Cross stack reference caused "cyclic reference" error

[darren-dazh]

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

• I'm submitting a ...

  • 🪲 bug report
  • 🚀 feature request
  • 📚 construct library gap
  • ☎️ security issue or vulnerability => Please see policy
  • ❓ support request => Please see note at the top of this template.

• What is the current behavior?
  If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

I created 2 stacks - one for CodeCommit repository, and the other for CodePipeline which takes the previous one as source stage.

class CodeRepo(core.Stack):
......
    self.repo = codecommit.Repository(
            self,
            id='CodeCommitRepo',
            repository_name=repo_name
        )

class MyPipeline(core.Stack):
......
        def __init__(self, scope: core.Construct, id: str, code_repo: codecommit.IRepository) -> None:
            ......
            # create CodePipeline and its stages.
            pipeline = codepipeline.Pipeline(self, id='CodePipeline', pipeline_name='pipeline', restart_execution_on_update=False)

            source_stage = pipeline.add_stage(stage_name='Source')
            source_stage.add_action(
                codepipeline_actions.CodeCommitSourceAction(
                    action_name='action',
                    repository=code_repo,
                    branch='master',
                    output=codepipeline.Artifact(artifact_name='output'),
                    trigger=codepipeline_actions.CodeCommitTrigger.EVENTS
                )
            )

app = core.App() 
repo_stack = CodeRepo(app, 'repo_stack')
pipeline_stack = MyPipeline(app, 'pipeline_stack', repo_stack.repo)

app.synth()

Then I got following error:

File "./venv/lib/python3.6/site-packages/aws_cdk/core/__init__.py", line 2905, in synth
    return jsii.invoke(self, "synth", [])
  File "./venv/lib/python3.6/site-packages/jsii/_kernel/__init__.py", line 104, in wrapped
    return _recursize_dereference(kernel, fn(kernel, *args, **kwargs))
  File "./venv/lib/python3.6/site-packages/jsii/_kernel/__init__.py", line 258, in invoke
    args=_make_reference_for_native(self, args),
  File "./venv/lib/python3.6/site-packages/jsii/_kernel/providers/process.py", line 346, in invoke
    return self._process.send(request, InvokeResponse)
  File "./venv/lib/python3.6/site-packages/jsii/_kernel/providers/process.py", line 316, in send
    raise JSIIError(resp.error) from JavaScriptError(resp.stack)
jsii.errors.JSIIError: 'pipeline_stack' depends on 'repo_stack' (pipeline_stack/CodePipeline/Role/DefaultPolicy/Resource -> repo_stack/CodeCommitRepo/Resource.Arn). Adding this dependency (repo_stack/CodeCommitRepo/pipelinestackCodePipelineA06C8E1EEventRule/Resource -> pipeline_stack/CodePipeline/Resource.Ref) would create a cyclic reference.

An interesting observation is, if i put codecommit.Repository(...) in the pipeline_stack and refer the repo resource as usual, everything works without cyclic dependency.

• What is the expected behavior (or behavior of feature suggested)?
  CDK is expected to handle the dependency issue, as described on aws doc for "Passing Resources from a Different Stack".

• What is the motivation / use case for changing the behavior or adding this feature?

• Please tell us about your environment:

  • CDK CLI Version: 0.36.0
  • Module Version: 0.36.0
  • OS: [ OSX Mojave ]
  • Language: [ Python ]

• Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

[josjaf]

Is this an error with the codepipeline module?

[skinny85]

It could be related to #3300

[hornetmadness]

I am also having this issue at of v1.98. Whats strange to me, is the IAM stack there is no direct dependency on any other stacks.
If I comment out the "codebuild.PipelineProject.role" it all works fine as its falling back to creating its own iam roles and not the prescribed one. There seems to be some black magic going on here that's causing this cyclic reference

    iam_name=f"alc-ops-IAM-{account_name}"
    iam_stack=IAM(
        scope=app,
        id=iam_name,
        description=iam_name,
        config=cfg.iam,
        env=cdk_env
    )

    pipebuild_stack = PipeBuild(
        scope=app,
        id=f"cdk-{cfg.account_name}-pipebuild-{region}",
        description=f"Created codepipeline and codebuild in {region}",
        config=cfg_ref.pipebuild,
        vpc_stack=vpc_stack,
        codecommit=codecommit_stack,
        iam_stack=iam_stack,
        env=cdk_env,
    )

