Description
While attempting to run `cdk deploy` I received this error:

```
❌ AthenaQueriesViaLambdaStack failed: Error [ValidationError]: Circular dependency between resources: [queryAthenaServiceRoleDefaultPolicy9FC00DC5, queryAthenaFC3070B8]
    at Request.extractError (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:46717)
    at Request.callListeners (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:91771)
    at Request.emit (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:91219)
    at Request.emit (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:199820)
    at Request.transition (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:193373)
    at AcceptorStateMachine.runTo (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:158245)
    at /home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:158575
    at Request.<anonymous> (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:193665)
    at Request.<anonymous> (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:199895)
    at Request.callListeners (/home/ubuntu/.nvm/versions/node/v22.2.0/lib/node_modules/aws-cdk/lib/index.js:401:91939) {
  code: 'ValidationError',
  time: 2024-08-31T02:04:04.915Z,
  requestId: 'c280e6a7-afe0-477d-8a63-b8c07e3c83cd',
  statusCode: 400,
  retryable: false,
  retryDelay: 255.7230751634574
}
```
I was finally able to resolve it by editing the `lib/athena-queries-via-lambda-stack.ts` file. The solution involves adding a logGroup definition:

```ts
const logGroup = new logs.LogGroup(this, 'LogGroup', {
  retention: logs.RetentionDays.ONE_WEEK,
});
```

And removing the `logs:` reference from `lambda_queryAthena`.
Complete edits
```ts
// Needs, at the top of the file: import { aws_logs as logs } from 'aws-cdk-lib';

// Dedicated log group with one-week retention.
const logGroup = new logs.LogGroup(this, 'LogGroup', {
  retention: logs.RetentionDays.ONE_WEEK,
});

// Athena, Glue and S3 access, scoped to the configured buckets, workgroup and database.
lambda_queryAthena.addToRolePolicy(
  new aws_iam.PolicyStatement({
    effect: aws_iam.Effect.ALLOW,
    actions: [
      "athena:StartQueryExecution",
      "athena:GetQueryExecution",
      "glue:GetTable",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:GetBucketLocation",
      "s3:ListMultipartUploadParts"
    ],
    resources: [
      `arn:aws:s3:::${INPUT_S3_BUCKET}`,
      `arn:aws:s3:::${OUTPUT_S3_BUCKET}`,
      `arn:aws:s3:::${INPUT_S3_BUCKET}/${S3_INPUT_PATH}/*`,
      `arn:aws:s3:::${OUTPUT_S3_BUCKET}/${S3_OUTPUT_PATH}/*`,
      `arn:aws:athena:${REGION}:${ACCOUNT}:workgroup/${ATHENA_WORKGROUP}`,
      `arn:aws:glue:${REGION}:${ACCOUNT}:table/${GLUE_DATABASE_NAME}/*`,
      `arn:aws:glue:${REGION}:${ACCOUNT}:catalog`,
      `arn:aws:glue:${REGION}:${ACCOUNT}:database/${GLUE_DATABASE_NAME}`
    ]
  }));

// CloudWatch Logs permissions, scoped to the log group defined above.
lambda_queryAthena.addToRolePolicy(
  new aws_iam.PolicyStatement({
    effect: aws_iam.Effect.ALLOW,
    actions: [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ],
    resources: [
      logGroup.logGroupArn,
    ]
  }));
```
Hope this helps anyone that has the same problem.
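
Added example (not part of the original post or the project's code): a small checker that walks a synthesized CloudFormation template, such as the JSON `cdk synth` writes, and reports the first dependency cycle, so a policy scoped to a resource ARN can be checked before deploying. The two templates are constructed; the issue does not show the original `logs:` resource entry, so the circular one assumes the policy named the function itself in a log-group ARN, and the `LogGroup` logical ID is a placeholder.

```typescript
type Resource = { Type: string; Properties?: unknown; DependsOn?: string[] };
type Template = { Resources: Record<string, Resource> };
// Collect logical IDs named by Ref or Fn::GetAtt in a property tree (Fn::Sub strings are not parsed).
function collectRefs(node: unknown, out: string[]): void {
  if (Array.isArray(node)) { node.forEach((n) => collectRefs(n, out)); return; }
  if (node === null || typeof node !== "object") return;
  const obj = node as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    if (key === "Ref" && typeof value === "string") out.push(value);
    else if (key === "Fn::GetAtt" && Array.isArray(value)) out.push(String(value[0]));
    else collectRefs(value, out);
  }
}
// Return the first dependency cycle as a list of logical IDs, or null if there is none.
function findCycle(t: Template): string[] | null {
  const ids = Object.keys(t.Resources);
  const edges: Record<string, string[]> = {};
  for (const id of ids) {
    const refs: string[] = (t.Resources[id].DependsOn ?? []).slice();
    collectRefs(t.Resources[id].Properties, refs);
    edges[id] = refs.filter((r) => ids.indexOf(r) >= 0); // drop parameters and pseudo-refs
  }
  const state: Record<string, number> = {}; // 1 = on the DFS stack, 2 = finished
  const stack: string[] = [];
  const visit = (id: string): string[] | null => {
    if (state[id] === 2) return null;
    if (state[id] === 1) return stack.slice(stack.indexOf(id));
    state[id] = 1; stack.push(id);
    for (const next of edges[id]) { const c = visit(next); if (c) return c; }
    stack.pop(); state[id] = 2;
    return null;
  };
  for (const id of ids) { const c = visit(id); if (c) return c; }
  return null;
}

// Constructed templates that reuse the two logical IDs from the error message.
const FN = "queryAthenaFC3070B8", POLICY = "queryAthenaServiceRoleDefaultPolicy9FC00DC5";
const logsStatement = (resource: unknown) => ({ PolicyDocument: { Statement: [
  { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: resource }] } });
const circular: Template = { Resources: {
  [FN]: { Type: "AWS::Lambda::Function", DependsOn: [POLICY] },
  [POLICY]: { Type: "AWS::IAM::Policy", Properties: logsStatement(
    { "Fn::Join": ["", ["arn:aws:logs:*:*:log-group:/aws/lambda/", { Ref: FN }, ":*"]] }) } } };
const fixed: Template = { Resources: {
  LogGroup: { Type: "AWS::Logs::LogGroup" },
  [FN]: { Type: "AWS::Lambda::Function", DependsOn: [POLICY] },
  [POLICY]: { Type: "AWS::IAM::Policy", Properties: logsStatement({ "Fn::GetAtt": ["LogGroup", "Arn"] }) } } };
```

`findCycle(circular)` returns the same pair of logical IDs that CloudFormation lists in the error, and `findCycle(fixed)` returns `null` because the policy now points at the separate log group.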