@cawofeso cawofeso commented Mar 14, 2025

Issue

In Jan 2025 AWS announced support for cross-account targets for Amazon EventBridge Event Buses. For this to work, source event bus rules must have an IAM role that allows them to send events to specific targets.

Currently there is no way to add a role to an SNS target, which means that one is unable to add an SNS target from a different account. This PR is to enable adding a role when adding an SNS target, which follows a similar convention to other targets like Codebuild that allow adding a role.

This relates to issue raised - #33328

Reason for this change

Without this change, one is unable to add a cross-account SNS target for Amazon EventBridge Event Buses using the CDK L2 construct.

Description of changes

Updated the SNS target to allow one to include a role.

This follows a similar approach to other targets such as Codebuild that allow one to include a role (https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-events-targets/lib/codebuild.ts#L46)

Description of how you validated changes

Updated Unit and Integration Tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
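
The role the description refers to, sketched as an added example that is not code from this PR or from the CDK: the trust and permission policies for a role an EventBridge rule assumes to publish to an SNS topic in another account, plus a least-privilege check on them. `buildPolicies`, `auditRole` and both ARNs are hypothetical names and constructed values, and the `aws:SourceArn` condition is a hardening choice assumed here.

```typescript
// Added example: policies for a role an EventBridge rule assumes to publish
// to an SNS topic in another account, and an audit of them.
type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: { Service?: string };
  Action: string | string[];
  Resource?: string | string[];
  Condition?: Record<string, Record<string, string>>;
};
type Policy = { Version: "2012-10-17"; Statement: Statement[] };

const list = (v?: string | string[]): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// ARN layout: arn:partition:service:region:account-id:resource
const accountOf = (arn: string): string => arn.split(":")[4] || "";

function buildPolicies(ruleArn: string, topicArn: string): { trust: Policy; permissions: Policy } {
  return {
    trust: { Version: "2012-10-17", Statement: [{
      Effect: "Allow",
      Principal: { Service: "events.amazonaws.com" },
      Action: "sts:AssumeRole",
      // Confused-deputy guard: only this rule in this account may use the role.
      Condition: { StringEquals: { "aws:SourceArn": ruleArn, "aws:SourceAccount": accountOf(ruleArn) } },
    }] },
    permissions: { Version: "2012-10-17", Statement: [
      { Effect: "Allow", Action: "sns:Publish", Resource: topicArn },
    ] },
  };
}

function auditRole(trust: Policy, permissions: Policy, topicArn: string): string[] {
  const findings: string[] = [];
  const assume = trust.Statement.filter(s => s.Effect === "Allow" &&
    s.Principal?.Service === "events.amazonaws.com" && list(s.Action).includes("sts:AssumeRole"));
  if (assume.length === 0) findings.push("trust: events.amazonaws.com cannot assume the role");
  if (assume.some(s => !s.Condition?.StringEquals?.["aws:SourceArn"]))
    findings.push("trust: no aws:SourceArn condition");
  const allows = permissions.Statement.filter(s => s.Effect === "Allow");
  if (!allows.some(s => list(s.Action).includes("sns:Publish") && list(s.Resource).includes(topicArn)))
    findings.push("permissions: no explicit sns:Publish on the topic ARN");
  for (const s of allows) {
    if (list(s.Action).some(a => a !== "sns:Publish")) findings.push("permissions: action beyond sns:Publish");
    if (list(s.Resource).some(r => r !== topicArn)) findings.push("permissions: resource beyond the target topic");
  }
  return findings;
}
// Constructed sample ARNs: rule in account 111111111111, topic in 222222222222.
const RULE_ARN = "arn:aws:events:eu-west-1:111111111111:rule/orders-bus/notify";
const TOPIC_ARN = "arn:aws:sns:eu-west-1:222222222222:orders";
```

Because the topic lives in a different account, its resource policy must also allow this role to publish; the role's own policy is not sufficient on its own.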

@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 labels Mar 14, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team March 14, 2025 17:35

@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@cawofeso cawofeso changed the title feat(aws-events-target): Enable adding role for sns target to support cross account targets feat(events-target): Enable adding role for sns target to support cross account targets Mar 14, 2025
@cawofeso cawofeso changed the title feat(events-target): Enable adding role for sns target to support cross account targets feat(events-target): enable adding role for sns target to support cross account targets Mar 14, 2025
@cawofeso

Exemption Request: Appropriate changes have been made to the snapshot to ensure a role is created that EventBridge can assume.

The build is failing due to a breaking change with the IAM role; however, this should not have any impact on users, given a role with the correct permissions will still be automatically generated, mimicking the same behaviour as it has now.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Mar 14, 2025
@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 84428f1
  • Result: FAILED
  • Build Logs (available for 30 days)


@paulhcsun

Hi @cawofeso, while a role with the correct permissions would be created it is still considered a breaking change since existing stacks would have resources deleted. We do not allow this in stable modules so this change cannot be accepted as is.

@paulhcsun paulhcsun removed the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Apr 3, 2025
cawofeso commented Apr 3, 2025

> Hi @cawofeso, while a role with the correct permissions would be created it is still considered a breaking change since existing stacks would have resources deleted. We do not allow this in stable modules so this change cannot be accepted as is.

@paulhcsun I wanted to add this on as, firstly, it's been added for other targets and, secondly, adding it ensures that if multiple events have the same target, they will share a role.

We really do need CDK to support cross-account targets with SNS, so I am happy to take off using the singletonEventRole function and for it to default to the current behaviour should the user not provide a role, but again people might request in the future that if multiple events have the same target, they should share a role.

cawofeso commented Apr 4, 2025

I've noticed someone else has also decided to do almost the same PR, so I am closing this PR - #33976. Please can someone review that PR asap, as this is an issue for a lot of users.

@cawofeso cawofeso closed this Apr 4, 2025
github-actions bot commented Apr 4, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 4, 2025