🐛 Fix resource policy limit with many scheduled events #1439

Open
monkut wants to merge 3 commits into master from bug/1415-resource-policy-limit-scheduled-events

Conversation

@monkut (Collaborator) commented Mar 11, 2026

Summary

Fixes #1415

  • Each scheduled event called create_event_permission() with a specific SourceArn, adding a new policy statement per rule
  • With many events, this caused the Lambda resource policy to exceed AWS's 20KB limit
  • Replaced per-rule permissions with a single wildcard arn:aws:events:{region}:{account}:rule/* permission added once before scheduling events
  • _clear_policy() already removes old per-rule statements on each zappa update, so the migration from per-rule to wildcard is seamless
  • The wildcard permission still uses SourceAccount to restrict invocations to the same AWS account

Test plan

  • Full test suite passes (271 tests, 2 pre-existing websocket flakes)
  • Manual testing: deploy with 50+ scheduled events to verify policy stays under 20KB

Each scheduled event added its own AddPermission statement with a specific
SourceArn, causing the Lambda resource policy to exceed AWS's 20KB limit
when many events were configured.

Replace per-rule permissions with a single wildcard permission that covers
all EventBridge rules. _clear_policy() already removes old per-rule
statements on each update, so the migration is seamless.
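To make the size argument and the scope of the new permission concrete, here is an added Python model (example code, not Zappa's own implementation) of the Lambda resource policy both before and after this change. It builds the statements that `AddPermission` produces, measures how many per-rule statements fit under the 20 KB quota, and models how the `AWS:SourceArn` (ArnLike) and `AWS:SourceAccount` (StringEquals) conditions gate an invocation. The region, account id and function ARN are constructed placeholders, and `fnmatch` stands in for IAM's ARN wildcard matching, which is a simplification.

```python
import fnmatch
import json

# AWS quota: a Lambda function's resource-based policy may not exceed 20 KB.
POLICY_LIMIT_BYTES = 20 * 1024

# Constructed placeholder identifiers (not real resources).
REGION = "us-east-1"
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:my-app-dev"


def invoke_statement(sid, source_arn, source_account=ACCOUNT):
    """One statement as AddPermission records it in the function's resource policy."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": source_account},
            "ArnLike": {"AWS:SourceArn": source_arn},
        },
    }


def per_rule_policy(rule_names):
    """Old scheme: one statement per EventBridge rule; grows linearly with the rule count."""
    statements = [
        invoke_statement(f"{name}-permission", f"arn:aws:events:{REGION}:{ACCOUNT}:rule/{name}")
        for name in rule_names
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_policy():
    """New scheme: a single statement covering every rule in this account and region."""
    statement = invoke_statement(
        "zappa-events-wildcard", f"arn:aws:events:{REGION}:{ACCOUNT}:rule/*"
    )
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_size(policy):
    """Size in bytes of the compact JSON form, the figure the quota is applied to."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_limit(policy):
    return policy_size(policy) <= POLICY_LIMIT_BYTES


def rules_until_limit():
    """Number of per-rule statements that still fit before the policy exceeds 20 KB."""
    n = 0
    while fits_limit(per_rule_policy([f"my-app-dev-schedule-{i}" for i in range(n + 1)])):
        n += 1
    return n


def allows_invoke(policy, caller_arn, caller_account):
    """Simplified condition check: a statement applies only if BOTH the ARN pattern
    and the account match. '*' in the ArnLike value is modelled with fnmatch."""
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        arn_ok = fnmatch.fnmatchcase(caller_arn, cond["ArnLike"]["AWS:SourceArn"])
        acct_ok = caller_account == cond["StringEquals"]["AWS:SourceAccount"]
        if arn_ok and acct_ok:
            return True
    return False


if __name__ == "__main__":
    print("per-rule statements that fit under 20 KB:", rules_until_limit())
    print("wildcard policy bytes:", policy_size(wildcard_policy()))
    print(
        "other-account rule can invoke:",
        allows_invoke(wildcard_policy(), f"arn:aws:events:{REGION}:999999999999:rule/x", "999999999999"),
    )
```

Two things the model makes visible: the per-rule policy stops fitting after a few dozen rules (each statement is a few hundred bytes), which is why 50+ scheduled events trip the quota, and the wildcard statement is still bounded to one account and one region, so a rule in another account cannot invoke the function even though any rule name in this account now can.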
coveralls commented Mar 11, 2026

Coverage Status

coverage: 74.661% (+0.006%) from 74.655%
when pulling 0befd50 on bug/1415-resource-policy-limit-scheduled-events
into 20820e7 on master.

Comment thread zappa/core.py
SourceAccount=account_id,
)
except self.lambda_client.exceptions.ResourceConflictException:
# Permission already exists
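Review bot: the `SourceAccount=account_id` argument is the only remaining narrowing once the per-rule `SourceArn` is replaced by the `rule/*` wildcard described in the summary, so any EventBridge rule in this account and region can now invoke the function; that is a deliberate widening relative to per-rule ARNs and deserves a sentence in the comment above this call so later readers do not tighten it back without realising why it was relaxed. The `except ... ResourceConflictException:` branch is the expected path on every `zappa update` after the first, so a log line there rather than a silent pass keeps the idempotent behaviour visible.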
monkut (Collaborator, Author) commented:

Add logging that: 'permission already exists'

Comment thread zappa/core.py
# Add a single wildcard permission for all EventBridge rules instead of
# one per rule, to stay within the 20KB resource policy limit (#1415).
has_scheduled_events = any(e.get("expression") or e.get("expressions") for e in events)
if has_scheduled_events:
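Review bot: the `if has_scheduled_events:` guard correctly adds the wildcard statement only when at least one event carries `expression` or `expressions`, but the per-event loop that follows must no longer call `create_event_permission()` with a per-rule `SourceArn` for those events; `_clear_policy()` removes the old statements on update, and re-adding one per rule next to the wildcard would bring back the 20 KB growth this change removes. A brief comment that `e.get("expressions")` covers the list form would also help.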
monkut (Collaborator, Author) commented:

if has_scheduled_events is false, is it necessary to then loop through events.


Successfully merging this pull request may close these issues: API Gateway Resource Policy limits with too many scheduled events

3 participants