Description
As per here, it should be possible to create a Rule that allows events created in one account to reach a target located in another AWS account. However, when I try to enable 2 different accounts to write to a third account, I get an error:
```
# account 111111111111 is my target account
# account 222222222222 is a source account for events that should be allowed to write to the target account
# account 333333333333 is a source account for events that has been successfully created
0/3 | 17:58:03 | CREATE_IN_PROGRESS | AWS::Events::EventBusPolicy | EventBusPolicy-222222222222-eu-west-2-111111111111 /GivePermToOtherAccount (GivePermToOtherAccount)
1/3 | 17:58:03 | CREATE_FAILED | AWS::Events::EventBusPolicy | EventBusPolicy-222222222222-eu-west-2-111111111111 /GivePermToOtherAccount (GivePermToOtherAccount) MySid already exists in stack arn:aws:cloudformation:eu-west-2:111111111111 :stack/MaiaDeployStack-EventBusPolicy-support-eu-west-2-333333333333/c0a66800-96cb-11ea-8439-064d74357b0e
    at Rule.addTarget (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-kernel-iNrMkc\node_modules\@aws-cdk\aws-events\lib\rule.js:140:21)
    at new Rule (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-kernel-iNrMkc\node_modules\@aws-cdk\aws-events\lib\rule.js:42:18)
    at C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7853:49
    at Kernel._wrapSandboxCode (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:8313:20)
    at Kernel._create (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7853:26)
    at Kernel.create (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7600:21)
    at KernelHost.processRequest (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7388:28)
    at KernelHost.run (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7328:14)
    at Immediate._onImmediate (C:\Users\JOHN~1.TIP\AppData\Local\Temp\jsii-java-runtime8230751485493606750\jsii-runtime.js:7331:37)
```
Reproduction Steps
I can't share my code, but I think this should also demonstrate the issue (although I haven't tested it), taken from the docs. My actual code is trying to wire up CodeDeploy events in several different accounts and send them to a single lambda in a single account.
```python
from aws_cdk.core import App, Stack, Environment
from aws_cdk import aws_codecommit as codecommit
from aws_cdk import aws_codebuild as codebuild
from aws_cdk import aws_events_targets as targets

# Placeholder account IDs; substitute the real ones
account1 = "111111111111"
account2 = "222222222222"
account3 = "333333333333"

app = App()
stack1 = Stack(app, "Stack1", env=Environment(account=account1, region="us-east-1"))
repo = codecommit.Repository(stack1, "Repository")
stack2 = Stack(app, "Stack2", env=Environment(account=account2, region="us-east-1"))
project_s2 = codebuild.Project(stack2, "Project")
stack3 = Stack(app, "Stack3", env=Environment(account=account3, region="us-east-1"))
project_s3 = codebuild.Project(stack3, "Project")
# Two rules in account1 targeting two different accounts: each needs its own
# EventBusPolicy in the target account
repo.on_commit("OnCommit",
    target=targets.CodeBuildProject(project_s2)
)
repo.on_comment("OnComment",
    target=targets.CodeBuildProject(project_s3)
)
app.synth()
```
Error Log
Error is as per stack trace above.
Environment
- CLI Version : 1.28.0
- Framework Version: 1.32.1
- OS : Windows
- Language : Java
Other
I think the issue is here: https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-events/lib/rule.ts#L247
A stack is created in the target account that defines an EventBusPolicy which permits the source account to send events to the target account. That policy contains a Sid called MySid. I think the issue may be because when another source account is defined, there is an attempt to create a further Sid called MySid in the target account, causing the conflict.
I think the fix is to not use the string MySid, but instead to use something that will be unique. Given that this auto-created stack contains just the policy, perhaps we could reuse the stack id here?
This is 🐛 Bug Report
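As an added illustration of the Sid collision described above (this is example code, not from the issue or the CDK code base): it builds the standard EventBridge event-bus resource policy with one `events:PutEvents` statement per source account, derives each Sid from the source account and region so two source accounts never share one, and rejects a policy whose Sids collide, which is what CloudFormation does with the fixed string `MySid`. The account IDs and function names are constructed for the example.

```python
"""Added example: per-source-account EventBridge bus policy statements with unique Sids."""
from typing import Dict, List, Optional

TARGET_ACCOUNT = "111111111111"   # constructed, mirrors the report
REGION = "eu-west-2"


def put_events_statement(source_account: str, target_account: str, region: str,
                         sid: Optional[str] = None) -> Dict:
    """One resource-policy statement letting a single source account call
    events:PutEvents on the target's default bus. Least privilege: one named
    principal, one action, one resource ARN, never a wildcard principal."""
    return {
        "Sid": sid or f"AllowPutEvents-{source_account}-{region}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": "events:PutEvents",
        "Resource": f"arn:aws:events:{region}:{target_account}:event-bus/default",
    }


def duplicate_sids(statements: List[Dict]) -> List[str]:
    """Return Sids that appear more than once, preserving first-seen order."""
    seen, dups = set(), []
    for stmt in statements:
        sid = stmt["Sid"]
        if sid in seen and sid not in dups:
            dups.append(sid)
        seen.add(sid)
    return dups


def build_policy(source_accounts: List[str], target_account: str, region: str,
                 fixed_sid: Optional[str] = None) -> Dict:
    """Assemble the bus policy. Passing fixed_sid reproduces the bug: every
    source account gets the same Sid and the policy is rejected, just as
    CloudFormation rejects a second 'MySid' in the same account."""
    statements = [put_events_statement(a, target_account, region, fixed_sid)
                  for a in source_accounts]
    dups = duplicate_sids(statements)
    if dups:
        raise ValueError(f"Sid already exists: {', '.join(dups)}")
    return {"Version": "2012-10-17", "Statement": statements}
```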