feat(servicecatalogappregistry-alpha): Introduce flag to control application sharing and association behavior for cross-account stacks

packages/@aws-cdk/aws-servicecatalogappregistry/README.md

@@ -139,6 +139,21 @@ const cdkPipeline = new ApplicationPipelineStack(app, 'CDKApplicationPipelineSta
 });
 ```
 
+By default, ApplicationAssociator will share the Application with the accounts of any cross-account stacks defined in the
+CDK app scope. If you want to turn off this behavior, set the `enableCrossAccountStacks` field to `false`, as shown in
+the example below:
+
+```ts
+const app = new App();
+const associatedApp = new appreg.ApplicationAssociator(app, 'AssociatedApplication', {
+  applications: [appreg.TargetApplication.createApplicationStack({
+    enableCrossAccountStacks: false,
+    applicationName: 'MyAssociatedApplication',
+    env: { account: '123456789012', region: 'us-east-1' },
+  })],
+});
+```
+
 ## Attribute Group
 
 An AppRegistry attribute group acts as a container for user-defined attributes for an application.

packages/@aws-cdk/aws-servicecatalogappregistry/lib/application-associator.ts

@@ -24,7 +24,9 @@ export interface ApplicationAssociatorProps {
  * in case of a `Pipeline` stack, stage underneath the pipeline will not automatically be associated and
  * needs to be associated separately.
  *
- * If cross account stack is detected, then this construct will automatically share the application to consumer accounts.
+ * If cross account stack is detected, then this construct will skip those associations by default. To edit
+ * this behavior, set the `enableCrossAccountStacks` value in TargetApplicationOptions. If set to `true`,
+ * the application will also be automatically shared with the consumer accounts.
  * Cross account feature will only work for non environment agnostic stacks.
  */
 export class ApplicationAssociator extends Construct {
@@ -33,6 +35,7 @@ export class ApplicationAssociator extends Construct {
    */
   private readonly application: IApplication;
   private readonly associatedStages: Set<cdk.Stage> = new Set();
+  private readonly enableCrossAccountStacks?: boolean;
 
   constructor(scope: cdk.App, id: string, props: ApplicationAssociatorProps) {
     super(scope, id);
@@ -42,8 +45,12 @@ export class ApplicationAssociator extends Construct {
     }
 
     const targetApplication = props.applications[0];
-    this.application = targetApplication.bind(scope).application;
-    cdk.Aspects.of(scope).add(new CheckedStageStackAssociator(this));
+    const targetBindResult = targetApplication.bind(scope);
+    this.application = targetBindResult.application;
+    this.enableCrossAccountStacks = targetBindResult.enableCrossAccountStacks;
+    cdk.Aspects.of(scope).add(new CheckedStageStackAssociator(this, {
+      enableCrossAccount: this.enableCrossAccountStacks,
+    }));
   }
 
   /**
@@ -52,7 +59,9 @@ export class ApplicationAssociator extends Construct {
    */
   public associateStage(stage: cdk.Stage): cdk.Stage {
     this.associatedStages.add(stage);
-    cdk.Aspects.of(stage).add(new CheckedStageStackAssociator(this));
+    cdk.Aspects.of(stage).add(new CheckedStageStackAssociator(this, {
+      enableCrossAccount: this.enableCrossAccountStacks,
+    }));
     return stage;
   }
 

packages/@aws-cdk/aws-servicecatalogappregistry/lib/application.ts

@@ -170,14 +170,16 @@ abstract class ApplicationBase extends cdk.Resource implements IApplication {
   }
 
   /**
-   * Associate all stacks present in construct's aspect with application.
+   * Associate all stacks present in construct's aspect with application, including cross-account stacks.
    *
    * NOTE: This method won't automatically register stacks under pipeline stages,
    * and requires association of each pipeline stage by calling this method with stage Construct.
    *
    */
   public associateAllStacksInScope(scope: Construct): void {
-    cdk.Aspects.of(scope).add(new StageStackAssociator(this));
+    cdk.Aspects.of(scope).add(new StageStackAssociator(this, {
+      enableCrossAccount: true,
+    }));
   }
 
   /**

packages/@aws-cdk/aws-servicecatalogappregistry/lib/aspects/stack-associator.ts

@@ -5,6 +5,16 @@ import { ApplicationAssociator } from '../application-associator';
 import { SharePermission } from '../common';
 import { isRegionUnresolved, isAccountUnresolved } from '../private/utils';
 
+export interface StackAssociatorBaseProps {
+  /**
+  * Indicates if the target Application should be shared with the cross-account stack owners and then
+  * associated with the cross-account stacks.
