Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(events-targets): Wrong role used when adding multiple EventBus targets #19407

Closed
gshpychka opened this issue Mar 15, 2022 · 3 comments · Fixed by #20479
Closed

(events-targets): Wrong role used when adding multiple EventBus targets #19407

gshpychka opened this issue Mar 15, 2022 · 3 comments · Fixed by #20479
Assignees
@comcalvi
Labels
@aws-cdk/aws-events-targets bug This issue is a bug. effort/small Small work item – less than a day of effort in-progress This issue is being actively worked on. p1

Comments

@gshpychka
Copy link
Contributor

What is the problem?

When adding an EventBus target to a rule, CDK creates a role that grants PutEvents on the event bus. If we add multiple event buses this way, they will all share a single role that only grant access to the first event bus that we pass.

Reproduction Steps

Consider the following code:

rule = events.Rule(
    self,
    "rule",
    event_pattern=events.EventPattern(
        source=["aws.ecr"],
    ),
)
for i in range(5):
   bus = events.EventBus(self, f"bus-{i}")
   rule.add_target(events_targets.EventBus(bus))

The rule will use a role that only has access to bus-0, and it will use this role for all targets.

What did you expect to happen?

Each target uses a different role with proper access.

What actually happened?

All targets share a role that only grant access to a single target.

CDK CLI Version

2.16

Framework Version

2.16

Node.js Version

17.7.1

OS

MacOS

Language

Typescript, Python

Language Version

No response

Other information

I understand the issue may be here:

aws-cdk/packages/@aws-cdk/aws-events-targets/lib/event-bus.ts

Line 42 in e63a03d

const role = this.props.role ?? singletonEventRole(rule, [this.putEventStatement()]);

@gshpychka gshpychka added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 15, 2022
@gshpychka
Copy link
Contributor Author

gshpychka commented Mar 15, 2022
edited
Loading

Okay, here's the issue:
https://github.com/aws/aws-cdk/blob/e63a03dd2d39502328b0f6baf1ee5529038a4f54/packages/%40aws-cdk/aws-events-targets/lib/util.ts#L74:L84

If the rule already has an eventbus target with an auto-generated role, it just returns it without adding the policy statement.

If I understand this correctly, the if statement should only decide whether to create the role, and should still add the statement even if it exists.

@ryparker ryparker added the p1 label Mar 15, 2022
@gshpychka
Copy link
Contributor Author

Actually, why does the role need to be a singleton at all? Wouldn't using separate roles for each target make more sense?

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 18, 2022
@rix0rrr rix0rrr removed their assignment Mar 18, 2022
@comcalvi comcalvi self-assigned this May 24, 2022
@comcalvi comcalvi added the in-progress This issue is being actively worked on. label May 24, 2022
This was referenced May 24, 2022
Merged
Closed
@mergify mergify bot closed this as completed in #20479 Jun 1, 2022
mergify bot pushed a commit that referenced this issue Jun 1, 2022
@comcalvi
fix(events-targets): EventBus IAM statements are only added for the f…
74318c7 
…irst target (#20479)

If the `EventBus` constructor is called with no arguments, then attaching more than a single target to its policy will silently fail to add them. This is because of a strange edge case in the implementation that was not accounted for previously; it is possible for `props.role` to be `undefined`, yet `singletonEventRole()` is still capable of finding the desired role. `singletonEventRole()` does not add the new statements to any IAM policies that it finds, so as a result adding multiple targets does not add any of them.

Fixes #19407.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Jun 1, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@comcalvi comcalvi

Labels
@aws-cdk/aws-events-targets bug This issue is a bug. effort/small Small work item – less than a day of effort in-progress This issue is being actively worked on. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(events-targets): EventBus IAM statements are only added for the first target comcalvi/aws-cdk
4 participants
@rix0rrr @ryparker @gshpychka @comcalvi