lambda: EventSourceMapping in 2.159.0 introduced Tags, which are not supported in eu-west-2

[shylaharild]

Describe the bug

Hello Team,

In our project, we updated the CDK version from 2.158.0 to 2.160.0 and encountered the error "Unsupported resource type for tagging or invalid ARN" when attempting to deploy the CDK stack.

Our project contains the following resources

1. A Lambda Function
2. An SQS Queue
3. A Lambda SQS Event Source

The error occurs when the SQS Event Source is added to the Lambda function and inadvertently attempts to add tags to the EventSourceMapping resource, automatically created as part of this action. We do not set the tags, but it seems that the AWS CDK does that for us.

According to the CDK documentation, Event Source Mapping does not natively support tags. AWS documentation also confirms that tags are only supported for AWS::Lambda::EventSourceMapping resources as part of AWS CloudFormation stack-based groups.

This feature is available only in the us-east-1 region and has not yet been rolled out to other regions, such as eu-west-2. Since we use the ^ symbol in the package version numbers, the install command automatically upgrades to the latest version, which lacks the required tag support, thus causing the stack deployment to fail.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.158.0

Expected Behavior

The CDK Stack deployment to successfully create all the resources mentioned above in the eu-west-2 region without error.

Fix used:

At the moment, we are using the workaround given in the Possible Solution section below or set the version to 2.158.0

Current Behavior

Stack deployment is successful when we hardcode the CDK version to 2.158.0 which means we will be missing out on other upgrades and features.

When the version is set to > 2.158.0, then the deployment fails in the eu-west-2 region.

Reproduction Steps

In your stack, add the following sample code to create the SQS Queue, Lambda Function and Event Source Mapping and deploy the stack to the eu-west-2 region. Make sure you set the CDK version to the latest (> 2.158.0)

const sqsQueue = new Queue(
  this,
  "events-queue",
  {
    queueName: "testing-queue",
    deliveryDelay: Duration.seconds(0),
    retentionPeriod: Duration.days(4),
    receiveMessageWaitTime: Duration.seconds(0),
    visibilityTimeout: Duration.minutes(16),
  },
);

const eventSource = new SqsEventSource(
  sqsQueue,
  {
    enabled: true,
  },
);

const lambda = new Function(this, 'Function', {
  runtime: Runtime.NODEJS_18_X,
  handler: 'index.handler',
  code: Code.fromInline('exports.handler = async function(event, context) {}'),
});

lambda.addEventSource(eventSource);

Possible Solution

This is not a fix but a workaround that we are using to solve this issue in the eu-west-2 region.

const sqsQueue = new Queue(
  this,
  "events-queue",
  {
    queueName: "testing-queue",
    deliveryDelay: Duration.seconds(0),
    retentionPeriod: Duration.days(4),
    receiveMessageWaitTime: Duration.seconds(0),
    visibilityTimeout: Duration.minutes(16),
  },
);

const eventSource = new SqsEventSource(
  sqsQueue,
  {
    enabled: true,
  },
);

const lambda = new Function(this, 'Function', {
  runtime: Runtime.NODEJS_18_X,
  handler: 'index.handler',
  code: Code.fromInline('exports.handler = async function(event, context) {}'),
});

const esm = new EventSourceMapping(this, "EventSourceMapping", {
  target: lambda,
  eventSourceArn: eventSource.queue.queueArn,
});

const cfnEsm = esm.node.defaultChild as CfnEventSourceMapping;
cfnEsm.addPropertyDeletionOverride("Tags");

Additional Information/Context

Related Github Issues:

#31532
cloudformation-coverage-roadmap #2137

CFN Resource Specification:
us-east-1 region: CloudFormationResourceSpecification
eu-west-2 region: CloudFormationResourceSpecification

CDK CLI Version

2.160.0

Framework Version

No response

Node.js Version

20.17

OS

Mac, Linux, Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response

[sri-scc]

The workaround may be effective for some cases where the stacks do not have dependencies. However, in our situation, we had other CloudFormation stacks dependent on this stack that includes the Event Source Mapping resource. As a result, applying the L1 construct workaround required us to destroy both this stack and all associated stacks before recreating them with the necessary changes.

While the workaround is technically functional, it involves destructive actions, making it impractical for higher environments, such as production, where stacks cannot easily be recreated.

[khushail]

Hi @shylaharild , thanks for reaching out.

I see that tags are available in eu-west-2 as seen in this resource specification doc.

I also tried to repro the issue by deploying the given code in eu-west-2 and it succeeds without any error.

PS. - I am using cdk version-2.162

Please feel free to correct me if something is missed. Also could you share more information how I can repro this in my account.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[alexbird-hunterindustries]

A note for others experiencing this: we discovered that if you don't have the necessary permissions for tagging a lambda, AWS returns a 400 error instead of a 403 -- it says "tags not supported" instead of "not authorized to tag".