Description
Name of the resource
AWS::Kinesis::StreamConsumer
Resource Name
No response
Issue Description
If you define a resource policy for a stream consumer, it will fail to create. Based on the error message, it's likely the internal handler doesn't wait for the stream consumer to become active.
There is a workaround: if you add an explicit DependsOn relationship between the stream consumer and the resource policy, the resource policy will be created.
Expected Behavior
The resource policy CFN resource should be created
Observed Behavior
The resource fails to create with:
Resource handler returned message: "Consumer test-consumer with creation timestamp xxxx under stream test-stream and account xxx is not in ACTIVE status. (Service: Kinesis, Status Code: 400, Request ID: xxx, Extended Request ID: xxx) (SDK Attempt Count: 1)" (RequestToken: xxx, HandlerErrorCode: AlreadyExists)
Test Cases
Minimal reproducible template fragment:
{
  "Resources": {
    "teststream": {
      "Type": "AWS::Kinesis::Stream",
      "Properties": {
        "Name": "test-stream",
        "ShardCount": 1
      }
    },
    "testconsumer": {
      "Type": "AWS::Kinesis::StreamConsumer",
      "Properties": {
        "ConsumerName": "test-consumer",
        "StreamARN": {
          "Fn::GetAtt": ["teststream", "Arn"]
        }
      }
    },
    "testconsumerpolicy": {
      "Type": "AWS::Kinesis::ResourcePolicy",
      "Properties": {
        "ResourceArn": {
          "Fn::GetAtt": ["testconsumer", "ConsumerARN"]
        },
        "ResourcePolicy": {
          "Statement": [
            {
              "Action": [
                "kinesis:DescribeStreamConsumer",
                "kinesis:SubscribeToShard"
              ],
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"
                }
              },
              "Resource": {
                "Fn::GetAtt": ["testconsumer", "ConsumerARN"]
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    }
  }
}
Other Details
This happens only for the stream consumer; creating a resource policy for the stream works as expected.
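A pre-deployment check for the pattern reported above, as an added example that is not part of the original issue or the project's code: it flags every AWS::Kinesis::ResourcePolicy whose ResourceArn points at a stream consumer without the explicit DependsOn workaround. The function names and the sample template's logical IDs are assumptions made for illustration.

```python
import json

CONSUMER = "AWS::Kinesis::StreamConsumer"
POLICY = "AWS::Kinesis::ResourcePolicy"

def target_logical_id(resource_arn):
    """Logical ID that a ResourceArn refers to via Fn::GetAtt or Ref, else None."""
    if not isinstance(resource_arn, dict):
        return None  # literal ARN string: nothing to resolve inside the template
    att = resource_arn.get("Fn::GetAtt", resource_arn.get("Ref"))
    if isinstance(att, list) and att:
        return att[0]
    return att.split(".", 1)[0] if isinstance(att, str) else None

def policies_missing_depends_on(template):
    """Return sorted (policy_id, consumer_id) pairs lacking an explicit DependsOn."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != POLICY:
            continue
        target = target_logical_id(res.get("Properties", {}).get("ResourceArn"))
        if resources.get(target, {}).get("Type") != CONSUMER:
            continue  # policy attached to a stream: the issue reports this works
        depends = res.get("DependsOn", [])
        if isinstance(depends, str):  # DependsOn may be a string or a list
            depends = [depends]
        if target not in depends:
            findings.append((logical_id, target))
    return sorted(findings)

# Constructed sample: logical IDs are placeholders, policy documents omitted.
SAMPLE = json.loads("""
{"Resources": {
  "teststream": {"Type": "AWS::Kinesis::Stream"},
  "testconsumer": {"Type": "AWS::Kinesis::StreamConsumer"},
  "streampolicy": {"Type": "AWS::Kinesis::ResourcePolicy",
    "Properties": {"ResourceArn": {"Fn::GetAtt": ["teststream", "Arn"]}}},
  "unguarded": {"Type": "AWS::Kinesis::ResourcePolicy",
    "Properties": {"ResourceArn": {"Fn::GetAtt": ["testconsumer", "ConsumerARN"]}}},
  "guarded": {"Type": "AWS::Kinesis::ResourcePolicy", "DependsOn": "testconsumer",
    "Properties": {"ResourceArn": {"Fn::GetAtt": ["testconsumer", "ConsumerARN"]}}}
}}
""")

if __name__ == "__main__":
    for policy_id, consumer_id in policies_missing_depends_on(SAMPLE):
        print(f"{policy_id}: add DependsOn on {consumer_id}")
```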