Menu
I am creating S3, SQS, and KMS resources using aws cdk. I enabled encryption on the S3 and SQS resources. When I enabled the notification from S3 to SQS, I am getting a circular dependency error. When I remove the KMS settings from my code, it works.
GitHub repo: https://github.com/techcoderunner/s3-sqs-kms-sample
from aws_cdk import aws_kms as kms
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_sqs as sqs
from aws_cdk import aws_s3_notifications as s3notif
kms_key = kms.Key(self, 'ssl_s3_sqs_kms_key',
alias='sslS3SqsKmsKey',
description='This is kms key',
enabled=True,
enable_key_rotation=True,
policy=kms_policy_document,
)
# Create the S3 bucket
bucket = s3.Bucket(
self, "ssl_s3_bucket_raw_kms",
bucket_name="ssl-s3-bucket-kms-raw",
encryption=s3.BucketEncryption.KMS,
encryption_key=kms_key,
)
# Create the SQS queue
queue = sqs.Queue(
self, "ssl_sqs_event_queue",
queue_name="ssl-sqs-kms-event-queue",
encryption=sqs.QueueEncryption.KMS,
encryption_master_key=kms_key,
)
# Create S3 notification object which points to SQS
notification = s3notif.SqsDestination(queue)
filter1 = s3.NotificationKeyFilter(prefix="home/")
# Attach notificaton event to S3 bucket
bucket.add_event_notification(s3.EventType.OBJECT_CREATED,notification,filter1)
497
To resolve circular dependencies: Then there are three strategies you can use: Look for small pieces of code that can be moved from one project to the other. Look for code that both libraries depend on and move that code into a new shared library. Combine projectA and projectB into one library.
A circular dependency, as the name implies, means that two resources are dependent on each other or that a resource is dependent on itself: Resource A is dependent on Resource B, and Resource B is dependent on Resource A.
A circular dependency occurs when two classes depend on each other. For example, class A needs class B, and class B also needs class A. Circular dependencies can arise in Nest between modules and between providers. While circular dependencies should be avoided where possible, you can't always do so.
Q: What happens when one of the resources in a stack cannot be created successfully? By default, the “automatic rollback on error” feature is enabled. This will direct CloudFormation to only create or update all resources in your stack if all individual operations succeed.
I opened a GitHub bug report for this.
It looks like the root problem is that the following condition is added to the KMS key:
CDK output template ssls3sqskmskey83E47315.Properties.KeyPolicy.Statement[1]:
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Condition": {
"ArnLike": {
"aws:SourceArn": {
"Fn::GetAtt": [
"ssls3bucketrawkms4B1E1122",
"Arn"
]
}
}
},
},
The S3 bucket depends on the KMS key for encryption, and the KMS key has a condition that depends on the S3 bucket.
I was able to deploy the stack after using escape hatches to delete the condition:
# Delete the circular reference
cfn_kms_key = kms_key.node.default_child
cfn_kms_key.add_property_deletion_override("KeyPolicy.Statement.1")
workaround code available here
164
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