+  *
+  * @default - false
+  */
+  readonly enableCrossAccount?: boolean;
+}
+
 /**
  * Aspect class, this will visit each node from the provided construct once.
  *
@@ -14,6 +24,7 @@ import { isRegionUnresolved, isAccountUnresolved } from '../private/utils';
 abstract class StackAssociatorBase implements IAspect {
   protected abstract readonly application: IApplication;
   protected abstract readonly applicationAssociator?: ApplicationAssociator;
+  protected abstract readonly enableCrossAccount: boolean;
 
   protected readonly sharedAccounts: Set<string> = new Set();
 
@@ -42,6 +53,13 @@ abstract class StackAssociatorBase implements IAspect {
    * @param node A Stage stack.
    */
   private associate(node: Stack): void {
+    if (!isAccountUnresolved(this.application.env.account!, node.account)
+      && node.account != this.application.env.account
+      && !this.enableCrossAccount) {
+      // Skip association when cross-account stack is detected but cross-account sharing/association is not enabled.
+      // A warning would have been displayed as part of `handleCrossAccountStack()`.
+      return;
+    }
     this.application.associateApplicationWithStack(node);
   }
 
@@ -77,7 +95,7 @@ abstract class StackAssociatorBase implements IAspect {
 
   /**
    * Handle cross-account association.
-   * If any stack is evaluated as cross-account than that of application,
+   * If any stack is evaluated as cross-account than that of application, and cross-account option is enabled,
    * then we will share the application to the stack owning account.
    *
    * @param node Cfn stack.
@@ -89,33 +107,43 @@ abstract class StackAssociatorBase implements IAspect {
     }
 
     if (node.account != this.application.env.account && !this.sharedAccounts.has(node.account)) {
-      this.application.shareApplication({
-        accounts: [node.account],
-        sharePermission: SharePermission.ALLOW_ACCESS,
-      });
+      if (this.enableCrossAccount) {
+        this.application.shareApplication({
+          accounts: [node.account],
+          sharePermission: SharePermission.ALLOW_ACCESS,
+        });
 
-      this.sharedAccounts.add(node.account);
+        this.sharedAccounts.add(node.account);
+      } else {
+        this.warning(node, 'Cross-account stack detected but application sharing and association will be skipped because cross-account option is not enabled.');
+        return;
+      }
     }
   }
 }
 
 export class CheckedStageStackAssociator extends StackAssociatorBase {
   protected readonly application: IApplication;
   protected readonly applicationAssociator?: ApplicationAssociator;
+  protected readonly enableCrossAccount: boolean;
 
-  constructor(app: ApplicationAssociator) {
+  constructor(app: ApplicationAssociator, props?: StackAssociatorBaseProps) {
     super();
     this.application = app.appRegistryApplication();
     this.applicationAssociator = app;
+    this.enableCrossAccount = props?.enableCrossAccount ?? false;
   }
+
 }
 
 export class StageStackAssociator extends StackAssociatorBase {
   protected readonly application: IApplication;
   protected readonly applicationAssociator?: ApplicationAssociator;
+  protected readonly enableCrossAccount: boolean;
 
-  constructor(app: IApplication) {
+  constructor(app: IApplication, props?: StackAssociatorBaseProps) {
     super();
     this.application = app;
+    this.enableCrossAccount = props?.enableCrossAccount ?? false;
   }
 }

packages/@aws-cdk/aws-servicecatalogappregistry/lib/target-application.ts

@@ -15,6 +15,14 @@ export interface TargetApplicationCommonOptions extends cdk.StackProps {
     * @deprecated - Use `stackName` instead to control the name and id of the stack
     */
   readonly stackId?: string;
+
+  /**
+    * Determines whether any cross-account stacks defined in the CDK app definition should be associated with the
+    * target application. If set to `true`, the application will be shared with the accounts that own the stacks.
+    *
+    * @default - false
+    */
+  readonly enableCrossAccountStacks?: boolean;
 }
 
 
@@ -80,6 +88,10 @@ export interface BindTargetApplicationResult {
    * Created or imported application.
    */
   readonly application: IApplication;
+  /**
+   * Enables cross-account associations with the target application.
