Context provider for cross-account CFN stack outputs
Hi there,
It would be a must-have to be able to retrieve stack outputs from CloudFormation cross-account natively with CDK, and not using Exports, because they have some limitations:
- They only work in the account where the stack is deployed
- The Export “blocks” the parent stack if you want to make an update
Use Case
Try to imagine:
- You have created a CMK in Account A.
- You want to use the ARN of the key to create a Grant for the ASG service in Account B.
You can’t simply do that with CDK.
The issue is the same with many resources created in another account, like R53, IAM, endpoint services…
Proposed Solution
Create a native “resolver” and an assume-role feature like the “cdk-assume-role-plugin” (OK, that last point is another feature request :p)!
I’m trying to migrate from Sceptre (Troposphere) to CDK, but I have to admit that currently CDK can’t cover and offer a full alternative.
For example, to cover that we use a resolver doing a simple describe (example):
from botocore.exceptions import ClientError


class StackOutput:
    # Stand-alone version of the Sceptre-style resolver. The constructor is
    # added here so the snippet runs on its own; in Sceptre the base class
    # supplies these attributes (connection_manager wraps a boto3 client).
    def __init__(self, connection_manager, stack_name, output_key):
        self.connection_manager = connection_manager
        self.stack_name = stack_name
        self.output_key = output_key

    def resolve(self):
        try:
            response = self.connection_manager.call(
                service="cloudformation",
                command="describe_stacks",
                kwargs={"StackName": self.stack_name}
            )
        except ClientError as e:
            # CloudFormation reports a missing stack as a ValidationError
            # whose message ends in "does not exist"
            if "does not exist" in e.response["Error"]["Message"]:
                raise Exception(
                    "Stack with name {} does not exist".format(
                        self.stack_name
                    )
                )
            else:
                raise e
        else:
            # "Outputs" is absent from the response when the stack has none
            outputs = response["Stacks"][0].get("Outputs", [])
        formatted_outputs = dict(
            (output["OutputKey"], output["OutputValue"])
            for output in outputs
        )
        try:
            return formatted_outputs[self.output_key]
        except KeyError:
            raise Exception(
                "The stack '{}' does not have an output named '{}'".format(
                    self.stack_name,
                    self.output_key
                )
            )
So, in the code we just have to put the ARN of the role to assume in Account A, the name of the stack and the CFN output, like this:
{{AppRoleArn}}:::{{AppPath}}/sns/topic-AutoScaling:::Arn
With CDK: the ARN can, for example, be in cdk.json as a variable and retrieved with “tryGetContext”. The name of the stack? Easy with “stackName”, like “env” or “description”. The output? Easy again, created with the stack with “CfnOutput”.
Other
I’ve created a custom solution to be able to do that with CDK:
- You need to import the ARN of the CMK, and the key only; the Grant can’t be created with an alias.
- Deploy the stack creating the CMK with “cdk […] --outputs-file” with the wanted outputs.
- Get the ARN of the key from the output file and/or create an SSM parameter from it.
- Create a “lambda.SingletonFunction” to create or revoke this Grant in Account B.
OK, but now my code can’t work from scratch if I want to build my whole PRD environment, for example; yes, of course I get errors because my output file is not created yet… So what? Do I have to hardcode the ARN of the key to create my ASG Grant? Don’t even think about it.
When a CMK is needed by some resources I’ve created, I’ve set the alias ARN instead of the key; that way, I can easily name it and set it in my code. But CreateGrant needs the key ARN and it’s not possible to bypass that.
Regards, MG
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
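Added example, not code from the issue author or from aws-cdk: a plain-Python sketch of the “resolver + assume role” context provider the post asks for. It parses references in the issue’s `roleArn:::stackName:::outputKey` format, assumes the role into Account A (only in the boto3-backed factory, which the offline demo does not call), reads the stack output, and refuses to return a value when the stack does not exist, has no such output, or, as an extra guard, lives in a different account than the role. All role, stack and key ARNs below are constructed sample values, and `FakeCfnClient` is a constructed stand-in for the real client.

```python
"""Cross-account CloudFormation output resolver (added illustration, not aws-cdk code).

Reference format, following the issue: <role ARN in account A>:::<stack name>:::<output key>
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict

SEP = ":::"


@dataclass(frozen=True)
class OutputRef:
    role_arn: str
    stack_name: str
    output_key: str

    @property
    def account_id(self) -> str:
        return self.role_arn.split(":")[4]  # arn:aws:iam::<account>:role/<name>


def parse_ref(ref: str) -> OutputRef:
    """Parse 'roleArn:::stackName:::outputKey'; reject malformed input early."""
    parts = ref.split(SEP)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected <role_arn>{SEP}<stack>{SEP}<output>, got {ref!r}")
    role_arn, stack_name, output_key = parts
    arn = role_arn.split(":")
    if (len(arn) != 6 or arn[0] != "arn" or arn[2] != "iam"
            or not (arn[4].isdigit() and len(arn[4]) == 12) or not arn[5].startswith("role/")):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return OutputRef(role_arn, stack_name, output_key)


class StackDoesNotExist(LookupError): pass
class OutputNotFound(LookupError): pass


def _is_missing_stack_error(exc: Exception) -> bool:
    """CloudFormation reports a missing stack as a ValidationError '... does not exist';
    botocore's ClientError exposes it under exc.response['Error']."""
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code") == "ValidationError" and "does not exist" in err.get("Message", "")


def assumed_role_cfn_client(role_arn: str, region: str) -> Any:
    """Real client factory: sts:AssumeRole into account A, then a CloudFormation client.
    Needs boto3, credentials and network; the offline demo below uses FakeCfnClient instead."""
    import boto3  # lazy import so the module loads without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cdk-context-lookup", DurationSeconds=900
    )["Credentials"]
    return boto3.client("cloudformation", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class CrossAccountOutputResolver:
    """Resolves references, assuming each role once per run and caching its client."""

    def __init__(self, client_factory: Callable[[str], Any]):
        self._client_factory = client_factory
        self._clients: Dict[str, Any] = {}

    def resolve(self, ref_string: str) -> str:
        ref = parse_ref(ref_string)
        cfn = self._clients.get(ref.role_arn)
        if cfn is None:
            cfn = self._clients[ref.role_arn] = self._client_factory(ref.role_arn)
        try:
            stack = cfn.describe_stacks(StackName=ref.stack_name)["Stacks"][0]
        except Exception as exc:
            if _is_missing_stack_error(exc):
                raise StackDoesNotExist(
                    f"stack {ref.stack_name!r} not found in account {ref.account_id}") from exc
            raise
        # Guard: the stack must live in the role's account (StackId is
        # arn:aws:cloudformation:<region>:<account>:stack/<name>/<uuid>), so a
        # misconfigured role cannot silently hand back another account's value.
        stack_account = stack["StackId"].split(":")[4]
        if stack_account != ref.account_id:
            raise ValueError(f"stack {ref.stack_name!r} is in account {stack_account}, not {ref.account_id}")
        # 'Outputs' is absent when a stack has none; don't index it blindly.
        outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
        if ref.output_key not in outputs:
            raise OutputNotFound(f"stack {ref.stack_name!r} has no output {ref.output_key!r}; "
                                 f"available: {sorted(outputs)}")
        return outputs[ref.output_key]


# ---- Constructed offline stand-in for the account-A client (sample data only) ----
ACCOUNT_A = "111111111111"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CdkLookup"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT_A}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


class _FakeClientError(Exception):
    """Mimics the shape of botocore.exceptions.ClientError."""
    def __init__(self, code: str, message: str):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeCfnClient:
    STACKS = {
        "prd-kms": {"StackId": f"arn:aws:cloudformation:eu-west-1:{ACCOUNT_A}:stack/prd-kms/u1",
                    "Outputs": [{"OutputKey": "KeyArn", "OutputValue": KEY_ARN}]},
        "prd-empty": {"StackId": f"arn:aws:cloudformation:eu-west-1:{ACCOUNT_A}:stack/prd-empty/u2"},
        "prd-foreign": {"StackId": "arn:aws:cloudformation:eu-west-1:222222222222:stack/prd-foreign/u3",
                        "Outputs": [{"OutputKey": "KeyArn", "OutputValue": "arn:aws:kms:eu-west-1:222222222222:key/ffff"}]},
    }

    def describe_stacks(self, StackName: str) -> Dict[str, Any]:
        if StackName not in self.STACKS:
            raise _FakeClientError("ValidationError", f"Stack with id {StackName} does not exist")
        return {"Stacks": [self.STACKS[StackName]]}


def try_resolve_offline(ref_string: str) -> str:
    """Resolve against the fake client; return the value, or the error class name."""
    try:
        return CrossAccountOutputResolver(lambda _role_arn: FakeCfnClient()).resolve(ref_string)
    except (StackDoesNotExist, OutputNotFound, ValueError) as exc:
        return type(exc).__name__
```

To wire this into a real synth, pass `lambda role_arn: assumed_role_cfn_client(role_arn, region)` as the factory and feed it the strings from cdk.json; the role in Account A only needs `cloudformation:DescribeStacks` on the stacks you read, and the deploying principal in Account B needs `sts:AssumeRole` on that role.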
Issue Analytics
- Created 3 years ago
- Reactions: 6
- Comments: 15 (7 by maintainers)
Made it, as you can see @skinny85, thanks to you. I think it’s not an isolated problem; I’ve faced the same problem between VpcEndpointService and InterfaceVpcEndpoint.
To go back to the initial request, I think the best way is to provide a native solution to retrieve these outputs/references between cross-account stacks directly. I can’t believe I’m the only one trying to get resources created in other accounts (CMK/IAM/PrivateLinks/R53/TGW…). Using --outputs-file as a workaround to get CFN outputs locally, to be able to create other resources in other accounts from that file, is not thinkable…
Thanks @Cloudrage ! We will get those fixed.