How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
20.19.6
Amplify CLI Version
@aws-amplify/cli-internal-gen2-migration-experimental-alpha@0.7.0 (host @aws-amplify/cli 14.3.0) — bug is in the experimental gen2-migration alpha, not the core CLI
What operating system are you using?
macOS
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No changes made to reproduce. The wildcard .../rule/* invoke permission exists on a Gen 1 scheduled function in our app; cloud resources were not altered to produce the bug.
Describe the bug
Running amplify gen2-migration generate (from @aws-amplify/cli-internal-gen2-migration-experimental-alpha@0.7.0) crashes when any Lambda has a resource-based permission for events.amazonaws.com whose Condition.ArnLike["AWS:SourceArn"] ends in :rule/* (a wildcard grant, not a specific rule).
fetchFunctionSchedule in lib/commands/gen2-migration/generate/_infra/aws-fetcher.js derives the rule name by taking the segment after rule/. For a wildcard ARN that segment is the literal *. It then calls DescribeRule({ Name: "*" }), which EventBridge rejects as an invalid name with a ValidationException. The exception is unhandled and aborts the entire generate run. In our project the trigger is a scheduled function (DelayedSurveyCreation) carrying a .../rule/* permission.
Expected behavior
A wildcard (or otherwise invalid) rule name isn't a real schedule target. fetchFunctionSchedule should treat it as "no schedule found" and continue, instead of aborting the migration.
Reproduction steps
- Create a Lambda WildcardRuleFn in any account.
- Add a wildcard EventBridge invoke permission:
  aws lambda add-permission \
    --function-name WildcardRuleFn \
    --statement-id allow-eventbridge-wildcard \
    --action lambda:InvokeFunction \
    --principal events.amazonaws.com \
    --source-arn 'arn:aws:events:us-east-1:<account-id>:rule/*'
- In a Gen 1 project that includes this function, run npx amplify gen2-migration generate.
- The command throws ValidationException from DescribeRule and aborts.
Project Identifier
No response
Log output
ValidationException: 1 validation error detected: Value '*' at 'name' failed to satisfy constraint: Member must satisfy regular expression pattern: [\.\-_A-Za-z0-9]+
at DescribeRuleCommand (…/generate/_infra/aws-fetcher.js → fetchFunctionSchedule)
Additional information
Validate the extracted name against EventBridge's own pattern before the call; return undefined if it doesn't match. In aws-fetcher.js:
- if (!ruleName)
- return undefined;
+ if (!ruleName || !/^[\.\-_A-Za-z0-9]+$/.test(ruleName))
+ return undefined;
const ruleResponse = await this.clients.cloudWatchEvents.send(new client_cloudwatch_events_1.DescribeRuleCommand({ Name: ruleName }));
return ruleResponse.ScheduleExpression;
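Review bot: on the added `if (!ruleName || !/^[\.\-_A-Za-z0-9]+$/.test(ruleName))` line, the guard returns undefined without any output, so a function whose EventBridge grant is a wildcard is reported as having no schedule and nothing in the generate run says why; log a warning that names the rejected value before the `return undefined;`. The unchanged `send(new client_cloudwatch_events_1.DescribeRuleCommand({ Name: ruleName }))` line below the guard is still not wrapped, so a name that passes the pattern but is rejected by the service for another reason still aborts the run. The inline regex would also be easier to maintain as a named constant with a comment tying it to the pattern quoted in the ValidationException.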
We apply this in one local patch combined with the orphan-rule fix in the related issue. Related: #14912 [https://github.com//issues/14912].
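Added example, not part of the original issue and not the Amplify CLI's code: an offline sketch of the check described above, applied to a whole Lambda resource policy so that wildcard grants are skipped and recorded instead of being sent to DescribeRule. The function names, the sample policy, the account id and the rule name nightly-job are constructed for illustration.

```javascript
// Added example; function and variable names are hypothetical, not the CLI's.
// Pattern copied from the ValidationException message in the log output.
const RULE_NAME_PATTERN = /^[.\-_A-Za-z0-9]+$/;

// Return the text after "rule/" in an EventBridge rule ARN, or undefined.
function ruleNameFromSourceArn(arn) {
  if (typeof arn !== 'string') return undefined;
  const resource = arn.split(':').slice(5).join(':');
  return resource.startsWith('rule/') ? resource.slice('rule/'.length) : undefined;
}

// Sort a function's events.amazonaws.com grants into rule names that are safe
// to pass to DescribeRule and grants that must be skipped (wildcards etc.).
function classifyEventBridgeGrants(policyJson) {
  const out = { describable: [], skipped: [] };
  for (const stmt of [].concat(JSON.parse(policyJson).Statement || [])) {
    if (stmt.Principal?.Service !== 'events.amazonaws.com') continue;
    const arn = stmt.Condition?.ArnLike?.['AWS:SourceArn'];
    const name = ruleNameFromSourceArn(arn);
    if (name !== undefined && RULE_NAME_PATTERN.test(name)) out.describable.push(name);
    else out.skipped.push({ sid: stmt.Sid, sourceArn: arn });
  }
  return out;
}

// Constructed sample policy (account id and rule name are placeholders).
const SAMPLE_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [
    { Sid: 'allow-eventbridge-wildcard', Effect: 'Allow',
      Principal: { Service: 'events.amazonaws.com' }, Action: 'lambda:InvokeFunction',
      Condition: { ArnLike: { 'AWS:SourceArn': 'arn:aws:events:us-east-1:123456789012:rule/*' } } },
    { Sid: 'allow-nightly-rule', Effect: 'Allow',
      Principal: { Service: 'events.amazonaws.com' }, Action: 'lambda:InvokeFunction',
      Condition: { ArnLike: { 'AWS:SourceArn': 'arn:aws:events:us-east-1:123456789012:rule/nightly-job' } } },
    { Sid: 'allow-s3', Effect: 'Allow',
      Principal: { Service: 's3.amazonaws.com' }, Action: 'lambda:InvokeFunction' },
  ],
});

console.log(classifyEventBridgeGrants(SAMPLE_POLICY));
```

The skipped list doubles as an inventory of over-broad invoke grants: a rule/* source ARN lets any rule in the account trigger the function, which is worth reviewing independently of the migration.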