fix(core): allow override with cross-stack references

[tmokmss]

closes #18882

The problem is described in the original issue, and below is what I found as the root cause and how it can be fixed.

---

Previously when we used a cross-stack reference in override, it was not resolved as an Fn::ImportValue.

To make it an Fn::ImportValue, we need to get every token in an app and find references (tokens that references resources outside of its stack) from them. The related code is here:

aws-cdk/packages/@aws-cdk/core/lib/private/refs.ts

Lines 139 to 140 in 810d736

	function findAllReferences(root: IConstruct) {
	const result = new Array<{ source: CfnElement, value: CfnReference }>();

To get all the tokens in an app, we use RememberingTokenResolver, which remembers every token it has found during resolution. So basically this resolver must be used on every resolution to find all the tokens.

aws-cdk/packages/@aws-cdk/core/lib/private/resolve.ts

Lines 270 to 276 in 810d736

	export class RememberingTokenResolver extends DefaultTokenResolver {
	private readonly tokensSeen = new Set<IResolvable>();
	public resolveToken(t: IResolvable, context: IResolveContext, postProcessor: IPostProcessor) {
	this.tokensSeen.add(t);
	return super.resolveToken(t, context, postProcessor);
	}

However, the resolver is not used specifically when we resolve tokens in raw overrides. Actually the current interface of postProcess function of PostResolveToken class makes It difficult to use an external resolver.

aws-cdk/packages/@aws-cdk/core/lib/cfn-resource.ts

Lines 374 to 380 in 810d736

	const resolvedRawOverrides = Tokenization.resolve(this.rawOverrides, {
	scope: this,
	resolver: CLOUDFORMATION_TOKEN_RESOLVER,
	// we need to preserve the empty elements here,
	// as that's how removing overrides are represented as
	removeEmpty: false,
	});

That is why, in this PR, we move the resolution process outside of the postProcess, allowing to resolve tokens in raw overrides with the RememberingTokenResolver resolver.

This change also simplifies the current implementation of deepMerge as a side product.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[tmokmss]

Exemption Request

Existing integration tests already cover the changes of this PR. Also, aws-cdk-lib/core does not have any existing integ test.

[TheRealAmazonKendra]

Please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process (See Contributing Guide, Pull Requests).

From the context you've provided I don't totally understand the problem being solved or how your solution fixes it. Please update the body of your PR to provide this context.

We also definitely need an integration test on this. While we don't have any in core, you can pick any module to put this into practice with. We should also run this through the testing pipeline so I'm going to add that label here as well.

[TheRealAmazonKendra]

instanceof is not safe in all contexts. See this PR for how we do this in other places.

[tmokmss]

I don't understand why instanceof should not be used here. The PR has no description and it is not even merged. Could you explain a bit more in detail?

[corymhall]

Essentially instanceOf cannot be guaranteed to work reliably since it is
possible to have multiple copies of a library installed and instanceOf will view
each copy as a different object.

This PR has some additional context

The method we are using instead is to create an isIntrinsic method

[tmokmss]

Clarification Request

Why I should not use instanceof?

[tmokmss]

Exemption Request

Currently integ-runner does not seem to support multiple-stacks deployment, which makes it difficult to test this scenario.

Also, this change only affects synth phase, not deployment phase, so I believe we don't need any integration test here.

ERROR      test/integ.cfn-resource 4.098s
      "cdk-integ" can only operate on apps with a single stack.

  If your app has multiple stacks, specify which stack to select by adding this to your test source:

      /// !cdk-integ STACK ...

  Available stacks: Stack1 Stack2 (wildcards are also supported)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[tmokmss]

I just changed a random integ test to keep the PR open. I'll revert it after a review.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[gitpod-io]

Pull request has been modified.

[corymhall]

Couple of questions

[corymhall]

Essentially instanceOf cannot be guaranteed to work reliably since it is
possible to have multiple copies of a library installed and instanceOf will view
each copy as a different object.

This PR has some additional context

The method we are using instead is to create an isIntrinsic method

[corymhall]

It looks like we are passing the context through to the postProcess, but it
isn't making its way all the way through to the processor. Is there a way we
could pass it all the way through and use that to replace the
Tokenization.resolve function?

[tmokmss]

Thanks, I'll check that way

[tmokmss]

@corymhall
I investigated it, and please correct me if my understanding is wrong 🙏

If we take that approach, we can use context.resolve here instead of Tokenization.resolve, and it can also settle the issue.

aws-cdk/packages/aws-cdk-lib/core/lib/cfn-resource.ts

Lines 441 to 447 in 04323c4

	const resolvedRawOverrides = Tokenization.resolve(this.rawOverrides, {
	scope: this,
	resolver: CLOUDFORMATION_TOKEN_RESOLVER,
	// we need to preserve the empty elements here,
	// as that's how removing overrides are represented as
	removeEmpty: false,
	});

The disadvantage is that, to pass the context, we have to change the signature of _toCloudFormation function something like _toCloudFormation(context?) (context must be optional because currently not all the callers have context available.) It requires changes in many files and will complicate the code. Given that I don't think it is a preferred approach.

Isn't it simpler and more reasonable to resolve tokens outside of the postProcess function?

[corymhall]

I was thinking of adding it to the PostResolveToken processor method as an optional property

aws-cdk/packages/aws-cdk-lib/core/lib/util.ts

Line 82 in b1e649a

constructor(value: any, private readonly processor: (x: any) => any) {

.

So then it would be something like

[this.logicalId]: new PostResolveToken({
            ...
          }, (resourceDef, context) => {

[rix0rrr]

I like Cory's solution. PostResolveToken is private and so is free to have its API changed. This will (hopefully?) cleanly achieve the desired solution.

[tmokmss]

@corymhall @rix0rrr
Thanks, I think I have to study about CDK tokens more 😄 Will try the approach anyway.

One question is, why not resolve tokens after the deepMerge? (i.e. my original approach 905d5ed)
It can remove some hacks currently implemented like removeEmpty: false or MERGE_EXCLUDE_KEYS, and simplify the existing logic.

Is it performance-wise reason (to reduce recursion), or is there any edge case not to work properly that I am not aware of?

[corymhall]

Meant to request changes.

Pull request has been modified.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[tmokmss]

Hi @corymhall could you review this again? Idk why it's in CHANGES REQUESTED state but it's ready for review.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: cdae366
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).