【Question title】: How to solve circular dependency between AWS resources using AWS CDK
【Posted】: 2020-11-08 18:33:29
【Question description】:

I am using AWS CDK to create S3, SQS and KMS resources. I have encryption enabled on the S3 and SQS resources. When I enable notifications from S3 to SQS, I get a circular dependency error. When I remove the KMS settings from my code, it works.

GitHub repo: https://github.com/techcoderunner/s3-sqs-kms-sample

from aws_cdk import aws_kms as kms
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_s3_notifications as s3notif

# This runs inside a Stack's __init__, so `self` is the stack.
# `kms_policy_document` is an iam.PolicyDocument defined earlier in the stack (not shown here).
kms_key = kms.Key(self, 'ssl_s3_sqs_kms_key',
    alias='sslS3SqsKmsKey',
    description='This is kms key',
    enabled=True,
    enable_key_rotation=True,
    policy=kms_policy_document,
)

# Create the S3 bucket, encrypted with the customer-managed KMS key
bucket = s3.Bucket(
    self, "ssl_s3_bucket_raw_kms",
    bucket_name="ssl-s3-bucket-kms-raw",
    encryption=s3.BucketEncryption.KMS,
    encryption_key=kms_key,
)

# Create the SQS queue, encrypted with the same KMS key
queue = sqs.Queue(
    self, "ssl_sqs_event_queue",
    queue_name="ssl-sqs-kms-event-queue",
    encryption=sqs.QueueEncryption.KMS,
    encryption_master_key=kms_key,
)

# Create S3 notification object which points to SQS
notification = s3notif.SqsDestination(queue)
filter1 = s3.NotificationKeyFilter(prefix="home/")

# Attach notification event to S3 bucket (this is the step that triggers the circular dependency)
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, notification, filter1)

【Question discussion】:

  • Have you tried simply using two separate KMS keys?

Tags: amazon-web-services aws-cdk


【Solution 1】:

I opened a GitHub bug report for this.

It looks like the root issue is that the following condition is added to the KMS key:

CDK output template ssls3sqskmskey83E47315.Properties.KeyPolicy.Statement[1]:

{
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": {
                "Fn::GetAtt": [
                    "ssls3bucketrawkms4B1E1122",
                    "Arn"
                ]
            }
        }
    },
},

The S3 bucket depends on the KMS key for encryption, and the KMS key has a condition that depends on the S3 bucket.

Workaround

After removing the condition with escape hatches, I was able to deploy the stack:

# Delete the circular reference: drop the key-policy statement whose
# aws:SourceArn condition points back at the bucket
cfn_kms_key = kms_key.node.default_child  # the underlying L1 CfnKey construct
cfn_kms_key.add_property_deletion_override("KeyPolicy.Statement.1")

Workaround code available here.

【Discussion】:
