4

I use CDK to deploy a CodePipeline. It works fine until I try to add notifications for CodePipeline success/fail events. It gives a CREATE_FAILED error with the message Resource handler returned message: "Invalid request provided: AWS::CodeStarNotifications::NotificationRule" (RequestToken: bb566fd0-1ac9-5d61-03fe-f9c27b4196fa, HandlerErrorCode: InvalidRequest). What could be the reason? Thanks.

    import * as codepipeline from "@aws-cdk/aws-codepipeline";
    import * as codepipeline_actions from "@aws-cdk/aws-codepipeline-actions";
    import * as codestar_noti from "@aws-cdk/aws-codestarnotifications";
    import * as sns from "@aws-cdk/aws-sns";

    // Pipeline definition elided in the question
    const pipeline = new codepipeline.Pipeline(...);
    // The SNS topic already exists; it is imported by ARN, not created by this stack
    const topicArn = props.sns_arn_for_developer;
    const targetTopic = sns.Topic.fromTopicArn(
      this,
      "sns-notification-topic",
      topicArn
    );
    // Notification rule for pipeline execution events, delivered to the imported topic
    new codestar_noti.NotificationRule(this, "Notification", {
      detailType: codestar_noti.DetailType.BASIC,
      events: [
        "codepipeline-pipeline-pipeline-execution-started",
        "codepipeline-pipeline-pipeline-execution-failed",
        "codepipeline-pipeline-pipeline-execution-succeeded",
        "codepipeline-pipeline-pipeline-execution-canceled",
      ],
      source: pipeline,
      targets: [targetTopic],
    });

Here is a snippet of the generated CloudFormation template.

    "Notification2267453E": {
      "Type": "AWS::CodeStarNotifications::NotificationRule",
      "Properties": {
        "DetailType": "BASIC",
        "EventTypeIds": [
          "codepipeline-pipeline-pipeline-execution-started",
          "codepipeline-pipeline-pipeline-execution-failed",
          "codepipeline-pipeline-pipeline-execution-succeeded",
          "codepipeline-pipeline-pipeline-execution-canceled"
        ],
        "Name": "sagemakerbringyourownNotification36194CEC",
        "Resource": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":codepipeline:ap-southeast-1:305326993135:",
              {
                "Ref": "sagemakerbringyourownpipeline0A8C43B1"
              }
            ]
          ]
        },
        "Targets": [
          {
            "TargetAddress": "arn:aws:sns:ap-southeast-1:305326993135:whitespace_alerts",
            "TargetType": "SNS"
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "sagemaker-bring-your-own/Notification/Resource"
      }
    },
Qinjie
  • Can you confirm the SNS Topic exists? – gshpychka Feb 08 '22 at 09:32
  • @gshpychka, yes, it exists. I have to manually add permission into the AssessPolicy of the SNS Topic for the notification to work. – Qinjie Feb 09 '22 at 05:06
  • @Qinjie Can you explain what you mean by "add permission into the AssessPolicy of the SNS Topic." What permission do you have to add? And were you unable to add it through CDK? – fool4jesus Feb 26 '22 at 15:56
  • @fool4jesus, when you view a SNS topic details, you will see Subscriptions, Access policy, Delivery retry policy etc at the bottom. Click on "Access policy". – Qinjie Feb 28 '22 at 02:16

3 Answers

4

FWIW, I got the exact same error "Invalid request provided: AWS::CodeStarNotifications::NotificationRule" from a CDK app where the Topic was created (not imported). It turned out to be a transient issue, because it succeeded the second time without any changes. I suspect it was due to a very large ECR image which was built the first time as part of the deploy and which took quite some time. My speculation is that the Topic timed out and got into some kind of weird state waiting for the NotificationRule to be created.

Kris Dover
  • Same for me, it succeeded the second time. – Vasiliki Oct 19 '22 at 09:24
  • Same here. Deleted stack and ran it again. – badfun Jan 11 '23 at 19:00
  • I found this error message in CloudTrail. "*Creation of this role might take up to 15 minutes. Until it exists, notification rule creation will fail. Wait 15 minutes, and then try again. If this is is not the first time you are creating a notification rule, there might be a problem with a network connection, or one or more AWS services might be experiencing issues*" – Sujith C P Jun 05 '23 at 12:00
0

This is because imported resources cannot be modified. As you pointed out in the comments, setting up the notification involves modifying the Topic resource, specifically its access policy.

Reference: https://docs.aws.amazon.com/cdk/v2/guide/resources.html#resources_importing

gshpychka
0

I was able to solve this by doing the following in that order:

  1. First removing the below statement from the resource policy of the SNS topic.
  2. Then deploying the stack (which interestingly doesn't add anything to the resource policy).
  3. Once the stack deployment finishes, update the resource policy manually to add the below statement.
    {
      "Sid": "AWSCodeStarNotifications_publish",
      "Effect": "Allow",
      "Principal": {
        "Service": "codestar-notifications.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:ap-south-1:xxxxxxxxx:test"
    }
Suresh
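The access-policy grant that step 3 of this answer and gshpychka's answer describe, as an added Python helper (not code from any answer on this page): it checks an SNS topic access policy for a statement that lets codestar-notifications.amazonaws.com publish to the topic and appends this answer's statement only when it is missing, so the script can be run repeatedly around a `cdk deploy`. The topic ARN, account number and sample policy are constructed.

```python
import json

CODESTAR_SERVICE = "codestar-notifications.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:ap-south-1:111122223333:test"  # constructed placeholder

# Constructed sample: the owner-only default policy a new topic gets.
# It has no statement for the codestar-notifications service principal.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Publish", "SNS:Subscribe"],
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def has_codestar_publish(policy_json, topic_arn):
    """True if an Allow statement with an explicit Service principal lets
    codestar-notifications publish to topic_arn (or to any resource)."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if (stmt.get("Effect") == "Allow"
                and CODESTAR_SERVICE in services
                and actions & {"sns:publish", "sns:*"}
                and (topic_arn in resources or "*" in resources)):
            return True
    return False


def grant_codestar_publish(policy_json, topic_arn):
    """Return the policy with this answer's statement appended; unchanged if present."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    if not has_codestar_publish(policy_json, topic_arn):
        statements.append({  # least privilege: one service principal, one action, one topic
            "Sid": "AWSCodeStarNotifications_publish",
            "Effect": "Allow",
            "Principal": {"Service": CODESTAR_SERVICE},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
        })
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)
```

Read the live policy with `aws sns get-topic-attributes --topic-arn <arn>` (the `Policy` attribute), pass it through `grant_codestar_publish`, and write the result back with `aws sns set-topic-attributes --topic-arn <arn> --attribute-name Policy --attribute-value file://policy.json`.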