RFS deployment fails when a service control policy requires Lambda functions to be in VPC

Description

A user reported in GitHub issue [link to issue] that they are unable to deploy the reindex-from-snapshot solution because their AWS account has a service control policy that prohibits Lambda functions without VPC settings.

Even though the user provided a vpcId in the cdk.context.json configuration, the CustomS3AutoDeleteObject Lambda function (and potentially others) is still being created without VPC settings, causing the deployment to fail with a Service Control Policy explicit deny error.

Error Observed:

Acceptance Criteria:

Modify the CDK code to ensure all Lambda functions created as part of the RFS deployment (including CustomS3AutoDeleteObject and any other helper functions) respect the VPC configuration provided in cdk.context.json.

Environment

None
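
One way to check the acceptance criterion before deploying, as an added example that is not part of the ticket or the project's code: scan a synthesized CloudFormation template (such as the JSON files `cdk synth` writes under cdk.out) for AWS::Lambda::Function resources that have no VpcConfig. The sample template, logical IDs and subnet ID below are constructed placeholders.

```python
import json

# Constructed sample of a synthesized template (not taken from the ticket).
# Logical IDs and the subnet ID are placeholders.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ArtifactBucket": {"Type": "AWS::S3::Bucket"},
        "CustomS3AutoDeleteObjectsHandler": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Runtime": "nodejs20.x", "Handler": "index.handler"},
        },
        "HelperInVpc": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "VpcConfig": {
                    "SubnetIds": ["subnet-EXAMPLE"],
                    "SecurityGroupIds": [{"Fn::GetAtt": ["HelperSg", "GroupId"]}],
                },
            },
        },
        "HelperEmptyVpc": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []}},
        },
    }
})


def lambdas_without_vpc(template_text):
    """Return sorted logical IDs of Lambda functions lacking a usable VpcConfig."""
    resources = json.loads(template_text).get("Resources") or {}
    missing = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        vpc = (resource.get("Properties") or {}).get("VpcConfig")
        # SubnetIds / SecurityGroupIds may be literal lists or intrinsics (Ref,
        # Fn::Split, ...); any non-empty value counts as configured. A VpcConfig
        # that is itself an intrinsic is reported so it gets a manual look.
        if not isinstance(vpc, dict) or not vpc.get("SubnetIds") or not vpc.get("SecurityGroupIds"):
            missing.append(logical_id)
    return sorted(missing)


if __name__ == "__main__":
    for logical_id in lambdas_without_vpc(SAMPLE_TEMPLATE):
        print(f"Lambda function without VPC settings: {logical_id}")
```
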

Activity


Jugal Chauhan 
April 9, 2025 at 8:08 PM

We are not making this documentation change at this point, because this has been an issue for a single customer so far. We believe we may cause more issues with our artifacts (for example, S3 bucket) being left behind once stacks are removed.


Jugal Chauhan 
April 9, 2025 at 8:02 PM

We can consider removing the "artifactBucketRemovalPolicy": "DESTROY" option from our documentation

Done
Created April 4, 2025 at 9:18 PM
Updated April 9, 2025 at 8:08 PM
Resolved April 9, 2025 at 8:08 PM