fix(aws-autoscaling): notificationTargetArn should be optional in LifecycleHook

allowed-breaking-changes.txt

@@ -86,3 +86,10 @@ removed:@aws-cdk/aws-stepfunctions-tasks.EmrCreateClusterProps.autoTerminationPo
 # Changed property securityGroupId to optional because either securityGroupId or 
 # securityGroupName is required. Therefore securityGroupId is no longer mandatory.
 weakened:@aws-cdk/cloud-assembly-schema.SecurityGroupContextQuery
+
+# refactor autoscaling lifecycle hook target bind() methods to make role optional by
+# having bind() methods create the role if it isn't passed to them 
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.FunctionHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.QueueHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.TopicHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling.ILifecycleHookTarget.bind

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/lambda-hook.ts

@@ -8,7 +8,7 @@ import { TopicHook } from './topic-hook';
 
 // keep this import separate from other imports to reduce chance for merge conflicts with v2-main
 // eslint-disable-next-line no-duplicate-imports, import/order
-import { Construct } from '@aws-cdk/core';
+import { Construct } from 'constructs';
 
 /**
  * Use a Lambda Function as a hook target
@@ -23,16 +23,23 @@ export class FunctionHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly fn: lambda.IFunction, private readonly encryptionKey?: kms.IKey) {
   }
 
-  public bind(scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    const topic = new sns.Topic(scope, 'Topic', {
+  /**
+   * If the `IRole` does not exist in `options`, will create an `IRole` and an SNS Topic and attach both to the lifecycle hook.
+   * If the `IRole` does exist in `options`, will only create an SNS Topic and attach it to the lifecycle hook.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const topic = new sns.Topic(_scope, 'Topic', {
       masterKey: this.encryptionKey,
     });
+
+    const role = autoscaling.createRole(_scope, options.role);
+
     // Per: https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
     // Topic's grantPublish() is in a base class that does not know there is a kms key, and so does not
     // grant appropriate permissions to the kms key. We do that here to ensure the correct permissions
     // are in place.
-    this.encryptionKey?.grant(lifecycleHook.role, 'kms:Decrypt', 'kms:GenerateDataKey');
+    this.encryptionKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey');
     topic.addSubscription(new subs.LambdaSubscription(this.fn));
-    return new TopicHook(topic).bind(scope, lifecycleHook);
+    return new TopicHook(topic).bind(_scope, { lifecycleHook: options.lifecycleHook, role });
   }
 }

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/queue-hook.ts

@@ -1,6 +1,9 @@
 import * as autoscaling from '@aws-cdk/aws-autoscaling';
 import * as sqs from '@aws-cdk/aws-sqs';
-import { Construct } from '@aws-cdk/core';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from 'constructs';
 
 /**
  * Use an SQS queue as a hook target
@@ -9,8 +12,19 @@ export class QueueHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly queue: sqs.IQueue) {
   }
 
-  public bind(_scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    this.queue.grantSendMessages(lifecycleHook.role);
-    return { notificationTargetArn: this.queue.queueArn };
+  /**
+   * If an `IRole` is found in `options`, grant it access to send messages.
+   * Otherwise, create a new `IRole` and grant it access to send messages.
+   *
+   * @returns the `IRole` with access to send messages and the ARN of the queue it has access to send messages to.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const role = autoscaling.createRole(_scope, options.role);
+    this.queue.grantSendMessages(role);
+
+    return {
+      notificationTargetArn: this.queue.queueArn,
+      createdRole: role,
+    };
   }
 }

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/topic-hook.ts

@@ -1,6 +1,9 @@
 import * as autoscaling from '@aws-cdk/aws-autoscaling';
 import * as sns from '@aws-cdk/aws-sns';
-import { Construct } from '@aws-cdk/core';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from 'constructs';
 
 /**
  * Use an SNS topic as a hook target
@@ -9,8 +12,19 @@ export class TopicHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly topic: sns.ITopic) {
   }
 
-  public bind(_scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    this.topic.grantPublish(lifecycleHook.role);
-    return { notificationTargetArn: this.topic.topicArn };
+  /**
+   * If an `IRole` is found in `options`, grant it topic publishing permissions.
+   * Otherwise, create a new `IRole` and grant it topic publishing permissions.
+   *
+   * @returns the `IRole` with topic publishing permissions and the ARN of the topic it has publishing permission to.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const role = autoscaling.createRole(_scope, options.role);
+    this.topic.grantPublish(role);
+
+    return {
+      notificationTargetArn: this.topic.topicArn,
+      createdRole: role,
+    };
   }
 }