From cf43b03c0c6231f93ca1db0b24df7c623d55dd2b Mon Sep 17 00:00:00 2001 From: Jonne Kaunisto Date: Sun, 2 Oct 2022 12:01:06 -0700 Subject: [PATCH] fix(sns): race condition exists between sqs queue policy and sns subscription (#21797) ---- Fixes https://github.com/aws/aws-cdk/issues/20665 by adding a dependency to sqs policy for sns subscriptions. ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* This is a follow up to https://github.com/aws/aws-cdk/pull/21259, which got closed for failing for too long --- .../aws-ecs-integ.template.json | 1343 +++++++++++++++++ .../nested-stacks-test.template.json | 3 + .../aws-cdk-codebuild-events.template.json | 1 + .../aws-cdk-sns-event-target.template.json | 1 + .../@aws-cdk/aws-sns-subscriptions/lib/sqs.ts | 5 +- .../aws-cdk-sns-sqs.template.json | 361 ++--- packages/@aws-cdk/aws-sns/lib/subscriber.ts | 11 +- packages/@aws-cdk/aws-sns/lib/topic-base.ts | 14 +- ...ions-tasks-sns-publish-integ.template.json | 1 + 9 files changed, 1554 insertions(+), 186 deletions(-) create mode 100644 packages/@aws-cdk-containers/ecs-service-extensions/test/publish-subscribe.integ.snapshot/aws-ecs-integ.template.json diff --git a/packages/@aws-cdk-containers/ecs-service-extensions/test/publish-subscribe.integ.snapshot/aws-ecs-integ.template.json b/packages/@aws-cdk-containers/ecs-service-extensions/test/publish-subscribe.integ.snapshot/aws-ecs-integ.template.json new file mode 100644 index 0000000000000..56b3d569d5be4 --- /dev/null +++ b/packages/@aws-cdk-containers/ecs-service-extensions/test/publish-subscribe.integ.snapshot/aws-ecs-integ.template.json @@ -0,0 +1,1343 @@ +{ + "Resources": { + "productionenvironmentvpcAEB47DF7": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet1Subnet8D92C089": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.0.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet1" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet1RouteTable6E9ABC21": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet1" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet1RouteTableAssociationA8117374": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPublicSubnet1RouteTable6E9ABC21" + }, + "SubnetId": { + "Ref": "productionenvironmentvpcPublicSubnet1Subnet8D92C089" + } + } + }, + "productionenvironmentvpcPublicSubnet1DefaultRoute524C894D": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPublicSubnet1RouteTable6E9ABC21" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "productionenvironmentvpcIGWE7C39890" + } + }, + "DependsOn": [ + "productionenvironmentvpcVPCGW1B428D07" + ] + }, + "productionenvironmentvpcPublicSubnet1EIP54BA88DB": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet1" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet1NATGateway6075E4CA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "productionenvironmentvpcPublicSubnet1Subnet8D92C089" + }, + "AllocationId": { + "Fn::GetAtt": [ + "productionenvironmentvpcPublicSubnet1EIP54BA88DB", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet1" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet2Subnet298E6C31": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.64.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet2" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet2RouteTable842A68D7": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet2" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet2RouteTableAssociation0A7549F3": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPublicSubnet2RouteTable842A68D7" + }, + "SubnetId": { + "Ref": "productionenvironmentvpcPublicSubnet2Subnet298E6C31" + } + } + }, + "productionenvironmentvpcPublicSubnet2DefaultRoute92CD697D": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPublicSubnet2RouteTable842A68D7" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "productionenvironmentvpcIGWE7C39890" + } + }, + "DependsOn": [ + "productionenvironmentvpcVPCGW1B428D07" + ] + }, + "productionenvironmentvpcPublicSubnet2EIP14CA46AA": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet2" + } + ] + } + }, + "productionenvironmentvpcPublicSubnet2NATGatewayE1850FCC": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "SubnetId": { + "Ref": "productionenvironmentvpcPublicSubnet2Subnet298E6C31" + }, + "AllocationId": { + "Fn::GetAtt": [ + "productionenvironmentvpcPublicSubnet2EIP14CA46AA", + "AllocationId" + ] + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PublicSubnet2" + } + ] + } + }, + "productionenvironmentvpcPrivateSubnet1Subnet53F632E6": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.128.