fix(config): Creating multiple rules from the same lambda (#21594)

fixes #17582 

because the id of ".addPermission" is set to a fixed value of ″permission″, which means that only one can be set in the stack.

1. and add a unique suffix to the id. This will allow multiple custom rules to be handled in one stack.
2. Do the id check before addPermission. This will allow only one permission to be granted to a custom rule from the config service.

Addendum:.
I have created a hash from FunctionName, AccountID, and Region to make the suffix unique.
Therefore, the omitted parts in the test code have been modified to fix the result.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: watany-dev

packages/@aws-cdk/aws-config/lib/rule.ts

@@ -1,7 +1,8 @@
+import { createHash } from 'crypto';
 import * as events from '@aws-cdk/aws-events';
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
-import { IResource, Lazy, Resource } from '@aws-cdk/core';
+import { IResource, Lazy, Resource, Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnConfigRule } from './config.generated';
 
@@ -408,11 +409,20 @@ export class CustomRule extends RuleNew {
         messageType: MessageType.SCHEDULED_NOTIFICATION,
       });
     }
-
-    props.lambdaFunction.addPermission('Permission', {
-      principal: new iam.ServicePrincipal('config.amazonaws.com'),
-      sourceAccount: this.env.account,
-    });
+    const hash = createHash('sha256')
+      .update(JSON.stringify({
+        fnName: props.lambdaFunction.functionName.toString,
+        accountId: Stack.of(this).resolve(this.env.account),
+        region: Stack.of(this).resolve(this.env.region),
+      }), 'utf8')
+      .digest('base64');
+    const customRulePermissionId: string = `CustomRulePermission${hash}`;
+    if (!props.lambdaFunction.permissionsNode.tryFindChild(customRulePermissionId)) {
+      props.lambdaFunction.addPermission(customRulePermissionId, {
+        principal: new iam.ServicePrincipal('config.amazonaws.com'),
+        sourceAccount: this.env.account,
+      });
+    };
 
     if (props.lambdaFunction.role) {
       props.lambdaFunction.role.addManagedPolicy(

packages/@aws-cdk/aws-config/test/integ.rule.lit.ts

@@ -38,5 +38,5 @@ class ConfigStack extends cdk.Stack {
   }
 }
 
-new ConfigStack(app, 'aws-cdk-config-rule-integ');
+new ConfigStack(app, 'aws-cdk-config-rule-integ', {});
 app.synth();

packages/@aws-cdk/aws-config/test/integ.scoped-rule.ts

@@ -4,7 +4,7 @@ import * as config from '../lib';
 
 const app = new cdk.App();
 
-const stack = new cdk.Stack(app, 'aws-cdk-config-rule-scoped-integ');
+const stack = new cdk.Stack(app, 'aws-cdk-config-rule-scoped-integ', {});
 
 const fn = new lambda.Function(stack, 'CustomFunction', {
   code: lambda.AssetCode.fromInline('exports.handler = (event) => console.log(event);'),

packages/@aws-cdk/aws-config/test/rule.lit.integ.snapshot/aws-cdk-config-rule-integ.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "21.0.0",
   "files": {
-    "9c0ec14ff7954b877625fb363a75213d58cb40e40acfcb23727388ddf0c52fec": {
+    "99b272ad5d23fb805d1e06b58a04179d8720a36f6aa8cf035eff419db2e87432": {
       "source": {
         "path": "aws-cdk-config-rule-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "9c0ec14ff7954b877625fb363a75213d58cb40e40acfcb23727388ddf0c52fec.json",
+          "objectKey": "99b272ad5d23fb805d1e06b58a04179d8720a36f6aa8cf035eff419db2e87432.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-config/test/rule.lit.integ.snapshot/aws-cdk-config-rule-integ.template.json

@@ -62,7 +62,7 @@
     "CustomFunctionServiceRoleD3F73B79"
    ]
   },
-  "CustomFunctionPermission41887A5E": {
+  "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
     "Action": "lambda:InvokeFunction",
@@ -107,7 +107,7 @@
     }
    },
    "DependsOn": [
-    "CustomFunctionPermission41887A5E",
+    "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8",
     "CustomFunctionBADD59E7",
     "CustomFunctionServiceRoleD3F73B79"
    ]

packages/@aws-cdk/aws-config/test/rule.lit.integ.snapshot/manifest.json

@@ -23,7 +23,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9c0ec14ff7954b877625fb363a75213d58cb40e40acfcb23727388ddf0c52fec.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/99b272ad5d23fb805d1e06b58a04179d8720a36f6aa8cf035eff419db2e87432.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -51,10 +51,10 @@
             "data": "CustomFunctionBADD59E7"
           }
         ],
-        "/aws-cdk-config-rule-integ/CustomFunction/Permission": [
+        "/aws-cdk-config-rule-integ/CustomFunction/CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "CustomFunctionPermission41887A5E"
+            "data": "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8"
           }
         ],
         "/aws-cdk-config-rule-integ/Custom/Resource": [
@@ -104,6 +104,15 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion"
           }
+        ],
+        "CustomFunctionCustomRulePermissionXogMcOcBfKkfAgTC3zxpecyWNuSNTUwy6QrCZdRtCdwF5AB15B7": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CustomFunctionCustomRulePermissionXogMcOcBfKkfAgTC3zxpecyWNuSNTUwy6QrCZdRtCdwF5AB15B7",
+            "trace": [
+              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
+            ]
+          }
         ]
       },
       "displayName": "aws-cdk-config-rule-integ"

