(ses): SES->SNS subscription fails due to KinesisFirehoseDestination is null

[atnartur]

Describe the bug

If you try to add an SES event destination to SNS using CDK, CloudFormation fails with the following error during deployment:

Resource handler returned message: "Cannot invoke "software.amazon.awssdk.services.ses.model.KinesisFirehoseDestination.iamRoleARN()" because the return value of "software.amazon.awssdk.services.ses.model.EventDestination.kinesisFirehoseDestination()" is null" (RequestToken: ..., HandlerErrorCode: InternalFailure)

You can find the CDK project's example in the following repository: https://github.com/atnartur/cdk-ses-sns-subscription-bug

A CDK project contains the following infrastructure:

1. SNS topic
2. SES configuration set
3. A configuration set's destination to the SNS topic. The event destination contains only a link to the SNS topic. No Kinesis Firehose been mentioned.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I expect the resource creation to be completed successfully.

Current Behavior

CDK deployment fails with the following error:

Resource handler returned message: "Cannot invoke "software.amazon.awssdk.services.ses.model.KinesisFirehoseDestination.iamRoleARN()" because the return value of "software.amazon.awssdk.services.ses.model.EventDestination.kinesisFirehoseDestination()" is null" (RequestToken: ..., HandlerErrorCode: InternalFailure)

Reproduction Steps

1. Create CDK project
2. Add the following resources: SNS topic, SES configuration set, a SES->SNS destination.
3. Start the stack deployment

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.171.0 (build 4957967)

Framework Version

No response

Node.js Version

v22.11.0

OS

MacOS

Language

TypeScript

Language Version

TypeScript (5.6.3) | Python (3.9.20)

Other information

No response

[ashishdhingra]

Not reproducible using CDK version 2.172.0 (build 0f666c5). The below CDK code:

import * as cdk from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';
import * as ses from 'aws-cdk-lib/aws-ses';

export class CdktestStackNew extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const snsTopic = new sns.Topic(this, 'TestSnsTopic', {
      fifo: false
    });
    
    const sesConfigSet = new ses.ConfigurationSet(this, "TestSESConfigSet", {
      configurationSetName: "TestSESConfigSet"
    });

    sesConfigSet.addEventDestination('TestSNSDestination', {
      destination: ses.EventDestination.snsTopic(snsTopic)
    });
  }
}

synthesizes to below CloudFormation stack:

Resources:
  TestSnsTopic9011E4C7:
    Type: AWS::SNS::Topic
    Properties:
      FifoTopic: false
    Metadata:
      aws:cdk:path: CdktestStackNew/TestSnsTopic/Resource
  TestSnsTopicPolicy2AC7225E:
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Action: sns:Publish
            Condition:
              StringEquals:
                AWS:SourceAccount: "<<ACCOUNT-ID>>"
                AWS:SourceArn:
                  Fn::Join:
                    - ""
                    - - "arn:"
                      - Ref: AWS::Partition
                      - :ses:us-east-2:<<ACCOUNT-ID>>:configuration-set/
                      - Ref: TestSESConfigSetA1C354EA
            Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Resource:
              Ref: TestSnsTopic9011E4C7
            Sid: "0"
        Version: "2012-10-17"
      Topics:
        - Ref: TestSnsTopic9011E4C7
    Metadata:
      aws:cdk:path: CdktestStackNew/TestSnsTopic/Policy/Resource
  TestSESConfigSetA1C354EA:
    Type: AWS::SES::ConfigurationSet
    Properties:
      Name: TestSESConfigSet
    Metadata:
      aws:cdk:path: CdktestStackNew/TestSESConfigSet/Resource
  TestSESConfigSetTestSNSDestinationC6540474:
    Type: AWS::SES::ConfigurationSetEventDestination
    Properties:
      ConfigurationSetName:
        Ref: TestSESConfigSetA1C354EA
      EventDestination:
        Enabled: true
        MatchingEventTypes:
          - send
          - reject
          - bounce
          - complaint
          - delivery
          - open
          - click
          - renderingFailure
          - deliveryDelay
          - subscription
        SnsDestination:
          TopicARN:
            Ref: TestSnsTopic9011E4C7
    DependsOn:
      - TestSnsTopicPolicy2AC7225E
    Metadata:
      aws:cdk:path: CdktestStackNew/TestSESConfigSet/TestSNSDestination/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/22LwQ6CQAxEv4X7UoGY6B29G/Bu1qWYAnYNXSBms/9ugMQDeunMvLxmkB4ySCI9SWyqNu7oDr502rRKT3LzwgL+al9kVF7zWpZ7sR2Z9xeuMyhBAZ9brukx9NqR5RLdbP2yDTiPyO6E4ogX9O9p64QwWwWKHXqDQbGtEBrZjekRsgT2USNEcT+woydCseYHjvNE9vMAAAA=
    Metadata:
      aws:cdk:path: CdktestStackNew/CDKMetadata/Default
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

This deploys fine as shwon below:

✨  Synthesis time: 5.17s

CdktestStackNew: start: Building d226933025d157b0d4b657c799927541d08e2f278c0ea13d2bba1e95da53214d:<<ACCOUNT-ID>>-us-east-2
CdktestStackNew: success: Built d226933025d157b0d4b657c799927541d08e2f278c0ea13d2bba1e95da53214d:<<ACCOUNT-ID>>-us-east-2
CdktestStackNew: start: Publishing d226933025d157b0d4b657c799927541d08e2f278c0ea13d2bba1e95da53214d:<<ACCOUNT-ID>>-us-east-2
CdktestStackNew: success: Published d226933025d157b0d4b657c799927541d08e2f278c0ea13d2bba1e95da53214d:<<ACCOUNT-ID>>-us-east-2
Stack undefined
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────┬────────┬─────────────┬───────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource        │ Effect │ Action      │ Principal                 │ Condition                                                                                                           │
├───┼─────────────────┼────────┼─────────────┼───────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${TestSnsTopic} │ Allow  │ sns:Publish │ Service:ses.amazonaws.com │ "StringEquals": {                                                                                                   │
│   │                 │        │             │                           │   "AWS:SourceAccount": "<<ACCOUNT-ID>>",                                                                              │
│   │                 │        │             │                           │   "AWS:SourceArn": "arn:${AWS::Partition}:ses:us-east-2:<<ACCOUNT-ID>>:configuration-set/${TestSESConfigSetA1C354EA}" │
│   │                 │        │             │                           │ }                                                                                                                   │
└───┴─────────────────┴────────┴─────────────┴───────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
CdktestStackNew: deploying... [1/1]
CdktestStackNew: creating CloudFormation changeset...
CdktestStackNew | 0/6 | 12:01:05 PM | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack                 | CdktestStackNew User Initiated
CdktestStackNew | 0/6 | 12:01:12 PM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack                 | CdktestStackNew User Initiated
CdktestStackNew | 0/6 | 12:01:14 PM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                         | CDKMetadata/Default (CDKMetadata) 
CdktestStackNew | 0/6 | 12:01:14 PM | CREATE_IN_PROGRESS   | AWS::SES::ConfigurationSet                 | TestSESConfigSet (TestSESConfigSetA1C354EA) 
CdktestStackNew | 0/6 | 12:01:14 PM | CREATE_IN_PROGRESS   | AWS::SNS::Topic                            | TestSnsTopic (TestSnsTopic9011E4C7) 
CdktestStackNew | 0/6 | 12:01:15 PM | CREATE_IN_PROGRESS   | AWS::CDK::Metadata                         | CDKMetadata/Default (CDKMetadata) Resource creation Initiated
CdktestStackNew | 0/6 | 12:01:15 PM | CREATE_IN_PROGRESS   | AWS::SNS::Topic                            | TestSnsTopic (TestSnsTopic9011E4C7) Resource creation Initiated
CdktestStackNew | 1/6 | 12:01:15 PM | CREATE_COMPLETE      | AWS::CDK::Metadata                         | CDKMetadata/Default (CDKMetadata) 
CdktestStackNew | 1/6 | 12:01:15 PM | CREATE_IN_PROGRESS   | AWS::SES::ConfigurationSet                 | TestSESConfigSet (TestSESConfigSetA1C354EA) Resource creation Initiated
CdktestStackNew | 2/6 | 12:01:15 PM | CREATE_COMPLETE      | AWS::SNS::Topic                            | TestSnsTopic (TestSnsTopic9011E4C7) 
CdktestStackNew | 3/6 | 12:01:15 PM | CREATE_COMPLETE      | AWS::SES::ConfigurationSet                 | TestSESConfigSet (TestSESConfigSetA1C354EA) 
CdktestStackNew | 3/6 | 12:01:15 PM | CREATE_IN_PROGRESS   | AWS::SNS::TopicPolicy                      | TestSnsTopic/Policy (TestSnsTopicPolicy2AC7225E) 
CdktestStackNew | 3/6 | 12:01:16 PM | CREATE_IN_PROGRESS   | AWS::SNS::TopicPolicy                      | TestSnsTopic/Policy (TestSnsTopicPolicy2AC7225E) Resource creation Initiated
CdktestStackNew | 4/6 | 12:01:16 PM | CREATE_COMPLETE      | AWS::SNS::TopicPolicy                      | TestSnsTopic/Policy (TestSnsTopicPolicy2AC7225E) 
CdktestStackNew | 4/6 | 12:01:17 PM | CREATE_IN_PROGRESS   | AWS::SES::ConfigurationSetEventDestination | TestSESConfigSet/TestSNSDestination (TestSESConfigSetTestSNSDestinationC6540474) 
CdktestStackNew | 4/6 | 12:01:18 PM | CREATE_IN_PROGRESS   | AWS::SES::ConfigurationSetEventDestination | TestSESConfigSet/TestSNSDestination (TestSESConfigSetTestSNSDestinationC6540474) Resource creation Initiated
CdktestStackNew | 4/6 | 12:01:18 PM | CREATE_IN_PROGRESS   | AWS::SES::ConfigurationSetEventDestination | TestSESConfigSet/TestSNSDestination (TestSESConfigSetTestSNSDestinationC6540474) Eventual consistency check initiated
CdktestStackNew | 4/6 | 12:01:18 PM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack                 | CdktestStackNew Eventual consistency check initiated
CdktestStackNew | 5/6 | 12:01:28 PM | CREATE_COMPLETE      | AWS::SES::ConfigurationSetEventDestination | TestSESConfigSet/TestSNSDestination (TestSESConfigSetTestSNSDestinationC6540474) 
CdktestStackNew | 6/6 | 12:01:29 PM | CREATE_COMPLETE      | AWS::CloudFormation::Stack                 | CdktestStackNew 

 ✅  CdktestStackNew

✨  Deployment time: 30.83s

Stack ARN:
arn:aws:cloudformation:us-east-2:<<ACCOUNT-ID>>:stack/CdktestStackNew/d2324ca0-b8c3-11ef-84a6-063726075461

✨  Total time: 36s

@atnartur Could you please try using the latest version of CDK (you should update both your package.json followed by npm install and CDK CLI).

Thanks,
Ashish

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[atnartur]

I'm investigating the issue to add more details about the bug. I will add them next week.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[atnartur]

Since I met an InternalFailure error, it looks like it was a glitch on the AWS CloudFormation side. This week it started to work, and I delivered the functionality using AWS CDK.

@ashishdhingra thanks for your assistance!

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.