fix(aws-events): restrict eventbus statementId to 64 characters (#22296)

Fixes #22120, #21808. Current setup does not allow deployment of the EventBus support stack due to StatementId being larger than 64 characters. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 29, 2022 · fadbfc1 · fadbfc1
1 parent e06d2e6
commit fadbfc1
Show file tree

Hide file tree

Showing 16 changed files with 1,790 additions and 3 deletions.
diff --git a/packages/@aws-cdk/aws-events/lib/rule.ts b/packages/@aws-cdk/aws-events/lib/rule.ts
@@ -368,9 +368,12 @@ export class Rule extends Resource implements IRule {
           // Leaving it in for backwards compatibility.
           stackName: `${targetStack.stackName}-EventBusPolicy-support-${targetRegion}-${sourceAccount}`,
         });
+        const statementPrefix = `Allow-account-${sourceAccount}-`;
         new CfnEventBusPolicy(eventBusPolicyStack, 'GivePermToOtherAccount', {
           action: 'events:PutEvents',
-          statementId: `Allow-account-${sourceAccount}-${this.node.addr}`,
+          statementId: statementPrefix + Names.uniqueResourceName(this, {
+            maxLength: 64 - statementPrefix.length,
+          }),
           principal: sourceAccount,
         });
       }

diff --git a/...account-rule.integ.snapshot/CrossAccountDeployDefaultTestDeployAssertB5328BEF.assets.json b/...account-rule.integ.snapshot/CrossAccountDeployDefaultTestDeployAssertB5328BEF.assets.json
@@ -0,0 +1,32 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "2a53dc40a7dae81c8850e125ab49e5f55d80b7b8ceac86976f2a4119393cab72": {
+      "source": {
+        "path": "asset.2a53dc40a7dae81c8850e125ab49e5f55d80b7b8ceac86976f2a4119393cab72.bundle",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "2a53dc40a7dae81c8850e125ab49e5f55d80b7b8ceac86976f2a4119393cab72.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "06c797cad62334a220096d2292d9e1028ba01ed3582f081c5ddee52bc7e0c494": {
+      "source": {
+        "path": "CrossAccountDeployDefaultTestDeployAssertB5328BEF.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "06c797cad62334a220096d2292d9e1028ba01ed3582f081c5ddee52bc7e0c494.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...count-rule.integ.snapshot/CrossAccountDeployDefaultTestDeployAssertB5328BEF.template.json b/...count-rule.integ.snapshot/CrossAccountDeployDefaultTestDeployAssertB5328BEF.template.json
@@ -0,0 +1,156 @@
+{
+ "Resources": {
+  "AwsApiCallEventBridgedescribeEventBus": {
+   "Type": "Custom::DeployAssert@SdkCallEventBridgedescribeEventBus",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "service": "EventBridge",
+    "api": "describeEventBus",
+    "flattenResponse": "true",
+    "salt": "1666817700798"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "AwsApiCallEventBridgedescribeEventBusAssertEqualsEventBridgedescribeEventBusB063C036": {
+   "Type": "Custom::DeployAssert@AssertEquals",
+   "Properties": {
+    "ServiceToken": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F",
+      "Arn"
+     ]
+    },
+    "actual": {
+     "Fn::GetAtt": [
+      "AwsApiCallEventBridgedescribeEventBus",
+      "apiCallResponse.Policy"
+     ]
+    },
+    "expected": "{\"$ObjectLike\":{\"Statement\":{\"$ArrayWith\":[{\"$ObjectLike\":{\"Sid\":{\"$StringLike\":\"Allow-account-987654321\"},\"Principal\":{\"AWS\":\"arn:aws:iam::987654321:root\"},\"Resource\":{\"$StringLike\":\"arn:aws:events:us-east-1:12345678\"}}}]}}}",
+    "salt": "1666817700798"
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Version": "2012-10-17",
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ]
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+     }
+    ],
+    "Policies": [
+     {
+      "PolicyName": "Inline",
+      "PolicyDocument": {
+       "Version": "2012-10-17",
+       "Statement": [
+        {
+         "Action": [
+          "eventbridge:DescribeEventBus"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        },
+        {
+         "Action": [
+          "events:DescribeEventBus"
+         ],
+         "Effect": "Allow",
+         "Resource": [
+          "*"
+         ]
+        }
+       ]
+      }
+     }
+    ]
+   }
+  },
+  "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Runtime": "nodejs14.x",
+    "Code": {
+     "S3Bucket": {
+      "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
+     },
+     "S3Key": "2a53dc40a7dae81c8850e125ab49e5f55d80b7b8ceac86976f2a4119393cab72.zip"
+    },
+    "Timeout": 120,