packages/@aws-cdk/aws-config/test/rule.lit.integ.snapshot/tree.json

@@ -105,9 +105,9 @@
                   "version": "0.0.0"
                 }
               },
-              "Permission": {
-                "id": "Permission",
-                "path": "aws-cdk-config-rule-integ/CustomFunction/Permission",
+              "CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=": {
+                "id": "CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=",
+                "path": "aws-cdk-config-rule-integ/CustomFunction/CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::Lambda::Permission",
                   "aws:cdk:cloudformation:props": {

packages/@aws-cdk/aws-config/test/rule.test.ts

@@ -91,11 +91,6 @@ describe('rule', () => {
         },
         MaximumExecutionFrequency: 'Six_Hours',
       },
-      DependsOn: [
-        'FunctionPermissionEC8FE997',
-        'Function76856677',
-        'FunctionServiceRole675BB04A',
-      ],
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
@@ -460,6 +455,49 @@ describe('rule', () => {
     });
   });
 
+  test('create two custom rules and one function', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const fn = new lambda.Function(stack, 'Function', {
+      code: lambda.AssetCode.fromInline('foo'),
+      handler: 'index.handler',
+      runtime: lambda.Runtime.NODEJS_14_X,
+    });
+
+    // WHEN
+    new config.CustomRule(stack, 'Rule1', {
+      configurationChanges: true,
+      description: 'really cool rule',
+      lambdaFunction: fn,
+      maximumExecutionFrequency: config.MaximumExecutionFrequency.SIX_HOURS,
+      configRuleName: 'cool rule 1',
+      periodic: true,
+    });
+    new config.CustomRule(stack, 'Rule2', {
+      configurationChanges: true,
+      description: 'really cool rule',
+      lambdaFunction: fn,
+      configRuleName: 'cool rule 2',
+    });
+
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::Config::ConfigRule', 2);
+    Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 1);
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'Function76856677',
+          'Arn',
+        ],
+      },
+      Principal: 'config.amazonaws.com',
+      SourceAccount: {
+        Ref: 'AWS::AccountId',
+      },
+    });
+  });
   test('create a 0 charactor policy', () => {
     // GIVEN
     const stack = new cdk.Stack();

packages/@aws-cdk/aws-config/test/scoped-rule.integ.snapshot/aws-cdk-config-rule-scoped-integ.assets.json

@@ -1,15 +1,15 @@
 {
   "version": "21.0.0",
   "files": {
-    "334d65f391737c79c5dd4a7f1fd9b8b58c86d362835cfcfd1a3873245cb214e0": {
+    "ce24448515abcdc66d5b46f4e7b5a3a4bad2eda8fa9f00dde24710cbc9860c87": {
       "source": {
         "path": "aws-cdk-config-rule-scoped-integ.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "334d65f391737c79c5dd4a7f1fd9b8b58c86d362835cfcfd1a3873245cb214e0.json",
+          "objectKey": "ce24448515abcdc66d5b46f4e7b5a3a4bad2eda8fa9f00dde24710cbc9860c87.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-config/test/scoped-rule.integ.snapshot/aws-cdk-config-rule-scoped-integ.template.json

@@ -62,7 +62,7 @@
     "CustomFunctionServiceRoleD3F73B79"
    ]
   },
-  "CustomFunctionPermission41887A5E": {
+  "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
     "Action": "lambda:InvokeFunction",
@@ -103,7 +103,7 @@
     }
    },
    "DependsOn": [
-    "CustomFunctionPermission41887A5E",
+    "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8",
     "CustomFunctionBADD59E7",
     "CustomFunctionServiceRoleD3F73B79"
    ]

packages/@aws-cdk/aws-config/test/scoped-rule.integ.snapshot/manifest.json

@@ -23,7 +23,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/334d65f391737c79c5dd4a7f1fd9b8b58c86d362835cfcfd1a3873245cb214e0.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ce24448515abcdc66d5b46f4e7b5a3a4bad2eda8fa9f00dde24710cbc9860c87.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -51,10 +51,10 @@
             "data": "CustomFunctionBADD59E7"
           }
         ],
-        "/aws-cdk-config-rule-scoped-integ/CustomFunction/Permission": [
+        "/aws-cdk-config-rule-scoped-integ/CustomFunction/CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=": [
           {
             "type": "aws:cdk:logicalId",
-            "data": "CustomFunctionPermission41887A5E"
+            "data": "CustomFunctionCustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5QED54A3F8"
           }
         ],
         "/aws-cdk-config-rule-scoped-integ/Custom/Resource": [
@@ -74,6 +74,15 @@
             "type": "aws:cdk:logicalId",
             "data": "CheckBootstrapVersion"
           }
+        ],
+        "CustomFunctionPermission41887A5E": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CustomFunctionPermission41887A5E",
+            "trace": [
+              "!!DESTRUCTIVE_CHANGES: WILL_DESTROY"
+            ]
+          }
         ]
       },
       "displayName": "aws-cdk-config-rule-scoped-integ"

packages/@aws-cdk/aws-config/test/scoped-rule.integ.snapshot/tree.json

@@ -105,9 +105,9 @@
                   "version": "0.0.0"
                 }
               },
-              "Permission": {
-                "id": "Permission",
-                "path": "aws-cdk-config-rule-scoped-integ/CustomFunction/Permission",
+              "CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=": {
+                "id": "CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=",
+                "path": "aws-cdk-config-rule-scoped-integ/CustomFunction/CustomRulePermissionbM1jVaicvRO9SDCiAbsQcYrOlESEtMwrrF9ZQQRvd5Q=",
                 "attributes": {
                   "aws:cdk:cloudformation:type": "AWS::Lambda::Permission",
                   "aws:cdk:cloudformation:props": {