fix(events): cross-account event targets that have a Role are broken (#15717)

When we started supporting cross-region event targets, we needed
to add a role to the event-bus target. At that point, we also
opted to fall back to the role that the event target requested
for itself.

However, that was wrong: the role used in that place is *only*
for passing events between event buses, and *never* for triggering
the actual target.

Solution: don't fall back, only use a special role for event passing.
In fact, don't even do it if the target isn't in a different region,
because apparently it's not necessary for cross-account event
passing at all.

Refactor the `events` code a little to make clear what is happening
and why, because it was starting to get messy.

Fixes #15639.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
rix0rrr authored Aug 13, 2021
1 parent a308cac commit f570c94
Showing 3 changed files with 291 additions and 126 deletions.
@@ -1,4 +1,4 @@
import { arrayWith, countResources, expect, haveResourceLike, not, objectLike } from '@aws-cdk/assert-internal';
import { ABSENT, arrayWith, countResources, expect, haveResourceLike, not, objectLike } from '@aws-cdk/assert-internal';
import * as codebuild from '@aws-cdk/aws-codebuild';
import * as codecommit from '@aws-cdk/aws-codecommit';
import * as codepipeline from '@aws-cdk/aws-codepipeline';
@@ -38,6 +38,91 @@ nodeunitShim({
test.done();
},

'cross-account CodeCommit Repository Source does not use target role in source stack'(test: Test) {
// Test for https://github.com/aws/aws-cdk/issues/15639
const app = new App();
const sourceStack = new Stack(app, 'SourceStack', { env: { account: '1234', region: 'north-pole' } });
const targetStack = new Stack(app, 'TargetStack', { env: { account: '5678', region: 'north-pole' } });

const repo = new codecommit.Repository(sourceStack, 'MyRepo', {
repositoryName: 'my-repo',
});

const sourceOutput = new codepipeline.Artifact();
new codepipeline.Pipeline(targetStack, 'MyPipeline', {
stages: [
{
stageName: 'Source',
actions: [
new cpactions.CodeCommitSourceAction({ actionName: 'Source', repository: repo, output: sourceOutput }),
],
},
{
stageName: 'Build',
actions: [
new cpactions.CodeBuildAction({ actionName: 'Build', project: new codebuild.PipelineProject(targetStack, 'MyProject'), input: sourceOutput }),
],
},
],
});

// THEN - creates a Rule in the source stack targeting the pipeline stack's event bus using a generated role
expect(sourceStack).to(haveResourceLike('AWS::Events::Rule', {
EventPattern: {
source: ['aws.codecommit'],
resources: [
{ 'Fn::GetAtt': ['MyRepoF4F48043', 'Arn'] },
],
},
Targets: [{
RoleARN: ABSENT,
Arn: {
'Fn::Join': ['', [
'arn:',
{ 'Ref': 'AWS::Partition' },
':events:north-pole:5678:event-bus/default',
]],
},
}],
}));

// THEN - creates a Rule in the pipeline stack using the role to start the pipeline
expect(targetStack).to(haveResourceLike('AWS::Events::Rule', {
'EventPattern': {
'source': [
'aws.codecommit',
],
'resources': [
{
'Fn::Join': [
'',
[
'arn:',
{ 'Ref': 'AWS::Partition' },
':codecommit:north-pole:1234:my-repo',
],
],
},
],
},
'Targets': [
{
'Arn': {
'Fn::Join': ['', [
'arn:',
{ 'Ref': 'AWS::Partition' },
':codepipeline:north-pole:5678:',
{ 'Ref': 'MyPipelineAED38ECF' },
]],
},
'RoleArn': { 'Fn::GetAtt': ['MyPipelineEventsRoleFAB99F32', 'Arn'] },
},
],
}));

test.done();
},

'does not poll for source changes and uses Events for CodeCommitTrigger.EVENTS'(test: Test) {
const stack = new Stack();

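Review bot: the source-stack assertion checks `RoleARN: ABSENT`, but the target property is spelled `RoleArn`, as in the target-stack assertion further down in this same test. With the wrong casing the key never exists in the template, so the `ABSENT` match passes whether or not a role is attached to the event-bus target, and the test would not catch a regression of the issue it names (#15639). Suggest changing it to `RoleArn: ABSENT`. The comment above that assertion also says the rule targets the event bus "using a generated role", which contradicts both the test name and the assertion that no role is present; reword it to say the same-region cross-account bus target carries no role.
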