aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(route53-patterns): certificate-redirect-stack cannot reference ... Set crossRegionReferences=true to enable cross region references #29453

Open andreialecu opened 7 months ago

andreialecu commented 7 months ago

Describe the bug

I'm attempting to remove some deprecation and I set "@aws-cdk/aws-route53-patters:useCertificate": "true"; however, I'm running into this error:

Error: Stack "certificate-redirect-stack-c8b5b42c242cdd1d88a8dbbb939528db6298ad5b05" cannot reference {.../...DotAppZone/Resource[Ref]} in stack "...". Cross stack references are only supported for stacks deployed to the same environment or between nested stacks and their parent stack. Set crossRegionReferences=true to enable cross region references

My stack already has crossRegionReferences: true in its props.

Expected Behavior

No error

Current Behavior

See error above

Reproduction Steps

cdk.json:

{
  "app": "npx ts-node bin/cloud-infra.ts",
  "versionReporting": false,
  "context": {
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:stackRelativeExports": "true",
    "@aws-cdk/aws-route53-patters:useCertificate": "true"
  }
}

new route53patterns.HttpsRedirect(this, "RedirectWwwToNonWww", {
  recordNames: [`www.${domain}`],
  targetDomain: domain,
  zone,
});

Possible Solution

I noticed that in here: https://github.com/aws/aws-cdk/blob/840ec977b09a48395c6be411250836edbc81b14c/packages/aws-cdk-lib/aws-route53-patterns/lib/website-redirect.ts#L134-L136 there's no crossRegionReferences: true.

That seems suspect; shouldn't that stack also enable cross-region references?

Additional Information/Context

No response

CDK CLI Version

2.130.0

Framework Version

No response

Node.js Version

20

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

pahud commented 7 months ago

Can you share more about the details?

Are you trying to build an HTTP redirect in a region outside of us-east-1? Which region are you deploying to? And can you share more about how you created the stack?

andreialecu commented 7 months ago

Deploying in eu-west-1.

For a while, we've been using the deprecated DnsValidatedCertificate construct and have migrated to the new cross-region certificates instead.

Some warnings remained, and that's because HttpsRedirect still uses DnsValidatedCertificate unless that new flag (@aws-cdk/aws-route53-patters:useCertificate) is enabled.

Enabling this flag was intended to create the certificate in us-east-1 using the new cross-region references functionality, but it appears it isn't working.

I don't see how it would work without crossRegionReferences: true in the new Stack() instantiation.

andreialecu commented 7 months ago

PR that implemented this initially: https://github.com/aws/aws-cdk/pull/23575 (/cc @corymhall)

I believe the integration test may be wrong here: https://github.com/aws/aws-cdk/pull/23575/files#diff-f979b7bb5df1e4840178e9c77eea1a18ccc87711a1dd71bf271d09ab60ec984dR14-R17

It doesn't specifically enable the flag, so it tests the old behavior.

andreialecu commented 7 months ago

Repro:

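import { App, Stack, StackProps } from "aws-cdk-lib";
import * as route53 from "aws-cdk-lib/aws-route53";
import { HttpsRedirect } from "aws-cdk-lib/aws-route53-patterns";

// Enable the feature flag so HttpsRedirect uses the cross-region Certificate path.
const app = new App({
  postCliContext: {
    "@aws-cdk/aws-route53-patters:useCertificate": true,
  },
});

// The parent stack is outside us-east-1 and opts in to cross-region references.
const props: StackProps = {
  env: { account: "...", region: "eu-west-1" },
  crossRegionReferences: true,
};

const stack = new Stack(app, "Redirect-Test-Stack", props);
new HttpsRedirect(stack, "redirect", {
  // The hosted zone is scoped to the eu-west-1 stack defined above.
  zone: new route53.HostedZone(
    stack,
    "HostedZone",
    {
      zoneName: "some.domain",
    },
  ),
  recordNames: [`integ.some.domain`],
  targetDomain: "aws.amazon.com",
});

andreialecu commented 7 months ago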

It appears that enabling crossRegionReferences: true on the certificates construct's stack results in a cyclic reference.

I opened a draft PR here which shows the new error: https://github.com/aws/aws-cdk/pull/29464

Let's move discussion there.