From 3e0393e63e84d631545734425482deae687520f1 Mon Sep 17 00:00:00 2001 
From: Romain Marcadier Date: Thu, 5 May 2022 03:09:41 +0200 Subject: [PATCH] fix(appsync): incorrect region used for imported Cognito user pool (#20193) Replaces all uses of `resource.stack.region` with `resource.env.region`, since imported resources can provide a different region than the current stack, and using the stack's region for them can result in an invalid configuration. Applying the same treatment to occurrences of `resources.stack.account` as this is also surfaced as `resources.env.account`. Fixes #20195 ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? 
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts | 2 +-
 packages/@aws-cdk/aws-appsync/lib/data-source.ts | 8 ++++----
 packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts | 2 +-
 packages/@aws-cdk/aws-batch/lib/compute-environment.ts | 2 +-
 packages/@aws-cdk/aws-cloud9/lib/environment.ts | 2 +-
 .../aws-cloudfront/lib/experimental/edge-function.ts | 2 +-
 packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts | 4 ++--
 packages/@aws-cdk/aws-ecs/lib/base/base-service.ts | 8 ++++----
 .../lib/shared/base-load-balancer.ts | 2 +-
 packages/@aws-cdk/aws-elasticsearch/lib/domain.ts | 2 +-
 packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts | 2 +-
 packages/@aws-cdk/aws-opensearchservice/lib/domain.ts | 2 +-
 packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts | 8 ++++----
 packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts | 6 +++---
 packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts | 6 +++---
 packages/@aws-cdk/core/lib/resource.ts | 2 +-
 16 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts b/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts
index a7f2e13b99cd4..46305911d4143 100644
--- a/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts
@@ -236,7 +236,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
     // path variable and all that follows with a wildcard.
     const iamPath = path.replace(/\{.*?\}.*/, '*');
-    return `arn:aws:execute-api:${this.stack.region}:${this.stack.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
+    return `arn:aws:execute-api:${this.env.region}:${this.env.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
   }
   public grantInvoke(grantee: iam.IGrantable, options: GrantInvokeOptions = {}): iam.Grant {
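Review bot: The rebuilt ARN in the `+` line still hard-codes the `aws` partition (`arn:aws:execute-api:…`) while the account and region now come from `this.env`, so the resource that `grantInvoke` scopes its policy to is wrong in non-standard partitions (GovCloud, China) even though other hunks of this commit already read `this.stack.partition` for the same purpose. Suggest `return \`arn:${this.stack.partition}:execute-api:${this.env.region}:${this.env.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}\`;`, or building it with `Stack.of(this).formatArn` and `service: 'execute-api'`. The enclosing method starts before this hunk.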
diff --git a/packages/@aws-cdk/aws-appsync/lib/data-source.ts b/packages/@aws-cdk/aws-appsync/lib/data-source.ts
index 7781f0c57d0af..fccaece50790f 100644
--- a/packages/@aws-cdk/aws-appsync/lib/data-source.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/data-source.ts
@@ -219,7 +219,7 @@ export class DynamoDbDataSource extends BackedDataSource {
       type: 'AMAZON_DYNAMODB',
       dynamoDbConfig: {
         tableName: props.table.tableName,
-        awsRegion: props.table.stack.region,
+        awsRegion: props.table.env.region,
         useCallerCredentials: props.useCallerCredentials,
       },
     });
@@ -337,7 +337,7 @@ export class RdsDataSource extends BackedDataSource {
       type: 'RELATIONAL_DATABASE',
       relationalDatabaseConfig: {
         rdsHttpEndpointConfig: {
-          awsRegion: props.serverlessCluster.stack.region,
+          awsRegion: props.serverlessCluster.env.region,
           dbClusterIdentifier: Lazy.string({
             produce: () => {
               return Stack.of(this).formatArn({
@@ -399,7 +399,7 @@ export class ElasticsearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_ELASTICSEARCH',
       elasticsearchConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });
@@ -426,7 +426,7 @@ export class OpenSearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_OPENSEARCH_SERVICE',
       openSearchServiceConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });
diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
index 5d7cce7131cbb..3ef0b348ad768 100644
--- a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
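Review bot: In the `RdsDataSource` hunk (`@@ -337`) `awsRegion` now follows `props.serverlessCluster.env.region`, but the `dbClusterIdentifier` directly below is still produced by `Stack.of(this).formatArn(...)`, which defaults to the current stack's region and account, so for an imported cluster in another region the two halves of `rdsHttpEndpointConfig` would disagree and the data source would point at a non-existent cluster. Unless the `formatArn` arguments (which continue outside the hunk) already pass `region: props.serverlessCluster.env.region, account: props.serverlessCluster.env.account`, they should, or the cluster's own ARN should be used instead. The constructor body runs past the end of the hunk.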
@@ -633,7 +633,7 @@ export class GraphqlApi extends GraphqlApiBase {
     if (!config) return undefined;
     return {
       userPoolId: config.userPool.userPoolId,
-      awsRegion: config.userPool.stack.region,
+      awsRegion: config.userPool.env.region,
       appIdClientRegex: config.appIdClientRegex,
       defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,
     };
diff --git a/packages/@aws-cdk/aws-batch/lib/compute-environment.ts b/packages/@aws-cdk/aws-batch/lib/compute-environment.ts
index 80f2b2c4e1e6d..d73643a1d6320 100644
--- a/packages/@aws-cdk/aws-batch/lib/compute-environment.ts
+++ b/packages/@aws-cdk/aws-batch/lib/compute-environment.ts
@@ -581,7 +581,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
       return props.computeResources.spotFleetRole;
     } else if (props.computeResources.type === ComputeResourceType.SPOT) {
       return iam.Role.fromRoleArn(this, 'Resource-SpotFleet-Role',
-        `arn:${this.stack.partition}:iam::${this.stack.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
+        `arn:${this.stack.partition}:iam::${this.env.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
     }
   }
diff --git a/packages/@aws-cdk/aws-cloud9/lib/environment.ts b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
index a28b2627c3b34..5dced968ac40e 100644
--- a/packages/@aws-cdk/aws-cloud9/lib/environment.ts
+++ b/packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -143,7 +143,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     this.environmentId = c9env.ref;
     this.ec2EnvironmentArn = c9env.getAtt('Arn').toString();
     this.ec2EnvironmentName = c9env.getAtt('Name').toString();
-    this.ideUrl = `https://${this.stack.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
+    this.ideUrl = `https://${this.env.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
   }
 }
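Review bot: The diffstat lists only `lib/` files, so the imported-user-pool case this commit exists for (`@@ -633` in graphqlapi.ts) has no regression test; a unit test that imports a pool with `UserPool.fromUserPoolArn` using an ARN whose region differs from the stack's and asserts the synthesized `AwsRegion` would pin the fix. A pool imported by id alone presumably carries no region in its `env` other than the stack's, so the fix likely only helps ARN-based imports — worth a sentence in the `userPoolConfig` documentation. The enclosing method starts before and continues after the hunk.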
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
index 4aec3508fc904..f7f2b445a3306 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
@@ -55,7 +55,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
     super(scope, id);
     // Create a simple Function if we're already in us-east-1; otherwise create a cross-region stack.
-    const regionIsUsEast1 = !Token.isUnresolved(this.stack.region) && this.stack.region === 'us-east-1';
+    const regionIsUsEast1 = !Token.isUnresolved(this.env.region) && this.env.region === 'us-east-1';
     const { edgeFunction, edgeArn } = regionIsUsEast1 ? this.createInRegionFunction(props) : this.createCrossRegionFunction(id, props);
diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
index e8b37bb10d15f..9cd9a81a31f30 100644
--- a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
@@ -612,8 +612,8 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
   private validateCanLookupSupportedAzs(subnets: ISubnet[], serviceName: string) {
     // Having any of these be true will cause the AZ lookup to fail at synthesis time
-    const agnosticAcct = Token.isUnresolved(this.stack.account);
-    const agnosticRegion = Token.isUnresolved(this.stack.region);
+    const agnosticAcct = Token.isUnresolved(this.env.account);
+    const agnosticRegion = Token.isUnresolved(this.env.region);
     const agnosticService = Token.isUnresolved(serviceName);
     // Having subnets with Token AZs can cause the endpoint to be created with no subnets, failing at deployment time
diff --git a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
index 4e5de4c90eacf..df4a9fd4d372e 100644
--- a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -510,7 +510,7 @@ export abstract class BaseService extends Resource
       resources: ['*'],
     }));
-    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
+    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
     this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
       actions: [
         'logs:CreateLogStream',
@@ -558,7 +558,7 @@ export abstract class BaseService extends Resource
         'kms:*',
       ],
       resources: ['*'],
-      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.stack.account}:root`)],
+      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.env.account}:root`)],
     }));
     if (logging === ExecuteCommandLogging.DEFAULT || this.cluster.executeCommandConfiguration?.logConfiguration?.cloudWatchEncryptionEnabled) {
@@ -571,9 +571,9 @@ export abstract class BaseService extends Resource
         'kms:Describe*',
       ],
       resources: ['*'],
-      principals: [new iam.ServicePrincipal(`logs.${this.stack.region}.amazonaws.com`)],
+      principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)],
       conditions: {
-        ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:*` },
+        ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*` },
       },
     }));
   }
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
index b7e13aafae83d..046bb917867bf 100644
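Review bot: The `logGroupArn` in `@@ -510` is still assembled from the service's own `this.env.region`/`this.env.account`, so when `logConfiguration.cloudWatchLogGroup` is a log group imported from another account or region the task role policy is scoped to a log group that does not exist there and `logs:CreateLogStream` is denied at run time; the `ArnLike` condition in `@@ -571` repeats the same assumption. Since `cloudWatchLogGroup` is an `ILogGroup`, prefer the log group's own ARN and let the import carry its env: `const logGroupArn = logConfiguration?.cloudWatchLogGroup ? logConfiguration.cloudWatchLogGroup.logGroupArn : '*';` (verify that `logGroupArn` carries the trailing `:*` the template currently appends). The enclosing method starts before `@@ -510` and its body spans all three hunks.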
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -266,7 +266,7 @@ export abstract class BaseLoadBalancer extends Resource {
       actions: ['s3:PutObject'],
       principals: [logsDeliveryServicePrincipal],
       resources: [
-        bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.stack.account}/*`),
+        bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.env.account}/*`),
       ],
       conditions: {
         StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
index 5a9705cf190fa..61dcd87e862ef 100644
--- a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
+++ b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
@@ -1110,7 +1110,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);
diff --git a/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts b/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts
index 7b145252941cb..57e62a5be3143 100644
--- a/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts
+++ b/packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts
@@ -206,7 +206,7 @@ export class LustreFileSystem extends FileSystemBase {
     this.fileSystem.applyRemovalPolicy(props.removalPolicy);
     this.fileSystemId = this.fileSystem.ref;
-    this.dnsName = `${this.fileSystemId}.fsx.${this.stack.region}.${Aws.URL_SUFFIX}`;
+    this.dnsName = `${this.fileSystemId}.fsx.${this.env.region}.${Aws.URL_SUFFIX}`;
     this.mountName = this.fileSystem.attrLustreMountName;
   }
diff --git a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
index 58129ee3d15df..24d5a91fea54d 100644
--- a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
@@ -883,7 +883,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);
diff --git a/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts b/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts
index a99fd64669f81..7d0804aa3367a 100644
--- a/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts
+++ b/packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts
@@ -101,14 +101,14 @@ abstract class AccessPointBase extends core.Resource implements IAccessPoint {
   /** Implement the {@link IAccessPoint.domainName} field. */
   get domainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${urlSuffix}`;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${urlSuffix}`;
   }
   /** Implement the {@link IAccessPoint.regionalDomainName} field. */
   get regionalDomainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    const region = this.stack.region;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${region}.${urlSuffix}`;
+    const region = this.env.region;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${region}.${urlSuffix}`;
   }
   /** Implement the {@link IAccessPoint.virtualHostedUrlForObject} method. */
@@ -252,4 +252,4 @@ export class AccessPoint extends AccessPointBase {
       }),
     );
   }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts b/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts
index 99e2bdb919280..a74e73f00fdb4 100644
--- a/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts
+++ b/packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts
@@ -59,9 +59,9 @@ export class LambdaSubscription implements sns.ITopicSubscription {
     if (topic.stack !== this.fn.stack) {
       // only if we know the region, will not work for
       // env agnostic stacks
-      if (!Token.isUnresolved(topic.stack.region) &&
-        (topic.stack.region !== this.fn.stack.region)) {
-        return topic.stack.region;
+      if (!Token.isUnresolved(topic.env.region) &&
+        (topic.env.region !== this.fn.env.region)) {
+        return topic.env.region;
       }
     }
     return undefined;
diff --git a/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts b/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts
index 10c218dd3ef38..6d79b78c8a12b 100644
--- a/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts
+++ b/packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts
@@ -85,9 +85,9 @@ export class SqsSubscription implements sns.ITopicSubscription {
     if (topic.stack !== this.queue.stack) {
       // only if we know the region, will not work for
       // env agnostic stacks
-      if (!Token.isUnresolved(topic.stack.region) &&
-        (topic.stack.region !== this.queue.stack.region)) {
-        return topic.stack.region;
+      if (!Token.isUnresolved(topic.env.region) &&
+        (topic.env.region !== this.queue.env.region)) {
+        return topic.env.region;
       }
     }
     return undefined;
diff --git a/packages/@aws-cdk/core/lib/resource.ts b/packages/@aws-cdk/core/lib/resource.ts
index cdd116afd86b9..d3f57e3250c3f 100644
--- a/packages/@aws-cdk/core/lib/resource.ts
+++ b/packages/@aws-cdk/core/lib/resource.ts
@@ -315,4 +315,4 @@ function mimicReference(refSource: any, producer: IStringProducer): string {
       return producer.produce(context);
     }
   }(reference, reference.target, reference.displayName));
-}
\ No newline at end of file
+}
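Review bot: The new env-based comparison in `@@ -59` is only reached when `topic.stack !== this.fn.stack`, so a topic imported into the same stack from another region — the imported-resource case this commit targets — still falls through to `return undefined` and the subscription is created without a region. Now that the regions themselves are compared, the outer stack check can go: `if (!Token.isUnresolved(topic.env.region) && topic.env.region !== this.fn.env.region) { return topic.env.region; }`. The `SqsSubscription` hunk in sqs.ts (`@@ -85`) has the identical guard with `this.queue`. The enclosing method in each file starts before its hunk.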