fix(sns-subscriptions): SQS queue encrypted by AWS managed KMS key is allowed to be specified as subscription and dead-letter queue

[tam0ri]

To send message to SQS queues encrypted by KMS from SNS, we need to grant SNS service-principal access to the key by key policy. From this reason, we need to use customer managed key because we can't edit key policy for AWS managed key. However, CDK makes it easy to create such a non-functional subscription.

To prevent CDK from making such a subscription, I added the validation which throw an error when SQS queue encrypted by AWS managed KMS key is specified as subscription or dead-letter queue.

Closes #19796

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[tam0ri]

Exemption Request because this change includes only additional validations. Please let me know if adding integration test is needed.

[corymhall]

Looks good! Just 1 comment

[corymhall]

We also need to handle the case where the queue is imported IQueue in which
case there will not be a default child.

I think we may want to add a new attribute to the IQueue, something like
encryptionType that holds the type of encryption.

[tam0ri]

Hi @corymhall, thank you for your review! I understand your concern.

If users import the queue via fromQueueArn method, CDK cannot determine whether the queue is encrypted by AWS managed KMS key or not.

aws-cdk/packages/aws-cdk-lib/aws-sqs/lib/queue.ts

Lines 268 to 287 in f8a94d8

	public static fromQueueArn(scope: Construct, id: string, queueArn: string): IQueue {
	return Queue.fromQueueAttributes(scope, id, { queueArn });
	}
	/**
	* Import an existing queue
	*/
	public static fromQueueAttributes(scope: Construct, id: string, attrs: QueueAttributes): IQueue {
	const stack = Stack.of(scope);
	const parsedArn = stack.splitArn(attrs.queueArn, ArnFormat.NO_RESOURCE_NAME);
	const queueName = attrs.queueName || parsedArn.resource;
	const queueUrl = attrs.queueUrl || `https://sqs.${parsedArn.region}.${stack.urlSuffix}/${parsedArn.account}/${queueName}`;
	class Import extends QueueBase {
	public readonly queueArn = attrs.queueArn; // arn:aws:sqs:us-east-1:123456789012:queue1
	public readonly queueUrl = queueUrl;
	public readonly queueName = queueName;
	public readonly encryptionMasterKey = attrs.keyArn
	? kms.Key.fromKeyArn(this, 'Key', attrs.keyArn)
	: undefined;

So in my understanding, we can't validate it completely in that case. I think one possible solution is skipping the validation if encryptionMasterKey is undefined to prevent error due to missing default child. Does it make sense?

[corymhall]

I believe users can provide the key in fromQueueAttributes so if the encryptionType is undefined then we don't do the validation.

[tam0ri]

Please let me clarify. In you assumption, what type of value encryptionType has? Is the same value as QueueEncryption enum?
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueEncryption.html

[corymhall]

Yeah I think so.

[corymhall]

Same comment as above

[mrgrain]

@tam0ri Are you still able to address the outstanding comments?

[tam0ri]

@mrgrain
Sorry for delay. I still have a motivation to address this. I develop in my spare time, but I have not been able to take a time recently. I'll try reserving a time for this in this week. Can I take some additional time?

[mrgrain]

@mrgrain
Sorry for delay. I still have a motivation to address this. I develop in my spare time, but I have not been able to take a time recently. I'll try reserving a time for this in this week. Can I take some additional time?

Yes of course! Take as much time you need. If the automation closes this PR, just open a new one and feel free to tag me in it. 😃

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[tam0ri]

@corymhall Sorry for delay, I made some changes per your suggestion. Could you review it again?

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: fff3d75
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).