IAM: Problems sythesizing a role that can read from an SQS queue

[millems]

Java code:

Queue queue = new Queue(this, "source-import-queue",
                        QueueProps.builder()
                                  .withQueueName("source-import")
                                  .build());

Bucket bucket = new Bucket(this, "source-import-bucket",
                           BucketProps.builder()
                                      .withBucketName("source-import")
                                      .build());
bucket.onObjectCreated(queue);
bucket.addLifecycleRule(LifecycleRule.builder()
                                     .withExpirationInDays(30)
                                     .build());

PolicyStatement policyStatement = new PolicyStatement(PolicyStatementEffect.Allow);
policyStatement.addActions("ReceiveMessage", "DeleteMessage", "DeleteMessageBatch");
policyStatement.addResource(queue);

Role role = new Role(this, "source-import-queue-reader",
                     RoleProps.builder()
                              .withAssumedBy(new AccountPrincipal("12345"))
                              .withRoleName("source-import-queue-reader")
                              .build());
role.addToPolicy(policyStatement);

Expected Behavior: Create a role with a policy that allows reading from the queue.

Actual Behavior:

Exception in thread "main" software.amazon.jsii.JsiiException: While synthesizing hello-cdk/source-import-queue-reader/DefaultPolicy/Resource: Trying to resolve() a Construct at /policyDocument/Statement/0/Resource
While synthesizing hello-cdk/source-import-queue-reader/DefaultPolicy/Resource: Trying to resolve() a Construct at /policyDocument/Statement/0/Resource
    --- resource created at ---
    at new Policy (/private/tmp/jsii-kernel-aRMZR8/node_modules/@aws-cdk/aws-iam/lib/policy.js:22:26)
    at Role.addToPolicy (/private/tmp/jsii-kernel-aRMZR8/node_modules/@aws-cdk/aws-iam/lib/role.js:39:34)
    at _wrapSandboxCode (/private/var/folders/x4/0pn8hl6x4kz135bdrmgdlk7xmh2tn2/T/jsii-java-runtime6462445815484053124/jsii-runtime.js:1:84495)

[millems]

Removing the line: policyStatement.addResource(queue); resolves the issue.

[millems]

policyStatement.addResource(queue.getQueueArn()); removes the exception, but I haven't tested to verify it actually works.

[rix0rrr]

Yeah, that is the way.

Another unfortunate case of a too broad type declaration?

[millems]

Seems unintuitive, since I can do bucket.onObjectCreated(queue);, but I guess I understand the distinction.

[RomainMuller]

I guess right now you have to be unfortunately aware of whether you're using a low-level class (will need you to use Ref or GetAtt accessors) or a higher-level class (will just get the object). That's not ideal 😔. Hopefully this fades out significantly as our L2 construct coverage expands and is not much of an issue anymore by then.