aws-events: EventBus and EventBusPolicy only accept a single statement

[ctobolski]

Describe the bug

The EventBus only accepts a single IAM statement in the policy. If I want to grant multiple principals different access to a bus, it should be possible with addToResourcePolicy, but that method explicitly denies additional statements. Defining an EventBusPolicy does not alleviate the issue, because EventBusPolicy also only accepts a single iam.PolicyStatement.

Expected Behavior

The documentation for EventBusPolicy and EventBus indicate that additional permissions should be added through the addToResourcePolicy method.
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBus.html#applywbrremovalwbrpolicypolicy
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusPolicy.html

Policies define the operations that are allowed on this resource.

You almost never need to define this construct directly.

All AWS resources that support resource policies have a method called addToResourcePolicy(), which will automatically >create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.

Prefer to use addToResourcePolicy() instead.

Expected behavior would be that addToResourcePolicy creates or updates the existing resource policy with additional statements.

Current Behavior

New statements are silently ignored, and the construct does not support adding additional permissions.
It looks like the behavior to only accept a single statement is codified in the addToResourcePolicy implementation. Shouldn't the policy contain a policy document rather than a single statement?

https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-events/lib/event-bus.ts#L341

It seems odd that not having a SID would cause an error to be thrown, while not adding new permissions would allow execution to continue and potentially deploy a change that doesn't have the correct policy.

Reproduction Steps

Create a bus, add multiple resource policies

import * as events from 'aws-cdk-lib/aws-events';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class BusStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props);
    const bus = new events.EventBus(this, 'my-bus', {
      eventBusName: 'my-bus'
    });

    const externalPrincipal1 = new iam.AccountPrincipal('someaccountid');
    const addPublishForFooSource = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [externalPrincipal1],
      sid: `uniquesid1`,
      resources: [bus.eventBusArn],
      actions: ['events:PutEvents'],
    });
    addPublishForFooSource.addCondition('StringEquals', { 'events:source': ['foo'] });
    //succeeds
    bus.addToResourcePolicy(addPublishForFooSource);

    const externalPrincipal2 = new iam.AccountPrincipal('someotheraccountid');
    const  addPublishForBarSource = new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [externalPrincipal2],
      sid: `uniquesid2`,
      resources: [bus.eventBusArn],
      actions: ['events:PutEvents'],
    });
    addPublishForFooSource.addCondition('StringEquals', { 'events:source': ['bar'] });
    //no error thrown, but no policy update
    bus.addToResourcePolicy(addPublishForBarSource);
  }
}

Possible Solution

Modify the EventBusPolicy to accept a PolicyDocument rather than a PolicyStatement, and update the addToResourcePolicy to append new statements to the existing policy.

Additional Information/Context

No response

CDK CLI Version

2.69

Framework Version

No response

Node.js Version

v16.17.1

OS

OSX

Language

Typescript

Language Version

No response

Other information

No response

[khushail]

Hi @ctobolski , thanks for reporting this issue and sharing the code snippet. I am able to reproduce this.

Currently I am marking this as P2 (which would mean it won't be worked upon immediately). We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for re-prioritization.

However if you would like to contribute, here is the contributing guide to get started.

[micro-jumbo]

👍🏼

[jsvasquez]

+1 and fixing.

I'll take care of this.

[postsa]

@ctobolski + @khushail I opened up #27340 with a fix.

It looks like the behavior to only accept a single statement is codified in the addToResourcePolicy implementation. Shouldn't the policy contain a policy document rather than a single statement?

Currently, the CFN construct for an EventBusPolicy takes only a single statement. However, updating addToResourcePolicy to accept additional statements on subsequent calls and creating new a policy for each results in the expected behavior.

[postsa]

@jsvasquez if you have a chance to review the above I would appreciate it!

[bs-u27]

+1

[phadadi]

+1

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.