(aws-events): cross-region event rules breaks cross-account codepipelines

[jdvornek]

Upgrading from <=1.112.0 caused my cross-account codepipelines to be undeployable. I have a multi-account setup with CodeCommit repositories hosted in one account triggering CodePipelines in several different accounts. Following CDK upgrade deployment fails with

Access to the resource arn:aws:iam::9876543210:role/SomeRole is denied. Reason: Cross-account pass role is not allowed.

It appears as though the change in #14731 alters the change of the rule target to include a roleArn, at least that appears to be the difference in what is synthesized.

Reproduction Steps

Apologies if this is somewhat convoluted, I've attempted to extract an example that best represents the situation as it exists in my application. If you need more detail or more color around the situation, let me know.

app.js

#!/usr/bin/env node
const config = require('../lib/config.json');

const cdk = require('@aws-cdk/core');
const { SourceStack } = require('../lib/SourceStack');
const { PipelineStack } = require('../lib/PipelineStack');

const app = new cdk.App();
new SourceStack(app, 'EventsIssueSourceStack', {
  env: config.envs.account_a,
});
new PipelineStack(app, 'EventsIssuePipelineStack', {
  env: config.envs.account_b,
});

config.json

{
  "envs": {
    "account_a": { "account": "0123456789", "region": "us-east-1" },
    "account_b": { "account": "9876543210", "region": "us-east-1" }
  }
}

SourceStack.js

const cdk = require('@aws-cdk/core');
const codecommit = require('@aws-cdk/aws-codecommit')

class SourceStack extends cdk.Stack {

  constructor(scope, id, props) {
    super(scope, id, props);

    new codecommit.Repository(this, 'Repo', {
      repositoryName: 'SomeRepository'
    });
  }
}

module.exports = { SourceStack }

PipelineStack.js

const cdk = require('@aws-cdk/core');
const codecommit = require('@aws-cdk/aws-codecommit');
const codepipeline = require('@aws-cdk/aws-codepipeline');
const actions = require('@aws-cdk/aws-codepipeline-actions');

const config = require('./config.json');

class RepositoryReference extends cdk.Stack {
  constructor(scope, id, props) {
    super(scope, id, props);
    this.repo = codecommit.Repository.fromRepositoryName(this, 'RepositoryRef', props.repo_name);
  }
}

class PipelineStack extends cdk.Stack {

  constructor(scope, id, props) {
    super(scope, id, props);
    this.props = props;

    const repo_ref = new RepositoryReference(this, 'RepoRef', {
      env:       config.envs.account_a,
      repo_name: 'SomeRepository'
    });
    
    this.source_output = new codepipeline.Artifact('SourceOutput');

    this.pipeline = new codepipeline.Pipeline(this, 'Pipeline', {
      stages: [
        {
          stageName: 'Source',
          actions:   [
            new actions.CodeCommitSourceAction({
                                                 actionName: 'SourceCheckout',
                                                 repository: repo_ref.repo,
                                                 output:     this.source_output
                                               })
          ]
        },
        {
          stageName: 'IrrelevantPlaceholder',
          actions:   [
            new actions.ManualApprovalAction({
                                               actionName: 'Approval'
                                             })
          ]
        }
      ]
    });
  }

}

module.exports = { PipelineStack };

What did you expect to happen?

I expected the application to deploy and function as it did in version <=1.112.0.

What actually happened?

I received an error:

Access to the resource arn:aws:iam::9876543210:role/SomeRole is denied. Reason: Cross-account pass role is not allowed. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException; Request ID: 01234-abcd-xyz; Proxy: null)

Environment

• CDK CLI Version : 1.114.0
• Framework Version: 1.114.0
• Node.js Version: v14.17.3
• OS : OSX 11.4
• Language (Version): javascript

Other

It would seem to me that the cross-region events features should be rolled back or put on a flag if a quick fix is not available. As of now I'm effectively locked at version 1.112.0.

---

This is 🐛 Bug Report

[rix0rrr]

I'm suprised that this setup used to work at all, given that it looks like CodePipeline doesn't seem to support cross-account CodeCommit repositories. There is no mention of an account field here: https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-CodeCommit.html

And when I try your code for myself, I get this error in CodePipeline:

[jdvornek]

I must have missed a dependency between the two stacks, please try deploying SourceStack first manually or add an explicit dependency. Again, I was trying to replicate something illustrative from a much larger application here.

There's a published guide for a cross-account codepipeline, but really under the hood, it is just cross-account event delivery.

[rix0rrr]

Yes, I've seen it work now which is crazy.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.