
Trigger: Token strings not resolving #28017

@Daniel-ZA


Describe the bug

Hi Team,

Just opening this ticket where the "Token" strings are not resolving during deployment and stay as "Token" strings ${Token[TOKEN.664]}. This results in the error below:

 "3 validation errors detected: Value '${Token[TOKEN.664]}' at 'tags.1.member.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]*;

The error above is thrown against the "AWS::IAM::Role" which the Trigger construct creates because the value of its tag is a token string ${Token[TOKEN.664]} which did not resolve during deployment and is not a valid value for a Tag.

For context, the setup here is that stack-level tags are being applied to the resources in the CDK stack (see code below) where its Tag value is retrieved from a resolvable token SSM parameter.

    const stringValue = ssm.StringParameter.fromStringParameterAttributes(this, 'MyValue', {
      parameterName: 'StringParameter',
      // 'version' can be specified but is optional.
    }).stringValue;

    const func = new lambda.Function(this, 'MyFunction', {
      handler: 'index.handler',
      runtime: lambda.Runtime.NODEJS_18_X,
      code: lambda.Code.fromInline('foo'),
    });
    
    const trigger = new triggers.Trigger(this, 'MyTrigger', {
      handler: func,
      timeout: cdk.Duration.minutes(10),
      invocationType: triggers.InvocationType.EVENT,
    });

    // Apply stack-level tags where the value comes from the SSM parameter
    cdk.Tags.of(this).add("test", stringValue)

The value of these tags comes from an SSM parameter stringValue which is a resolvable token. This error seems to occur when creating the IAM role that the parent construct Trigger creates:

    * AWS::IAM::Role
    * AWS::Lambda::Version
    * AWS::Lambda::Function
    * Custom::Trigger

Comparing this with a similar parent construct AwsCustomResource, the token strings are resolving during deployment and the tags are appropriately propagating to its child resources (AWS::IAM::Role, AWS::Lambda::Function).

    const stringValue = ssm.StringParameter.fromStringParameterAttributes(this, 'MyValue', {
      parameterName: 'StringParameter',
      // 'version' can be specified but is optional.
    }).stringValue;

    const getParameter = new cr.AwsCustomResource(this, 'GetParameter', {
      onUpdate: { // will also be called for a CREATE event
        service: 'SSM',
        action: 'getParameter',
        parameters: {
          Name: 'my-parameter',
          WithDecryption: true,
        },
        physicalResourceId: cr.PhysicalResourceId.of(Date.now().toString()), // Update physical id to always fetch the latest version
      },
      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });

    cdk.Tags.of(this).add("test", stringValue)

Hence, I'm presuming there is an issue with the Trigger construct such that token strings passed to its child resources are not resolving during deployment. I also noticed within the template that the "Tags" are not propagating to the child resources (Role, Lambda Function) during synthesis when compared to AwsCustomResources where "Tags" are visible in the synthesized template.

I also did some additional testing, this time just passing tag values as a simple string instead of SSM parameters, and the deployment went through for Trigger and propagated the tags to the child resources, but this still wasn't visible in the template.

Are you able to give me an idea as to why this happens? Perhaps there is a gap with the Trigger construct? Is this a bug?

Expected Behavior

Token strings of stack-level tags applied on child resources of Trigger not resolved during deployment

Current Behavior

Token strings of stack-level tags applied on child resources of Trigger to be resolved during deployment

Reproduction Steps

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.88.0

Framework Version

No response

Node.js Version

v18.7.0

OS

Windows

Language

TypeScript

Language Version

TypeScript

Other information

No response
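
One way to catch this symptom before deployment, as an added example that is not part of the original issue or the CDK project's code: walk a parsed JSON document and report every string that still contains a literal token marker, checking it against the tag-value pattern quoted in the error above. The sample document and its logical IDs are constructed, and the check assumes the unresolved string appears in the JSON being scanned.

```typescript
// Added example: pre-deploy check for CDK token strings left unresolved.
// Token shape and tag-value pattern are taken from the error quoted in the issue.
const UNRESOLVED_TOKEN = /\$\{Token\[[^\]]*\]\}/;
const TAG_VALUE_PATTERN = new RegExp("^[\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*$", "u");

interface Finding {
  path: string; // JSON path of the offending string
  value: string;
  failsTagPattern: boolean; // true if the value also violates the tag constraint
}

// Recursively walk parsed JSON and collect every string that still carries a
// literal token marker. Objects such as { Ref: ... } are walked, not flagged:
// they are intrinsics that CloudFormation resolves at deploy time.
function findUnresolvedTokens(node: unknown, path: string = "$", out: Finding[] = []): Finding[] {
  if (typeof node === "string") {
    if (UNRESOLVED_TOKEN.test(node)) {
      out.push({ path: path, value: node, failsTagPattern: !TAG_VALUE_PATTERN.test(node) });
    }
  } else if (Array.isArray(node)) {
    node.forEach((child, i) => findUnresolvedTokens(child, path + "[" + i + "]", out));
  } else if (node !== null && typeof node === "object") {
    const obj = node as { [key: string]: unknown };
    Object.keys(obj).forEach((key) => findUnresolvedTokens(obj[key], path + "." + key, out));
  }
  return out;
}

// Constructed sample (logical IDs are made up): one tag value is an intrinsic
// reference, the other is the literal token string from the error message.
const constructedTemplate = {
  Resources: {
    ExampleFunction: {
      Type: "AWS::Lambda::Function",
      Properties: { Tags: [{ Key: "test", Value: { Ref: "ExampleParameter" } }] },
    },
    ExampleRole: {
      Type: "AWS::IAM::Role",
      Properties: { Tags: [{ Key: "test", Value: "${Token[TOKEN.664]}" }] },
    },
  },
};

const findings = findUnresolvedTokens(constructedTemplate);
findings.forEach((f) => console.log(f.path + " = " + f.value));
```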

Labels

@aws-cdk/core (Related to core CDK functionality), @aws-cdk/triggers (Related to the triggers package), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1