+   */
+  readonly enableCrossAccountStacks: boolean;
 }
 
 /**
@@ -108,6 +120,7 @@ class CreateTargetApplication extends TargetApplication {
 
     return {
       application: appRegApplication,
+      enableCrossAccountStacks: this.applicationOptions.enableCrossAccountStacks ?? false,
     };
   }
 }
@@ -128,6 +141,7 @@ class ExistingTargetApplication extends TargetApplication {
     const appRegApplication = Application.fromApplicationArn(applicationStack, 'ExistingApplication', this.applicationOptions.applicationArnValue);
     return {
       application: appRegApplication,
+      enableCrossAccountStacks: this.applicationOptions.enableCrossAccountStacks ?? false,
     };
   }
 }

packages/@aws-cdk/aws-servicecatalogappregistry/test/application-associator.test.ts

@@ -97,7 +97,38 @@ describe('Scope based Associations with Application with Cross Region/Account',
     });
   }),
 
-  test('ApplicationAssociator with cross region stacks inside cdkApp throws error', () => {
+  test('ApplicationAssociator with cross account stacks inside cdkApp gives warning if enableCrossAccountStacks is not provided', () => {
+    new appreg.ApplicationAssociator(app, 'MyApplication', {
+      applications: [appreg.TargetApplication.createApplicationStack({
+        applicationName: 'MyAssociatedApplication',
+        stackName: 'MyAssociatedApplicationStack',
+        env: { account: 'account2', region: 'region' },
+      })],
+    });
+
+    const crossAccountStack = new cdk.Stack(app, 'crossRegionStack', {
+      env: { account: 'account', region: 'region' },
+    });
+    Annotations.fromStack(crossAccountStack).hasWarning('*', 'Cross-account stack detected but application sharing and association will be skipped because cross-account option is not enabled.');
+  });
+
+  test('ApplicationAssociator with cross account stacks inside cdkApp gives warning if enableCrossAccountStacks is set to true', () => {
+    new appreg.ApplicationAssociator(app, 'MyApplication', {
+      applications: [appreg.TargetApplication.createApplicationStack({
+        applicationName: 'MyAssociatedApplication',
+        stackName: 'MyAssociatedApplicationStack',
+        enableCrossAccountStacks: true,
+        env: { account: 'account', region: 'region' },
+      })],
+    });
+
+    const crossAccountStack = new cdk.Stack(app, 'crossRegionStack', {
+      env: { account: 'account2', region: 'region' },
+    });
+    Annotations.fromStack(crossAccountStack).hasNoWarning('*', 'Cross-account stack detected but application sharing and association will be skipped because cross-account option is not enabled.');
+  });
+
+  test('ApplicationAssociator with cross region stacks inside cdkApp gives warning', () => {
     new appreg.ApplicationAssociator(app, 'MyApplication', {
       applications: [appreg.TargetApplication.createApplicationStack({
         applicationName: 'MyAssociatedApplication',

packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application-associator.cross-account-stack-enabled.js.snapshot/ApplicationAssociatorTestDefaultTestDeployAssert2A5F2DB9.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "19dd33f3c17e59cafd22b9459b0a8d9bedbd42252737fedb06b2bcdbcf7809cc": {
+      "source": {
+        "path": "ApplicationAssociatorTestDefaultTestDeployAssert2A5F2DB9.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "19dd33f3c17e59cafd22b9459b0a8d9bedbd42252737fedb06b2bcdbcf7809cc.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application-associator.cross-account-stack-enabled.js.snapshot/ApplicationAssociatorTestDefaultTestDeployAssert2A5F2DB9.template.json

@@ -0,0 +1,48 @@
+{
+ "Resources": {
+  "AppRegistryAssociation": {
+   "Type": "AWS::ServiceCatalogAppRegistry::ResourceAssociation",
+   "Properties": {
+    "Application": "AppRegistryAssociatedApplication",
+    "Resource": {
+     "Ref": "AWS::StackId"
+    },
+    "ResourceType": "CFN_STACK"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-servicecatalogappregistry/test/integ.application-associator.cross-account-stack-enabled.js.snapshot/TestAppRegistryApplicationStack.assets.json

@@ -0,0 +1,20 @@
+{
+  "version": "30.1.0",
+  "files": {
+    "a1890781394947f4a79fb1f55a5bd79d964364631d75cceb228c576a071c908d": {
+      "source": {
+        "path": "TestAppRegistryApplicationStack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "689943422764-us-east-1": {
+          "bucketName": "cdk-hnb659fds-assets-689943422764-us-east-1",
+          "objectKey": "a1890781394947f4a79fb1f55a5bd79d964364631d75cceb228c576a071c908d.json",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::689943422764:role/cdk-hnb659fds-file-publishing-role-689943422764-us-east-1"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}