feat(events): dead letter queue for Lambda Targets #11617
Changes from 2 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,8 @@ | ||
| import * as events from '@aws-cdk/aws-events'; | ||
| import * as iam from '@aws-cdk/aws-iam'; | ||
| import * as lambda from '@aws-cdk/aws-lambda'; | ||
| import { Construct, ConstructNode, IConstruct, Names } from '@aws-cdk/core'; | ||
| import * as sqs from '@aws-cdk/aws-sqs'; | ||
| import { Construct, ConstructNode, IConstruct, Names, Stack } from '@aws-cdk/core'; | ||
|
|
||
| /** | ||
| * Obtain the Role for the EventBridge event | ||
|
|
@@ -45,3 +46,36 @@ export function addLambdaPermission(rule: events.IRule, handler: lambda.IFunctio | |
| }); | ||
| } | ||
| } | ||
|
|
||
|
|
||
| export function addToDeadLetterQueueResourcePolicy(rule: events.IRule, queue: sqs.IQueue) { | ||
|
||
| const ruleParsedStack = Stack.of(rule); | ||
|
||
| const queueParsedStack = Stack.of(queue); | ||
|
|
||
| if (ruleParsedStack.region !== queueParsedStack.region) { | ||
|
||
| throw new Error(`Cannot assign Dead Letter Queue to the rule ${rule}. Both the queue and the rule must be in the same region`); | ||
|
||
| } | ||
|
|
||
| // Skip Resource Policy creation if the Queue is not in the same account. | ||
| // There is no way to add a target onto an imported rule, so we can assume we will run the following code only | ||
| // in the account where the rule is created. | ||
|
Comment on lines +63 to +65
Contributor: There is also a common use case where a stack creates a rule on a bus in another account. Will this work when the rule is in a different account than the target and the queue?
Contributor: Actually, looks like it will work based on the blog (last role). But it does mean that the rule and the queue can be in separate accounts. The comment is just not quite accurate. |
||
|
|
||
| if (ruleParsedStack.account === queueParsedStack.account) { | ||
| const policyStatementId = `AllowEventRule${Names.nodeUniqueId(rule.node)}`; | ||
|
|
||
| queue.addToResourcePolicy(new iam.PolicyStatement({ | ||
| sid: policyStatementId, | ||
| principals: [new iam.ServicePrincipal('events.amazonaws.com')], | ||
| effect: iam.Effect.ALLOW, | ||
| actions: ['sqs:SendMessage'], | ||
| resources: [queue.queueArn], | ||
| conditions: { | ||
| ArnEquals: { | ||
| 'aws:SourceArn': rule.ruleArn, | ||
| }, | ||
| }, | ||
| })); | ||
| } else { | ||
| // Maybe we could post a warning telling the user to create the permission in the target account manually ? | ||
|
||
| } | ||
| } | ||
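Review bot: the `else` branch of the account comparison at the end of the hunk leaves the cross-account case completely silent: a region mismatch throws, but a queue in another account gets no resource policy and no diagnostic, so the dead letter queue will never receive events until someone grants `sqs:SendMessage` to `events.amazonaws.com` on the queue by hand. Either surface a warning on the construct (the core `Annotations` API) or state the required queue policy in the function's doc comment, and resolve the leftover `// Maybe we could post a warning ...` comment before merging. Two smaller points: `ruleParsedStack.region !== queueParsedStack.region` compares raw strings, so when either stack is environment-agnostic the region is an unresolved token and two stacks that deploy to the same region can still trip the throw (check `Token.isUnresolved` on both values before comparing); and the `ArnEquals` condition on `aws:SourceArn` scoped to `rule.ruleArn` is the right confused-deputy guard for a service principal grant, so keep that shape when the cross-account path is implemented.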