(@aws-cdk/aws-dynamodb): DynamoDb Replication: Cannot exceed quota for PoliciesPerRole: 10

[reinismu]

Cannot exceed quota for PoliciesPerRole: 10 (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: 3bd4add0-36e4-44ad-8e98-947977c0a638; Proxy: null)

Starting from version 1.92.0 I can't deploy my global tables.

#13300 seems like this is the change that introduced this bug for me.

Reproduction Steps

What did you expect to happen?

What actually happened?

Environment

• CDK CLI Version : 1.92.0
• Framework Version: 1.92.0
• Node.js Version: v12.6.0
• OS : arch linux
• Language (Version): TypeScript

Other

---

This is 🐛 Bug Report

[jogold]

How many tables and replica regions do you have in your stack?

[reinismu]

@jogold I have 11 tables and 9 of them are replicated in another region as well

[jogold]

@skinny85 this is indeed #13300, there's a limit of 10 managed policies per role and we now create 2 managed policies per table... any suggestion?

[skinny85]

I just want to understand the exact numbers here...

From what I see, we create 2 Policies, yes, but we attach them to different Roles:

aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/table.ts

Lines 1473 to 1474 in aa45ede

	const onEventHandlerPolicy = new SourceTableAttachedPolicy(this, provider.onEventHandler.role!);
	const isCompleteHandlerPolicy = new SourceTableAttachedPolicy(this, provider.isCompleteHandler.role!);

. So, we should be able to create 10 replicas, and only the 11th one should cause this error...

@reinismu can you clarify your answer a little bit? Because I don't exactly follow. Can you show the replicationRegions that you use in your code, and how many of them?

Thanks,
Adam

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[reinismu]

Sorry, missed the comment.

        const episodesTable = new Table(this, `${PREFIX}-series`, {
            partitionKey: {
                name: 'seriesId',
                type: AttributeType.STRING,
            },
            tableName: `${PREFIX}-series`,
            billingMode: BillingMode.PAY_PER_REQUEST,
            replicationRegions: replicationRegions,
            removalPolicy: REMOVAL_POLICY,
            pointInTimeRecovery,
        });

I have in total 9 tables with replicationRegions

replicationRegions comes from environment variables. Now we use eu-central-1 and ap-southeast-1

[skinny85]

Sorry, to clarify: you have 9 separate Table instances, and each is replicated to 2 regions?

[reinismu]

Yes :)

[skinny85]

Interesting! I just tried this:

class ExampleStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        for (let i = 1; i <= 9; i++) {
            new dynamodb.Table(this, `Table${i}`, {
                partitionKey: {
                    name: 'Id',
                    type: dynamodb.AttributeType.STRING,
                },
                replicationRegions: ['eu-central-1', 'ap-southeast-1'],
                removalPolicy: cdk.RemovalPolicy.DESTROY,
            });
        }
    }
}

const app = new cdk.App();

new ExampleStack(app, 'ExampleStack');

and it deployed successfully!

Can you try it on your end? Maybe the error is somewhere else?

Thanks,
Adam

[reinismu]

Not sure what's wrong, but your example doesn't work for me.

Template format error: Unresolved resource dependencies [Table7Replicaeucentral1E0F0C4BF] in the Resources block of the template

Can you try increasing 9 to 15 or something. Just to check.

I upgraded my main infra stack to 1.95.1 and the issue is still there. In total it tries to create 20 Managed policies

[skinny85]

Hmm, that's very concerning. That error shouldn't happen for a such a simple template.

Can you push to a GitHub repo the minimal reproduction that makes you see that error? I'm curious what is causing it.

[reinismu]

I figured it out, Tho more by luck than error message. My main region is eu-central-1 so I can't have it in replicationRegions.

I'm deploying the example project and will try to break it now

[reinismu]

Aha got it!

I deployed first with for (let i = 1; i <= 9; i++) { and then did another deploy with for (let i = 1; i <= 12; i++) { and it broke.

Not sure if deploying it 2x does anything, but can try

[skinny85]

OK, at least I was able to reproduce the Unresolved resource dependencies error that you got 😜.

[skinny85]

First part of the fix: #13889

[skinny85]

Yep, I was able to reproduce the original error with 11 Tables (not sure how you're getting it with just 9, but that's besides the point). The problem is the Roles for the Custom Resource framework handlers. We create a separate Policy for each replicated Table, and attach all of them to those Roles, here:

aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/table.ts

Lines 1473 to 1474 in 93dac4c

	const onEventHandlerPolicy = new SourceTableAttachedPolicy(this, provider.onEventHandler.role!);
	const isCompleteHandlerPolicy = new SourceTableAttachedPolicy(this, provider.isCompleteHandler.role!);

This is a tough one... I think the only way to do this properly is to somehow count how many Custom::DynamoDBReplica resources we have in the Stack, and once that number exceeds 10, we need to create new handlers (and thus Roles) for the Lambdas the custom resource framework needs.

@reinismu for now, I would split the resources into multiple Stacks, so that no Stack has more than 10 Tables with replicas.

@jogold any ideas on how to handle this?

[skinny85]

I wonder whether the logic of counting to 10 can be nicely encapsulated in the getOrCreate () method here:

aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/replica-provider.ts

Lines 28 to 32 in 93dac4c

	public static getOrCreate(scope: Construct, props: ReplicaProviderProps = {}) {
	const stack = Stack.of(scope);
	const uid = '@aws-cdk/aws-dynamodb.ReplicaProvider';
	return stack.node.tryFindChild(uid) as ReplicaProvider ?? new ReplicaProvider(stack, uid, props);
	}

, so that not much of the client code has to change...

Also, I think I found another potential error with this feature: today, ReplicaProvider is a singleton in a Stack, except there is a replicationTimeout property that you can pass it when creating it. Pretty sure the replicationTimeout property will be completely ignored if set on a second table that has any global replicas in one Stack...

[jogold]

Also, I think I found another potential error with this feature: today, ReplicaProvider is a singleton in a Stack, except there is a replicationTimeout property that you can pass it when creating it. Pretty sure the replicationTimeout property will be completely ignored if set on a second table that has any global replicas in one Stack...

You are correct. What do you suggest here? Should we throw if a different value is set on a second table? Include the value in the uid?

[jogold]

I wonder whether the logic of counting to 10 can be nicely encapsulated in the getOrCreate () method here:

Not a really a fan of this counting solution but I can't think of another one...

Implementing it in getOrCreate() is just a matter of adding Math.floor(counter/10) in the uid?

[reinismu]

Could ask CloudFormation team why there is this limit? Maybe it's not that hard to get rid of it.

[jogold]

Could ask CloudFormation team why there is this limit? Maybe it's not that hard to get rid of it.

It's an IAM limit: Managed policies attached to an IAM role https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html

You can request to increase it to 20.

[reinismu]

Ohh I see, I guess no way around that then.

Even if I request it to 20 there would still be someone who will encounter this issue :/

[skinny85]

Also, I think I found another potential error with this feature: today, ReplicaProvider is a singleton in a Stack, except there is a replicationTimeout property that you can pass it when creating it. Pretty sure the replicationTimeout property will be completely ignored if set on a second table that has any global replicas in one Stack...

You are correct. What do you suggest here? Should we throw if a different value is set on a second table? Include the value in the uid?

Probably including the value of timeout in the UID is the way to go here.

[skinny85]

I wonder whether the logic of counting to 10 can be nicely encapsulated in the getOrCreate () method here:

Not a really a fan of this counting solution but I can't think of another one...

Implementing it in getOrCreate() is just a matter of adding Math.floor(counter/10) in the uid?

@jogold is there any way we can do a similar trick that you're doing right now, just with inline policies except managed policies? Since there is no limit on the number of inline policies. Maybe change the logical ID of the inline policy based on the properties of the Table that can cause replacement? Would that work?

[jogold]

Maybe change the logical ID of the inline policy based on the properties of the Table that can cause replacement? Would that work?

This should be possible but would restrict users from using tokens in those properties?

[skinny85]

Yeah, you're right, it wouldn't be as fool-proof as the current trick... I guess counting to 10 is the way to go here!

[jogold]

Probably including the value of timeout in the UID is the way to go here.

Actually we cannot do this. For users already using a timeout if we include it in the uid it will impact the logical ID of the Lambda backing the custom resource. This means that the service token of the custom resource must be updated and this is not allowed in CF.

No problem for counting to 10 because we can maintain the existing uid (and thus logical ids) up to 10: see #14054

[reinismu]

Seems like I'm stuck at the old version for my project :/

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[irobertson]

Just ran into this today; leaving comment to avoid issue auto-closing.

[oleg-slapdash]

Try setting @aws-cdk/aws-iam:minimizePolicies feature flag https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.PolicyDocumentProps.html#minimize

[Tengda]

I have more than 10 tables with db replication and got the same error...

[FelixRelli]

Just ran into increased 20 limit. @aws-cdk/aws-iam:minimizePolicies does not help.

[nestorFigliuolo]

Anyone was able to fix this? We are experiencing the same problem and because the problem is currently on already created stack we are unable to split it on multiple stacks. Any help would be greatly appreciated

[tobiasviehweger]

Running into this as well... having to split my persistence into different stacks because of such an arbitrary low limit is extremely unfortunate.

[rix0rrr]

This issue was for the existing Table construct, which used custom resources to implement table replication. We no longer recommend the use of the Table construct.

Instead, the TableV2 construct has been released in 2.95.1 (#27023) which maps to the AWS::DynamoDB::GlobalTable resource, has better support for replication and does not suffer from the issue described here.

---

Be aware that there are additional deployment steps involved in a migration from Table to TableV2. You need to do a RETAIN deployment, a delete deployment, then change the code to use TableV2 and then use cdk import. A link to a full guide will be posted once it is available.

Here are some other resources to get you started (using CfnGlobalTable instead of TableV2) if you want to get going on the migration:

• Migrating from Table to CfnGlobalTable, by Samaneh Utter, an AWS Senior Solutions Architect
• AWS CDK and Amazon DynamoDB Global Tables, by Wojciech Matuszewski from Stedi
• Migrating from Table to CfnGlobalTable, by Sharon Diskin from CloudBit