(custom_resources): incorrect IAM prefix generated for CloudWatch actions

[konoui]

Describe the bug

AwsCustomResource in custom_resources generates an incorrect IAM action prefix monitoring:<action> for CloudWatch actions. The correct prefix should be cloudwatch:<action>.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The generated IAM action prefix should be cloudwatch:<action>.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html

Amazon CloudWatch (service prefix: cloudwatch) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Current Behavior

The generated IAM action prefix is monitoring:<action>.

Reproduction Steps

1. Use AwsCustomResource to create a resource for a CloudWatch action (e.g., tagResource).
2. Run cdk synth.
3. Observe the generated IAM policy in the synthesized template.

new custom_resources.AwsCustomResource(this, "CustomResource", {
  onCreate: {
    service: "CloudWatch",
    action: "tagResource",
    parameters: {
      ResourceARN: "dummy",
      Tags: [{ Key: "Name", Value: "prod" }],
    },
    physicalResourceId: custom_resources.PhysicalResourceId.of("add_tag"),
  },
  policy: custom_resources.AwsCustomResourcePolicy.fromSdkCalls({
    resources: custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});

cdk synth

(snip)
  CustomResourceCustomResourcePolicy887CD354:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: monitoring:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CustomResourceCustomResourcePolicy887CD354
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
(snip)

Possible Solution

The issue seems to originate in the sdk-v3-metadata.json file, which maps CloudWatch actions to the incorrect prefix monitoring.

https://github.com/aws/aws-cdk/blob/v2.176.0/packages/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-v3-metadata.json#L198

Additional Information/Context

No response

CDK CLI Version

2.176.0

Framework Version

No response

Node.js Version

v22.8.0

OS

macOS Monterey

Language

TypeScript

Language Version

No response

Other information

No response

[ashishdhingra]

Reproducible using CDK version 2.176.0 (build 899965d). It generates the following CFN template:

Resources:
  CustomResource8CDCD7A7:
    Type: Custom::AWS
    Properties:
      ServiceToken:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd22872D164C4C
          - Arn
      Create: '{"service":"CloudWatch","action":"tagResource","parameters":{"ResourceARN":"dummy","Tags":[{"Key":"Name","Value":"prod"}]},"physicalResourceId":{"id":"add_tag"}}'
      InstallLatestAwsSdk: false
    DependsOn:
      - CustomResourceCustomResourcePolicy887CD354
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: CdktestStackNew/CustomResource/Resource/Default
  CustomResourceCustomResourcePolicy887CD354:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action: monitoring:TagResource
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: CustomResourceCustomResourcePolicy887CD354
      Roles:
        - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: CdktestStackNew/CustomResource/CustomResourcePolicy/Resource
  AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: "2012-10-17"
      ManagedPolicyArns:
        - Fn::Join:
            - ""
            - - "arn:"
              - Ref: AWS::Partition
              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Metadata:
      aws:cdk:path: CdktestStackNew/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource
  AWS679f53fac002430cb0da5b7982bd22872D164C4C:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: cdk-hnb659fds-assets-<<ACCOUNT-ID>>-us-east-2
        S3Key: ce2f3595a340d6c519a65888ef97e3b9b64f053f83608e32cc28162e22d7d99a.zip
      Handler: index.handler
      Role:
        Fn::GetAtt:
          - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
          - Arn
      Runtime: nodejs20.x
      Timeout: 120
    DependsOn:
      - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
    Metadata:
      aws:cdk:path: CdktestStackNew/AWS679f53fac002430cb0da5b7982bd2287/Resource
      aws:asset:path: asset.ce2f3595a340d6c519a65888ef97e3b9b64f053f83608e32cc28162e22d7d99a
      aws:asset:is-bundled: false
      aws:asset:property: Code
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/12Oyw6CMBBFv8V9GRWNukUS1wY+gIxlJAOlTZhWYgj/buqDhat75tzcZFLYHg+wWeEoia67xPANptKj7pQO4l1fDSQuDJoEslHytyu+SuEo1WSwv9UIU8m2MeSdvQSrPTurFsjvi5wVYw/T1RnWz1h8qXCG4hlzVrKrUIS8QBZDyQ7OQXfkzyg0q7834uzHC7yHpceGbTMr62qCVtaP7QnSDexXrTAnQ7Cee4Liky/B7auRDQEAAA==
    Metadata:
      aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Findings:

• Policy action is generated here by using awsSdkToIamAction() helper method.
• awsSdkToIamAction() helper method uses normalizeServiceName() to get the JS V3 service name.
• v2ToV3Mapping() loads sdk-v2-to-v3.json.
• Currently, sdk-v2-to-v3.json doesn't have a mapping for CloudWatch. So here, it just returns service name 9in lower case), i.e., cloudwatch.
• Thereafter, here, it tries to determine iamPrefix by invoking v3Metadata().
• v3Metadata() loads sdk-v3-metadata.json.
• In sdk-v3-metadata.json, cloudwatch is mapped to monitoring iamPrefix.

Refer PR #31874 (this is still pending ownership by CDK squad since integration snapshots update need to be done differently) on how to use /scripts/update-sdkv3-parameters-model.sh to generate new sdk-v2-to-v3.json (it perhaps also generates new packages/aws-cdk-lib/custom-resources/lib/helpers-internal/sdk-v3-metadata.json). However, in the PR run as well, it had incorrect mapping for cloudwatch service.

PR which introduced sdk-v3-metadata.json #27313. It mentions below:

From SDKv3 models, extract a new sdk-v3-metadata.json which contains the following information:

• IAM prefix for every service
• A list of APIs that end in the word Command, so we can disambiguate around these.