fix(sns): race condition exists between sqs queue policy and sns subscription (#21797)

----

Fixes #20665 by adding a dependency to sqs policy for sns subscriptions.
### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*


This is a follow up to #21259, which got closed for failing for too long

Author: jonnekaunisto

packages/@aws-cdk-containers/ecs-service-extensions/test/publish-subscribe.integ.snapshot/aws-ecs-integ.template.json

@@ -91,6 +91,7 @@
   },
   "SubscriberQueuenestedstackstestNestedStack1topic089C5EB1396F65087": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "SubscriberQueuePolicy25A0799E",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {
@@ -109,6 +110,7 @@
   },
   "SubscriberQueuenestedstackstestNestedStack1topic1150E1A929A2C267E": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "SubscriberQueuePolicy25A0799E",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {
@@ -127,6 +129,7 @@
   },
   "SubscriberQueuenestedstackstestNestedStack1topic209B8719858511914": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "SubscriberQueuePolicy25A0799E",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {

packages/@aws-cdk/aws-cloudformation/test/nested-stack.integ.snapshot/nested-stacks-test.template.json

@@ -396,6 +396,7 @@
   },
   "MyQueueawscdkcodebuildeventsMyTopic550011DCF72DE3ED": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "MyQueuePolicy6BBEDDAC",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {

packages/@aws-cdk/aws-events-targets/test/codebuild/project-events.integ.snapshot/aws-cdk-codebuild-events.template.json

@@ -94,6 +94,7 @@
   },
   "MyQueueawscdksnseventtargetMyTopicB7575CD87304D383": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "MyQueuePolicy6BBEDDAC",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {

packages/@aws-cdk/aws-events-targets/test/sns/sns-event-rule-target.integ.snapshot/aws-cdk-sns-event-target.template.json

@@ -40,14 +40,14 @@ export class SqsSubscription implements sns.ITopicSubscription {
 
     // add a statement to the queue resource policy which allows this topic
     // to send messages to the queue.
-    this.queue.addToResourcePolicy(new iam.PolicyStatement({
+    const queuePolicyDependable = this.queue.addToResourcePolicy(new iam.PolicyStatement({
       resources: [this.queue.queueArn],
       actions: ['sqs:SendMessage'],
       principals: [snsServicePrincipal],
       conditions: {
         ArnEquals: { 'aws:SourceArn': topic.topicArn },
       },
-    }));
+    })).policyDependable;
 
     // if the queue is encrypted, add a statement to the key resource policy
     // which allows this topic to decrypt KMS keys
@@ -77,6 +77,7 @@ export class SqsSubscription implements sns.ITopicSubscription {
       filterPolicy: this.props.filterPolicy,
       region: this.regionFromArn(topic),
       deadLetterQueue: this.props.deadLetterQueue,
+      subscriptionDependency: queuePolicyDependable,
     };
   }
 

packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts

@@ -1,205 +1,206 @@
 {
- "Resources": {
-  "MyTopic86869434": {
-   "Type": "AWS::SNS::Topic"
-  },
-  "EncryptionMasterKey5BD393B9": {
-   "Type": "AWS::KMS::Key",
-   "Properties": {
-    "KeyPolicy": {
-     "Statement": [
-      {
-       "Action": "kms:*",
-       "Effect": "Allow",
-       "Principal": {
-        "AWS": {
-         "Fn::Join": [
-          "",
-          [
-           "arn:",
-           {
-            "Ref": "AWS::Partition"
-           },
-           ":iam::",
-           {
-            "Ref": "AWS::AccountId"
-           },
-           ":root"
+  "Resources": {
+   "MyTopic86869434": {
+    "Type": "AWS::SNS::Topic"
+   },
+   "EncryptionMasterKey5BD393B9": {
+    "Type": "AWS::KMS::Key",
+    "Properties": {
+     "KeyPolicy": {
+      "Statement": [
+       {
+        "Action": "kms:*",
+        "Effect": "Allow",
+        "Principal": {
+         "AWS": {
+          "Fn::Join": [
+           "",
+           [
+            "arn:",
+            {
+             "Ref": "AWS::Partition"
+            },
+            ":iam::",
+            {
+             "Ref": "AWS::AccountId"
+            },
+            ":root"
+           ]
           ]
-         ]
-        }
-       },
-       "Resource": "*"
-      },
-      {
-       "Action": [
-        "kms:Decrypt",
-        "kms:GenerateDataKey"
-       ],
-       "Condition": {
-        "ArnEquals": {
-         "aws:SourceArn": {
-          "Ref": "MyTopic86869434"
          }
-        }
-       },
-       "Effect": "Allow",
-       "Principal": {
-        "Service": "sns.amazonaws.com"
+        },
+        "Resource": "*"
        },
-       "Resource": "*"
-      }
-     ],
-     "Version": "2012-10-17"
-    }
+       {
+        "Action": [
+         "kms:Decrypt",
+         "kms:GenerateDataKey"
+        ],
+        "Condition": {
+         "ArnEquals": {
+          "aws:SourceArn": {
+           "Ref": "MyTopic86869434"
+          }
+         }
+        },
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "sns.amazonaws.com"
+        },
+        "Resource": "*"
+       }
+      ],
+      "Version": "2012-10-17"
+     }
+    },
+    "UpdateReplacePolicy": "Retain",
+    "DeletionPolicy": "Retain"
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
-  },
-  "MyQueueE6CA6235": {
-   "Type": "AWS::SQS::Queue",
-   "Properties": {
-    "KmsMasterKeyId": {
-     "Fn::GetAtt": [
-      "EncryptionMasterKey5BD393B9",
-      "Arn"
-     ]
-    }
+   "MyQueueE6CA6235": {
+    "Type": "AWS::SQS::Queue",
+    "Properties": {
+     "KmsMasterKeyId": {
+      "Fn::GetAtt": [
+       "EncryptionMasterKey5BD393B9",
+       "Arn"
+      ]
+     }
+    },
+    "UpdateReplacePolicy": "Delete",
+    "DeletionPolicy": "Delete"
    },
-   "UpdateReplacePolicy": "Delete",
-   "DeletionPolicy": "Delete"
-  },
-  "MyQueuePolicy6BBEDDAC": {
-   "Type": "AWS::SQS::QueuePolicy",
-   "Properties": {
-    "PolicyDocument": {
-     "Statement": [
-      {
-       "Action": "sqs:SendMessage",
-       "Condition": {
-        "ArnEquals": {
-         "aws:SourceArn": {
-          "Ref": "MyTopic86869434"
+   "MyQueuePolicy6BBEDDAC": {
+    "Type": "AWS::SQS::QueuePolicy",
+    "Properties": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sqs:SendMessage",
+        "Condition": {
+         "ArnEquals": {
+          "aws:SourceArn": {
+           "Ref": "MyTopic86869434"
+          }
          }
+        },
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "sns.amazonaws.com"
+        },
+        "Resource": {
+         "Fn::GetAtt": [
+          "MyQueueE6CA6235",
+          "Arn"
+         ]
         }
-       },
-       "Effect": "Allow",
-       "Principal": {
-        "Service": "sns.amazonaws.com"
-       },
-       "Resource": {
-        "Fn::GetAtt": [
-         "MyQueueE6CA6235",
-         "Arn"
-        ]
        }
+      ],
+      "Version": "2012-10-17"
+     },
+     "Queues": [
+      {
+       "Ref": "MyQueueE6CA6235"
       }
-     ],
-     "Version": "2012-10-17"
-    },
-    "Queues": [
-     {
-      "Ref": "MyQueueE6CA6235"
-     }
-    ]
-   }
-  },
-  "MyQueueawscdksnssqsMyTopic9361DEA223429051": {
-   "Type": "AWS::SNS::Subscription",
-   "Properties": {
-    "Protocol": "sqs",
-    "TopicArn": {
-     "Ref": "MyTopic86869434"
-    },
-    "Endpoint": {
-     "Fn::GetAtt": [
-      "MyQueueE6CA6235",
-      "Arn"
      ]
-    },
-    "RedrivePolicy": {
-     "deadLetterTargetArn": {
+    }
+   },
+   "MyQueueawscdksnssqsMyTopic9361DEA223429051": {
+    "DependsOn": "MyQueuePolicy6BBEDDAC",
+    "Type": "AWS::SNS::Subscription",
+    "Properties": {
+     "Protocol": "sqs",
+     "TopicArn": {
+      "Ref": "MyTopic86869434"
+     },
+     "Endpoint": {
       "Fn::GetAtt": [
-       "DeadLetterQueue9F481546",
+       "MyQueueE6CA6235",
        "Arn"
       ]
+     },
+     "RedrivePolicy": {
+      "deadLetterTargetArn": {
+       "Fn::GetAtt": [
+        "DeadLetterQueue9F481546",
+        "Arn"
+       ]
+      }
      }
     }
-   }
-  },
-  "DeadLetterQueue9F481546": {
-   "Type": "AWS::SQS::Queue",
-   "UpdateReplacePolicy": "Delete",
-   "DeletionPolicy": "Delete"
-  },
-  "DeadLetterQueuePolicyB1FB890C": {
-   "Type": "AWS::SQS::QueuePolicy",
-   "Properties": {
-    "PolicyDocument": {
-     "Statement": [
-      {
-       "Action": "sqs:SendMessage",
-       "Condition": {
-        "ArnEquals": {
-         "aws:SourceArn": {
-          "Ref": "MyTopic86869434"
+   },
+   "DeadLetterQueue9F481546": {
+    "Type": "AWS::SQS::Queue",
+    "UpdateReplacePolicy": "Delete",
+    "DeletionPolicy": "Delete"
+   },
+   "DeadLetterQueuePolicyB1FB890C": {
+    "Type": "AWS::SQS::QueuePolicy",
+    "Properties": {
+     "PolicyDocument": {
+      "Statement": [
+       {
+        "Action": "sqs:SendMessage",
+        "Condition": {
+         "ArnEquals": {
+          "aws:SourceArn": {
+           "Ref": "MyTopic86869434"
+          }
          }
+        },
+        "Effect": "Allow",
+        "Principal": {
+         "Service": "sns.amazonaws.com"
+        },
+        "Resource": {
+         "Fn::GetAtt": [
+          "DeadLetterQueue9F481546",
+          "Arn"
+         ]
         }
-       },
-       "Effect": "Allow",
-       "Principal": {
-        "Service": "sns.amazonaws.com"
-       },
-       "Resource": {
-        "Fn::GetAtt": [
-         "DeadLetterQueue9F481546",
-         "Arn"
-        ]
        }
+      ],
+      "Version": "2012-10-17"
+     },
+     "Queues": [
+      {
+       "Ref": "DeadLetterQueue9F481546"
       }
-     ],
-     "Version": "2012-10-17"
-    },
-    "Queues": [
+     ]
+    }
+   }
+  },
+  "Parameters": {
+   "BootstrapVersion": {
+    "Type": "AWS::SSM::Parameter::Value<String>",
+    "Default": "/cdk-bootstrap/hnb659fds/version",
+    "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+   }
+  },
+  "Rules": {
+   "CheckBootstrapVersion": {
+    "Assertions": [
      {
-      "Ref": "DeadLetterQueue9F481546"
+      "Assert": {
+       "Fn::Not": [
+        {
+         "Fn::Contains": [
+          [
+           "1",
+           "2",
+           "3",
+           "4",
+           "5"
+          ],
+          {
+           "Ref": "BootstrapVersion"
+          }
+         ]
+        }
+       ]
+      },
+      "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
      }
     ]
    }
   }
- },
- "Parameters": {
-  "BootstrapVersion": {
-   "Type": "AWS::SSM::Parameter::Value<String>",
-   "Default": "/cdk-bootstrap/hnb659fds/version",
-   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
-  }
- },
- "Rules": {
-  "CheckBootstrapVersion": {
-   "Assertions": [
-    {
-     "Assert": {
-      "Fn::Not": [
-       {
-        "Fn::Contains": [
-         [
-          "1",
-          "2",
-          "3",
-          "4",
-          "5"
-         ],
-         {
-          "Ref": "BootstrapVersion"
-         }
-        ]
-       }
-      ]
-     },
-     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
-    }
-   ]
-  }
- }
-}
+ }

packages/@aws-cdk/aws-sns-subscriptions/test/sns-sqs.lit.integ.snapshot/aws-cdk-sns-sqs.template.json

@@ -1,4 +1,4 @@
-import { Construct } from 'constructs';
+import { Construct, IDependable } from 'constructs';
 import { SubscriptionOptions } from './subscription';
 import { ITopic } from './topic-base';
 
@@ -24,6 +24,15 @@ export interface TopicSubscriptionConfig extends SubscriptionOptions {
    * subscribing to.
    */
   readonly subscriberId: string;
+
+  /**
+   * The resources that need to be created before the subscription can be safely created.
+   * For example for SQS subscription, the subscription needs to have a dependency on the SQS queue policy
+   * in order for the subscription to successfully deliver messages.
+   *
+   * @default - empty list
+   */
+  readonly subscriptionDependency?: IDependable;
 }
 
 /**

packages/@aws-cdk/aws-sns/lib/subscriber.ts

@@ -80,8 +80,8 @@ export abstract class TopicBase extends Resource implements ITopic {
   /**
    * Subscribe some endpoint to this topic
    */
-  public addSubscription(subscription: ITopicSubscription): Subscription {
-    const subscriptionConfig = subscription.bind(this);
+  public addSubscription(topicSubscription: ITopicSubscription): Subscription {
+    const subscriptionConfig = topicSubscription.bind(this);
 
     const scope = subscriptionConfig.subscriberScope || this;
     let id = subscriptionConfig.subscriberId;
@@ -95,10 +95,18 @@ export abstract class TopicBase extends Resource implements ITopic {
       throw new Error(`A subscription with id "${id}" already exists under the scope ${scope.node.path}`);
     }
 
-    return new Subscription(scope, id, {
+    const subscription = new Subscription(scope, id, {
       topic: this,
       ...subscriptionConfig,
     });
+
+    // Add dependency for the subscription, for example for SQS subscription
+    // the queue policy has to deploy before the subscription is created
+    if (subscriptionConfig.subscriptionDependency) {
+      subscription.node.addDependency(subscriptionConfig.subscriptionDependency);
+    }
+
+    return subscription;
   }
 
   /**

packages/@aws-cdk/aws-sns/lib/topic-base.ts

@@ -45,6 +45,7 @@
   },
   "showmethemessagesawsstepfunctionstaskssnspublishintegcooltopic8388C976F1D63091": {
    "Type": "AWS::SNS::Subscription",
+   "DependsOn": "showmethemessagesPolicyB08B04B0",
    "Properties": {
     "Protocol": "sqs",
     "TopicArn": {