class PipeBuild(core.Stack):
    def __init__(self,
        scope: core.Construct,
        id: str,
        config,
        vpc_stack,
        codecommit,
        iam_stack,
        **kwargs
    ) -> None:
        super().__init__(scope, id, **kwargs)

        sg=project.vpc.sg_name
        build = codebuild.PipelineProject(
            self, 
            f"build-{project.name}",
            project_name=f"{project.name}-Docker-Build",
            environment=image_switch[project.build_image](),
            environment_variables=project.envs,
            description=project.description,
            timeout=core.Duration.minutes(60),
            vpc=vpc_stack.vpc[project.vpc.vpc_name],
            security_groups=[ vpc_stack.sg[project.vpc.vpc_name][sg] ],
            role=iam_stack.roles[project.role]
        )

'alc-ops-IAM-devops' depends on 'cdk-devops-pipebuild-us-east-1' (alc-ops-IAM-devops -> cdk-devops-pipebuild-us-east-1/build-cdk-customers/Resource.Ref). Adding this dependency (cdk-devops-pipebuild-us-east-1 -> alc-ops-IAM-devops/pipebuild-cdk-customers-build/Resource.Arn) would create a cyclic reference.

[skinny85]

Thanks for reporting @hornetmadness, but I'm having trouble replicating your setup. In this code:

class PipeBuild(core.Stack):
    def __init__(self, scope: core.Construct, id: str,
            config, vpc_stack, codecommit, iam_stack, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        sg=project.vpc.sg_name
        build = codebuild.PipelineProject(
            self,
            f"build-{project.name}",
            project_name=f"{project.name}-Docker-Build",
            environment=image_switch[project.build_image](),
            environment_variables=project.envs,
            description=project.description,
            timeout=core.Duration.minutes(60),
            vpc=vpc_stack.vpc[project.vpc.vpc_name],
            security_groups=[ vpc_stack.sg[project.vpc.vpc_name][sg] ],
            role=iam_stack.roles[project.role]
        )

What is project?

[hornetmadness]

Its just a bit of json

            "pipebuild": [
                {
                    "name": "cdk-customers",
                    "description": "Build docker container for cdk-customer",
                    "build_image": "STANDARD_5_0",
                    "envs":{},
                    "vpc": {
                        "vpc_name": "alc-ops",
                        "subnet_name": "applications",
                        "sg_name": "app_sg"
                    },
                    "timeout": 30,
                    "source_repo": "cdk-customers",
                    "watch_branch": "master",
                    "s3_bucket_name": "pipebuild-cdk-customers",
                    "role": "pipebuild-cdk-customers-build"
                }
            ],

[skinny85]

I still need more information to diagnose this, like what's in IAM, and how are all of these Stacks wired in the entrypoint (otherwise the error message doesn't really make much sense to me).

Any chance you could push a minimal reproduction of this problem to some public GitHub repo @hornetmadness?

[skinny85]

Ah, I probably get it. It's because you've put the Role of the Project in a different Stack. So, the Role needs to know the ARN of the Project (as it has a bunch of permissions that use that), and also the Project needs to know the ARN of the Role (to set it correctly on the Project). Hence, cycle.

This is enough to demonstrate it:

import * as codebuild from '@aws-cdk/aws-codebuild';
import * as iam from '@aws-cdk/aws-iam';
import * as cdk from '@aws-cdk/core';

class IamStack extends cdk.Stack {
    public readonly projectRole: iam.IRole;

    constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        this.projectRole = new iam.Role(this, 'Role', {
            assumedBy: new iam.AnyPrincipal(),
        });
    }
}

interface ProjectStackProps extends cdk.StackProps {
    readonly projectRole: iam.IRole;
}

class ProjectStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props: ProjectStackProps) {
        super(scope, id, props);

        new codebuild.PipelineProject(this, 'Project', {
            role: props.projectRole,
        });
    }
}

const app = new cdk.App();
const iamStack = new IamStack(app, 'IamStack');
new ProjectStack(app, 'ProjectStack', {
    projectRole: iamStack.projectRole,
});
app.synth();

I'm afraid you'll have to structure your Stacks a little differently @hornetmadness.

[skinny85]

Simplest solution - move the IAM Role of the CodeBuild Project to the same Stack as that Project.

[stevenlafl]

It appears any time you create a Role in one stack and reference it in another, it will break entirely. Setting roles in another stack for larger application is a good practice if you have the -same exact role- that would otherwise be created multiple times.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.