fix(secretsmanager): fixed unreliable lambda rotation schedule resour…

…ce creation

packages/@aws-cdk-testing/framework-integ/test/aws-secretsmanager/test/integ.lambda-rotation.js.snapshot/cdk-integ-secret-lambda-rotation.template.json

@@ -144,7 +144,10 @@
     "RotationRules": {
      "AutomaticallyAfterDays": 30
     }
-   }
+   },
+   "DependsOn": [
+    "LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677"
+   ]
   },
   "SecretPolicy06C9821C": {
    "Type": "AWS::SecretsManager::ResourcePolicy",

packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts

@@ -100,7 +100,8 @@ export class RotationSchedule extends Resource {
         );
       }
 
-      props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+      const grant = props.rotationLambda.grantInvoke(new iam.ServicePrincipal('secretsmanager.amazonaws.com'));
+      grant.applyBefore(this);
 
       props.rotationLambda.addToRolePolicy(
         new iam.PolicyStatement({

packages/aws-cdk-lib/aws-secretsmanager/test/rotation-schedule.test.ts

@@ -629,3 +629,25 @@ describe('manual rotations', () => {
     checkRotationNotSet(Duration.millis(0));
   });
 });
+
+test('rotation schedule should have a dependency on lambda permissions', () => {
+  // GIVEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const rotationLambda = new lambda.Function(stack, 'Lambda', {
+    runtime: lambda.Runtime.NODEJS_14_X,
+    code: lambda.Code.fromInline('export.handler = event => event;'),
+    handler: 'index.handler',
+  });
+
+  // WHEN
+  secret.addRotationSchedule('RotationSchedule', {
+    rotationLambda,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResource('AWS::SecretsManager::RotationSchedule', {
+    DependsOn: [
+      'LambdaInvokeN0a2GKfZP0JmDqDEVhhu6A0TUv3NyNbk4YMFKNc69846677',
+    ],
+  });
+});