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "SingletonFunction1488541a7b23466481b69b4408076b81Role37ABCE73",
+      "Arn"
+     ]
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "AssertionResultsAssertEqualsEventBridgedescribeEventBusfd3cf7d971587606ecf8442a4cb30f1b": {
+   "Value": {
+    "Fn::GetAtt": [
+     "AwsApiCallEventBridgedescribeEventBusAssertEqualsEventBridgedescribeEventBusB063C036",
+     "data"
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...oss-account-rule.integ.snapshot/EventBusPolicy-987654321-test-region-12345678.assets.json b/...oss-account-rule.integ.snapshot/EventBusPolicy-987654321-test-region-12345678.assets.json
@@ -0,0 +1,20 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "462c696e4c93ec0e97ebd5917666e8ded21f0a81055e38f6683a27853ca79fd4": {
+      "source": {
+        "path": "EventBusPolicy-987654321-test-region-12345678.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "12345678-test-region": {
+          "bucketName": "cdk-hnb659fds-assets-12345678-test-region",
+          "objectKey": "462c696e4c93ec0e97ebd5917666e8ded21f0a81055e38f6683a27853ca79fd4.json",
+          "region": "test-region",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::12345678:role/cdk-hnb659fds-file-publishing-role-12345678-test-region"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...s-account-rule.integ.snapshot/EventBusPolicy-987654321-test-region-12345678.template.json b/...s-account-rule.integ.snapshot/EventBusPolicy-987654321-test-region-12345678.template.json
@@ -0,0 +1,46 @@
+{
+ "Resources": {
+  "GivePermToOtherAccount": {
+   "Type": "AWS::Events::EventBusPolicy",
+   "Properties": {
+    "StatementId": "Allow-account-987654321-FromCrossAccountRuleStackMyRule68A189ED",
+    "Action": "events:PutEvents",
+    "Principal": "987654321"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...k/aws-events/test/cross-account-rule.integ.snapshot/FromCrossAccountRuleStack.assets.json b/...k/aws-events/test/cross-account-rule.integ.snapshot/FromCrossAccountRuleStack.assets.json
@@ -0,0 +1,20 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "c6101587e135a4563e666bf1dd45e671ba4c4bc60130f3b8167502cbc174aa70": {
+      "source": {
+        "path": "FromCrossAccountRuleStack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "987654321-test-region": {
+          "bucketName": "cdk-hnb659fds-assets-987654321-test-region",
+          "objectKey": "c6101587e135a4563e666bf1dd45e671ba4c4bc60130f3b8167502cbc174aa70.json",
+          "region": "test-region",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::987654321:role/cdk-hnb659fds-file-publishing-role-987654321-test-region"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
diff --git a/...aws-events/test/cross-account-rule.integ.snapshot/FromCrossAccountRuleStack.template.json b/...aws-events/test/cross-account-rule.integ.snapshot/FromCrossAccountRuleStack.template.json
@@ -0,0 +1,74 @@
+{
+ "Resources": {
+  "MyRuleA44AB831": {
+   "Type": "AWS::Events::Rule",
+   "Properties": {
+    "EventPattern": {
+     "detail": {
+      "foo": [
+       "bar"
+      ]
+     },
+     "detail-type": [
+      "cdk-integ-custom-rule"
+     ],
+     "source": [
+      "cdk-integ"
+     ]
+    },
+    "State": "ENABLED",
+    "Targets": [
+     {
+      "Arn": {
+       "Fn::Join": [
+        "",
+        [
+         "arn:",
+         {
+          "Ref": "AWS::Partition"
+         },
+         ":events:test-region:12345678:event-bus/default"
+        ]
+       ]
+      },
+      "Id": "SQS"
+     }
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}
diff --git a/...cdk/aws-events/test/cross-account-rule.integ.snapshot/ToCrossAccountRuleStack.assets.json b/...cdk/aws-events/test/cross-account-rule.integ.snapshot/ToCrossAccountRuleStack.assets.json
@@ -0,0 +1,20 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "0d750187c0e1bc77f1edfc3af57e55036907d6dfaef463a7acfdc0c42325a18c": {
+      "source": {
+        "path": "ToCrossAccountRuleStack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "12345678-test-region": {
+          "bucketName": "cdk-hnb659fds-assets-12345678-test-region",
+          "objectKey": "0d750187c0e1bc77f1edfc3af57e55036907d6dfaef463a7acfdc0c42325a18c.json",
+          "region": "test-region",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::12345678:role/cdk-hnb659fds-file-publishing-role-12345678-test-region"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}