
aws-cdk-lib/aws-events: Support for Cross Account SNS/SQS/Lambda Targets #33328

scabraha opened this issue Feb 6, 2025 · 2 comments
Labels
@aws-cdk/aws-events-targets effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments


scabraha commented Feb 6, 2025

Describe the feature

EventBridge recently released cross account targets which allows customers to send events to SQS queues, SNS topics, Lambda functions, Kinesis Streams, and API Gateway endpoints in another account provided the target account has granted permissions via resource policies. Before this release, SQS/SNS/Lambda required customers to NOT provide a role and the current implementation of CDK supports that constraint. With this release, customers are required to provide a role from the rule's account for cross account resource access.

We're requesting updates to the CDK libraries to allow for roles to be provided for the following constructs:

Use Case

Customers would like to be able to set up cross-account targets for SNS/SQS/Lambda targets via our L2 constructs.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.178.0

Environment details (OS name and version, etc.)

Mac OSX 15.3

@scabraha scabraha added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 6, 2025
@pahud pahud self-assigned this Feb 7, 2025

pahud commented Feb 7, 2025

Yes, it seems we could send the custom role to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-events-rule-target.html#cfn-events-rule-target-rolearn ? Making this a p2 FR and we welcome community PRs.

@pahud pahud added p2 effort/medium Medium work item – several days of effort labels Feb 7, 2025
@pahud pahud removed their assignment Feb 7, 2025
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Feb 7, 2025

rrhodes commented Feb 9, 2025

Hey, I started looking into this proposed change but I've discovered the following limitation which I think warrants further conversation:

Cannot create a cross-account or cross-region rule for an imported resource (create a stack with the right environment for the imported resource)

If we were to support roles for the target L2 constructs, how do we foresee users managing cross-account resources in CDK? I was expecting to follow a pattern like below:

import * as events from 'aws-cdk-lib/aws-events';
import * as targets from 'aws-cdk-lib/aws-events-targets';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Inside a Stack constructor. The function lives in another account (123456789012),
// so it is imported by ARN rather than defined in this stack.
const fn = lambda.Function.fromFunctionArn(
  this,
  'Function',
  'arn:aws:lambda:us-east-1:123456789012:function:MyFn',
);

// Role in the rule's account that EventBridge assumes to invoke the cross-account target.
const role = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
});

const rule = new events.Rule(this, 'rule', {
  eventPattern: {
    source: ['aws.ec2'],
  },
});

// Desired shape: pass the role to the L2 target so it ends up as the target's RoleArn.
rule.addTarget(new targets.LambdaFunction(fn, {
  role,
}));

But that's currently not possible under the aforementioned restriction, unless I misunderstand the reported error?
