fix(cdk-lib): Pass lookupRoleArn to NestedStackSynthesizer (#26116)

NestedStack's synthesizer doesn't receive the lookupRoleArn from the parent stack synthesizer, so the NestedStack tries with local credentials (of the deployment account) instead of assuming a cross-account role (on the target account) as regular non-nested Stack would do. This PR aims to add lookupRoleArn reference to the StackSynthesizer class and IStackSynthesizer, so it can be use on the NestedStack to explicitly set an IAM role in case of parent stack having one already defined, so CDK uses the role instead of local credentials. Closes #25171. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jun 27, 2023 · 3c29223 · 3c29223
1 parent f9d4573
commit 3c29223
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 2 deletions.
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/default-synthesizer.ts
@@ -344,6 +344,13 @@ export class DefaultStackSynthesizer extends StackSynthesizer implements IReusab
     return this.qualifier;
   }
 
+  /**
+   * The role used to lookup for this stack
+   */
+  public get lookupRole(): string | undefined {
+    return this.lookupRoleArn;
+  }
+
   public bind(stack: Stack): void {
     super.bind(stack);
 

diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/nested.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/nested.ts
@@ -19,6 +19,10 @@ export class NestedStackSynthesizer extends StackSynthesizer {
     return this.parentDeployment.bootstrapQualifier;
   }
 
+  public get lookupRole(): string | undefined {
+    return this.parentDeployment.lookupRole;
+  }
+
   public addFileAsset(asset: FileAssetSource): FileAssetLocation {
     // Forward to parent deployment. By the magic of cross-stack references any parameter
     // returned and used will magically be forwarded to the nested stack.
@@ -34,6 +38,6 @@ export class NestedStackSynthesizer extends StackSynthesizer {
   public synthesize(session: ISynthesisSession): void {
     // Synthesize the template, but don't emit as a cloud assembly artifact.
     // It will be registered as an S3 asset of its parent instead.
-    this.synthesizeTemplate(session);
+    this.synthesizeTemplate(session, this.lookupRole);
   }
 }
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/stack-synthesizer.ts
@@ -28,6 +28,13 @@ export abstract class StackSynthesizer implements IStackSynthesizer {
     return undefined;
   }
 
+  /**
+   * The role used to lookup for this stack
+   */
+  public get lookupRole(): string | undefined {
+    return undefined;
+  }
+
   private _boundStack?: Stack;
 
   /**

diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/types.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/types.ts
@@ -13,6 +13,13 @@ export interface IStackSynthesizer {
    */
   readonly bootstrapQualifier?: string;
 
+  /**
+   * The role used to lookup for this stack
+   *
+   * @default - no role
+   */
+  readonly lookupRole?: string;
+
   /**
    * Bind to the stack this environment is going to be used on
    *

diff --git a/packages/aws-cdk-lib/core/test/stack-synthesis/new-style-synthesis.test.ts b/packages/aws-cdk-lib/core/test/stack-synthesis/new-style-synthesis.test.ts
@@ -2,7 +2,7 @@ import * as fs from 'fs';
 import * as cxschema from '../../../cloud-assembly-schema';
 import { ArtifactType } from '../../../cloud-assembly-schema';
 import * as cxapi from '../../../cx-api';
-import { App, Aws, CfnResource, ContextProvider, DefaultStackSynthesizer, FileAssetPackaging, Stack } from '../../lib';
+import { App, Aws, CfnResource, ContextProvider, DefaultStackSynthesizer, FileAssetPackaging, Stack, NestedStack } from '../../lib';
 import { ISynthesisSession } from '../../lib/stack-synthesizers/types';
 import { evaluateCFN } from '../evaluate-cfn';
 
@@ -15,6 +15,7 @@ const CFN_CONTEXT = {
 describe('new style synthesis', () => {
   let app: App;
   let stack: Stack;
+  let nestedStack: NestedStack;
 
   beforeEach(() => {
     app = new App({
@@ -187,6 +188,24 @@ describe('new style synthesis', () => {
 
   });
 
+  test('nested Stack uses the lookup role ARN of the parent stack', () => {
+    // GIVEN
+    const myapp = new App();
+    const mystack = new Stack(myapp, 'mystack', {
+      synthesizer: new DefaultStackSynthesizer({
+        generateBootstrapVersionRule: false,
+      }),
+      env: {
+        account: '111111111111', region: 'us-east-1',
+      },
+    });
+    nestedStack = new NestedStack(mystack, 'nestedStack');
+
+    // THEN
+    expect(nestedStack.synthesizer.lookupRole).toEqual('arn:${AWS::Partition}:iam::111111111111:role/cdk-hnb659fds-lookup-role-111111111111-us-east-1');
+
+  });
+
   test('add file asset', () => {
     // WHEN
     const location = stack.synthesizer.addFileAsset({