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PrivateSubnet1" + } + ] + } + }, + "productionenvironmentvpcPrivateSubnet1RouteTable2C6DFF0C": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PrivateSubnet1" + } + ] + } + }, + "productionenvironmentvpcPrivateSubnet1RouteTableAssociation8BA32463": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPrivateSubnet1RouteTable2C6DFF0C" + }, + "SubnetId": { + "Ref": "productionenvironmentvpcPrivateSubnet1Subnet53F632E6" + } + } + }, + "productionenvironmentvpcPrivateSubnet1DefaultRouteFBB3DE6C": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPrivateSubnet1RouteTable2C6DFF0C" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "productionenvironmentvpcPublicSubnet1NATGateway6075E4CA" + } + } + }, + "productionenvironmentvpcPrivateSubnet2Subnet756FB93C": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.192.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PrivateSubnet2" + } + ] + } + }, + "productionenvironmentvpcPrivateSubnet2RouteTable2F77D0D2": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc/PrivateSubnet2" + } + ] + } + }, + "productionenvironmentvpcPrivateSubnet2RouteTableAssociation09188261": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPrivateSubnet2RouteTable2F77D0D2" + }, + "SubnetId": { + "Ref": "productionenvironmentvpcPrivateSubnet2Subnet756FB93C" + } + } + }, + "productionenvironmentvpcPrivateSubnet2DefaultRoute5F9AB6C1": { + "Type": "AWS::EC2::Route", + "Properties": { + "RouteTableId": { + "Ref": "productionenvironmentvpcPrivateSubnet2RouteTable2F77D0D2" + }, + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "productionenvironmentvpcPublicSubnet2NATGatewayE1850FCC" + } + } + }, + "productionenvironmentvpcIGWE7C39890": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-ecs-integ/production-environment-vpc" + } + ] + } + }, + "productionenvironmentvpcVPCGW1B428D07": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + }, + "InternetGatewayId": { + "Ref": "productionenvironmentvpcIGWE7C39890" + } + } + }, + "productionenvironmentclusterC6599D2D": { + "Type": "AWS::ECS::Cluster" + }, + "signupD2AAA171": { + "Type": "AWS::SNS::Topic" + }, + "delete1CCE71FF": { + "Type": "AWS::SNS::Topic" + }, + "PublishertaskdefinitionTaskRoleE8655AA5": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PublishertaskdefinitionTaskRoleDefaultPolicyD6E49F15": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": [ + { + "Ref": "delete1CCE71FF" + }, + { + "Ref": "signupD2AAA171" + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PublishertaskdefinitionTaskRoleDefaultPolicyD6E49F15", + "Roles": [ + { + "Ref": "PublishertaskdefinitionTaskRoleE8655AA5" + } + ] + } + }, + "PublishertaskdefinitionA4324C64": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Cpu": 256, + "Environment": [ + { + "Name": "PORT", + "Value": "80" + }, + { + "Name": "SIGN-UP_TOPIC_ARN", + "Value": { + "Ref": "signupD2AAA171" + } + }, + { + "Name": "DELETE_TOPIC_ARN", + "Value": { + "Ref": "delete1CCE71FF" + } + } + ], + "Essential": true, + "Image": "nathanpeck/name", + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-group": { + "Ref": "PublisherlogsDF0C1067" + }, + "awslogs-stream-prefix": "Publisher", + "awslogs-region": { + "Ref": "AWS::Region" + } + } + }, + "Memory": 512, + "Name": "app", + "PortMappings": [ + { + "ContainerPort": 80, + "Protocol": "tcp" + } + ], + "Ulimits": [ + { + "HardLimit": 1024000, + "Name": "nofile", + "SoftLimit": 1024000 + } + ] + } + ], + "Cpu": "256", + "ExecutionRoleArn": { + "Fn::GetAtt": [ + "PublishertaskdefinitionExecutionRole5C00C542", + "Arn" + ] + }, + "Family": "awsecsintegPublishertaskdefinitionD50610D0", + "Memory": "512", + "NetworkMode": "awsvpc", + "RequiresCompatibilities": [ + "EC2", + "FARGATE" + ], + "TaskRoleArn": { + "Fn::GetAtt": [ + "PublishertaskdefinitionTaskRoleE8655AA5", + "Arn" + ] + } + } + }, + "PublishertaskdefinitionExecutionRole5C00C542": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PublishertaskdefinitionExecutionRoleDefaultPolicy681FD8E6": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PublisherlogsDF0C1067", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PublishertaskdefinitionExecutionRoleDefaultPolicy681FD8E6", + "Roles": [ + { + "Ref": "PublishertaskdefinitionExecutionRole5C00C542" + } + ] + } + }, + "PublisherlogsDF0C1067": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": "Publisher-logs", + "RetentionInDays": 30 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "PublisherserviceService9EB00F60": { + "Type": "AWS::ECS::Service", + "Properties": { + "Cluster": { + "Ref": "productionenvironmentclusterC6599D2D" + }, + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "DesiredCount": 1, + "EnableECSManagedTags": false, + "LaunchType": "FARGATE", + "NetworkConfiguration": { + "AwsvpcConfiguration": { + "AssignPublicIp": "DISABLED", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "PublisherserviceSecurityGroupC7B0C0D0", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "productionenvironmentvpcPrivateSubnet1Subnet53F632E6" + }, + { + "Ref": "productionenvironmentvpcPrivateSubnet2Subnet756FB93C" + } + ] + } + }, + "TaskDefinition": { + "Ref": "PublishertaskdefinitionA4324C64" + } + } + }, + "PublisherserviceSecurityGroupC7B0C0D0": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "aws-ecs-integ/Publisher-service/SecurityGroup", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + } + } + }, + "signupqueue33AFF2E6": { + "Type": "AWS::SQS::Queue", + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "signupqueuePolicy185ADC00": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Condition": { + "ArnEquals": { + "aws:SourceArn": { + "Ref": "signupD2AAA171" + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "Queues": [ + { + "Ref": "signupqueue33AFF2E6" + } + ] + } + }, + "signupqueueawsecsintegsignup8DE00B29CE828029": { + "Type": "AWS::SNS::Subscription", + "DependsOn": "signupqueuePolicy185ADC00", + "Properties": { + "Protocol": "sqs", + "TopicArn": { + "Ref": "signupD2AAA171" + }, + "Endpoint": { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "Arn" + ] + } + } + }, + "EventsDeadLetterQueue404572C7": { + "Type": "AWS::SQS::Queue", + "Properties": { + "MessageRetentionPeriod": 1209600 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "EventsQueueB96EB0D2": { + "Type": "AWS::SQS::Queue", + "Properties": { + "RedrivePolicy": { + "deadLetterTargetArn": { + "Fn::GetAtt": [ + "EventsDeadLetterQueue404572C7", + "Arn" + ] + }, + "maxReceiveCount": 3 + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "EventsQueuePolicyF3E925EC": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Condition": { + "ArnEquals": { + "aws:SourceArn": { + "Ref": "delete1CCE71FF" + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "Queues": [ + { + "Ref": "EventsQueueB96EB0D2" + } + ] + } + }, + "EventsQueueawsecsintegdeleteF56807768162F4C0": { + "Type": "AWS::SNS::Subscription", + "DependsOn": "EventsQueuePolicyF3E925EC", + "Properties": { + "Protocol": "sqs", + "TopicArn": { + "Ref": "delete1CCE71FF" + }, + "Endpoint": { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "Arn" + ] + } + } + }, + "WorkertaskdefinitionTaskRole1EBF20D6": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "WorkertaskdefinitionTaskRoleDefaultPolicy45EAFD8C": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "Arn" + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "WorkertaskdefinitionTaskRoleDefaultPolicy45EAFD8C", + "Roles": [ + { + "Ref": "WorkertaskdefinitionTaskRole1EBF20D6" + } + ] + } + }, + "WorkertaskdefinitionBF93A675": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Cpu": 256, + "Environment": [ + { + "Name": "PORT", + "Value": "80" + }, + { + "Name": "WORKER_QUEUE_URI", + "Value": { + "Ref": "EventsQueueB96EB0D2" + } + } + ], + "Essential": true, + "Image": "nathanpeck/name", + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-group": { + "Ref": "Workerlogs2994AC4D" + }, + "awslogs-stream-prefix": "Worker", + "awslogs-region": { + "Ref": "AWS::Region" + } + } + }, + "Memory": 512, + "Name": "app", + "PortMappings": [ + { + "ContainerPort": 80, + "Protocol": "tcp" + } + ], + "Ulimits": [ + { + "HardLimit": 1024000, + "Name": "nofile", + "SoftLimit": 1024000 + } + ] + } + ], + "Cpu": "256", + "ExecutionRoleArn": { + "Fn::GetAtt": [ + "WorkertaskdefinitionExecutionRole3C1A1848", + "Arn" + ] + }, + "Family": "awsecsintegWorkertaskdefinition32B60762", + "Memory": "512", + "NetworkMode": "awsvpc", + "RequiresCompatibilities": [ + "EC2", + "FARGATE" + ], + "TaskRoleArn": { + "Fn::GetAtt": [ + "WorkertaskdefinitionTaskRole1EBF20D6", + "Arn" + ] + } + } + }, + "WorkertaskdefinitionExecutionRole3C1A1848": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ecs-tasks.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "WorkertaskdefinitionExecutionRoleDefaultPolicy6E199B19": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Workerlogs2994AC4D", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "WorkertaskdefinitionExecutionRoleDefaultPolicy6E199B19", + "Roles": [ + { + "Ref": "WorkertaskdefinitionExecutionRole3C1A1848" + } + ] + } + }, + "Workerlogs2994AC4D": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": "Worker-logs", + "RetentionInDays": 30 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "WorkerserviceService68C5A5C3": { + "Type": "AWS::ECS::Service", + "Properties": { + "Cluster": { + "Ref": "productionenvironmentclusterC6599D2D" + }, + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "EnableECSManagedTags": false, + "LaunchType": "FARGATE", + "NetworkConfiguration": { + "AwsvpcConfiguration": { + "AssignPublicIp": "DISABLED", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "WorkerserviceSecurityGroup1CDDB904", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "productionenvironmentvpcPrivateSubnet1Subnet53F632E6" + }, + { + "Ref": "productionenvironmentvpcPrivateSubnet2Subnet756FB93C" + } + ] + } + }, + "TaskDefinition": { + "Ref": "WorkertaskdefinitionBF93A675" + } + } + }, + "WorkerserviceSecurityGroup1CDDB904": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "aws-ecs-integ/Worker-service/SecurityGroup", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "VpcId": { + "Ref": "productionenvironmentvpcAEB47DF7" + } + } + }, + "WorkerserviceTaskCountTarget6636D808": { + "Type": "AWS::ApplicationAutoScaling::ScalableTarget", + "Properties": { + "MaxCapacity": 10, + "MinCapacity": 1, + "ResourceId": { + "Fn::Join": [ + "", + [ + "service/", + { + "Ref": "productionenvironmentclusterC6599D2D" + }, + "/", + { + "Fn::GetAtt": [ + "WorkerserviceService68C5A5C3", + "Name" + ] + } + ] + ] + }, + "RoleARN": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" + ] + ] + }, + "ScalableDimension": "ecs:service:DesiredCount", + "ServiceNamespace": "ecs" + } + }, + "WorkerserviceTaskCountTargetEventsQueueautoscalingpolicyD12B62ED": { + "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", + "Properties": { + "PolicyName": "awsecsintegWorkerserviceTaskCountTargetEventsQueueautoscalingpolicyDBD40B57", + "PolicyType": "TargetTrackingScaling", + "ScalingTargetId": { + "Ref": "WorkerserviceTaskCountTarget6636D808" + }, + "TargetTrackingScalingPolicyConfiguration": { + "CustomizedMetricSpecification": { + "Dimensions": [ + { + "Name": "QueueName", + "Value": { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "QueueName" + ] + } + } + ], + "MetricName": "BacklogPerTask", + "Namespace": "production-Worker", + "Statistic": "Average", + "Unit": "Count" + }, + "TargetValue": 15 + } + } + }, + "WorkerserviceTaskCountTargetsignupqueueautoscalingpolicyB7321DB7": { + "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", + "Properties": { + "PolicyName": "awsecsintegWorkerserviceTaskCountTargetsignupqueueautoscalingpolicyDF93FC37", + "PolicyType": "TargetTrackingScaling", + "ScalingTargetId": { + "Ref": "WorkerserviceTaskCountTarget6636D808" + }, + "TargetTrackingScalingPolicyConfiguration": { + "CustomizedMetricSpecification": { + "Dimensions": [ + { + "Name": "QueueName", + "Value": { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "QueueName" + ] + } + } + ], + "MetricName": "BacklogPerTask", + "Namespace": "production-Worker", + "Statistic": "Average", + "Unit": "Count" + }, + "TargetValue": 30 + } + } + }, + "BackLogPerTaskCalculatorFunctionServiceRoleEFA723A4": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "BackLogPerTaskCalculatorFunctionServiceRoleDefaultPolicyB6B10266": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "ecs:DescribeServices", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "productionenvironmentclusterC6599D2D", + "Arn" + ] + } + } + }, + "Effect": "Allow", + "Resource": { + "Ref": "WorkerserviceService68C5A5C3" + } + }, + { + "Action": [ + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "Arn" + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "BackLogPerTaskCalculatorFunctionServiceRoleDefaultPolicyB6B10266", + "Roles": [ + { + "Ref": "BackLogPerTaskCalculatorFunctionServiceRoleEFA723A4" + } + ] + } + }, + "BackLogPerTaskCalculatorFunction95AA21D5": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Ref": "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91S3Bucket1FFDEA8D" + }, + "S3Key": { + "Fn::Join": [ + "", + [ + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91S3VersionKeyA60C027B" + } + ] + } + ] + }, + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "||", + { + "Ref": "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91S3VersionKeyA60C027B" + } + ] + } + ] + } + ] + ] + } + }, + "Role": { + "Fn::GetAtt": [ + "BackLogPerTaskCalculatorFunctionServiceRoleEFA723A4", + "Arn" + ] + }, + "Environment": { + "Variables": { + "CLUSTER_NAME": { + "Ref": "productionenvironmentclusterC6599D2D" + }, + "SERVICE_NAME": { + "Fn::GetAtt": [ + "WorkerserviceService68C5A5C3", + "Name" + ] + }, + "NAMESPACE": "production-Worker", + "QUEUE_NAMES": { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "EventsQueueB96EB0D2", + "QueueName" + ] + }, + ",", + { + "Fn::GetAtt": [ + "signupqueue33AFF2E6", + "QueueName" + ] + } + ] + ] + } + } + }, + "Handler": "index.queue_handler", + "Runtime": "python3.9" + }, + "DependsOn": [ + "BackLogPerTaskCalculatorFunctionServiceRoleDefaultPolicyB6B10266", + "BackLogPerTaskCalculatorFunctionServiceRoleEFA723A4" + ] + }, + "BacklogPerTaskScheduledRuleB871DD15": { + "Type": "AWS::Events::Rule", + "Properties": { + "ScheduleExpression": "rate(1 minute)", + "State": "ENABLED", + "Targets": [ + { + "Arn": { + "Fn::GetAtt": [ + "BackLogPerTaskCalculatorFunction95AA21D5", + "Arn" + ] + }, + "Id": "Target0" + } + ] + } + }, + "BacklogPerTaskScheduledRuleAllowEventRuleawsecsintegBackLogPerTaskCalculatorFunctionEB2B91C7CCD725BB": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": { + "Fn::GetAtt": [ + "BackLogPerTaskCalculatorFunction95AA21D5", + "Arn" + ] + }, + "Principal": "events.amazonaws.com", + "SourceArn": { + "Fn::GetAtt": [ + "BacklogPerTaskScheduledRuleB871DD15", + "Arn" + ] + } + } + }, + "WorkerBackLogPerTaskCalculatorLogsA4B5AF42": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": { + "Fn::Join": [ + "", + [ + "/aws/lambda/", + { + "Ref": "BackLogPerTaskCalculatorFunction95AA21D5" + } + ] + ] + }, + "RetentionInDays": 3 + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91S3Bucket1FFDEA8D": { + "Type": "String", + "Description": "S3 bucket for asset \"a820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91\"" + }, + "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91S3VersionKeyA60C027B": { + "Type": "String", + "Description": "S3 key for asset version \"a820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91\"" + }, + "AssetParametersa820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91ArtifactHashC1953821": { + "Type": "String", + "Description": "Artifact hash for asset \"a820140ad8525b8ed56ad2a7bcd9da99d6afc2490e8c91e34620886c011bdc91\"" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cloudformation/test/nested-stack.integ.snapshot/nested-stacks-test.template.json b/packages/@aws-cdk/aws-cloudformation/test/nested-stack.integ.snapshot/nested-stacks-test.template.json index fdf6b0f116170..1ebcfc8679fec 100644 --- a/packages/@aws-cdk/aws-cloudformation/test/nested-stack.integ.snapshot/nested-stacks-test.template.json +++ b/packages/@aws-cdk/aws-cloudformation/test/nested-stack.integ.snapshot/nested-stacks-test.template.json @@ -91,6 +91,7 @@ }, "SubscriberQueuenestedstackstestNestedStack1topic089C5EB1396F65087": { "Type": "AWS::SNS::Subscription", + "DependsOn": "SubscriberQueuePolicy25A0799E", "Properties": { "Protocol": "sqs", "TopicArn": { @@ -109,6 +110,7 @@ }, "SubscriberQueuenestedstackstestNestedStack1topic1150E1A929A2C267E": { "Type": "AWS::SNS::Subscription", + "DependsOn": "SubscriberQueuePolicy25A0799E", "Properties": { "Protocol": "sqs", "TopicArn": { @@ -127,6 +129,7 @@ }, "SubscriberQueuenestedstackstestNestedStack1topic209B8719858511914": { "Type": "AWS::SNS::Subscription", + "DependsOn": "SubscriberQueuePolicy25A0799E", "Properties": { "Protocol": "sqs", "TopicArn": { diff --git a/packages/@aws-cdk/aws-events-targets/test/codebuild/project-events.integ.snapshot/aws-cdk-codebuild-events.template.json b/packages/@aws-cdk/aws-events-targets/test/codebuild/project-events.integ.snapshot/aws-cdk-codebuild-events.template.json index 54a4e956859bc..4d8c799d34fb8 100644 --- a/packages/@aws-cdk/aws-events-targets/test/codebuild/project-events.integ.snapshot/aws-cdk-codebuild-events.template.json +++ b/packages/@aws-cdk/aws-events-targets/test/codebuild/project-events.integ.snapshot/aws-cdk-codebuild-events.template.json @@ -396,6 +396,7 @@ }, "MyQueueawscdkcodebuildeventsMyTopic550011DCF72DE3ED": { "Type": "AWS::SNS::Subscription", + "DependsOn": "MyQueuePolicy6BBEDDAC", "Properties": { "Protocol": "sqs", "TopicArn": { diff --git a/packages/@aws-cdk/aws-events-targets/test/sns/sns-event-rule-target.integ.snapshot/aws-cdk-sns-event-target.template.json b/packages/@aws-cdk/aws-events-targets/test/sns/sns-event-rule-target.integ.snapshot/aws-cdk-sns-event-target.template.json index a667accb07652..cd1aa126d0ea2 100644 --- a/packages/@aws-cdk/aws-events-targets/test/sns/sns-event-rule-target.integ.snapshot/aws-cdk-sns-event-target.template.json +++ b/packages/@aws-cdk/aws-events-targets/test/sns/sns-event-rule-target.integ.snapshot/aws-cdk-sns-event-target.template.json @@ -94,6 +94,7 @@ }, "MyQueueawscdksnseventtargetMyTopicB7575CD87304D383": { "Type": "AWS::SNS::Subscription", + "DependsOn": "MyQueuePolicy6BBEDDAC", "Properties": { "Protocol": "sqs", "TopicArn": { diff --git a/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts b/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts index 3d9acff2d2a65..ce55f1778265a 100644 --- a/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts +++ b/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts @@ -40,14 +40,14 @@ export class SqsSubscription implements sns.ITopicSubscription { // add a statement to the queue resource policy which allows this topic // to send messages to the queue. - this.queue.addToResourcePolicy(new iam.PolicyStatement({ + const queuePolicyDependable = this.queue.addToResourcePolicy(new iam.PolicyStatement({ resources: [this.queue.queueArn], actions: ['sqs:SendMessage'], principals: [snsServicePrincipal], conditions: { ArnEquals: { 'aws:SourceArn': topic.topicArn }, }, - })); + })).policyDependable; // if the queue is encrypted, add a statement to the key resource policy // which allows this topic to decrypt KMS keys @@ -77,6 +77,7 @@ export class SqsSubscription implements sns.ITopicSubscription { filterPolicy: this.props.filterPolicy, region: this.regionFromArn(topic), deadLetterQueue: this.props.deadLetterQueue, + subscriptionDependency: queuePolicyDependable, }; } diff --git a/packages/@aws-cdk/aws-sns-subscriptions/test/sns-sqs.lit.integ.snapshot/aws-cdk-sns-sqs.template.json b/packages/@aws-cdk/aws-sns-subscriptions/test/sns-sqs.lit.integ.snapshot/aws-cdk-sns-sqs.template.json index 35da3fc55b6d7..0abd3a705bc75 100644 --- a/packages/@aws-cdk/aws-sns-subscriptions/test/sns-sqs.lit.integ.snapshot/aws-cdk-sns-sqs.template.json +++ b/packages/@aws-cdk/aws-sns-subscriptions/test/sns-sqs.lit.integ.snapshot/aws-cdk-sns-sqs.template.json @@ -1,205 +1,206 @@ { - "Resources": { - "MyTopic86869434": { - "Type": "AWS::SNS::Topic" - }, - "EncryptionMasterKey5BD393B9": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" + "Resources": { + "MyTopic86869434": { + "Type": "AWS::SNS::Topic" + }, + "EncryptionMasterKey5BD393B9": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Condition": { - "ArnEquals": { - "aws:SourceArn": { - "Ref": "MyTopic86869434" } - } - }, - "Effect": "Allow", - "Principal": { - "Service": "sns.amazonaws.com" + }, + "Resource": "*" }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } + { + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Condition": { + "ArnEquals": { + "aws:SourceArn": { + "Ref": "MyTopic86869434" + } + } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "MyQueueE6CA6235": { - "Type": "AWS::SQS::Queue", - "Properties": { - "KmsMasterKeyId": { - "Fn::GetAtt": [ - "EncryptionMasterKey5BD393B9", - "Arn" - ] - } + "MyQueueE6CA6235": { + "Type": "AWS::SQS::Queue", + "Properties": { + "KmsMasterKeyId": { + "Fn::GetAtt": [ + "EncryptionMasterKey5BD393B9", + "Arn" + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "MyQueuePolicy6BBEDDAC": { - "Type": "AWS::SQS::QueuePolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sqs:SendMessage", - "Condition": { - "ArnEquals": { - "aws:SourceArn": { - "Ref": "MyTopic86869434" + "MyQueuePolicy6BBEDDAC": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Condition": { + "ArnEquals": { + "aws:SourceArn": { + "Ref": "MyTopic86869434" + } } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "MyQueueE6CA6235", + "Arn" + ] } - }, - "Effect": "Allow", - "Principal": { - "Service": "sns.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" - ] } + ], + "Version": "2012-10-17" + }, + "Queues": [ + { + "Ref": "MyQueueE6CA6235" } - ], - "Version": "2012-10-17" - }, - "Queues": [ - { - "Ref": "MyQueueE6CA6235" - } - ] - } - }, - "MyQueueawscdksnssqsMyTopic9361DEA223429051": { - "Type": "AWS::SNS::Subscription", - "Properties": { - "Protocol": "sqs", - "TopicArn": { - "Ref": "MyTopic86869434" - }, - "Endpoint": { - "Fn::GetAtt": [ - "MyQueueE6CA6235", - "Arn" ] - }, - "RedrivePolicy": { - "deadLetterTargetArn": { + } + }, + "MyQueueawscdksnssqsMyTopic9361DEA223429051": { + "DependsOn": "MyQueuePolicy6BBEDDAC", + "Type": "AWS::SNS::Subscription", + "Properties": { + "Protocol": "sqs", + "TopicArn": { + "Ref": "MyTopic86869434" + }, + "Endpoint": { "Fn::GetAtt": [ - "DeadLetterQueue9F481546", + "MyQueueE6CA6235", "Arn" ] + }, + "RedrivePolicy": { + "deadLetterTargetArn": { + "Fn::GetAtt": [ + "DeadLetterQueue9F481546", + "Arn" + ] + } } } - } - }, - "DeadLetterQueue9F481546": { - "Type": "AWS::SQS::Queue", - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "DeadLetterQueuePolicyB1FB890C": { - "Type": "AWS::SQS::QueuePolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sqs:SendMessage", - "Condition": { - "ArnEquals": { - "aws:SourceArn": { - "Ref": "MyTopic86869434" + }, + "DeadLetterQueue9F481546": { + "Type": "AWS::SQS::Queue", + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "DeadLetterQueuePolicyB1FB890C": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sqs:SendMessage", + "Condition": { + "ArnEquals": { + "aws:SourceArn": { + "Ref": "MyTopic86869434" + } } + }, + "Effect": "Allow", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Resource": { + "Fn::GetAtt": [ + "DeadLetterQueue9F481546", + "Arn" + ] } - }, - "Effect": "Allow", - "Principal": { - "Service": "sns.amazonaws.com" - }, - "Resource": { - "Fn::GetAtt": [ - "DeadLetterQueue9F481546", - "Arn" - ] } + ], + "Version": "2012-10-17" + }, + "Queues": [ + { + "Ref": "DeadLetterQueue9F481546" } - ], - "Version": "2012-10-17" - }, - "Queues": [ + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ { - "Ref": "DeadLetterQueue9F481546" + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } ] } } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file + } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-sns/lib/subscriber.ts b/packages/@aws-cdk/aws-sns/lib/subscriber.ts index a52ee834cab11..34753caf09c2f 100644 --- a/packages/@aws-cdk/aws-sns/lib/subscriber.ts +++ b/packages/@aws-cdk/aws-sns/lib/subscriber.ts @@ -1,4 +1,4 @@ -import { Construct } from 'constructs'; +import { Construct, IDependable } from 'constructs'; import { SubscriptionOptions } from './subscription'; import { ITopic } from './topic-base'; @@ -24,6 +24,15 @@ export interface TopicSubscriptionConfig extends SubscriptionOptions { * subscribing to. */ readonly subscriberId: string; + + /** + * The resources that need to be created before the subscription can be safely created. + * For example for SQS subscription, the subscription needs to have a dependency on the SQS queue policy + * in order for the subscription to successfully deliver messages. + * + * @default - empty list + */ + readonly subscriptionDependency?: IDependable; } /** diff --git a/packages/@aws-cdk/aws-sns/lib/topic-base.ts b/packages/@aws-cdk/aws-sns/lib/topic-base.ts index 01a12275d7bb0..4ace7453d7c67 100644 --- a/packages/@aws-cdk/aws-sns/lib/topic-base.ts +++ b/packages/@aws-cdk/aws-sns/lib/topic-base.ts @@ -80,8 +80,8 @@ export abstract class TopicBase extends Resource implements ITopic { /** * Subscribe some endpoint to this topic */ - public addSubscription(subscription: ITopicSubscription): Subscription { - const subscriptionConfig = subscription.bind(this); + public addSubscription(topicSubscription: ITopicSubscription): Subscription { + const subscriptionConfig = topicSubscription.bind(this); const scope = subscriptionConfig.subscriberScope || this; let id = subscriptionConfig.subscriberId; @@ -95,10 +95,18 @@ export abstract class TopicBase extends Resource implements ITopic { throw new Error(`A subscription with id "${id}" already exists under the scope ${scope.node.path}`); } - return new Subscription(scope, id, { + const subscription = new Subscription(scope, id, { topic: this, ...subscriptionConfig, }); + + // Add dependency for the subscription, for example for SQS subscription + // the queue policy has to deploy before the subscription is created + if (subscriptionConfig.subscriptionDependency) { + subscription.node.addDependency(subscriptionConfig.subscriptionDependency); + } + + return subscription; } /** diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sns/publish.integ.snapshot/aws-stepfunctions-tasks-sns-publish-integ.template.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sns/publish.integ.snapshot/aws-stepfunctions-tasks-sns-publish-integ.template.json index 243b67ba89b15..8cca2d08cb99d 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/sns/publish.integ.snapshot/aws-stepfunctions-tasks-sns-publish-integ.template.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/sns/publish.integ.snapshot/aws-stepfunctions-tasks-sns-publish-integ.template.json @@ -45,6 +45,7 @@ }, "showmethemessagesawsstepfunctionstaskssnspublishintegcooltopic8388C976F1D63091": { "Type": "AWS::SNS::Subscription", + "DependsOn": "showmethemessagesPolicyB08B04B0", "Properties": { "Protocol": "sqs", "TopicArn": {