(events): CDK tries to create event bus rules that already exist #12479

@mazayan

I have a cdk project that creates a codepipeline resource in account B but has a source action to reference CodeCommit in account A. I have been able to successfully deploy this pipeline. However, when I go to create a different CDK project with a different codepipeline resource in account B, referencing a different repository in account A, I receive an error with the EventBusPolicy. CDK is not recognizing that I already have an EventBusPolicy stack deployed in account B. I tried to just deploy my Code & Pipeline stack but it auto deploys the EventBusPolicy stack.

Account 1111111111 contains the code in CodeCommit (Account A)
Account 22222222 contains the CodePipeline resource (Account B)

npx cdk deploy --context ENV=beta networking-CodeStack-beta

Including dependency stacks: EventBusPolicy-22222222-us-east-1-1111111111EventBusPolicy-22222222-us-east-1-1111111111 (networking-PipelineStack-beta-EventBusPolicy-support-us-east-1-22222222) 
🚀  Using profile central-beta for account 1111111111 in mode ForReading


EventBusPolicy-22222222-us-east-1-1111111111 (networking-PipelineStack-beta-EventBusPolicy-support-us-east-1-22222222): deploying...


 🚀  Using profile central-beta for account 1111111111 in mode ForWriting


[0%] start: Publishing b0abee557362fdfca631d3aa69f57c993fad1fc23d7d40b5187b0beaea38e5a7:1111111111-us-east-1
[100%] success: Published b0abee557362fdfca631d3aa69f57c993fad1fc23d7d40b5187b0beaea38e5a7:1111111111-us-east-1
networking-PipelineStack-beta-EventBusPolicy-support-us-east-1-22222222: creating CloudFormation changeset...
4:25:14 PM | CREATE_FAILED        | AWS::Events::EventBusPolicy | GivePermToOtherAccount
Allow-account-22222222 already exists in stack arn:aws:cloudformation:us-east-1:1111111111:stack/TemplatePipelineStack-EventBusPolicy-suppo
rt-us-east-1-22222222/66225df0-3afc-11eb-a431-0ed670f6c675

        Rule.addTarget (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-events/lib/rule.ts:246:11)
        \_ Import.onEvent (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codecommit/lib/repository.ts:148:10)
        \_ Import.onStateChange (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codecommit/lib/repository.ts:157:23)
        \_ Import.onReferenceUpdated (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codecommit/lib/repository.ts:179:23)
        \_ Import.onCommit (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codecommit/lib/repository.ts:225:23)
        \_ CodeCommitSourceAction.bound (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
:134:29)
        \_ CodeCommitSourceAction.bind (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline-actions/lib/action.ts:59:17)
        \_ RichAction.bind (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/private/rich-action.ts:26:24)
        \_ Pipeline._attachActionToPipeline (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:409:37)
        \_ Stage.attachActionToPipeline (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:141:27)
        \_ Stage.addAction (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:91:29)
        \_ new Stage (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/private/stage.ts:38:12)
        \_ Pipeline.addStage (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:332:19)
        \_ new Pipeline (/Users/user/Desktop/networking/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:316:12)
        \_ new PipelineStack (/Users/user/Desktop/networking/lib/pipeline/PipelineStack.ts:182:26)
        \_ Object.<anonymous> (/Users/user/Desktop/networking/bin/cdk.ts:26:1)
        \_ Module._compile (internal/modules/cjs/loader.js:1137:30)
        \_ Module.m._compile (/Users/user/Desktop/networking/node_modules/ts-node/src/index.ts:1056:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1157:10)

Reproduction Steps

Stripped out some code to show only what is relevant

CodeStack:

export class CodeStack extends Stack {
  stageConfig: IStageConfig;
  public readonly repository: codecommit.IRepository;

  constructor(scope: Construct, id: string, props: ICodeStackProps) {
    super(scope, id, props);
    this.stageConfig = props.stageConfig;
    const env = this.node.tryGetContext('ENV');

    this.repository = codecommit.Repository.fromRepositoryArn(
      this,
      'AppRepository',
      `arn:aws:codecommit:${this.region}:${this.account}:${this.stageConfig.repoName}`
    );
  }
}

PipelineStack:

interface IPipelineProps extends StackProps {
  stageConfig: IStageConfig;
  readonly repository: codecommit.IRepository;
}

export class PipelineStack extends Stack {
  stageConfig: IStageConfig;

  constructor(scope: Construct, id: string, props: IPipelineProps) {
    super(scope, id, props);
    this.stageConfig = props.stageConfig;
    const env = this.node.tryGetContext('ENV');
    var branchName = env;
    const sourceArtifact = new codepipeline.Artifact();
    const testedOutput = new codepipeline.Artifact();
    const cloudAssemblyArtifact = new codepipeline.Artifact();

    const codebuildpro = new codebuild.PipelineProject(this, 'CodeBuildPro', {
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_3_0,
        computeType: codebuild.ComputeType.SMALL,
        privileged: false
      },
      buildSpec: codebuild.BuildSpec.fromSourceFilename('buildspec.yml'),
      role: codebuildRole
    });

    const codePipeline = new codepipeline.Pipeline(this, 'CodePipeline', {
      pipelineName: this.stageConfig.repoName,
      artifactBucket: artifactBucket,
      role: codepipelineRole,
      stages: [
        {
          stageName: 'CodeCommitSource',
          actions: [
            new codepipeline_actions.CodeCommitSourceAction({
              actionName: 'CodeCommitSource',
              output: sourceArtifact,
              repository: props.repository,
              role: crossAccountRole,
              branch: branchName
            })
          ]
        },
        {
          stageName: 'Build',
          actions: [
            new codepipeline_actions.CodeBuildAction({
              actionName: 'CodeBuild',
              project: codebuildpro,
              input: sourceArtifact,
              outputs: [testedOutput],
              type: codepipeline_actions.CodeBuildActionType.TEST,
              role: codebuildRole
            })
          ]
        }
      ]
    });


    const cdkPipeline = new CdkPipeline(this, 'CdkPipeline', {
      selfMutating: false,
      codePipeline,
      cloudAssemblyArtifact
    });
  }
}

What did you expect to happen?

I expected CDK to either recognize that an eventbuspolicy already existed between account A & B, or create a new one with a new ID.

What actually happened?

CDK failed to create the EventBusPolicy stack (per the error log above).

Environment

  • CDK CLI Version : 1.83.0
  • Framework Version:
  • Node.js Version: v12.18.4
  • OS : Mac
  • Language (Version): TypeScript (4.1.3)

Other

I found this other issue that I think is related #8010. The statement ID was changed but it still is not unique enough to handle multiple deployments of a cross account source reference to the same account.
commit for reference: skinny85@4044dd4


This is 🐛 Bug Report
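
A pre-deploy check for the collision reported above, as an added example that is not part of the original issue and is not CDK's own code: it looks for the `Allow-account-<account>` statement ID from the error log in an event bus policy document, and derives a per-stack ID that would not collide. The sample policy is constructed, and `perStackStatementId` is a hypothetical naming scheme, not what CDK does.

```typescript
// One statement of an EventBridge event bus resource policy.
interface BusStatement { Sid: string; Effect: string; Principal: unknown; Action: string; }

// Constructed sample of the "Policy" string that `aws events describe-event-bus`
// returns after a first support stack was deployed (IDs taken from the log above).
const SAMPLE_POLICY: string = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{
    Sid: 'Allow-account-22222222',
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::22222222:root' },
    Action: 'events:PutEvents',
    Resource: 'arn:aws:events:us-east-1:1111111111:event-bus/default',
  }],
});

// A bus with no policy has no Policy field; Statement may be one object or an array.
function parseStatements(policyJson?: string): BusStatement[] {
  if (!policyJson) return [];
  const stmt = JSON.parse(policyJson).Statement || [];
  return Array.isArray(stmt) ? stmt : [stmt];
}

// Return the existing statement whose ID matches the one in the error, if any.
// A hit means a second EventBusPolicy resource with that ID will fail to create,
// and it also shows which principal and action the existing grant covers.
function findCollision(policyJson: string | undefined, account: string): BusStatement | undefined {
  const sid = 'Allow-account-' + account;
  return parseStatements(policyJson).filter((s) => s.Sid === sid)[0];
}

// Hypothetical per-stack statement ID (assumption, not CDK behaviour).
// Statement IDs are limited to [a-zA-Z0-9-_] and 64 characters, so reject
// over-long names instead of truncating them into a new collision.
function perStackStatementId(account: string, stackName: string): string {
  const id = 'Allow-account-' + account + '-' + stackName.replace(/[^a-zA-Z0-9_-]/g, '-');
  if (id.length > 64) throw new Error('statement ID longer than 64 characters: ' + id);
  return id;
}
```

Each extra statement is another standing `events:PutEvents` grant on the bus, so per-stack IDs trade the deployment conflict for more policy entries to review and clean up.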

Labels: @aws-cdk/aws-events, bug, effort/medium, p1
