feat(core): cfn constructs (L1s) can now accept constructs as parameters for known resource relationships (#35713)

leonmk-aws · Leon Michalski · commit d8ebe73fdaa5 · 2025-11-06T13:26:41.000+01:00
Closes #<issue number here>. Allow passing L2s and L1s to L1s Added a new relationship decider to parse the relationship information from the database and allow the other deciders to modify the properties / constructors accordingly. The relationship deciders assumes that: - All modules will be built - The properties in the relationship will exist (and have the same naming) In the properties: `readonly role: IamIRoleRef | string;` This is then used in the constructor: `this.role = (props.role as IamIRoleRef)?.roleRef?.roleArn ?? props.role;` If there were multiple possible IxxRef: `(props.targetArn as SqsIQueueRef)?.queueRef?.queueArn ?? (props.targetArn as SnsITopicRef)?.topicRef?.topicArn ?? props.targetArn` The props behave the same way, "flatten" functions are generated to recursively perform the same role that was done in the constructor for non nested properties: ``` function flattenCfnIdentityPoolRoleAttachmentRoleMappingProperty(props: CfnIdentityPoolRoleAttachment.RoleMappingProperty): CfnIdentityPoolRoleAttachment.RoleMappingProperty { return { "ambiguousRoleResolution": props.ambiguousRoleResolution, "identityProvider": props.identityProvider, "rulesConfiguration": (cdk.isResolvableObject(props.rulesConfiguration) ? props.rulesConfiguration : (props.rulesConfiguration ? flattenCfnIdentityPoolRoleAttachmentRulesConfigurationTypeProperty(props.rulesConfiguration) : undefined)), "type": props.type }; } ``` ``` // @ts-ignore TS6133 function flattenCfnCodeSigningConfigAllowedPublishersProperty(props: CfnCodeSigningConfig.AllowedPublishersProperty | cdk.IResolvable): CfnCodeSigningConfig.AllowedPublishersProperty | cdk.IResolvable { if (cdk.isResolvableObject(props)) return props; return { "signingProfileVersionArns": props.signingProfileVersionArns?.map((item: any) => (item as SignerISigningProfileRef)?.signingProfileRef?.signingProfileArn ?? item) }; } ``` ``` this.fileSystemConfigs = (cdk.isResolvableObject(props.fileSystemConfigs) ? props.fileSystemConfigs : (props.fileSystemConfigs ? props.fileSystemConfigs.map(flattenCfnFunctionFileSystemConfigProperty) : undefined)); ``` Properties (the properties in sense of props of a resource but also prop of a type) have a a `relationshipRefs` array containing the relationship information: ```relationshipRefs: [{ typeName: "AWS::IAM::Role", propertyPath: "Arn" }, ...]``` - Checked the diffs between the previously generated code and the new one. - Added snapshot tests - Added unit tests for lambda - Deployed a stack manually consisting of mixes of L1 and L2 resources using the new capabilities this PR adds - [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -17,6 +17,7 @@ import { CacheBehavior } from './private/cache-behavior';
 import { formatDistributionArn, grant } from './private/utils';
 import * as acm from '../../aws-certificatemanager';
 import * as cloudwatch from '../../aws-cloudwatch';
+import * as elasticloadbalancingv2 from '../../aws-elasticloadbalancingv2';
 import * as iam from '../../aws-iam';
 import * as lambda from '../../aws-lambda';
 import * as s3 from '../../aws-s3';
@@ -716,7 +717,9 @@ export class Distribution extends Resource implements IDistribution {
       const generatedId = Names.uniqueId(scope).slice(-ORIGIN_ID_MAX_LENGTH);
       const distributionId = this.distributionId;
       const originBindConfig = origin.bind(scope, { originId: generatedId, distributionId: Lazy.string({ produce: () => this.distributionId }) });
-      const originId = originBindConfig.originProperty?.id ?? generatedId;
+      const originId = (originBindConfig.originProperty?.id as elasticloadbalancingv2.ILoadBalancerRef)?.loadBalancerRef?.loadBalancerArn
+        ?? originBindConfig.originProperty?.id
+        ?? generatedId;
       const duplicateId = this.boundOrigins.find(boundOrigin => boundOrigin.originProperty?.id === originBindConfig.originProperty?.id);
       if (duplicateId) {
         throw new ValidationError(`Origin with id ${duplicateId.originProperty?.id} already exists. OriginIds must be unique within a distribution`, this);
@@ -741,7 +744,8 @@ export class Distribution extends Resource implements IDistribution {
         );
         return originGroupId;
       }
-      return originBindConfig.originProperty?.id ?? originId;
+      return (originBindConfig.originProperty?.id as elasticloadbalancingv2.ILoadBalancerRef)?.loadBalancerRef?.loadBalancerArn
+        ?? originBindConfig.originProperty?.id ?? originId;
     }
   }
 
diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
@@ -5046,19 +5046,27 @@ describe('Lambda Function log group behavior', () => {
 });
 
 describe('telemetry metadata', () => {
-  it('redaction happens when feature flag is enabled', () => {
-    const app = new cdk.App();
-    app.node.setContext(cxapi.ENABLE_ADDITIONAL_METADATA_COLLECTION, true);
-    const stack = new cdk.Stack(app);
+  let getPrototypeOfSpy: jest.SpyInstance;
 
+  beforeEach(() => {
     const mockConstructor = {
       [JSII_RUNTIME_SYMBOL]: {
         fqn: 'aws-cdk-lib.aws-lambda.Function',
       },
     };
-    jest.spyOn(Object, 'getPrototypeOf').mockReturnValue({
+    getPrototypeOfSpy = jest.spyOn(Object, 'getPrototypeOf').mockReturnValue({
       constructor: mockConstructor,
     });
+  });
+
+  afterEach(() => {
+    getPrototypeOfSpy.mockRestore();
+  });
+
+  it('redaction happens when feature flag is enabled', () => {
+    const app = new cdk.App();
+    app.node.setContext(cxapi.ENABLE_ADDITIONAL_METADATA_COLLECTION, true);
+    const stack = new cdk.Stack(app);
 
     const fn = new lambda.Function(stack, 'Lambda', {
       code: lambda.Code.fromInline('foo'),
@@ -5089,15 +5097,6 @@ describe('telemetry metadata', () => {
     app.node.setContext(cxapi.ENABLE_ADDITIONAL_METADATA_COLLECTION, false);
     const stack = new cdk.Stack(app);
 
