aws-sns-subscriptions: Adding SqsSubscription on SNS topic does not create correct queue policy for SQS when SNS topic is present in opt-in AWS regions #32526
Comments
rahuldeverani
added
bug
github-actions
bot
added
the
@aws-cdk/aws-sns
|
This should be fairly easy to handle using |
|
I started with the integration test for the PR to confirm the issue, and I do the following error when attempting to post a message across a default and an opt-in version: |
|
Reproducible using code below: Topic had been manually created in Opt-in Running Resources:
queue276F7297:
Type: AWS::SQS::Queue
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: CdktestStackNew/queue/Resource
queuePolicy89DB7105:
Type: AWS::SQS::QueuePolicy
Properties:
PolicyDocument:
Statement:
- Action: sqs:SendMessage
Condition:
ArnEquals:
aws:SourceArn: arn:aws:sns:ap-southeast-4:<<ACCOUNT-ID>>:TestOptInTopic
Effect: Allow
Principal:
Service: sns.amazonaws.com
Resource:
Fn::GetAtt:
- queue276F7297
- Arn
Version: "2012-10-17"
Queues:
- Ref: queue276F7297
Metadata:
aws:cdk:path: CdktestStackNew/queue/Policy/Resource
queueCdktestStackNewTopic1B7F5337F1CEB735:
Type: AWS::SNS::Subscription
Properties:
Endpoint:
Fn::GetAtt:
- queue276F7297
- Arn
Protocol: sqs
RawMessageDelivery: true
Region: ap-southeast-4
TopicArn: arn:aws:sns:ap-southeast-4:<<ACCOUNT-ID>>:TestOptInTopic
DependsOn:
- queuePolicy89DB7105
Metadata:
aws:cdk:path: CdktestStackNew/queue/CdktestStackNewTopic1B7F5337/Resource
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/1WKwQ6CMBBEv4V7WaEx0bP+gIJ3U8qaLGAL3VZimv67wSYmXmbmzYyE+iChKtTKpe7HcqIOYuuVHoVa+R55YYjXgAHF+WFy+OrFTqTfvzJjEmwYYhs61o5mT9Zsjz++2Zn0STGmtG0Nsg1OYxLG9ggD7171EWQF+2JgotIF4+mJ0GT/AO+S86CwAAAA
Metadata:
aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
BootstrapVersion:
Type: AWS::SSM::Parameter::Value<String>
Default: /cdk-bootstrap/hnb659fds/version
Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]The service principal of the generated policy document is |
ashishdhingra
added
p2
investigating
|
#32542 addresses this issue for both |
Describe the bug
When adding sqs subscription on SNS topic where the SNS topic is cross region and is present in opt-in AWS regions , then the queue policy attached to SQS queue is not correct.
The policy generated for sqs queue is like:
Here the Service in principal should be sns.opt-in-region.amazonaws.com instead of sns.amazonaws.com . Check this for more details: https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
The queue policy should have the right principal as: sns.opt-in-region.amazonaws.com
Current Behavior
currently , when the sns topic is in opt-in AWS region, then also the sqs queue policy has principal as sns.amazonaws.com.
Reproduction Steps
Possible Solution
In case if the SNS topic is present in opt-in regions, queue policy can be changed to add the opt-in region in the principal of sqs queue policy.
We have a workaround where we can explicitly add queue policy, but it would be better if CDK could handle this case as well.
Additional Information/Context
Seems like this is coming from here: https://github.com/aws/aws-cdk/blob/bf026bdd8557305d427510af49f1bc538d439cb6/packages/aws-cdk-lib/aws-sns-subscriptions/lib/sqs.ts#L39C11-L39C30
CDK CLI Version
2.173.0
Framework Version
No response
Node.js Version
v23.1.0
OS
MacOs
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: