fix(logs-destinations): missing dependency to Permission Policy created by LambdaDestination (#24823)

Fixes #21941

Credit to @daschaa for their [original PR](#22100 (comment))

Author: joel-aws

packages/@aws-cdk/aws-logs-destinations/lib/lambda.ts

@@ -6,7 +6,7 @@ import { Construct } from 'constructs';
 /**
  * Options that may be provided to LambdaDestination
  */
-export interface LambdaDestinationOptions{
+export interface LambdaDestinationOptions {
   /** Whether or not to add Lambda Permissions.
    * @default true
    */
@@ -24,13 +24,22 @@ export class LambdaDestination implements logs.ILogSubscriptionDestination {
   public bind(scope: Construct, logGroup: logs.ILogGroup): logs.LogSubscriptionDestinationConfig {
     const arn = logGroup.logGroupArn;
     if (this.options.addPermissions !== false) {
-      this.fn.addPermission('CanInvokeLambda', {
+      const permissionId = 'CanInvokeLambda';
+      this.fn.addPermission(permissionId, {
         principal: new iam.ServicePrincipal('logs.amazonaws.com'),
         sourceArn: arn,
         // Using SubScription Filter as scope is okay, since every Subscription Filter has only
         // one destination.
         scope,
       });
+      // Need to add a dependency, otherwise the SubscriptionFilter can be created before the
+      // Permission that allows the interaction.
+      const cfnPermission = scope.node.tryFindChild(
+        permissionId,
+      ) as lambda.CfnPermission;
+      if (cfnPermission) {
+        scope.node.addDependency(cfnPermission);
+      }
     }
     return { arn: this.fn.functionArn };
   }

packages/@aws-cdk/aws-logs-destinations/package.json

@@ -73,6 +73,10 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assertions": "0.0.0",
+    "@aws-cdk/aws-events": "0.0.0",
+    "@aws-cdk/aws-events-targets": "0.0.0",
+    "@aws-cdk/aws-lambda-destinations": "0.0.0",
+    "@aws-cdk/aws-sqs": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
     "@aws-cdk/integ-tests": "0.0.0",

packages/@aws-cdk/aws-logs-destinations/test/integ.lambda.js.snapshot/LambdaIntegDefaultTestDeployAssert7BC530B7.assets.json

@@ -0,0 +1,32 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "33583035258f91f2130bb9759626b0a4b2fe7fad9f3e63d427ce5cdc3447b820": {
+      "source": {
+        "path": "asset.33583035258f91f2130bb9759626b0a4b2fe7fad9f3e63d427ce5cdc3447b820.bundle",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "33583035258f91f2130bb9759626b0a4b2fe7fad9f3e63d427ce5cdc3447b820.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "c8724f7396e55c5282f174d8ce47850ce496ad92024bf7cb532b4885c9ce593a": {
+      "source": {
+        "path": "LambdaIntegDefaultTestDeployAssert7BC530B7.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "c8724f7396e55c5282f174d8ce47850ce496ad92024bf7cb532b4885c9ce593a.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-logs-destinations/test/integ.lambda.js.snapshot/LambdaIntegDefaultTestDeployAssert7BC530B7.template.json

@@ -0,0 +1,177 @@
+{
+ "Resources": {
+  "AwsApiCallEventBridgeputEvents": {
+   "Type": "Custom::DeployAssert@SdkCallEventBridgeputEvents",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "EventBridge",
+    "api": "putEvents",
+    "parameters": {
+     "Entries": [
+      {
+       "Detail": "{\"foo\":\"bar\"}",
+       "DetailType": "cdk-integ-custom-rule",
+       "Source": "cdk-lambda-integ"
+      }
+     ]
+    },
+    "flattenResponse": "false",
+    "salt": "1680014156730"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Version": "2012-10-17",
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ]
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+     }
+    ],
+    "Policies": [
+     {
+      "PolicyName": "Inline",
+      "PolicyDocument": {
+       "Version": "2012-10-17",
+       "Statement": [
+        {
+         "Action": [
+          "eventbridge:PutEvents"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Effect": "Allow",
+         "Action": [
+          "events:PutEvents"
+         ],
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Action": [
+          "sqs:ReceiveMessage"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        }
+       ]
+      }
+     }
+    ]
+   }
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Runtime": "nodejs14.x",
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "33583035258f91f2130bb9759626b0a4b2fe7fad9f3e63d427ce5cdc3447b820.zip"
+    },
+    "Timeout": 120,
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  },
+  "AwsApiCallSQSreceiveMessage": {
+   "Type": "Custom::DeployAssert@SdkCallSQSreceiveMessage",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "SQS",
+    "api": "receiveMessage",
+    "expected": "{\"$ObjectLike\":{\"Messages\":[{\"Body\":{\"$StringLike\":\"\\\"responsePayload\\\":\\\"success\\\"\"}}]}}",
+    "parameters": {
+     "QueueUrl": {
+      "Fn::ImportValue": "lambda-logssubscription-integ:ExportsOutputRefQueue4A7E3555425E8BD3"
+     },
+     "WaitTimeSeconds": 20
+    },
+    "flattenResponse": "false",
+    "salt": "1680014156731"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Outputs": {
+  "AssertionResultsAwsApiCallSQSreceiveMessage": {
+   "Value": {
+    "Fn::GetAtt": [
+     "AwsApiCallSQSreceiveMessage",
+     "assertion"
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}