[sqs] Circular dependency between resources when encrypting sqs queue with kms and assigning target to rule
I am setting up an EventBridge rule that will forward events from Macie to SQS. Everything works fine until I add `encryptionMasterKey` to the queue. I either have to remove the `.encryptionMasterKey` or remove the `.target()` to avoid the circular dependency error.
Reproduction Steps
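```kotlin
import software.amazon.awscdk.services.events.EventPattern
import software.amazon.awscdk.services.events.Rule
import software.amazon.awscdk.services.events.targets.SqsQueue
import software.amazon.awscdk.services.sqs.Queue
import software.amazon.awscdk.services.sqs.QueueEncryption

// `scope` is the enclosing construct and `key` is a KMS key, both defined elsewhere.
val queue = Queue.Builder.create(scope, "MacieReportQueue")
    .queueName("MacieReportQueue")
    // TODO: FIXME: KMS Circular dependency error when combined with target
    // https://github.com/aws/aws-cdk/issues/3067
    .encryption(QueueEncryption.KMS)
    .encryptionMasterKey(key)
    .build()
val target = SqsQueue.Builder.create(queue).build()
val rule = Rule.Builder.create(scope, "MacieToSqsEventBridgeRule")
    .ruleName("MacieToSqsEventBridgeRule")
    .description("Sends messages to SQS if Macie finds sensitive information")
    .targets(listOf(target))
    .eventPattern(EventPattern.builder()
        .source(listOf("aws.macie"))
        .build()
    )
    .build()
```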
What did you expect to happen?
No circular dependency error. Queue should be encrypted.
What actually happened?
Circular dependency between resources: [MacieReportQueue7D1A954B, MacieReportQueuePolicy84D89C73, MacieToSqsEventBridgeRule498CF606, MacieReportQueueKeyAliasA0A0C899, MacieReportQueueKeyF608AAD8]
Environment
- CLI Version: 1.67.0 (build 2b4dd71)
- Framework Version: 1.67.0
- Node.js Version: v14.13.1
- OS: Mac 10.14.6
- Language (Version): Java 8
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:13 (6 by maintainers)
I’m using the CFN class to circumvent this problem for now.
You will also need to define the following permissions
Taking a look at this one. I’m planning to remove the condition from being added here: https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-events-targets/lib/sqs.ts#L58-L60 in the case where the queue is encrypted.
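As an added illustration (not code from the issue or from the CDK), the Python below finds a dependency loop in a CloudFormation-style template by following `Ref` and `Fn::GetAtt`. The template is constructed: its short logical IDs stand in for the resources named in the error, and placing the rule-ARN condition in the key policy as well as the queue policy is an assumption, made to show how such a condition can close the loop Key → Rule → Queue → Key.

```python
def build_template(scope_key_grant_to_rule=True):
    """Constructed sample; logical IDs and references are assumptions, not synthesized output."""
    events = {"Service": "events.amazonaws.com"}
    from_rule = {"ArnEquals": {"aws:SourceArn": {"Fn::GetAtt": ["Rule", "Arn"]}}}
    key_stmt = {"Effect": "Allow", "Principal": events, "Action": "kms:GenerateDataKey*"}
    queue_stmt = {"Effect": "Allow", "Principal": events, "Action": "sqs:SendMessage", "Condition": from_rule}
    if scope_key_grant_to_rule:
        key_stmt["Condition"] = from_rule  # the key policy now references the rule
    return {"Resources": {
        "Key": {"Type": "AWS::KMS::Key", "Properties": {"KeyPolicy": {"Statement": [key_stmt]}}},
        "KeyAlias": {"Type": "AWS::KMS::Alias", "Properties": {"TargetKeyId": {"Ref": "Key"}}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": {"Fn::GetAtt": ["Key", "Arn"]}}},
        "QueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
            "Queues": [{"Ref": "Queue"}], "PolicyDocument": {"Statement": [queue_stmt]}}},
        "Rule": {"Type": "AWS::Events::Rule", "Properties": {
            "Targets": [{"Id": "Target0", "Arn": {"Fn::GetAtt": ["Queue", "Arn"]}}]}},
    }}

def refs(node):
    """Yield names reached through Ref or Fn::GetAtt (Fn::Sub strings are not parsed)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("Ref", "Fn::GetAtt"):
                # GetAtt is ["Id", "Attr"] or "Id.Attr"; Ref is a plain "Id"
                yield value[0] if isinstance(value, list) else value.split(".")[0]
            else:
                yield from refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from refs(item)

def find_cycle(template):
    """Return one dependency loop as a list of logical IDs, or None if there is none."""
    res = template["Resources"]
    # Keep only references to resources; pseudo parameters such as AWS::Region drop out.
    graph = {n: sorted(set(refs(b)) & set(res)) for n, b in res.items()}
    state = {}  # logical ID -> "visiting" (on the DFS stack) or "done"
    def visit(name, path):
        state[name] = "visiting"
        for dep in graph[name]:
            if state.get(dep) == "visiting":
                return path[path.index(dep):] + [dep]
            found = None if dep in state else visit(dep, path + [dep])
            if found:
                return found
        state[name] = "done"
    for name in sorted(graph):
        found = None if name in state else visit(name, [name])
        if found:
            return found
```

With `scope_key_grant_to_rule=False` the loop disappears, and the key grant to `events.amazonaws.com` is then no longer tied to this one rule.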