12

I am creating S3, SQS, and KMS resources using aws cdk. I enabled encryption on the S3 and SQS resources. When I enabled the notification from S3 to SQS, I am getting a circular dependency error. When I remove the KMS settings from my code, it works.

GitHub repo: https://github.com/techcoderunner/s3-sqs-kms-sample

from aws_cdk import aws_kms as kms
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_s3_notifications as s3notif

kms_key = kms.Key(self, 'ssl_s3_sqs_kms_key',
    alias='sslS3SqsKmsKey',
    description='This is kms key',
    enabled=True,
    enable_key_rotation=True,
    policy=kms_policy_document,
)

# Create the S3 bucket
bucket = s3.Bucket(
    self, "ssl_s3_bucket_raw_kms",
    bucket_name="ssl-s3-bucket-kms-raw",
    encryption=s3.BucketEncryption.KMS,
    encryption_key=kms_key,
)

# Create the SQS queue
queue = sqs.Queue(
    self, "ssl_sqs_event_queue",
    queue_name="ssl-sqs-kms-event-queue",
    encryption=sqs.QueueEncryption.KMS,
    encryption_master_key=kms_key,
)

# Create S3 notification object which points to SQS
notification = s3notif.SqsDestination(queue)
filter1 = s3.NotificationKeyFilter(prefix="home/")

# Attach notificaton event to S3 bucket
bucket.add_event_notification(s3.EventType.OBJECT_CREATED,notification,filter1)
Sachin Suresh
  • 121
  • 1
  • 6

1 Answers1

1

I opened a GitHub bug report for this.

It looks like the root problem is that the following condition is added to the KMS key:

CDK output template ssls3sqskmskey83E47315.Properties.KeyPolicy.Statement[1]:

{
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
         "kms:ReEncrypt*",
         "kms:GenerateDataKey*"
     ],
     "Condition": {
        "ArnLike": {
            "aws:SourceArn": {
                "Fn::GetAtt": [
                    "ssls3bucketrawkms4B1E1122",
                    "Arn"
                 ]
             }
         }
     },
},

The S3 bucket depends on the KMS key for encryption, and the KMS key has a condition that depends on the S3 bucket.

Workaround

I was able to deploy the stack after using escape hatches to delete the condition:

# Delete the circular reference
cfn_kms_key = kms_key.node.default_child
cfn_kms_key.add_property_deletion_override("KeyPolicy.Statement.1")

workaround code available here

Ryan
  • 1,482
  • 2
  • 11
  • 19