined stackName in the properties:
test stack-project-1-test
```typescript
new DummyStack(app, 'test', {
  env: {
    account: defaultAccount,
    region: "us-west-2",
  },
  stackName: "stack-project-1-test"
});
```
cdk synth test
cdk deploy test
Look at the deployed physical IDs of the resources. Everything is fine except the lambda attached to the nested stack.
I would assume it should be named:
stackproject1testtestauroraclusterRotationSingleUser4B86C1AB
not
testauroraclusterRotationSingleUser4B86C1AB
Then you have another cdk project, and it's named project-2.
```typescript
new DummyStack(app, 'test', {
  env: {
    account: defaultAccount,
    region: "us-west-2",
  },
  stackName: "stack-project-2-test"
});
```
cdk synth and deploy.
Since the lambda has a logical id from the node id,
testauroraclusterRotationSingleUser4B86C1AB
it fails.

```text
:59:33 AM | CREATE_FAILED | AWS::Lambda::Function | SecretsManagerRDSMySQLRotationSingleUser
testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f
5:59:40 AM | CREATE_FAILED | AWS::CloudFormation::Stack | auroraclusterRotationSingleUserD321448F
Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [SecretsManagerRDSMySQLRotationSingleUser].
❌ test (stack-project-2-test) failed: Error: The stack named stack-project-2-test failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: testauroraclusterRotationSingleUser4B86C1AB already exists in stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-1-test-auroraclusterRotationSingleUserD321448F-1CVRCIUOH0CP9/9d7eb400-d07d-11ee-9841-0a140a4fd92f, Embedded stack arn:aws:cloudformation:us-west-2:500015096253:stack/stack-project-2-test-auroraclusterRotationSingleUserD321448F-JWOM5DHHY7VB/52c4a5e0-d07e-11ee-8cc3-020158796edf was not successfully created: The following resource(s) failed to create: [SecretsManagerRDSMySQLRotationSingleUser].
```
```typescript
new DummyStack(app, 'test', {
  env: {
    account: defaultAccount,
    region: "us-west-2",
  },
  stackName: "stack-project-1-test"
});
```
OK looks like you are having two stacks in the same cdk app with exactly the same id and custom stackName. Is there any reason you have to use the same stack ID like that? I think this would have some potential name collisions as a lot of the auto generated resource names would include the stack id as part of its suffix. I am not sure if this is a bug we need to fix but we generally don't encourage that.
Clarification and Identification of the Problem:
It seems there's a misunderstanding in the discussion. The key point to clarify is that we are dealing with two completely separate projects, not a single project with multiple stacks. This is crucial because it negates the possibility of a synthetic error due to duplicate stack IDs within the same CDK app.
Example Projects Involved:
- Processing Library Project with ProcessorStack
- Analytics Library Project with AnalyticsStack
Both projects use a shared library construct, which includes the setupAuroraCluster function. Here's the implementation in each project:
```typescript
// ProcessorStack in Processing Library Project
new ProcessorStack(app, 'test', {
  stackName: "processor-stack-test"
});

// AnalyticsStack in Analytics Library Project
new AnalyticsStack(app, 'test', {
  stackName: "analytics-stack-test"
});
```
Observed Issue:
- The ProcessorStack successfully creates an Aurora Cluster and its corresponding rotation single user Lambda.
- The AnalyticsStack fails to create the rotation single user Lambda due to a naming conflict.
Core Problem:
- The lambda generated by addRotationSingleUser is not incorporating the stack name into its naming convention, leading to conflicts across different projects.
- Current Lambda Naming (Problematic): testauroraclusterRotationSingleUserXXXXX
- Expected Lambda Naming (Solution): Incorporate the stack name for uniqueness, e.g., processorstacktestauroraclusterRotationSingleUserXXXXX and analyticsstacktestauroraclusterRotationSingleUserXXXXX.
OK looks like you are having two stacks in the same cdk app with exactly the same id and custom stackName. Is there any reason you have to use the same stack ID like that? I think this would have some potential name collisions as a lot of the auto generated resource names would include the stack id as part of its suffix. I am not sure if this is a bug we need to fix but we generally don't encourage that.
You can not have 2 cdk apps with the same id in a project. Synth would throw an error. But we do use a common naming convention so scripts can be used across projects.
**Sample Framework Example**

```typescript
new ProcessorStack(app, "test", {
  stackName: "processor-stack-test"
});
new ProcessorStack(app, "dev", {
  stackName: "processor-stack-dev"
});
new ProcessorStack(app, "staging", {
  stackName: "processor-stack-staging"
});
new ProcessorStack(app, "prod", {
  stackName: "processor-stack-prod"
});
```
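
A pre-deployment check for the collision discussed in this thread, as an added example that is not part of the original issue or of the CDK code base: it compares the rotation Lambda names that several projects would deploy into the same account and region and reports any name claimed by more than one stack. The function names (`rotationFunctionNames`, `findCollisions`, `sampleTemplate`) are hypothetical, and the template shape (an `AWS::Serverless::Application` resource carrying a `functionName` parameter) is an assumption about the synthesized output; the sample values are constructed from the names quoted above.

```typescript
// Added example (not CDK source). Assumption: the synthesized template declares
// the rotation as AWS::Serverless::Application with Parameters.functionName.
type Resource = { Type: string; Properties?: any };
type Template = { Resources?: { [logicalId: string]: Resource } };

// Collect every literal functionName passed to a rotation application.
function rotationFunctionNames(template: Template): string[] {
  const resources = template.Resources || {};
  const names: string[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::Serverless::Application") continue;
    const params = (res.Properties && res.Properties.Parameters) || {};
    if (typeof params.functionName === "string") names.push(params.functionName);
  }
  return names;
}

// Return { functionName: [stackNames...] } for names claimed by two or more stacks.
function findCollisions(stacks: { [stackName: string]: Template }): { [fn: string]: string[] } {
  const owners: { [fn: string]: string[] } = {};
  for (const stackName of Object.keys(stacks)) {
    for (const fn of rotationFunctionNames(stacks[stackName])) {
      (owners[fn] = owners[fn] || []).push(stackName);
    }
  }
  const collisions: { [fn: string]: string[] } = {};
  for (const fn of Object.keys(owners)) {
    if (owners[fn].length > 1) collisions[fn] = owners[fn];
  }
  return collisions;
}

// Constructed sample: both projects synthesize the same functionName because
// the name follows the stack id "test", not the stackName.
function sampleTemplate(): Template {
  return {
    Resources: {
      auroraclusterRotationSingleUserD321448F: {
        Type: "AWS::Serverless::Application",
        Properties: { Parameters: { functionName: "testauroraclusterRotationSingleUser4B86C1AB" } },
      },
    },
  };
}

console.log(findCollisions({ "stack-project-1-test": sampleTemplate(), "stack-project-2-test": sampleTemplate() }));
```

In practice the input would be the parsed templates that `cdk synth` writes for each project, keyed by the stackName each one deploys under.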