awslabs / aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0

[Bug]: After upgrade to 4.0.0 the emails are not sent anymore #769

Open AndreiDiaconovici opened 2 weeks ago

AndreiDiaconovici commented 2 weeks ago

Is there an existing issue for this?

Describe the bug

After the upgrade to 4.0.0, the email alerts are not sent anymore during CodePipeline runs (STARTED, FAILED, SUCCEEDED). I have checked the EventBridge rule and it is triggered successfully, but the invocation to SNS fails.


Expected Behavior

To send emails.

Current Behavior

Steps To Reproduce

No response

Possible Solution

No response

Additional Information/Context

No response

ADF Version

4.0.0

Contributing a fix?

AndreiDiaconovici commented 2 weeks ago

Greetings,

It seems that the KMS Condition with SourceArn is not working.

  KMSKey:
    Type: AWS::KMS::Key
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      Description: Used by Assumed Roles in Accounts accounts to Encrypt/Decrypt code
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Id: !Ref AWS::StackName
        Statement:
          - Sid: Allows admin of the key
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action:
              - "kms:CancelKeyDeletion"
              - "kms:Create*"
              - "kms:Decrypt"
              - "kms:Delete*"
              - "kms:Describe*"
              - "kms:DescribeKey"
              - "kms:Disable*"
              - "kms:Enable*"
              - "kms:Encrypt"
              - "kms:GenerateDataKey*"
              - "kms:Get*"
              - "kms:List*"
              - "kms:Put*"
              - "kms:ReEncrypt*"
              - "kms:Revoke*"
              - "kms:ScheduleKeyDeletion"
              - "kms:Update*"
            Resource: "*"
          - Sid: Allow use of the key
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - kms:Decrypt
              - kms:DescribeKey
              - kms:Encrypt
              - kms:GenerateDataKey*
              - kms:ReEncryptFrom
              - kms:ReEncryptTo
            Resource: "*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref OrganizationId
          - Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              Service:
                - sns.amazonaws.com
                - codecommit.amazonaws.com
            Resource: "*"
            Condition:
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
          - Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Resource: "*"
            Condition:
              ArnLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"

Changing the Condition of events.amazonaws.com to use "aws:ResourceAccount": !Ref AWS::AccountId instead of aws:SourceArn works.
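As an added example (not ADF's own code), the following Python audit takes a KMS key policy as KMS returns it (JSON, CloudFormation intrinsics already resolved) and reports which scoping condition key each service-principal statement relies on, so the aws:SourceArn vs aws:ResourceAccount difference from the comment above is visible before a deployment breaks notifications. The account ID 111122223333 and the JSON rendering of the issue's policy are constructed; `rescope_events_principal` applies the change the comment describes.

```python
import copy

# Condition keys that scope a service principal's use of the key (constructed list)
SCOPING_KEYS = {"aws:SourceArn", "aws:SourceAccount", "aws:ResourceAccount"}

def audit_service_statements(policy: dict) -> dict:
    """Map each service principal in an Allow statement to the scoping condition
    keys on that statement; an empty set means no confused-deputy scoping at all."""
    result = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            keys.update(operator_block)
        for svc in services:
            result.setdefault(svc, set()).update(keys & SCOPING_KEYS)
    return result

def rescope_events_principal(policy: dict, account_id: str) -> dict:
    """Copy of the policy with the events.amazonaws.com statement scoped by
    aws:ResourceAccount instead of aws:SourceArn, the change reported as working."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if "events.amazonaws.com" in stmt.get("Principal", {}).get("Service", []):
            stmt["Condition"] = {"StringEquals": {"aws:ResourceAccount": account_id}}
    return fixed

# Constructed rendering of the issue's key policy; 111122223333 is a placeholder account ID
ACCOUNT = "111122223333"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allows admin of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": ["kms:Create*", "kms:Decrypt", "kms:Encrypt", "kms:Get*"], "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"Service": ["sns.amazonaws.com", "codecommit.amazonaws.com"]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}},
        {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
         "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:events:us-east-1:{ACCOUNT}:rule/*"}}},
    ],
}
FIXED_POLICY = rescope_events_principal(POLICY, ACCOUNT)
```

Running `audit_service_statements` on a policy fetched with `kms:GetKeyPolicy` gives the same report for a deployed key; any service principal mapped to an empty set is one to look at first.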