Skip to content

fix: Work around limit in lambda policy size #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: Work around limit in lambda policy size #60

wants to merge 1 commit into from

Conversation

zbstof
Copy link
Contributor

@zbstof zbstof commented Sep 27, 2024
edited
Loading

There's limit on the policy size (20KB) for lambda policy

Currently failing with

│ Error: adding Lambda Permission (arn:aws:lambda:us-east-2:591234544403:function:model-inference-development-datadog-forwarder/_aws_sagemaker_Endpoints_recs-ranker-rn-scribd-has-read-after-AllowExecutionFromCloudWatchLogs): PolicyLengthExceededException: The final policy size (20782) is bigger than the limit (20480).
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "e220c7fb-c4c9-4b93-9f15-beba592a3afc"
│   },
│   Message_: "The final policy size (20782) is bigger than the limit (20480).",
│   Type: "User"
│ }
│
│   with module.datadog[0].aws_lambda_permission.allow_cloudwatch_logs_to_call_dd_lambda_handler["/aws/sagemaker/Endpoints/recs-ranker-rn-scribd-has-read-after"],
│   on .terraform/modules/datadog/logs_monitoring_cloudwatch_log.tf line 10, in resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler":
│   10: resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
}

Current size of lambda policy:

$ aws lambda get-policy --function-name model-inference-development-datadog-forwarder | jq -r '.Policy' | wc
       1       1   20090

@zbstof
fix: Work around limit in lambda policy size
4666dd5 
Currently failing with
```
│ Error: adding Lambda Permission (arn:aws:lambda:us-east-2:591234544403:function:model-inference-development-datadog-forwarder/_aws_sagemaker_Endpoints_recs-ranker-rn-scribd-has-read-after-AllowExecutionFromCloudWatchLogs): PolicyLengthExceededException: The final policy size (20782) is bigger than the limit (20480).
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "e220c7fb-c4c9-4b93-9f15-beba592a3afc"
│   },
│   Message_: "The final policy size (20782) is bigger than the limit (20480).",
│   Type: "User"
│ }
│
│   with module.datadog[0].aws_lambda_permission.allow_cloudwatch_logs_to_call_dd_lambda_handler["/aws/sagemaker/Endpoints/recs-ranker-rn-scribd-has-read-after"],
│   on .terraform/modules/datadog/logs_monitoring_cloudwatch_log.tf line 10, in resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler":
│   10: resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
}
```
@xianwill xianwill self-requested a review September 27, 2024 14:42
@xianwill
Copy link

xianwill commented Sep 27, 2024
edited
Loading

@zbstof This issue seems to indicate wildcards may not work as expected here. Also, logically, this seems to become a full grant to all cloudwatch groups in the AWS account rather than explicit permissions for specific log groups which smells funny.

@xianwill xianwill closed this Sep 27, 2024
@zbstof zbstof deleted the sbytsko/fix-lambda-policy branch September 30, 2024 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xianwill xianwill Awaiting requested review from xianwill

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zbstof @xianwill