Description
Describe the bug
Merging the change from issue #19796 has caused a breaking change in my CDK project. I am creating a new issue to draw attention to the problem and quoting the comment I left on the closed issue below:
@NGL321 @bmoffatt it looks like this change is causing my CDK project, which worked on v2.88, to no longer synth on v2.89.
I am currently using an SSE-enabled queue subscribed to a topic, with the necessary IAM permissions described here: https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse. The CDK was synthing and deploying in CloudFormation without issue. Now that I have upgraded CDK, the code refuses to synth with this new exception!
Here is what the code I am using looks like:
import { RemovalPolicy } from "aws-cdk-lib";
import { Queue, QueueEncryption } from "aws-cdk-lib/aws-sqs";
import { Construct } from "constructs";
import { Topic } from "aws-cdk-lib/aws-sns";
import { SqsSubscription } from "aws-cdk-lib/aws-sns-subscriptions";
import { Key } from "aws-cdk-lib/aws-kms";
import { Effect, PolicyStatement, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { StageProps } from "@ros-aws-coop/shared-constructs";

interface SubscriptionQueueProps {
  stageName: string;
}

export class SubscriptionQueue extends Construct {
  public readonly dlq: Queue;
  public readonly subDlq: Queue;
  public readonly queue: Queue;

  constructor(
    scope: Construct,
    id: string,
    props: StageProps<SubscriptionQueueProps>
  ) {
    super(scope, id);

    // Customer-managed KMS key, referenced through a per-stage alias.
    const key = new Key(this, "Key");
    const keyAlias = key.addAlias(`my-sqs-${props.stageName}`);
    keyAlias.applyRemovalPolicy(RemovalPolicy.DESTROY);

    // All three queues are SSE-enabled with the same customer key and require TLS.
    // The encryption enum value is as written in the original report.
    this.dlq = new Queue(scope, "SqsDlq", {
      encryption: QueueEncryption.KMS_MANAGED,
      encryptionMasterKey: keyAlias,
      enforceSSL: true
    });
    this.subDlq = new Queue(scope, "SubDlq", {
      encryption: QueueEncryption.KMS_MANAGED,
      encryptionMasterKey: keyAlias,
      enforceSSL: true
    });
    this.queue = new Queue(scope, "Queue", {
      encryption: QueueEncryption.KMS_MANAGED,
      encryptionMasterKey: keyAlias,
      enforceSSL: true,
      deadLetterQueue: {
        queue: this.dlq,
        maxReceiveCount: 1
      }
    });

    // The topic lives in another account; the subscription is created from this stack.
    const someTopic = Topic.fromTopicArn(
      this,
      "TopicInAnotherAccount",
      "arn:aws:sns:us-east-1:12345678910:topicinanotheraccount"
    );

    // On v2.89 this call throws
    // "SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscription".
    someTopic.addSubscription(
      new SqsSubscription(this.queue, {
        rawMessageDelivery: true,
        deadLetterQueue: this.subDlq
      })
    );

    // Allow the SNS service principal to use the key when writing into the queue
    // (the permissions from the SNS SSE docs linked above).
    keyAlias.addToResourcePolicy(
      new PolicyStatement({
        sid: "sns-allow",
        effect: Effect.ALLOW,
        resources: [someTopic.topicArn],
        principals: [new ServicePrincipal("sns")],
        actions: ["kms:Decrypt", "kms:GenerateDataKey"]
      })
    );
  }
}

Expected Behavior
Calling the addSubscription method on a topic with a subscription to an SSE-enabled SQS queue that uses a customer key should work without an exception.
Current Behavior
The exception "SQS queue encrypted by AWS managed KMS key cannot be used as SNS subscription" is thrown when calling the addSubscription method on a topic with a subscription to an SSE-enabled SQS queue that uses a customer key.
Reproduction Steps
Code in main description. Specifically:
  someTopic.addSubscription(
    new SqsSubscription(this.queue, {
      rawMessageDelivery: true,
      deadLetterQueue: this.subDlq
    })
  );
Possible Solution
Back out the change made for issue #19796.
Additional Information/Context
No response
CDK CLI Version
2.89
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Typescript
Language Version
No response
Other information
CDK versions before 2.89 do not have this issue.
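Added example, not part of the original report and not code from aws-cdk-lib: the report relies on the key-policy permissions described in the linked SNS SSE docs (the SNS service principal allowed kms:GenerateDataKey* and kms:Decrypt on the queue's key). The checker below takes a rendered KMS key policy document and verifies that condition, handling the string-or-list forms of Principal/Action, IAM action wildcards such as "kms:GenerateDataKey*", and explicit Deny statements, which override an Allow. It compares against the rendered principal "sns.amazonaws.com", which is what CDK emits for `new ServicePrincipal("sns")`. Statement Conditions are not evaluated (a conditioned Allow counts as granted). It also warns when a statement's Resource is something other than "*", following the KMS key-policy convention that the Resource element is "*" (meaning "this key"); the third constructed sample mirrors the report's statement, which sets the Resource to the topic ARN. All three sample policies are constructed for this example.

```typescript
// Added example: verify that a KMS key policy lets SNS deliver to an SSE queue.
// Not from the original issue or from aws-cdk-lib; sample policies are constructed.

type StringOrList = string | string[];

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { Service?: StringOrList; AWS?: StringOrList } | "*";
  Action: StringOrList;
  Resource?: StringOrList;
  Condition?: Record<string, unknown>; // not evaluated by this checker
}

interface KeyPolicy {
  Version: string;
  Statement: Statement[];
}

const SNS_PRINCIPAL = "sns.amazonaws.com";
// Actions SNS needs on the queue's key, per the SNS SSE permissions docs.
const REQUIRED_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"];

function asList(v: StringOrList | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// IAM action matching: case-insensitive, '*' is a wildcard ("kms:GenerateDataKey*", "kms:*").
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp("^" + pattern.toLowerCase().split("*").map(escapeRe).join(".*") + "$");
  return re.test(action.toLowerCase());
}

// Does the statement name the SNS service principal (or everyone)?
function namesSns(stmt: Statement): boolean {
  if (stmt.Principal === "*") return true;
  if (!stmt.Principal) return false;
  return asList(stmt.Principal.Service).some(p => p.toLowerCase() === SNS_PRINCIPAL);
}

interface CheckResult { ok: boolean; missing: string[]; warnings: string[] }

function checkSnsKeyAccess(policy: KeyPolicy): CheckResult {
  const allowed = new Set<string>();
  const denied = new Set<string>();
  const warnings: string[] = [];

  for (const stmt of policy.Statement) {
    if (!namesSns(stmt)) continue;
    // Key-policy convention: Resource is "*" (this key). Anything else is suspicious.
    const resources = asList(stmt.Resource);
    if (resources.length > 0 && !resources.includes("*")) {
      warnings.push(`${stmt.Sid ?? "<no sid>"}: Resource should be "*" in a key policy, got ${resources.join(",")}`);
    }
    for (const required of REQUIRED_ACTIONS) {
      if (asList(stmt.Action).some(a => actionMatches(a, required))) {
        (stmt.Effect === "Deny" ? denied : allowed).add(required);
      }
    }
  }
  // An explicit Deny wins over any Allow.
  const missing = REQUIRED_ACTIONS.filter(a => !allowed.has(a) || denied.has(a));
  return { ok: missing.length === 0, missing, warnings };
}

// Constructed sample: the statement shape from the SNS SSE docs.
const docsShapedPolicy: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "Enable IAM User Permissions", Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "kms:*", Resource: "*" },
    { Sid: "Allow Amazon SNS to use this key", Effect: "Allow",
      Principal: { Service: "sns.amazonaws.com" },
      Action: ["kms:GenerateDataKey*", "kms:Decrypt"], Resource: "*" },
  ],
};

// Constructed sample: Decrypt only, so SNS cannot generate a data key for the message.
const decryptOnlyPolicy: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "sns-allow", Effect: "Allow", Principal: { Service: "sns.amazonaws.com" },
      Action: "kms:Decrypt", Resource: "*" },
  ],
};

// Constructed sample mirroring the report's statement: right actions, Resource set to a topic ARN.
const topicArnResourcePolicy: KeyPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "sns-allow", Effect: "Allow", Principal: { Service: "sns.amazonaws.com" },
      Action: ["kms:Decrypt", "kms:GenerateDataKey"],
      Resource: "arn:aws:sns:us-east-1:12345678910:topicinanotheraccount" },
  ],
};

console.log(checkSnsKeyAccess(docsShapedPolicy));       // ok: true, no warnings
console.log(checkSnsKeyAccess(decryptOnlyPolicy));      // ok: false, missing kms:GenerateDataKey
console.log(checkSnsKeyAccess(topicArnResourcePolicy)); // ok: true, one Resource warning
```

Run it against the `Statement` list of the key policy in the synthesized template (the AWS::KMS::Key resource's KeyPolicy) to confirm the grant SNS needs is actually present before chasing the subscription error.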