fix(appsync): incorrect region used for imported Cognito user pool (a…
…ws#20193)

Replaces all uses of `resource.stack.region` with `resource.env.region`
so that imported resources can provide a different region than the
current stack; using the stack's region for them can result in invalid
configuration.

Applying the same treatment to occurrences of `resources.stack.account`
as this is also surfaced as `resources.env.account`.

Fixes aws#20195

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
RomainMuller authored and wphilipw committed May 23, 2022
1 parent 9d565ed commit 796e1ee
Showing 16 changed files with 30 additions and 30 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts
@@ -236,7 +236,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
// path variable and all that follows with a wildcard.
const iamPath = path.replace(/\{.*?\}.*/, '*');

return `arn:aws:execute-api:${this.stack.region}:${this.stack.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
return `arn:aws:execute-api:${this.env.region}:${this.env.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
}

public grantInvoke(grantee: iam.IGrantable, options: GrantInvokeOptions = {}): iam.Grant {
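Review bot: The ARN on the changed `return` line still hard-codes the `aws` partition, so in any other partition the string would not match a real execute-api resource, and a grant built from it (presumably by `grantInvoke` just below) would not apply to the route. Other hunks in this commit already build ARNs from `this.stack.partition`; replacing the literal prefix `arn:aws:` with `arn:${this.stack.partition}:` would bring this line in step with them. The enclosing method starts above the hunk, so how `stage` and `iamHttpMethod` are derived is not visible here.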
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-appsync/lib/data-source.ts
@@ -219,7 +219,7 @@ export class DynamoDbDataSource extends BackedDataSource {
type: 'AMAZON_DYNAMODB',
dynamoDbConfig: {
tableName: props.table.tableName,
awsRegion: props.table.stack.region,
awsRegion: props.table.env.region,
useCallerCredentials: props.useCallerCredentials,
},
});
@@ -337,7 +337,7 @@ export class RdsDataSource extends BackedDataSource {
type: 'RELATIONAL_DATABASE',
relationalDatabaseConfig: {
rdsHttpEndpointConfig: {
awsRegion: props.serverlessCluster.stack.region,
awsRegion: props.serverlessCluster.env.region,
dbClusterIdentifier: Lazy.string({
produce: () => {
return Stack.of(this).formatArn({
@@ -399,7 +399,7 @@ export class ElasticsearchDataSource extends BackedDataSource {
super(scope, id, props, {
type: 'AMAZON_ELASTICSEARCH',
elasticsearchConfig: {
awsRegion: props.domain.stack.region,
awsRegion: props.domain.env.region,
endpoint: `https://${props.domain.domainEndpoint}`,
},
});
@@ -426,7 +426,7 @@ export class OpenSearchDataSource extends BackedDataSource {
super(scope, id, props, {
type: 'AMAZON_OPENSEARCH_SERVICE',
openSearchServiceConfig: {
awsRegion: props.domain.stack.region,
awsRegion: props.domain.env.region,
endpoint: `https://${props.domain.domainEndpoint}`,
},
});
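Review bot: In the `RdsDataSource` hunk, `awsRegion` now follows `props.serverlessCluster.env.region`, but `dbClusterIdentifier` a few lines below is still produced by `Stack.of(this).formatArn(...)`, which is anchored to the data source's own stack. The arguments to `formatArn` are cut off by the hunk, so this is inferred: unless region and account are passed explicitly, an imported cluster from another region would get an `awsRegion` that disagrees with the region embedded in its cluster ARN. Consider passing `region: props.serverlessCluster.env.region` and `account: props.serverlessCluster.env.account` to `formatArn`, or adding a comment explaining why the stack's values are correct there.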
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -633,7 +633,7 @@ export class GraphqlApi extends GraphqlApiBase {
if (!config) return undefined;
return {
userPoolId: config.userPool.userPoolId,
awsRegion: config.userPool.stack.region,
awsRegion: config.userPool.env.region,
appIdClientRegex: config.appIdClientRegex,
defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,
};
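Review bot: None of the 16 files listed in this commit is a test, so nothing visible here pins the behaviour the title describes, namely `awsRegion` following an imported user pool's region rather than the stack's. A unit test that imports a pool from an ARN in a different region and asserts the rendered `awsRegion` would guard the authorization config against regressions. How `env` is populated for each import method is not visible in this hunk, so a comment above the changed line such as `// env.region is the pool's own region, which may differ from the stack's for imported pools` would also help. The enclosing method starts and ends outside the hunk.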
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-batch/lib/compute-environment.ts
@@ -581,7 +581,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
return props.computeResources.spotFleetRole;
} else if (props.computeResources.type === ComputeResourceType.SPOT) {
return iam.Role.fromRoleArn(this, 'Resource-SpotFleet-Role',
`arn:${this.stack.partition}:iam::${this.stack.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
`arn:${this.stack.partition}:iam::${this.env.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
}
}

2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cloud9/lib/environment.ts
@@ -143,7 +143,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
this.environmentId = c9env.ref;
this.ec2EnvironmentArn = c9env.getAtt('Arn').toString();
this.ec2EnvironmentName = c9env.getAtt('Name').toString();
this.ideUrl = `https://${this.stack.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
this.ideUrl = `https://${this.env.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
}
}

@@ -55,7 +55,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
super(scope, id);

// Create a simple Function if we're already in us-east-1; otherwise create a cross-region stack.
const regionIsUsEast1 = !Token.isUnresolved(this.stack.region) && this.stack.region === 'us-east-1';
const regionIsUsEast1 = !Token.isUnresolved(this.env.region) && this.env.region === 'us-east-1';
const { edgeFunction, edgeArn } = regionIsUsEast1
? this.createInRegionFunction(props)
: this.createCrossRegionFunction(id, props);
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
@@ -612,8 +612,8 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
private validateCanLookupSupportedAzs(subnets: ISubnet[], serviceName: string) {

// Having any of these be true will cause the AZ lookup to fail at synthesis time
const agnosticAcct = Token.isUnresolved(this.stack.account);
const agnosticRegion = Token.isUnresolved(this.stack.region);
const agnosticAcct = Token.isUnresolved(this.env.account);
const agnosticRegion = Token.isUnresolved(this.env.region);
const agnosticService = Token.isUnresolved(serviceName);

// Having subnets with Token AZs can cause the endpoint to be created with no subnets, failing at deployment time
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -510,7 +510,7 @@ export abstract class BaseService extends Resource
resources: ['*'],
}));

const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
actions: [
'logs:CreateLogStream',
@@ -558,7 +558,7 @@ export abstract class BaseService extends Resource
'kms:*',
],
resources: ['*'],
principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.stack.account}:root`)],
principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.env.account}:root`)],
}));

if (logging === ExecuteCommandLogging.DEFAULT || this.cluster.executeCommandConfiguration?.logConfiguration?.cloudWatchEncryptionEnabled) {
@@ -571,9 +571,9 @@ export abstract class BaseService extends Resource
'kms:Describe*',
],
resources: ['*'],
principals: [new iam.ServicePrincipal(`logs.${this.stack.region}.amazonaws.com`)],
principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)],
conditions: {
ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:*` },
ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*` },
},
}));
}
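Review bot: The `logGroupArn` in the first hunk is assembled from the service's own `this.env.region` and `this.env.account`, not from the log group it names, so if `logConfiguration.cloudWatchLogGroup` belongs to a different region or account the task-role statement would point at an ARN that does not exist. If the log group object exposes its own `env`, as the other resources touched by this commit do, using `logConfiguration.cloudWatchLogGroup.env.region` and `.env.account` would keep the statement scoped to the real resource. The `'*'` fallback on the same line appears to grant the listed `logs:` actions on every log group when none is configured; a comment stating why that breadth is needed would help anyone auditing the policy. The enclosing method starts and ends outside these hunks.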
@@ -266,7 +266,7 @@ export abstract class BaseLoadBalancer extends Resource {
actions: ['s3:PutObject'],
principals: [logsDeliveryServicePrincipal],
resources: [
bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.stack.account}/*`),
bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.env.account}/*`),
],
conditions: {
StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
@@ -1110,7 +1110,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
metricName,
dimensionsMap: {
DomainName: this.domainName,
ClientId: this.stack.account,
ClientId: this.env.account,
},
...props,
}).attachTo(this);
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts
@@ -206,7 +206,7 @@ export class LustreFileSystem extends FileSystemBase {
this.fileSystem.applyRemovalPolicy(props.removalPolicy);

this.fileSystemId = this.fileSystem.ref;
this.dnsName = `${this.fileSystemId}.fsx.${this.stack.region}.${Aws.URL_SUFFIX}`;
this.dnsName = `${this.fileSystemId}.fsx.${this.env.region}.${Aws.URL_SUFFIX}`;
this.mountName = this.fileSystem.attrLustreMountName;
}

2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
@@ -883,7 +883,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
metricName,
dimensionsMap: {
DomainName: this.domainName,
ClientId: this.stack.account,
ClientId: this.env.account,
},
...props,
}).attachTo(this);
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts
@@ -101,14 +101,14 @@ abstract class AccessPointBase extends core.Resource implements IAccessPoint {
/** Implement the {@link IAccessPoint.domainName} field. */
get domainName(): string {
const urlSuffix = this.stack.urlSuffix;
return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${urlSuffix}`;
return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${urlSuffix}`;
}

/** Implement the {@link IAccessPoint.regionalDomainName} field. */
get regionalDomainName(): string {
const urlSuffix = this.stack.urlSuffix;
const region = this.stack.region;
return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${region}.${urlSuffix}`;
const region = this.env.region;
return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${region}.${urlSuffix}`;
}

/** Implement the {@link IAccessPoint.virtualHostedUrlForObject} method. */
@@ -252,4 +252,4 @@ export class AccessPoint extends AccessPointBase {
}),
);
}
}
}
6 changes: 3 additions & 3 deletions packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts
@@ -59,9 +59,9 @@ export class LambdaSubscription implements sns.ITopicSubscription {
if (topic.stack !== this.fn.stack) {
// only if we know the region, will not work for
// env agnostic stacks
if (!Token.isUnresolved(topic.stack.region) &&
(topic.stack.region !== this.fn.stack.region)) {
return topic.stack.region;
if (!Token.isUnresolved(topic.env.region) &&
(topic.env.region !== this.fn.env.region)) {
return topic.env.region;
}
}
return undefined;
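Review bot: The outer guard `if (topic.stack !== this.fn.stack)` still compares stacks, so the new `env.region` comparison is only reached for a topic that belongs to a different stack; a topic whose `env.region` differs from its stack's region but that is defined in the same stack would still fall through to `return undefined`. The enclosing method starts above the hunk, so if such topics are routed elsewhere before this branch the point does not apply, and a comment like `// env and stack can only differ for imported topics, which do not reach this branch` would make that explicit. The same pattern appears in the `SqsSubscription` hunk in `lib/sqs.ts`. Only `topic.env.region` is checked with `Token.isUnresolved`; `this.fn.env.region` is compared without that check.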
6 changes: 3 additions & 3 deletions packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts
@@ -85,9 +85,9 @@ export class SqsSubscription implements sns.ITopicSubscription {
if (topic.stack !== this.queue.stack) {
// only if we know the region, will not work for
// env agnostic stacks
if (!Token.isUnresolved(topic.stack.region) &&
(topic.stack.region !== this.queue.stack.region)) {
return topic.stack.region;
if (!Token.isUnresolved(topic.env.region) &&
(topic.env.region !== this.queue.env.region)) {
return topic.env.region;
}
}
return undefined;
2 changes: 1 addition & 1 deletion packages/@aws-cdk/core/lib/resource.ts
@@ -315,4 +315,4 @@ function mimicReference(refSource: any, producer: IStringProducer): string {
return producer.produce(context);
}
}(reference, reference.target, reference.displayName));
}
}
