fix(events): now EventBus.grantPutEventsTo correctly handles service principals (under feature flag)

[scorbiere]

Issue #22080

Closes #22080.

Reason for this change

When trying to grant PutEvents permissions to an AWS Service Principal using grantPutEventsTo, the method performed a no-op without any warnings or errors. This prevented users from properly granting permissions to service principals, even though this is a valid use case that can be done through the AWS Console. The change implements the correct behavior by creating an EventBusPolicy when dealing with service principals.

Description of changes

• Added special handling for service principals in EventBus.grantPutEventsTo method
• When granting permissions to a service principal, creates an EventBusPolicy instead of attempting to modify IAM policies
• Returns iam.Grant.drop() for service principals to indicate permissions are handled via EventBusPolicy
• Added test cases to verify both service principal and IAM principal scenarios

Describe any new or updated permissions being added

The change introduces the creation of EventBusPolicy resources with events:PutEvents permission when granting access to service principals. This is not a new permission, but rather a different way of granting the same permission through resource-based policies instead of identity-based policies.

Description of how you validated changes

Added new test cases that verify:

• EventBusPolicy is correctly created when granting permissions to service principals
• IAM policies are correctly created when granting permissions to IAM roles/users

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.38%. Comparing base (e307404) to head (96717bb).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33729   +/-   ##
=======================================
  Coverage   82.38%   82.38%           
=======================================
  Files         120      120           
  Lines        6937     6937           
  Branches     1170     1170           
=======================================
  Hits         5715     5715           
  Misses       1119     1119           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.38% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[moelasmar]

this is not a generic solution. We still have issues with other Principle types that does not implement addToPrincipalPolicy (or it can not linked to a Policy resource), like AccountPrincipal, AnyPrincipal.

EventBus resource supports the ResourcePolicy (AWS::Events::EventBusPolicy) .. so we should make the EventBus L2 to implement the interface IResourceWithPolicy, and to implements addToResourcePolicy function which looks it is already there.

Then you can change the implementation of this function from iam.Grant.addToPrincipal to be iam.Grant.addToPrincipalOrResource

[moelasmar]

one more thing, I am not sure if it is Ok to create multiple EventBusPolicy resources for the same EventBus or not .. we need to have an integ test case for that.

[moelasmar]

thanks Seb for raising this PR, I left some comment

[moelasmar]

to understand, what we are checking here different than the check in line 118

[scorbiere]

Right, this is confusing and this 2nd assertion doesn't add much value. I will re-write the assertions with helper functions in order to improve the readability.

[moelasmar]

I think in this integ test case, there is no difference between with feature flag, and without. In both cases the permissions will be added to the Role .. may be this test case is designed to verify that the current customer code will stay working. so, can we have a new integ test case to verify the new behaviour of grant method, and also, to verify that we can call grant method more than one in the new approach.

[moelasmar]

I think this test case is still valid, right ?

[scorbiere]

Yes, good catch.

[moelasmar]

I think the test title is wrong.

[moelasmar]

this one as well, has a wrong title

[moelasmar]

same here as well

[moelasmar]

what is the difference between this check and check in line 217

[moelasmar]

Thanks Seb, I still have some concern about the new integration test case

[moelasmar]

nit comment, and you can ignore it .. I believe the assert statement itself is clear, and does not need to be wrapped in a function

[scorbiere]

Fair enough, but I prefer the readability of the method name in the test.

[moelasmar]

nit: this test case is not a cross account test case, and there is no big difference vs test case creates only resource policy for service principal with source account condition from this change POV.

[scorbiere]

Right, I will remove it.

[moelasmar]

nit: I also believe this test case is redundant, I think from this change POV, the Service principal with account condition is not different from a normal service principal

[scorbiere]

Right, I will remove it as well.

[moelasmar]

similar to the previous comment, I expect to see some normal string value, instead of ref intrinsic function.

[moelasmar]

to understand, why do we care about this token .. how may this value change the process of adding the permissions?

[scorbiere]

This case was making sense when I was trying to use the Grant.addToPrincipalOrResource(...) method in EventBusBase.grantPutEventsTo(...). Which not the strategy used anymore. I will remove this test.

[moelasmar]

Can you add a test case to grant an imported role that is not managed by the CDK application. I expect in this scenario, we should see an Event Resource Policy instead of identity policy.

[scorbiere]

I will add that test case, but the template generated is:

ImportedRoleIdPolicy878A765C :: {
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": "events:PutEvents",
              "Effect": "Allow",
              "Resource": {
                "Fn::GetAtt": [ "EventBus7B8748AA", "Arn" ],
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "ImportedRoleIdPolicy878A765C",
        "Roles": [ "importedRoleName" ]
      },
      "Type": "AWS::IAM::Policy"
    }

Even when I use iam.Role.fromRoleArn(...). The code in Grant.addToPrincipal(...) call directly ImportedRole.addToPrincipalPolicy(...)

[moelasmar]

when you call fromRolexxx function, set mutable flag to false .. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.FromRoleArnOptions.html#mutable

This means that CDK could not attach policies to this Role.

[moelasmar]

this test case is also miss leading, if you checked the generated template, you will find the following:

• TargetEventBuscdkEventsServicePrincipalGrant11A8AC78 Event resource policy that grant events.amazonaws.com service to put event on eventBus TargetEventBus43DE6DE2 (this is the point we need to verify)
• But also, you will find ForwardingRuleEventsRoleDefaultPolicy5A4528E2 identity policy that grant role ForwardingRuleEventsRole9F12172A to put events on EventBus TargetEventBus43DE6DE2, and this role is attached to EventRule ForwardingRule6039FF0D which is linked to EventBus SourceEventBusA326BD45

So, I am not sure which policy is applied. .. can you try to change this logic, to add a lambda function that try to put some event to an event bus, and do not grant the function itself, but grant the Lambda Service, and see if this will work or not

[scorbiere]

Good catch, it seems that the EventBus class implementation (link) of the method bind automatically tries to add the put event policy on its associated role (type iam.IRole), which is not compatible with the service principal we are using in this integ test.

Since I can't think of a realistic use case where we would only use a service principal role, I will remove this integ test.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 96717bb
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.