fix(aws-autoscaling): notificationTargetArn should be optional in Lif…

…ecycleHook (aws#16187)

This makes the notificationTargetArn optional in LifecycleHook. CloudFormation docs specify it as optional [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-as-lifecyclehook.html). Closes aws#14641. 
To achieve this, the `role` parameter was made optional. To avoid breaking users, a role is provided if users specify a `notificationTarget` (which they currently all do, as it is a required property) and is not provided otherwise.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

allowed-breaking-changes.txt

@@ -86,3 +86,10 @@ removed:@aws-cdk/aws-stepfunctions-tasks.EmrCreateClusterProps.autoTerminationPo
 # Changed property securityGroupId to optional because either securityGroupId or 
 # securityGroupName is required. Therefore securityGroupId is no longer mandatory.
 weakened:@aws-cdk/cloud-assembly-schema.SecurityGroupContextQuery
+
+# refactor autoscaling lifecycle hook target bind() methods to make role optional by
+# having bind() methods create the role if it isn't passed to them 
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.FunctionHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.QueueHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling-hooktargets.TopicHook.bind
+incompatible-argument:@aws-cdk/aws-autoscaling.ILifecycleHookTarget.bind

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/common.ts

@@ -0,0 +1,17 @@
+// eslint-disable-next-line import/order
+import * as iam from '@aws-cdk/aws-iam';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import * as constructs from 'constructs';
+
+export function createRole(scope: constructs.Construct, _role?: iam.IRole) {
+  let role = _role;
+  if (!role) {
+    role = new iam.Role(scope, 'Role', {
+      assumedBy: new iam.ServicePrincipal('autoscaling.amazonaws.com'),
+    });
+  }
+
+  return role;
+}

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/index.ts

@@ -1,3 +1,4 @@
+export * from './common';
 export * from './queue-hook';
 export * from './topic-hook';
 export * from './lambda-hook';

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/lambda-hook.ts

@@ -4,11 +4,12 @@ import * as lambda from '@aws-cdk/aws-lambda';
 import * as sns from '@aws-cdk/aws-sns';
 import * as subs from '@aws-cdk/aws-sns-subscriptions';
 
+import { createRole } from './common';
 import { TopicHook } from './topic-hook';
 
 // keep this import separate from other imports to reduce chance for merge conflicts with v2-main
 // eslint-disable-next-line no-duplicate-imports, import/order
-import { Construct } from '@aws-cdk/core';
+import { Construct } from 'constructs';
 
 /**
  * Use a Lambda Function as a hook target
@@ -23,16 +24,23 @@ export class FunctionHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly fn: lambda.IFunction, private readonly encryptionKey?: kms.IKey) {
   }
 
-  public bind(scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    const topic = new sns.Topic(scope, 'Topic', {
+  /**
+   * If the `IRole` does not exist in `options`, will create an `IRole` and an SNS Topic and attach both to the lifecycle hook.
+   * If the `IRole` does exist in `options`, will only create an SNS Topic and attach it to the lifecycle hook.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const topic = new sns.Topic(_scope, 'Topic', {
       masterKey: this.encryptionKey,
     });
+
+    const role = createRole(_scope, options.role);
+
     // Per: https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
     // Topic's grantPublish() is in a base class that does not know there is a kms key, and so does not
     // grant appropriate permissions to the kms key. We do that here to ensure the correct permissions
     // are in place.
-    this.encryptionKey?.grant(lifecycleHook.role, 'kms:Decrypt', 'kms:GenerateDataKey');
+    this.encryptionKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey');
     topic.addSubscription(new subs.LambdaSubscription(this.fn));
-    return new TopicHook(topic).bind(scope, lifecycleHook);
+    return new TopicHook(topic).bind(_scope, { lifecycleHook: options.lifecycleHook, role });
   }
 }

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/queue-hook.ts

@@ -1,6 +1,10 @@
 import * as autoscaling from '@aws-cdk/aws-autoscaling';
 import * as sqs from '@aws-cdk/aws-sqs';
-import { Construct } from '@aws-cdk/core';
+import { createRole } from './common';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from 'constructs';
 
 /**
  * Use an SQS queue as a hook target
@@ -9,8 +13,19 @@ export class QueueHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly queue: sqs.IQueue) {
   }
 
-  public bind(_scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    this.queue.grantSendMessages(lifecycleHook.role);
-    return { notificationTargetArn: this.queue.queueArn };
+  /**
+   * If an `IRole` is found in `options`, grant it access to send messages.
+   * Otherwise, create a new `IRole` and grant it access to send messages.
+   *
+   * @returns the `IRole` with access to send messages and the ARN of the queue it has access to send messages to.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const role = createRole(_scope, options.role);
+    this.queue.grantSendMessages(role);
+
+    return {
+      notificationTargetArn: this.queue.queueArn,
+      createdRole: role,
+    };
   }
 }

packages/@aws-cdk/aws-autoscaling-hooktargets/lib/topic-hook.ts

@@ -1,6 +1,10 @@
 import * as autoscaling from '@aws-cdk/aws-autoscaling';
 import * as sns from '@aws-cdk/aws-sns';
-import { Construct } from '@aws-cdk/core';
+import { createRole } from './common';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from 'constructs';
 
 /**
  * Use an SNS topic as a hook target
@@ -9,8 +13,19 @@ export class TopicHook implements autoscaling.ILifecycleHookTarget {
   constructor(private readonly topic: sns.ITopic) {
   }
 
-  public bind(_scope: Construct, lifecycleHook: autoscaling.ILifecycleHook): autoscaling.LifecycleHookTargetConfig {
-    this.topic.grantPublish(lifecycleHook.role);
-    return { notificationTargetArn: this.topic.topicArn };
+  /**
+   * If an `IRole` is found in `options`, grant it topic publishing permissions.
+   * Otherwise, create a new `IRole` and grant it topic publishing permissions.
+   *
+   * @returns the `IRole` with topic publishing permissions and the ARN of the topic it has publishing permission to.
+   */
+  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
+    const role = createRole(_scope, options.role);
+    this.topic.grantPublish(role);
+
+    return {
+      notificationTargetArn: this.topic.topicArn,
+      createdRole: role,
+    };
   }
 }