IoT custom resource - possible race condition

0

Not sure if it's just me, or if anyone else has experienced this possible race condition, but I have an IoT custom resource construct like the following in a large stack:

```typescript
import * as cr from 'aws-cdk-lib/custom-resources';

// `thingType` is the thing-type resource defined elsewhere in the stack.
const thing = new cr.AwsCustomResource(this, 'thing', {
  onCreate: {
    service: 'Iot',
    action: 'createThing',
    parameters: {
      thingName: '001',
      thingTypeName: 'thing-type',
    },
    // Physical ID derived from the synth-time clock.
    physicalResourceId: cr.PhysicalResourceId.of(Date.now().toString()),
  },
  onDelete: {
    service: 'Iot',
    action: 'deleteThing',
    parameters: {
      thingName: '001',
    },
  },
  // Grants the SDK calls above on any resource ('*').
  policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
    resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});
thing.node.addDependency(thingType);
```

...that sometimes runs fine following a cdk deploy, and sometimes throws a message like this:

```
18:14:21 | CREATE_FAILED        | Custom::AWS                         | thing/Resource/Default
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::123456789012:assumed-role/Dev-AWS679xxx-xxx/Dev-AWS679xxx-xxx is not authorized to perform: iot:CreateThing on resource: arn:aws:iot:xxx:xxx:thing/001 because no identity-based policy allows the iot:CreateThing action (RequestId: xxxxx)
```

It's as if sometimes the policy is not attached to the assumed role in time before the action to create the thing is carried out.

I'll see if I can produce a small stack that can repeat the condition, but in the meantime I'm sending this out in case others have experienced this behaviour.

Thanks, Gary

gary
Asked a year ago, 244 views
1 answer
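An added diagnostic (not code from the question or from CDK) that parses the CloudFormation failure message quoted above and evaluates it against an IAM policy document, so a grant that is genuinely missing can be told apart from one that exists but has not propagated to the assumed role yet. The `scopedPolicy` helper is an assumed least-privilege alternative to `ANY_RESOURCE`; the region and account values are the placeholders from the message.

```typescript
// Minimal IAM identity-policy shapes (subset of the real document format).
interface Statement { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Constructed sample: the failure message quoted in the question.
const SAMPLE_MESSAGE =
  'User: arn:aws:sts::123456789012:assumed-role/Dev-AWS679xxx-xxx/Dev-AWS679xxx-xxx is not authorized ' +
  'to perform: iot:CreateThing on resource: arn:aws:iot:xxx:xxx:thing/001 because no identity-based ' +
  'policy allows the iot:CreateThing action (RequestId: xxxxx)';

// Pull the denied action and resource out of an AccessDenied message.
function parseAccessDenied(msg: string): { action: string; resource: string } | null {
  const m = /is not authorized to perform: (\S+) on resource: (\S+)/.exec(msg);
  return m ? { action: m[1], resource: m[2] } : null;
}

const escapeRe = (s: string) => s.replace(/[.+^${}()|[\]\\]/g, '\\$&');

// IAM-style glob match: '*' matches any run of characters, '?' a single character.
function globMatch(pattern: string, value: string): boolean {
  const body = pattern.split('*').map(p => p.split('?').map(escapeRe).join('.')).join('.*');
  return new RegExp('^' + body + '$').test(value);
}

// Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching Allow.
function policyAllows(doc: PolicyDocument, action: string, resource: string): boolean {
  const list = (v: string | string[]) => (Array.isArray(v) ? v : [v]);
  const hits = doc.Statement.filter(s =>
    list(s.Action).some(a => globMatch(a, action)) && list(s.Resource).some(r => globMatch(r, resource)));
  if (hits.some(s => s.Effect === 'Deny')) return false;
  return hits.some(s => s.Effect === 'Allow');
}

// What fromSdkCalls with ANY_RESOURCE grants for the two calls in the construct (Resource: '*').
const ANY_RESOURCE_POLICY: PolicyDocument = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: ['iot:CreateThing', 'iot:DeleteThing'], Resource: '*' } ] };

// Least-privilege alternative scoped to the single thing the construct manages (constructed ARN).
function scopedPolicy(region: string, account: string, thingName: string): PolicyDocument {
  const arn = `arn:aws:iot:${region}:${account}:thing/${thingName}`;
  return { Version: '2012-10-17', Statement: [
    { Effect: 'Allow', Action: ['iot:CreateThing', 'iot:DeleteThing'], Resource: arn } ] };
}
```

If `policyAllows` returns true for the parsed action and resource, the policy itself is not the gap and the deny points at IAM propagation timing; if it returns false, the grant is missing or too narrow.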
0

Hi - Thanks for reaching out. Are you hard coding this, or is this just an example? Also, for a race condition I am assuming that you may have another thread/procedure trying to do the same thing at the same time. If yes, do you want to check the existence of the IoT thing in IoT Core before proceeding, and if it exists, then run this construct? Just a thought.

AWS
Expert
Answered a year ago
  • Hi Nitin, creation of this thing using this construct is just for test purposes. This construct creates the thing. I need to use a custom resource here because I want to add the thing to a thing type (and cannot do this using the CFN L1 construct). I have nothing else trying to do anything in parallel; it's all left to CDK/CFN. Sometimes CDK attaches the policy (see the policy statement in the custom resource) and executes the construct in that order, and sometimes it tries to execute the construct before the policy is attached. At least, that's what I think is happening. I'll investigate further.
