CDK: EventBridge Rule with an SqsQueue, KMS_MANAGED encryption target doesn't error #30549
Labels
@aws-cdk/aws-events
Related to CloudWatch Events
bug
This issue is a bug.
closed-for-staleness
This issue was automatically closed because it hadn't received any attention in a while.
needs-reproduction
This issue needs reproduction.
response-requested
Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Describe the bug
Setting up EventBridge with a rule to a KMS_MANAGED SQS queue is invalid according to: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse
CDK synth should error out and force the developer to configure SQS using a customer master key
Expected Behavior
For CDK synth to error out
Current Behavior
Allows the configuration synth and be pushed. No warning or logs are provided that makes users aware of this behavior except the documentation.
Reproduction Steps
aws_events_targets
callsgrantSendMessages
on the Queue expecting this to grant all of the required permissions. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/sqs.ts#L72)grantSendMessages
only configuresgrantEncryptDecrypt
if the queue has a CMK and aencryptionMasterKey
property. (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue-base.ts#L228) ((The key policy for a KMS managed key cannot be configured and does not include this permission.))encryptionMasterKey
is unset. https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-sqs/lib/queue.ts#L482[An SQS queue cannot use KMS_MANAGED encryption when using AWS services as an event source.](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse)Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.135
Framework Version
No response
Node.js Version
v16.17.1
OS
Macos 14.5
Language
Python
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: