aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

[aws-cloudtrail] cross-account `Trail`s cannot specify SNS topic #11387

Open NGL321 opened 3 years ago

NGL321 commented 3 years ago

Continuation of: #9013 References internal ticket

When creating a new trail using an SNS topic from a secondary account (see code sample below), trail creation fails.

// Imports assumed for this snippet (CDK v2 module paths); the original omits them
import * as sns from 'aws-cdk-lib/aws-sns';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';

// Topic owned by the secondary account, referenced by ARN only (placeholder ARN)
const externAccountTopic = sns.Topic.fromTopicArn(
   this,
   'TopicName',
   'TOPIC_ARN_SECONDARY_ACCOUNT'
);

// dataEventTrailBucket is an existing s3.IBucket defined elsewhere in the stack
const multiAccountTrail = new cloudtrail.Trail(this, 'MultiAccountTrail', {
   bucket: dataEventTrailBucket,
   enableFileValidation: true,
   isMultiRegionTrail: true,
   snsTopic: externAccountTopic,
   trailName: 'MultiAccountTrail'
});

Fails with exception:

"SNS Topic does not exist or the topic policy is incorrect! (Service: AWSCloudTrail; Status Code: 400; Error Code: InsufficientSnsTopicPolicyException; Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx; Proxy: null)"

Related Issue

It looks like this was brought up before, and largely addressed (the initial concern was multi-region), but not fixed for multi-account.

Original Issue: #9013 Fixing PR: #9239

Environment: Other

This is :bug: Bug Report

github-actions[bot] commented 2 years ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

tguedes-lastwall commented 1 year ago

This is still an issue in 2.92.0

FilipPyrek commented 12 months ago

Yeah, this issue is still there. The Trail construct still doesn't work for a multi-account, multi-region setup.

For example, the issue with SNS described here: https://github.com/aws/aws-cdk/issues/9013#issuecomment-714827297

mrgrain commented 12 months ago

Thanks for reporting. Re-opened. @peterwoodworth Can you have another look at this please?

peterwoodworth commented 12 months ago

Yes, if you take the example in the initial post, I'm getting a separate error after using an escape hatch to specify an ARN. Here's the code:

// Imports assumed for this snippet (CDK v2 module paths); the original omits them
import * as sns from 'aws-cdk-lib/aws-sns';
import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';

// Topic owned by the secondary account, referenced by ARN only (placeholder ARN)
const externAccountTopic = sns.Topic.fromTopicArn(
   this,
   'TopicName',
   'TOPIC_ARN_SECONDARY_ACCOUNT'
);

// dataEventTrailBucket is an existing s3.IBucket defined elsewhere in the stack
const multiAccountTrail = new cloudtrail.Trail(this, 'MultiAccountTrail', {
   bucket: dataEventTrailBucket,
   enableFileValidation: true,
   isMultiRegionTrail: true,
   snsTopic: externAccountTopic,
   trailName: 'MultiAccountTrail'
});

// Escape hatch: the L1 CfnTrail only receives the topic name from the L2 construct,
// so override SnsTopicName with the full cross-account ARN
(multiAccountTrail.node.defaultChild as cloudtrail.CfnTrail).addPropertyOverride('SnsTopicName', 'TOPIC_ARN_SECONDARY_ACCOUNT');

And here's the error:

[Screenshot of the error, 2023-09-13; not reproduced in text]

It's a separate error message from the one you get if the topic ARN didn't exist; however, I'm unable to figure out why this is throwing here.

Since the Topic is in a separate account, the call to create the topic policy that permits CloudTrail to publish will not succeed. This will have to be added to your other account if it is not already created. I thought this was what was causing the error, but manually adding it to the Topic in the other account didn't get me past the error. I'm likely missing some other policy that I need; I will be able to check tomorrow.

FilipPyrek commented 11 months ago

Maybe try a classic SNS topic, not FIFO, @peterwoodworth. A classic SNS topic worked for me.

peterwoodworth commented 11 months ago

Yep, seems to work on classic for me! In that case the code block above works as a workaround. We cannot create the policy for this on the Topic, which has to be done ahead of time, but we can pass the ARN to CloudFormation instead of just the name to make this work without an escape hatch.
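The policy that "has to be done ahead of time" in the topic-owning account is what the thread leaves implicit. The following is an added example (not code from this issue or from aws-cdk): it builds the SNS topic policy statement the secondary account must attach so the CloudTrail service principal can publish, scoped with `aws:SourceArn` and `aws:SourceAccount` so only the intended trail can use the cross-account grant, and it offers a pre-flight check over an existing topic policy before the Trail is deployed. All ARNs and account IDs are constructed placeholders.

```typescript
// Added example, not from the issue or aws-cdk; ARNs and account IDs are constructed.
interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: string | { Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: PolicyStatement[] }
const SAMPLE_TOPIC_ARN = 'arn:aws:sns:us-east-1:222222222222:trail-topic'; // secondary account
const SAMPLE_TRAIL_ARN = 'arn:aws:cloudtrail:us-east-1:111111111111:trail/MultiAccountTrail';
const SAMPLE_TRAIL_ACCOUNT = '111111111111'; // account that owns the trail
const asList = (v?: string | string[]): string[] => v === undefined ? [] : Array.isArray(v) ? v : [v];

// Grant the CloudTrail service principal Publish on the topic, scoped to one trail in
// one account so no other account's trail can ride on the cross-account grant.
function cloudTrailPublishStatement(topicArn: string, trailArn: string, account: string): PolicyStatement {
  return {
    Sid: 'AllowCloudTrailPublish',
    Effect: 'Allow',
    Principal: { Service: 'cloudtrail.amazonaws.com' },
    Action: 'SNS:Publish',
    Resource: topicArn,
    Condition: { StringEquals: { 'aws:SourceArn': trailArn, 'aws:SourceAccount': account } },
  };
}

// Pre-flight check before deploying the Trail: does the topic policy in the other account
// let CloudTrail publish for this trail? An unscoped grant (no condition) is permitted
// but reported as unscoped so it can be tightened.
function checkTopicPolicy(policy: PolicyDocument, topicArn: string, trailArn: string, account: string): { permitted: boolean; scoped: boolean } {
  let permitted = false, scoped = false;
  for (const s of policy.Statement) {
    if (s.Effect !== 'Allow') continue;
    const services = typeof s.Principal === 'string' ? [s.Principal] : asList(s.Principal.Service);
    if (!services.includes('cloudtrail.amazonaws.com') && !services.includes('*')) continue;
    if (!asList(s.Action).some((a) => a.toLowerCase() === 'sns:publish')) continue;
    if (!asList(s.Resource).includes(topicArn) && !asList(s.Resource).includes('*')) continue;
    const eq = s.Condition?.StringEquals ?? {};
    const arnOk = !('aws:SourceArn' in eq) || asList(eq['aws:SourceArn']).includes(trailArn);
    const acctOk = !('aws:SourceAccount' in eq) || asList(eq['aws:SourceAccount']).includes(account);
    if (!arnOk || !acctOk) continue;
    permitted = true;
    scoped = scoped || 'aws:SourceArn' in eq || 'aws:SourceAccount' in eq;
  }
  return { permitted, scoped };
}
```

A policy where `checkTopicPolicy` returns `permitted: false` is the situation that surfaces as the `InsufficientSnsTopicPolicyException` quoted in the first post.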

HCrane commented 6 months ago

Just wanting to push, as I stumbled upon this issue as of right now! Keep up the good work!