fix(aws-events): restrict eventbus statementId to 64 characters

[sennyeya]

Fixes #22120, #21808.

Current setup does not allow deployment of the EventBus support stack due to StatementId being larger than 64 characters.

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ The title of this pull request does not follow the Conventional Commits format, see https://www.conventionalcommits.org/.

PRs must pass status checks before we can provide a meaningful review.

Pull Request updated. Dissmissing previous PRLinter Review.

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

Pull Request updated. Dissmissing previous PRLinter Review.

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

Pull Request updated. Dissmissing previous PRLinter Review.

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

Pull Request updated. Dissmissing previous PRLinter Review.

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

Pull request has been modified.

[aws-cdk-automation]

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

[TheRealAmazonKendra]

Please see inline comment. Also, per PR Linter, we need integ tests.

[TheRealAmazonKendra]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[sennyeya]

Please see inline comment. Also, per PR Linter, we need integ tests.

Just wanting to verify, what would the integ tests be testing? I have no experience in the EventBridge space.

[TheRealAmazonKendra]

Please see inline comment. Also, per PR Linter, we need integ tests.

Just wanting to verify, what would the integ tests be testing? I have no experience in the EventBridge space.

Basically, this never could have deployed. We need a test that includes this functionality to prove that the deployment succeeds. This one is tricky because it requires cross account tests so rather than a fully functional test, we'd need steps taken to manually verify the test. As an example of this, see @corymhall's integ test here: https://github.com/aws/aws-cdk/pull/22122/files#diff-106ed5ff6c61e370348bf17a02cb29ccc3d438c6af02ef2f70453cd3e73a237e

[sennyeya]

@TheRealAmazonKendra Just following up on this, I managed to setup an integ test that does what I want it to do but it's failing at

eventVerification.assertAtPath('Policy.Statement.0.Sid', ExpectedResult.stringLikeRegexp( 'Allow-account-'));

with the error message:

CustomResource attribute error: Vendor response doesn't contain apiCallResponse.Policy.Statement.0.Sid key in object arn:aws:cloudformation:us-east-1:ACCOUNT:stack/CrossAccountDeployDefaultTestDeployAssertB5328BEF/72124930-4f37-11ed-8394-0ec240785f9f|AwsApiCallEventBridgedescribeEventBus|1062e942-73a5-450d-93f4-ac0dddadd57d in S3 bucket cloudformation-custom-resource-storage-useast1

Even though the logs show:

"Status": "SUCCESS",
    "Reason": "OK",
    "PhysicalResourceId": "AwsApiCallEventBridgedescribeEventBus",
    "StackId": "arn:aws:cloudformation:us-east-1:ACCOUNT:stack/CrossAccountDeployDefaultTestDeployAssertB5328BEF/72124930-4f37-11ed-8394-0ec240785f9f",
    "RequestId": "7de3f5fe-fec8-4253-80b3-a6706fa0f3f3",
    "LogicalResourceId": "AwsApiCallEventBridgedescribeEventBus",
    "NoEcho": false,
    "Data": {
        "apiCallResponse.Name": "default",
        "apiCallResponse.Arn": "arn:aws:events:us-east-1:546328076441:event-bus/default",
        "apiCallResponse.Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Allow-account-SECOND_ACCOUNT-FromCrossAccouuleStackMyRule68A189ED\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::SECOND_ACCOUNT:root\"},\"Action\":\"events:PutEvents\",\"Resource\":\"arn:aws:events:us-east-1:ACCOUNT:event-bus/default\"}]}"
    }

Any ideas on what's causing the error message? I think the JSON notation (Policy.Statement.0.Sid) is correct?

[TheRealAmazonKendra]

@TheRealAmazonKendra Just following up on this, I managed to setup an integ test that does what I want it to do but it's failing at

eventVerification.assertAtPath('Policy.Statement.0.Sid', ExpectedResult.stringLikeRegexp( 'Allow-account-'));

with the error message:

CustomResource attribute error: Vendor response doesn't contain apiCallResponse.Policy.Statement.0.Sid key in object arn:aws:cloudformation:us-east-1:ACCOUNT:stack/CrossAccountDeployDefaultTestDeployAssertB5328BEF/72124930-4f37-11ed-8394-0ec240785f9f|AwsApiCallEventBridgedescribeEventBus|1062e942-73a5-450d-93f4-ac0dddadd57d in S3 bucket cloudformation-custom-resource-storage-useast1

Even though the logs show:

"Status": "SUCCESS",
    "Reason": "OK",
    "PhysicalResourceId": "AwsApiCallEventBridgedescribeEventBus",
    "StackId": "arn:aws:cloudformation:us-east-1:ACCOUNT:stack/CrossAccountDeployDefaultTestDeployAssertB5328BEF/72124930-4f37-11ed-8394-0ec240785f9f",
    "RequestId": "7de3f5fe-fec8-4253-80b3-a6706fa0f3f3",
    "LogicalResourceId": "AwsApiCallEventBridgedescribeEventBus",
    "NoEcho": false,
    "Data": {
        "apiCallResponse.Name": "default",
        "apiCallResponse.Arn": "arn:aws:events:us-east-1:546328076441:event-bus/default",
        "apiCallResponse.Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Allow-account-SECOND_ACCOUNT-FromCrossAccouuleStackMyRule68A189ED\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::SECOND_ACCOUNT:root\"},\"Action\":\"events:PutEvents\",\"Resource\":\"arn:aws:events:us-east-1:ACCOUNT:event-bus/default\"}]}"
    }

Any ideas on what's causing the error message? I think the JSON notation (Policy.Statement.0.Sid) is correct?

It's been flattened as a string. You'd want to look for

eventVerification.assertAtPath('Policy', ExpectedResult.stringLikeRegexp( 'Allow-account-'));

I think you could also just do

eventVerification.expect(ExpectedResult.objectLike({
  Policy: {
    Version: '2021-10-17',
    Statement: [
      {
        Sid: Match.stringLikeRegexp('Allow-acount-'),
        Effect: 'Allow',
        Principal: {
          AWS: Match.stringLikeRegexp('arn:aws;iam::')
        },
        Action: 'events:PutEvents',
        Resource: Match.stringLikeRegexp('arn:aws:events:us-east-1:')
      }
    ]
  }
}

This may not be precisely correct because I may have misplaces a comma or not gotten the json quite right, but this general format should get you there.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[TheRealAmazonKendra]

@Mergifyio update

[mergify]

update

❌ Base branch update has failed

refusing to allow a GitHub App to create or update workflow .github/workflows/auto-approve.yml without workflows permission
err-code: D93E6

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: f4c56e2
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).