-    const mockConstructor = {
-      [JSII_RUNTIME_SYMBOL]: {
-        fqn: 'aws-cdk-lib.aws-lambda.Function',
-      },
-    };
-    jest.spyOn(Object, 'getPrototypeOf').mockReturnValue({
-      constructor: mockConstructor,
-    });
-
     const fn = new lambda.Function(stack, 'Lambda', {
       code: lambda.Code.fromInline('foo'),
       handler: 'index.handler',
@@ -5107,6 +5106,148 @@ describe('telemetry metadata', () => {
     expect(fn.node.metadata).toStrictEqual([]);
   });
 });
+describe('L1 Relationships', () => {
+  it('simple union', () => {
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'SomeRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+    new lambda.CfnFunction(stack, 'MyLambda', {
+      code: { zipFile: 'foo' },
+      role: role, // Simple Union
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+      Properties: {
+        Role: { 'Fn::GetAtt': ['SomeRole6DDC54DD', 'Arn'] },
+      },
+    });
+  });
+
+  it('array of unions', () => {
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'SomeRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+    const layer1 = new lambda.LayerVersion(stack, 'LayerVersion1', {
+      code: lambda.Code.fromAsset(path.join(__dirname, 'my-lambda-handler')),
+      compatibleRuntimes: [lambda.Runtime.PYTHON_3_13],
+    });
+    const layer2 = new lambda.LayerVersion(stack, 'LayerVersion2', {
+      code: lambda.Code.fromAsset(path.join(__dirname, 'my-lambda-handler')),
+      compatibleRuntimes: [lambda.Runtime.PYTHON_3_13],
+    });
+    new lambda.CfnFunction(stack, 'MyLambda', {
+      code: { zipFile: 'foo' },
+      role: role,
+      layers: [layer1, layer2], // Array of Unions
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+      Properties: {
+        Role: { 'Fn::GetAtt': ['SomeRole6DDC54DD', 'Arn'] },
+        Layers: [{ Ref: 'LayerVersion139D4D7A8' }, { Ref: 'LayerVersion23E5F3CEA' }],
+      },
+    });
+  });
+
+  it('nested union', () => {
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'SomeRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+    const bucket = new s3.Bucket(stack, 'MyBucket');
+
+    new lambda.CfnFunction(stack, 'MyLambda', {
+      code: {
+        s3Bucket: bucket, // Nested union
+      },
+      role: role,
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+      Properties: {
+        Role: { 'Fn::GetAtt': ['SomeRole6DDC54DD', 'Arn'] },
+        Code: { S3Bucket: { Ref: 'MyBucketF68F3FF0' } },
+      },
+    });
+  });
+
+  it('deeply nested union', () => {
+    const stack = new cdk.Stack();
+    const topic = new sns.CfnTopic(stack, 'Topic');
+
+    new lambda.CfnEventInvokeConfig(stack, 'EventConfig', {
+      functionName: 'myFunction',
+      qualifier: '$LATEST',
+      destinationConfig: {
+        onFailure: {
+          destination: topic, // Deeply nested: destinationConfig -> onFailure -> destination (union)
+        },
+      },
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::EventInvokeConfig', {
+      Properties: {
+        DestinationConfig: {
+          OnFailure: {
+            Destination: { Ref: 'Topic' },
+          },
+        },
+      },
+    });
+  });
+
+  it('nested array of unions', () => {
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'SomeRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+    const securityGroup = new ec2.SecurityGroup(stack, 'SG', {
+      vpc: new ec2.Vpc(stack, 'VPC'),
+    });
+    new lambda.CfnFunction(stack, 'MyLambda', {
+      code: { zipFile: 'foo' },
+      role: role,
+      vpcConfig: {
+        securityGroupIds: [securityGroup], // Nested array of union
+      },
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+      Properties: {
+        Role: { 'Fn::GetAtt': ['SomeRole6DDC54DD', 'Arn'] },
+        VpcConfig: {
+          SecurityGroupIds: [{ 'Fn::GetAtt': ['SGADB53937', 'GroupId'] }],
+        },
+      },
+    });
+  });
+
+  it('tokens should be passed as is', () => {
+    const stack = new cdk.Stack();
+    const role = new iam.Role(stack, 'SomeRole', {
+      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+    });
+    const bucket = new s3.Bucket(stack, 'MyBucket');
+
+    const codeToken = cdk.Token.asAny({
+      resolve: () => ({ s3Bucket: bucket.bucketName }),
+    });
+
+    const fsConfigToken = cdk.Token.asAny({
+      resolve: () => ([{ arn: 'TestArn', localMountPath: '/mnt' }]),
+    });
+
+    new lambda.CfnFunction(stack, 'MyLambda', {
+      code: codeToken,
+      role: role,
+      fileSystemConfigs: fsConfigToken,
+    });
+    Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+      Properties: {
+        Role: { 'Fn::GetAtt': ['SomeRole6DDC54DD', 'Arn'] },
+        Code: { S3Bucket: { Ref: 'MyBucketF68F3FF0' } },
+        FileSystemConfigs: [{ Arn: 'TestArn', LocalMountPath: '/mnt' }],
+      },
+    });
+  });
+});
 
 function newTestLambda(scope: constructs.Construct) {
   return new lambda.Function(scope, 'MyLambda', {
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -2354,7 +2354,7 @@ export class Bucket extends BucketBase {
 
     const objectLockConfiguration = this.parseObjectLockConfig(props);
     const replicationConfiguration = this.renderReplicationConfiguration(props);
-    this.replicationRoleArn = replicationConfiguration?.role;
+    this.replicationRoleArn = (replicationConfiguration?.role as iam.IRoleRef)?.roleRef?.roleArn ?? replicationConfiguration?.role;
     this.objectOwnership = props.objectOwnership;
     this.transitionDefaultMinimumObjectSize = props.transitionDefaultMinimumObjectSize;
     const resource = new CfnBucket(this, 'Resource', {
diff --git a/tools/@aws-cdk/spec2cdk/lib/cdk/relationship-decider.ts b/tools/@aws-cdk/spec2cdk/lib/cdk/relationship-decider.ts
@@ -5,7 +5,15 @@ import { createModuleDefinitionFromCfnNamespace } from '../cfn2ts/pkglint';
 import { log } from '../util';
 
 // For now we want relationships to be applied only for these services
-export const RELATIONSHIP_SERVICES: string[] = [];
+const RELATIONSHIP_SERVICES = [
+  'iam',
+  'apigateway',
+  'ec2',
+  'cloudfront',
+  'kms',
+  's3',
+  'lambda',
+];
 
 /**
  * Represents a cross-service property relationship that enables references
