Summary
A circular dependency occurs in the CloudFormation template when deploying the SecretsManagerMongoDBRotationSingleUser Lambda function due to how the Lambda permission references the function’s ARN. This issue prevents successful stack deletion.
Steps to Reproduce
- Deploy the CloudFormation template as provided.
- Attempt to delete the stack, which may get stuck or fail due to unresolved dependencies.
Circular dependency between resources: [SecretsManagerMongoDBRotationSingleUser, LambdaPermission]
Root Cause
In the template, the Lambda permission references the Lambda function using its ARN:
FunctionName: !GetAtt SecretsManagerMongoDBRotationSingleUser.Arn
This creates an implicit dependency where:
• The Lambda function must be fully created (with an assigned ARN) before the permission can be created.
• The Lambda permission is required for the Lambda to function correctly, forming a circular dependency.
Proposed Solution
Suggested Fix:
Replace the ARN reference with a name reference to eliminate the dependency loop:
- FunctionName: !GetAtt SecretsManagerMongoDBRotationSingleUser.Arn
+ FunctionName: !Ref functionName
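Review bot: `!Ref functionName` on the `+` line is not tied to the `SecretsManagerMongoDBRotationSingleUser` resource named in the error message. If `functionName` is a template parameter, as the neighbouring `!Ref invokingServicePrincipal` suggests, the permission loses every ordering constraint against the function and can be created before the function exists. Confirm that the function resource takes its `FunctionName` from the same parameter, and add a template comment recording why the ARN reference was dropped.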
Why This Fix Works:
• !Ref functionName uses the logical name of the Lambda function, which is known at creation time and does not require the Lambda to be fully deployed.
• This change removes the implicit dependency and allows CloudFormation to create resources in the correct order.
Corrected Template Snippet
LambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref functionName # ✅ FIX: Replaced ARN with function name
    Principal: !Ref invokingServicePrincipal
    SourceAccount: !Ref AWS::AccountId
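An added example, not part of the original issue or the project's template: a Python check that derives the dependency edges CloudFormation infers from `Ref`, `Fn::GetAtt` and `DependsOn` in a JSON-form template and reports a cycle. The two-resource template is constructed, and the function's `DependsOn: LambdaPermission` edge is an assumption, since the issue does not show what makes the function depend on the permission.

```python
def refs(node, resources):
    """Yield logical IDs of resources referenced through Ref or Fn::GetAtt."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str) and val in resources:
                yield val
            elif key == "Fn::GetAtt" and isinstance(val, list) and val[0] in resources:
                yield val[0]
            else:
                yield from refs(val, resources)
    elif isinstance(node, list):
        for item in node:
            yield from refs(item, resources)

def dependency_graph(template):
    """Map each resource to the resources it must wait for."""
    resources, graph = template["Resources"], {}
    for name, body in resources.items():
        deps = set(refs(body.get("Properties", {}), resources))
        explicit = body.get("DependsOn", [])
        graph[name] = deps | set([explicit] if isinstance(explicit, str) else explicit)
    return graph

def find_cycle(graph):
    """Depth-first search; return one cycle as a list of logical IDs, or None."""
    done = set()
    def visit(node, path):
        for dep in sorted(graph.get(node, ())):
            if dep in path:
                return path[path.index(dep):]
            found = None if dep in done else visit(dep, path + [dep])
            if found:
                return found
        done.add(node)
    for start in sorted(graph):
        found = None if start in done else visit(start, [start])
        if found:
            return found
    return None

def make_template(permission_function_name):
    """Constructed template. The function's DependsOn is an assumption, not from the issue."""
    function = {"Type": "AWS::Lambda::Function", "DependsOn": "LambdaPermission",
                "Properties": {"FunctionName": {"Ref": "functionName"}}}
    permission = {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "FunctionName": permission_function_name}}
    return {"Parameters": {"functionName": {"Type": "String"}},
            "Resources": {"SecretsManagerMongoDBRotationSingleUser": function,
                          "LambdaPermission": permission}}
```

A `Ref` to a parameter adds no edge to the graph, so the cycle disappears, and so does any ordering between the permission and the function.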