sns_subscriptions: Breaking change from issue 19796 where an exception was added for code that works #26719
Comments
MurraySpeight
added
bug
|
Thanks for reporting this @MurraySpeight, It appears to me that the AWS managed key for SQS has the proper permissions. Here's the policy for the one in my console (since I can't find the docs for this): {
"Version": "2012-10-17",
"Id": "auto-sqs-1",
"Statement": [
{
"Sid": "Allow access through Simple Queue Service (SQS) for all principals in the account that are authorized to use SQS",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "123456789012",
"kms:ViaService": "sqs.us-east-1.amazonaws.com"
}
}
},
{
"Sid": "Allow direct access to key metadata to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*",
"kms:RevokeGrant"
],
"Resource": "*"
}
]
} |
peterwoodworth
added
p0
effort/small
|
Have you verified that this setup actually works, or just that it deploys? I can get it to deploy, but I'm not sure if the redrive functionality will work (I'm not sure exactly how to force that to occur to test). I see this warning in the console on my subscription 
|
peterwoodworth
added
the
response-requested
|
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
the
closing-soon
|
Hi @peterwoodworth, yes this deploys and works as expected. My SQS queue is subscribed to the topic and is receiving events. The DLQ redrive functionality also works and I do not get the message in the console you see - but DLQs aren't relevant to this problem because the exception occurs with just an SQS trying to subscribe to a topic without DLQs configured. |
github-actions
bot
removed
closing-soon
|
We also see the same issue after upgrading to 2.89.0 import sns = require('aws-cdk-lib/aws-sns');
import sqs = require('aws-cdk-lib/aws-sqs');
// ...
const failureQueue = new sqs.Queue(this, failureQueueName, {
queueName: failureQueueName,
encryption: sqs.QueueEncryption.KMS_MANAGED,
retentionPeriod: Duration.days(14),
visibilityTimeout: Duration.seconds(60),
});
failureTopic.addSubscription(
new SqsSubscription(failureQueue, {
rawMessageDelivery: true,
})
);FYI: Before the upgrade, the SQS queue was deployed successfully with SSE enabled using SSE-KMS (with master key |
Hey @MurraySpeight Thanks for providing the example! When I deploy your code, it does work. However the queue is actually encrypted with a customer managed key. 
This is because we silently do this check at the moment: if (encryption !== QueueEncryption.KMS && props.encryptionMasterKey) {
encryption = QueueEncryption.KMS; // KMS is implied by specifying an encryption key
}Can you please confirm for me:
Basically I think being able to specify
Hi @lixx Thanks for providing these details. I cannot get your example to work. |
@peterwoodworth I think the policy is maybe missing permissions for Edit: It tested various policies, and it's the |
mrgrain
added
the
response-requested
|
@lixx I did some more resource (see post above) and I don't believe this does work. The code snippet you've provided does synth and deploy, but the subscription does not actually work. If you can provide me with more details, I'm happy to investigate further. Until then, I am assuming you've run into a similar situation as @MurraySpeight and will consider the issue fixed with the change in #26884 |
github-actions
bot
removed
the
response-requested
|
@mrgrain the queues are encrypted with a customer managed key as I believe this is the only way to encrypt when subscribing to a cross-account SNS topic. I have made your suggested change of changing the So my understanding of this issue from your above description is I was incorrectly configuring the queue but pre-v2.89 CDK was silently fixing my mistake by overriding to the I think a warning here would be massively helpful e.g. Thanks for your help resolving this! |
…vided (#26886) In #19796 we added additional validation to sns subscription. For that purpose the Queue `encryptionType` was exposed as a public property. However the PR forgot to take into account that the provided `encryption` property is automatically changed when a `encryptionMasterKey` is provided. This PR ensures that the public `encryptionType` has the correct value. Additionally, adds a warning for an incorrect configuration scenario where `encryptionMasterKey` is provided together with an `encryption` other than QueueEncryption.KMS. This feature was supposed to allow users to simply provide an encryption key and have the encryption type being selected automatically. However it now unintentionally allows for wrong configurations that are silently fixed, e.g. setting QueueEncryption.UNENCRYPTED and providing an encryption key. The warning keeps backwards compatibility, but instructs users to fix their configuration. Closes #26719 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
Merging of change from issue #19796 has caused a breaking change in my CDK project. Creating new issue to create attention to the problem and quoting comment I put on the closed issue below:
@NGL321 @bmoffatt it looks like this change is preventing my originally working CDK on v2.88 to no longer synth on v2.89.
I am currently using an SSE enabled queue subscribed to a topic and with the necessary IAM privileges mentioned here https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse the CDK was synthing and deploying in CloudFormation without issue. Now that I have upgraded CDK, the code is refusing to synth with this new exception!
Here is what the code I am using looks like:
Expected Behavior
Calling
addSubscriptionmethod on a topic with a subscription to an SSE SQS queue using a customer key to work without exception.Current Behavior
SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscriptionexception message thrown when callingaddSubscriptionmethod on a topic with a subscription to an SSE SQS queue using a customer key.Reproduction Steps
Code in main description. Specifically:
Possible Solution
Back out change made on issue #19796
Additional Information/Context
No response
CDK CLI Version
2.89
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Typescript
Language Version
No response
Other information
CDK versions before 2.89 do not have this issue.
The text was updated successfully, but these errors were encountered: