Open kornicameister opened 2 years ago
You're running into a circular dependency here for a similar reason as this issue and this issue. Stack B may run code which will cause new policies to be added in Stack A which in turn attempt to reference a resource in Stack B.
These can be tricky to workaround depending on the specific case. If there are no simple escape hatches, then you may be able to introduce a third stack, and/or implement a custom resource which creates and adds the necessary policy once you have the information you need to create the policy.
Describe the bug
Why
I wanted to have a single KMS key used for entire deployment stage (no requirements to have it other way around) that is used in multiple other stacks defining different functionalities.
Approach 1
Why I think it failed with permissions but key was
Because keys imported via https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kms/Key.html#aws_cdk.aws_kms.Key.from_key_arn do no contain a reference to key originally created in stack A hence calls like https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kms/Key.html#aws_cdk.aws_kms.Key.add_to_resource_policy do not really work
Approach 2
Approach 3
It's essentially an approach 2 but I have created an alias for the imported key.
How I could make it work and why I haven't
There's a workaround for that problem. I actually need to have:
Fn::Import
where alladd_to_resource_policy
calls work and key policy is correctKey.fromKeyArn
(via SSM) orAlias.fromAliasName
(I compute aliases statically so I can reference them across stacks without any error) for the sake of API gateway authorizerBut it is a bit awkward just by looking at it and I am pretty sure I would have created unmaintainable code just because I would create two dependency points:
Fn::Export
andFn::Import
Expected Behavior
Not quite sure if there's any. I mean I would love the code to work but I cannot get stop thinking that either:
However, I wonder if any calls to
addToResourcePolicies
executed over imported keysKey.fromLookup
,Key.fromKeyArn
orAlias.fromAliasName
should fail. I mean it clearly haven't worked for me and it makes to me that it shouldn't. After all key policy is created the moment key is defined and each of mentioned methods do assume key already exists (in different stack, in different place, manually created or whatever else). If there's a point to this bug: it might be it.Current Behavior
Either:
Reproduction Steps
Possible Solution
N/A
Additional Information/Context
No response
CDK CLI Version
2.41.0
Framework Version
?
Node.js Version
14.17.5
OS
MAC
Language
Python
Language Version
3.10.5
Other information