Getting around circular CloudFormation Dependencies: S3-Event-Lambda-Role


Getting around circular CloudFormation dependencies

Several posts complain about the inability of CloudFormation to apply a Lambda event function to an S3 Bucket with an dynamically generated name.

The standard UseCase is an S3 Bucket with a Lambda event notification. In this special case the Bucket has a dynamically generated name. This cannot be done by pure CloudFormation!

How to work around this circular depency? Let me show you an easy way:

In AWS Blog: Handling circular dependency errors in AWS CloudFormation [AWS1] and serverless hero Ben Kehoe writes here .[BEN1]

This will not work

So in pure CloudFormation this is not possible:


That is because we have a circular dependency. As [AWS1] says: “The bucket notification is dependent on the Lambda function and the Lambda function is dependent on the execution role, which is dependent on the S3 bucket.”

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
    Type: AWS::S3::Bucket     
    Type: AWS::Serverless::Function
      CodeUri: s3://bucketname/ # Add in an S3 URI where you have code Lambda Code
      Runtime: python2.7
      Handler: index.handler
        - Version: 2012-10-17
            - Effect: Allow
              Action: s3:GetObject*
              Resource: !Sub "arn:aws:s3:::${Bucket}*"
              Ref: Bucket
            Events: s3:ObjectCreated:*
          Type: S3

So we have to decouple things. We can do that by first creating the bucket and the lambda function and bringing them together after that.

The way to extend CloudFormation is a custom resource. That is a Lambda Function wich acts as a CloudFormation resource. This “bring together” function gets notified to create or update or delete itself.

You could also do this as an AWS cli script after creation of the CloudFormation stack. But if you do that, you won’t have the stack itself as a whole functional unit. But beeing lazy, the question is: do I really have to code this all by myself? - Answer is no - CDK to the rescue.

This will work


CDK code

If you create an CDK app with cdk init app --language=typescript you just have to get some imports:

import {Bucket,EventType} from '@aws-cdk/aws-s3';
import {LambdaDestination} from '@aws-cdk/aws-s3-notifications';
import {Function, Runtime, Code} from '@aws-cdk/aws-lambda'

And replace // The code that defines your stack goes here with this snippet:

export class CfnGraphStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // S3
    const bucket = new Bucket(this, "testbucketmpa",{
      removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code

     // Lambda
    const lambda = new Function(this, 'HelloHandler', {
      code: Code.asset(path.join(__dirname,  '../lambda')),
      handler: 'hello.handler',
      runtime: Runtime.NODEJS_8_10,
      memorySize: 1024

    // S3 -> Lambda
    bucket.addEventNotification(EventType.OBJECT_CREATED, new LambdaDestination(lambda));


Of course there have to be a node Lambda function in the dir lambda

The CDK has already added the “bring together” Lambda function. And it is all happening under the hood, we just add the EventNotifcation in the ts code to the Bucket.

Generated template

    Type: Custom::S3BucketNotifications
        Ref: testbucketmpaAE8E5392
          - Events:
              - s3:ObjectCreated:*
                - HelloHandler2E4FBA4D
                - Arn
      - HelloHandlerAllowBucketNotificationsFromCfnGraphStacktestbucketmpa0C1D72A46851358B

This snippet from the generated CloudFormation (cdk synth) shows the Custom Ressource which waits (with DependsOn until the AWS::Lambda::Permission is created.)

The Lambda Function is created inline:

    Type: AWS::Lambda::Function
      Description: AWS CloudFormation handler for "Custom::S3BucketNotifications" resources (@aws-cdk/aws-s3)
        ZipFile: >-
          exports.handler = (event, context) => {
              const s3 = new (require('aws-sdk').S3)();
              const https = require("https");
              const url = require("url");
              log(JSON.stringify(event, undefined, 2));
              return s3.putBucketNotificationConfiguration(req, (err, data) => {

Its creates the BucketNotificatioConfiguration and you’re done!