[cloudfront] Distribution with S3Origin causes cyclic reference when Bucket is referenced cross-stack #10399

benagricola · 2020-09-16T16:45:55Z

When using the experimental cloudfront.Distribution construct with an S3Origin, a cyclic reference is created if the s3.Bucket that the origin references is in a different stack in the same app. This appears to happen when attempting to reference the S3CanonicalUserId field used when autoconfiguring the cloudfront.OriginAccessIdentity.

Reproduction Steps

Gist here: https://gist.github.com/benagricola/7a9382db2518947c2cd2e2cc84c0d95c

What did you expect to happen?

Cloudfront distribution created successfully, and referenced S3 bucket configured with the right OAI.

What actually happened?

Upon synth:

Error: 'buckets' depends on 'distribution' (buckets -> distribution/web-distribution/Origin1/S3Origin/Resource.S3CanonicalUserId). Adding this dependency (distribution -> buckets/bucket/Resource.RegionalDomainName) would create a cyclic reference.
    at DistributionStack._addAssemblyDependency (cdk/node_modules/@aws-cdk/core/lib/stack.ts:691:13)
    at Object.addDependency (cdk/node_modules/@aws-cdk/core/lib/deps.ts:52:20)
    at DistributionStack.addDependency (cdk/node_modules/@aws-cdk/core/lib/stack.ts:448:5)
    at resolveValue (cdk/node_modules/@aws-cdk/core/lib/private/refs.ts:102:12)
    at Object.resolveReferences (cdk/node_modules/@aws-cdk/core/lib/private/refs.ts:32:24)
    at Object.prepareApp (cdk/node_modules/@aws-cdk/core/lib/private/prepare-app.ts:36:5)
    at Object.synthesize (cdk/node_modules/@aws-cdk/core/lib/private/synthesis.ts:21:3)
    at App.synth (cdk/node_modules/@aws-cdk/core/lib/stage.ts:175:23)
    at process.<anonymous> (cdk/node_modules/@aws-cdk/core/lib/app.ts:112:45)
    at Object.onceWrapper (events.js:300:26)
Subprocess exited with error 1

Environment

CLI Version : 1.63.0
Framework Version: 1.63.0
Node.js Version: 12.13.1
OS : Catalina
Language (Version): Typescript (4.0.2)

Other

As discussed in gitter, can be worked around by importing the bucket from Arn:

const bucketFromArn = s3.Bucket.fromBucketArn(this, 'app-bucket', bucket.bucketArn)

But this means OAI is not automatically configured.

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

robert-pitt-foodhub · 2020-09-24T22:09:59Z

I am also running in this issue trying to develop a core stack containing an ApiGateway/CloudFront//Domain/HostedZone etc and then having separate stacks for different areas of the platform that connect into the API.

Error: 'falcon-development-core' depends on 'falcon-development-i18n' (falcon-development-core -> falcon-development-i18n/i18n-translations-assets/Resource.RegionalDomainName). Adding this dependency (falcon-development-i18n -> falcon-development-core/distro/Origin2/S3Origin/Resource.S3CanonicalUserId) would create a cyclic reference.

    at I18nStack._addAssemblyDependency (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/stack.ts:691:13)
    at Object.addDependency (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/deps.ts:52:20)
    at I18nStack.addDependency (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/stack.ts:448:5)
    at resolveValue (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/private/refs.ts:102:12)
    at Object.resolveReferences (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/private/refs.ts:32:24)
    at Object.prepareApp (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/private/prepare-app.ts:36:5)
    at Object.synthesize (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/private/synthesis.ts:21:3)
    at FalconApplication.synth (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/stage.ts:175:23)
    at process.<anonymous> (/Users/rpitt-mbp/Projects/falcon-api/node_modules/@aws-cdk/core/lib/app.ts:112:45)
    at Object.onceWrapper (events.js:422:26)

…lic references An S3Origin uses a bucket as a Distribution origin; it creates an OriginAccessIdentity, and grants that identity read permissions on the bucket. This creates cyclic references when the bucket is location in a different stack as the distribution. The bucket has a dependency on the generated OAI user for the BucketPolicy, and the Distribution has a dependency on the bucket's domain name for the origin. The fix detects a cross-stack bucket and re-parents the OAI in the bucket's stack. fixes #10399

…lic references An S3Origin creates an OriginAccessIdentity, and grants that identity read permissions on the bucket. This creates cyclic references when the bucket is located in a different stack than the distribution. The bucket has a dependency on the generated OAI user for the BucketPolicy, and the Distribution has a dependency on the bucket's domain name for the origin. The fix detects a cross-stack bucket and re-parents the OAI in the bucket's stack to prevent cylic references. fixes #10399

…lic references An S3Origin creates an OriginAccessIdentity, and grants that identity read permissions on the bucket. This creates cyclic references when the bucket is located in a different stack than the distribution. The bucket has a dependency on the generated OAI user for the BucketPolicy, and the Distribution has a dependency on the bucket's domain name for the origin. The fix detects a cross-stack bucket and re-parents the OAI in the bucket's stack to prevent cyclic references. fixes #10399

…lic references (#10696) An S3Origin creates an OriginAccessIdentity, and grants that identity read permissions on the bucket. This creates cyclic references when the bucket is located in a different stack than the distribution. The bucket has a dependency on the generated OAI user for the BucketPolicy, and the Distribution has a dependency on the bucket's domain name for the origin. The fix detects a cross-stack bucket and re-parents the OAI in the bucket's stack to prevent cyclic references. fixes #10399

github-actions · 2020-10-05T14:28:25Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

benagricola added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 16, 2020

github-actions bot assigned njlynch Sep 16, 2020

github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Sep 16, 2020

njlynch added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 17, 2020

njlynch mentioned this issue Oct 5, 2020

fix(cloudfront-origins): S3Origins with cross-stack buckets cause cyclic references #10696

Merged

njlynch added the in-progress This issue is being actively worked on. label Oct 5, 2020

mergify bot closed this as completed in #10696 Oct 5, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[cloudfront] Distribution with S3Origin causes cyclic reference when Bucket is referenced cross-stack #10399

[cloudfront] Distribution with S3Origin causes cyclic reference when Bucket is referenced cross-stack #10399

benagricola commented Sep 16, 2020

robert-pitt-foodhub commented Sep 24, 2020

github-actions bot commented Oct 5, 2020