fix(events-targets): circular dependency when adding a KMS-encrypted …

…SQS queue (#14638)

fixes #11158


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-events-targets/lib/sqs.ts

@@ -52,14 +52,15 @@ export class SqsQueue implements events.IRuleTarget {
    * @see https://docs.aws.amazon.com/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#sqs-permissions
    */
   public bind(rule: events.IRule, _id?: string): events.RuleTargetConfig {
+    // Only add the rule as a condition if the queue is not encrypted, to avoid circular dependency. See issue #11158.
+    const principalOpts = this.queue.encryptionMasterKey ? {} : {
+      conditions: {
+        ArnEquals: { 'aws:SourceArn': rule.ruleArn },
+      },
+    };
+
     // deduplicated automatically
-    this.queue.grantSendMessages(new iam.ServicePrincipal('events.amazonaws.com',
-      {
-        conditions: {
-          ArnEquals: { 'aws:SourceArn': rule.ruleArn },
-        },
-      }),
-    );
+    this.queue.grantSendMessages(new iam.ServicePrincipal('events.amazonaws.com', principalOpts));
 
     return {
       arn: this.queue.queueArn,

packages/@aws-cdk/aws-events-targets/package.json

@@ -93,6 +93,7 @@
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kinesis": "0.0.0",
     "@aws-cdk/aws-kinesisfirehose": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",
@@ -114,6 +115,7 @@
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kinesis": "0.0.0",
     "@aws-cdk/aws-kinesisfirehose": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "@aws-cdk/aws-lambda": "0.0.0",
     "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/aws-sns": "0.0.0",

packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.expected.json

@@ -1,5 +1,53 @@
 {
   "Resources": {
+    "MyKey6AB29FA6": {
+      "Type": "AWS::KMS::Key",
+      "Properties": {
+        "KeyPolicy": {
+          "Statement": [
+            {
+              "Action": "kms:*",
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":iam::",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":root"
+                    ]
+                  ]
+                }
+              },
+              "Resource": "*"
+            },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "events.amazonaws.com"
+              },
+              "Resource": "*"
+            }
+          ],
+          "Version": "2012-10-17"
+        }
+      },
+      "UpdateReplacePolicy": "Retain",
+      "DeletionPolicy": "Retain"
+    },
     "MyRuleA44AB831": {
       "Type": "AWS::Events::Rule",
       "Properties": {
@@ -20,6 +68,14 @@
     },
     "MyQueueE6CA6235": {
       "Type": "AWS::SQS::Queue",
+      "Properties": {
+        "KmsMasterKeyId": {
+          "Fn::GetAtt": [
+            "MyKey6AB29FA6",
+            "Arn"
+          ]
+        }
+      },
       "UpdateReplacePolicy": "Delete",
       "DeletionPolicy": "Delete"
     },
@@ -34,16 +90,6 @@
                 "sqs:GetQueueAttributes",
                 "sqs:GetQueueUrl"
               ],
-              "Condition": {
-                "ArnEquals": {
-                  "aws:SourceArn": {
-                    "Fn::GetAtt": [
-                      "MyRuleA44AB831",
-                      "Arn"
-                    ]
-                  }
-                }
-              },
               "Effect": "Allow",
               "Principal": {
                 "Service": "events.amazonaws.com"

packages/@aws-cdk/aws-events-targets/test/sqs/integ.sqs-event-rule-target.ts

@@ -1,4 +1,5 @@
 import * as events from '@aws-cdk/aws-events';
+import * as kms from '@aws-cdk/aws-kms';
 import * as sqs from '@aws-cdk/aws-sqs';
 import * as cdk from '@aws-cdk/core';
 import * as targets from '../../lib';
@@ -12,11 +13,17 @@ const app = new cdk.App();
 
 const stack = new cdk.Stack(app, 'aws-cdk-sqs-event-target');
 
+const key = new kms.Key(stack, 'MyKey');
+
 const event = new events.Rule(stack, 'MyRule', {
   schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
 });
 
-const queue = new sqs.Queue(stack, 'MyQueue');
+const queue = new sqs.Queue(stack, 'MyQueue', {
+  encryption: sqs.QueueEncryption.KMS,
+  encryptionMasterKey: key,
+});
+
 event.addTarget(new targets.SqsQueue(queue));
 
 app.synth();