(events-targets): Wrong role used when adding multiple EventBus targets #19407

@gshpychka

What is the problem?

When adding an EventBus target to a rule, CDK creates a role that grants PutEvents on the event bus. If we add multiple event buses this way, they will all share a single role that only grants access to the first event bus that we pass.

Reproduction Steps

Consider the following code:

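from aws_cdk import aws_events as events, aws_events_targets as events_targets

# Inside a Stack (or other construct) __init__, where `self` is the scope:
rule = events.Rule(
    self,
    "rule",
    event_pattern=events.EventPattern(
        source=["aws.ecr"],
    ),
)
for i in range(5):
    # Each bus is added as a separate target of the same rule.
    bus = events.EventBus(self, f"bus-{i}")
    rule.add_target(events_targets.EventBus(bus))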

The rule will use a role that only has access to bus-0, and it will use this role for all targets.

What did you expect to happen?

Each target uses a different role with proper access.

What actually happened?

All targets share a role that only grants access to a single target.

CDK CLI Version

2.16

Framework Version

2.16

Node.js Version

17.7.1

OS

MacOS

Language

Typescript, Python

Language Version

No response

Other information

I understand the issue may be here:

const role = this.props.role ?? singletonEventRole(rule, [this.putEventStatement()]);
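
A check for the condition reported above, run over a synthesized CloudFormation template before deployment (added example, not part of the issue or of CDK): it flags rule targets whose role has no policy statement allowing `events:PutEvents` on that target's ARN. The template and its logical IDs are constructed to mirror the report; matching is exact (no action wildcards or ARN patterns), and roles defined outside the template are skipped.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _key(value):
    return json.dumps(value, sort_keys=True)  # canonical form so intrinsics compare

def granted_resources(template, role_id, action="events:PutEvents"):
    """Resources on which policies attached to role_id explicitly allow action."""
    granted = set()
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        if res["Type"] != "AWS::IAM::Policy" or {"Ref": role_id} not in props.get("Roles", []):
            continue
        for stmt in _as_list(props["PolicyDocument"]["Statement"]):
            if stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action", [])):
                granted.update(_key(r) for r in _as_list(stmt.get("Resource", [])))
    return granted

def uncovered_targets(template):
    """(rule logical id, target Id) pairs whose role lacks PutEvents on the target ARN."""
    findings = []
    for rule_id, res in template["Resources"].items():
        if res["Type"] != "AWS::Events::Rule":
            continue
        for target in res["Properties"].get("Targets", []):
            role = target.get("RoleArn")
            if not isinstance(role, dict) or "Fn::GetAtt" not in role:
                continue  # role defined outside the template: not checked here
            granted = granted_resources(template, role["Fn::GetAtt"][0])
            if _key("*") not in granted and _key(target["Arn"]) not in granted:
                findings.append((rule_id, target["Id"]))
    return findings

def sample_template(n=3):
    """Constructed template modelled on the report: one shared role, policy for bus0 only."""
    arn = lambda i: {"Fn::GetAtt": [f"bus{i}", "Arn"]}
    res = {f"bus{i}": {"Type": "AWS::Events::EventBus", "Properties": {"Name": f"bus-{i}"}} for i in range(n)}
    res["EventsRole"] = {"Type": "AWS::IAM::Role", "Properties": {}}  # hypothetical logical ID
    res["EventsRolePolicy"] = {"Type": "AWS::IAM::Policy", "Properties": {
        "Roles": [{"Ref": "EventsRole"}],
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "events:PutEvents", "Resource": arn(0)}]}}}
    res["rule"] = {"Type": "AWS::Events::Rule", "Properties": {"Targets": [
        {"Id": f"Target{i}", "Arn": arn(i), "RoleArn": {"Fn::GetAtt": ["EventsRole", "Arn"]}} for i in range(n)]}}
    return {"Resources": res}

if __name__ == "__main__":
    print(uncovered_targets(sample_template()))
```

To check a real stack, load the JSON file that `cdk synth` writes under `cdk.out` with `json.load` and pass it to `uncovered_targets`.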
