Context provider for cross-account CFN stack outputs
Hi there,
It’ll be a must-have to be able to retrieve stack outputs from CloudFormation cross-account natively with CDK. Not using Exports, because they have some limitations:
- Only on the account where the stack is deployed
- The Export “blocks” the parent Stack if you want to make an update
Use Case
Try to imagine:
- You have created a CMK in Account A.
- You want to use the Arn of the Key to create a Grant for the ASG service in Account B
You can’t simply do that with CDK.
This issue is the same with multiple resources created on another Account, like R53, IAM, EndpointServices…
Proposed Solution
Create a native “resolver” and an assume-role feature like the “cdk-assume-role-plugin” (ok, that last point is another feature request :p)!
I’m trying to migrate from Sceptre (Troposphere) to CDK, but I have to admit that CDK currently can’t cover & offer a full alternative.
For example, to cover that we use a resolver doing a simple describe (example):
```python
from botocore.exceptions import ClientError


def resolve(self):
    # Method of a Sceptre resolver: self.connection_manager wraps the boto3 call,
    # self.stack_name and self.output_key come from the resolver's argument.
    try:
        response = self.connection_manager.call(
            service="cloudformation",
            command="describe_stacks",
            kwargs={"StackName": self.stack_name},
        )
    except ClientError as e:
        # DescribeStacks reports a missing stack as a ClientError whose
        # message contains "does not exist"; anything else is re-raised.
        if "does not exist" in e.response["Error"]["Message"]:
            raise Exception(
                "Stack with name {} does not exist".format(self.stack_name)
            )
        else:
            raise e
    else:
        outputs = response["Stacks"][0]["Outputs"]
        formatted_outputs = dict(
            (output["OutputKey"], output["OutputValue"]) for output in outputs
        )
        try:
            return formatted_outputs[self.output_key]
        except KeyError:
            raise Exception(
                "The stack '{}' does not have an output named '{}'".format(
                    self.stack_name, self.output_key
                )
            )
```
So, in the code we just have to put the Arn of the Role to assume in Account A, the name of the Stack & the CFN Output, like this:
{{AppRoleArn}}:::{{AppPath}}/sns/topic-AutoScaling:::Arn
With CDK: the Arn can, for example, be in cdk.json as a variable and retrieved with a “tryGetContext”. The name of the Stack? Easy with “stackName”, like the “env” or “description”. The Output? Easy again, created with the Stack with “CfnOutput”.
Other
I’ve created a Custom solution to be able to do that with CDK :
- You need to import the Arn of the CMK, and of the Key only: the Grant can’t be created with an Alias.
- Deploy the Stack creating the CMK with a “cdk […] --outputs-file” with the outputs wanted.
- Get the Arn of the key from the output file and/or create an SSM Parameter from it.
- Create a “lambda.SingletonFunction” to create or revoke this Grant in Account B.
Ok, but now my code can’t work from scratch if I want to build all my PRD environment, for example; yes, of course I get errors because my output file is not created yet… So what? Do I have to hardcode the Arn of the Key to create my ASG Grant? Don’t even think about it.
When a CMK is needed by some resources I’ve created, I’ve set the Alias Arn instead of the Key; that way, I can easily name it and set it in my code. But CreateGrant needs the Key Arn & it’s not possible to bypass that.
Regards, MG
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
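As an added example (not code from this issue, from Sceptre or from CDK), here is the cross-account resolver the request sketches, in plain Python: it parses the `roleArn:::stackName:::outputKey` reference, assumes the role in Account A and reads the output with DescribeStacks. The STS and CloudFormation clients are injected so the logic runs offline against the constructed fakes; `boto3_cfn` shows the real wiring, and the role ARN, stack name and key ARN in `demo()` are placeholders.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict

SEP = ":::"  # separator of the issue's reference form: roleArn:::stackName:::outputKey

@dataclass(frozen=True)
class OutputRef:
    role_arn: str  # role in the owning account (Account A) allowed to call DescribeStacks
    stack_name: str
    output_key: str

def parse_ref(ref: str) -> OutputRef:
    parts = ref.split(SEP)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected roleArn{SEP}stackName{SEP}outputKey, got {ref!r}")
    return OutputRef(*parts)

def resolve_output(ref: OutputRef, sts: Any, cfn_factory: Callable[[Dict[str, str]], Any]) -> str:
    # sts exposes assume_role() like a boto3 STS client; cfn_factory turns the
    # temporary credentials into a client exposing describe_stacks().
    creds = sts.assume_role(RoleArn=ref.role_arn, RoleSessionName="cdk-output-resolver")["Credentials"]
    stacks = cfn_factory(creds).describe_stacks(StackName=ref.stack_name)["Stacks"]
    if not stacks:  # boto3 raises ClientError("... does not exist") instead; keep the guard anyway
        raise LookupError(f"stack {ref.stack_name!r} not found")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stacks[0].get("Outputs", [])}
    if ref.output_key not in outputs:
        raise LookupError(f"stack {ref.stack_name!r} has no output {ref.output_key!r}")
    return outputs[ref.output_key]

def boto3_cfn(creds: Dict[str, str]) -> Any:
    import boto3  # lazy import: the offline demo below needs no AWS SDK
    return boto3.client("cloudformation", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])

# Constructed stand-ins for the two AWS clients so the resolver can run offline.
class FakeSts:
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "AKIAFAKE", "SecretAccessKey": "s", "SessionToken": "t"}}

class FakeCfn:
    def describe_stacks(self, StackName):
        if StackName != "prd/sns/topic-AutoScaling":
            raise LookupError("Stack does not exist")  # a real client raises ClientError here
        return {"Stacks": [{"Outputs": [{"OutputKey": "Arn", "OutputValue": "arn:aws:kms:eu-west-1:111111111111:key/constructed"}]}]}

def demo() -> str:
    ref = parse_ref("arn:aws:iam::111111111111:role/cdk-reader:::prd/sns/topic-AutoScaling:::Arn")
    return resolve_output(ref, FakeSts(), lambda creds: FakeCfn())
```

The role in Account A only needs `cloudformation:DescribeStacks` on the stack being read, and Account B's deploy principal only needs `sts:AssumeRole` on that role, which keeps the cross-account trust narrow.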
Issue Analytics
- Created 3 years ago
- Reactions:6
- Comments:15 (7 by maintainers)
Top GitHub Comments
Made it as you can see @skinny85, thanks to you. I think it’s not an isolated problem, I’ve faced the same problem between VpcEndpointService & InterfaceVpcEndpoint.
To go back to the initial request, I think the best way is to provide a native solution to retrieve these outputs/references between Cross Account Stacks directly. Can’t believe I’m the only one trying to get resources created on other Accounts (CMK/IAM/PrivateLinks/R53/TGW…). Using --outputs-file as a workaround to get CFN outputs locally to be able to create other resources on other accounts from that file is not thinkable…
Thanks @Cloudrage ! We will get those fixed.