feat(scheduler): base target methods and lambda invoke target

[filletofish]

This PR contains implementation for Schedule Targets:

1. Creates a separate module for targets
2. Support imported resources, but not cross account, cross region resources as we discussed in RFC. The unit tests should cover 4 cases (target and role within the same stack, target is imported, role is imported, target and role are imported),
3. I have moved out class Schedule from private package to depend on it in schedule-targets unit tests.

Implementation is based on RFC: https://github.com/aws/aws-cdk-rfcs/blob/master/text/0474-event-bridge-scheduler-l2.md

Advances #23394

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[filletofish]

Created role and stack in the same account. Otherwise lambda.Function.grantInvoke fails as it assumes that function is imported (from a different account). See

aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts

Line 528 in 0e2c169

if (!permissionNode && !this._skipPermissions) {

Also, grantInvoke method creates permission on Lambda function itself (updates resource policy) if the role is in the different account. See

aws-cdk/packages/aws-cdk-lib/aws-lambda/test/function.test.ts

Line 1425 in 0e2c169

test('with an imported role (from a different account)', () => {

[Jacco]

In the code we prepared this had a lot more beef.

1. You use one role named 'SchedulesRole' for all targets in the current stack. The more targets there are the less "least privilege' this will get. Personally I think one role per target makes more sense then one role per stack.
2. The code we started with had Stack.of(schedule) and then stack.node.tryFindChild(id) in stead of scope.node.tryFindChild. If you find the role for a target it is fine.

[Jacco]

3. Why do we not also narrow down of the use of the role to "aws:SourceArn" "aws:SourceAccount"

[filletofish]

I originally preferred this implementation inspired by events.target (

aws-cdk/packages/aws-cdk-lib/aws-events-targets/lib/util.ts

Lines 63 to 81 in e479bd4

	/**
	* Obtain the Role for the EventBridge event
	*
	* If a role already exists, it will be returned. This ensures that if multiple
	* events have the same target, they will share a role.
	* @internal
	*/
	export function singletonEventRole(scope: IConstruct): iam.IRole {
	const id = 'EventsRole';
	const existing = scope.node.tryFindChild(id) as iam.IRole;
	if (existing) { return existing; }
	const role = new iam.Role(scope as Construct, id, {
	roleName: PhysicalName.GENERATE_IF_NEEDED,
	assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
	});
	return role;
	}

) as it seemed simpler to me. However, I agree that the least privilege policy is a good point. Now I understand where the complexity is coming from.

[filletofish]

@Jacco I have removed condition for checking sourceArn as it created a circular dependency between schedule -> target -> role -> schedule.

In your original prototype it was implemented as:

 const scheduleArn = Arn.format({
    service: 'scheduler',
    resourceName: `${schedule.group.groupName}/${schedule.scheduleName}`,
    resource: 'schedule'
  }, Stack.of(schedule));
  const principal = new iam.PrincipalWithConditions(new iam.ServicePrincipal('scheduler.amazonaws.com'), {
    'StringEquals': {
        "aws:SourceArn": scheduleArn,
        "aws:SourceAccount": schedule.env.account,
    }
  })

It didn't create a dependency cycle in your code, as now the scheduleName is a reference to the CFN resource instead of just a string:

    this.scheduleName = this.getResourceNameAttribute(resource.ref);

[filletofish]

@Jacco similarly, there was an option to create a condition for sourceArn here. But it would create a dependency cycle between target and schedule.

[filletofish]

Had to specify environment here, otherwise schedule creation failed with an error that target and schedule should be in the same region / account. That's because we consider target and schedule to be in different accounts if one of their accounts is unresolved.

See sameEnvDimension implementation.

Let me know if that's a problem

[kaizencc]

A few minor comments mostly to get more information. But my main comment is that I would like to see the README first, as that is usually the entrypoint to the PR as a reviewer.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[kaizencc]

@filletofish I'm ready to approve this, just some minor stuff surrounding docs.

Next up has to be adding integ tests where appropriate. We won't accept any more additions until the integ tests are up and running.

[kaizencc]

TIL as well, but take a look at this file here

tl;dr: cross env tests need to use 234567890123

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kaizencc]

@aws-cdk/aws-lambda-python-alpha: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'OpenSSL 1.0.2k-fips  26 Jan 2017'. See: https://github.com/urllib3/urllib3/issues/2168

wtf?

Pull request has been modified.

[kaizencc]

@filletofish still another error related to this PR it seems

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 0dfc2aa
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).