Bad cross-stack reference / token related to env passed to stacks

[jacques-]

When referencing a policy created in one stack from another stack, I get a bad token that cannot be resolved. However, weirdly, this happens only when I pass the same env to both stacks. If I pass account and region to one stack, and only e.g. the region to the second stack it works as expected.

I'm doing something a little odd by using an aspect to apply permissions boundary (from https://github.com/aws/aws-cdk/issues/3242), so no idea if there is another way to achieve the same thing (applying permissions boundary to all roles created.

Something else that is odd, is that if I specify the reference in an output in the second stack, it also fixes the reference (albeit in a very different way).

Reproduction Steps

#!/usr/bin/env python3

from aws_cdk import core
from aws_cdk import aws_iam
from aws_cdk import aws_ssm
from aws_cdk import aws_codebuild
from typing import Union
import jsii
from aws_cdk import aws_iam, core
from jsii._reference_map import _refs
from jsii._utils import Singleton


@jsii.implements(core.IAspect)
class PermissionsBoundaryAspect:
    def __init__(self, permission_boundary: Union[aws_iam.ManagedPolicy, str]) -> None:
        self.permission_boundary = permission_boundary

    def visit(self, construct_ref: core.IConstruct) -> None:
        if isinstance(construct_ref, jsii._kernel.ObjRef) and hasattr(construct_ref, 'ref'):
            kernel = Singleton._instances[jsii._kernel.Kernel]  # The same object is available as: jsii.kernel
            resolve = _refs.resolve(kernel, construct_ref)
        else:
            resolve = construct_ref

        def _walk(obj):
            """
            The recursive walk function, should not be called direcly.
            """
            if isinstance(obj, aws_iam.Role):
                cfn_role = obj.node.find_child('Resource')
                policy_arn = self.permission_boundary if isinstance(self.permission_boundary, str) else self.permission_boundary.managed_policy_arn
                cfn_role.add_property_override('PermissionsBoundary', policy_arn)
            else:
                if hasattr(obj, 'permissions_node'):
                    for c in obj.permissions_node.children:
                        _walk(c)
                if hasattr(obj, 'node') and obj.node.children:
                    for c in obj.node.children:
                        _walk(c)

        _walk(resolve)


class AlphaStack(core.Stack):
    def __init__(self, scope: core.Construct, **kwargs) -> None:
        super().__init__(scope, self.__class__.__name__, **kwargs)
        self.test_policy = aws_iam.ManagedPolicy(
            self, "test_policy",
            managed_policy_name=self.stack_name+"-"+"test_policy")
        self.test_policy.add_statements(aws_iam.PolicyStatement())


class BetaStack(core.Stack):
    def __init__(self, scope: core.Construct, policy, **kwargs) -> None:
        super().__init__(scope, self.__class__.__name__, **kwargs)
        project_name = "test"
        repo_name = "test"
        project = aws_codebuild.Project(
            self, project_name, project_name=project_name,
            source=aws_codebuild.Source.bit_bucket(
                owner="test",
                repo=repo_name),
            cache=aws_codebuild.Cache.local(aws_codebuild.LocalCacheMode.CUSTOM),
            environment=aws_codebuild.BuildEnvironment(build_image=aws_codebuild.LinuxBuildImage.AMAZON_LINUX_2)
        )
        # Weirdly, uncommenting this fixes things.
        # core.CfnOutput(self, "test_output", value=policy.managed_policy_arn, export_name="test")


app = core.App()

env1 = core.Environment(account="111111111111", region="eu-west-1")
env2 = core.Environment(account="111111111111")
env3 = core.Environment(region="eu-west-1")

alpha_stack = AlphaStack(app, env=env1)
# Changing env1 to env2 (or env3) fixes things again
beta_stack = BetaStack(app, alpha_stack.test_policy, env=env1)
beta_stack.node.apply_aspect(PermissionsBoundaryAspect(alpha_stack.test_policy))

app.synth()

Error Log

The error I get is essentially an "Unresolved resource dependencies" as described here: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-template-validation/

Environment

• **CLI Version :1.21.1
• **Framework Version:1.21.1
• **OS :macos
• **Language :python

Other

---

This is 🐛 Bug Report

[jacques-]

Hi, would be great to understand what the expected behaviour is here.

Is there any additional information I can provide that would help the process?

[jacques-]

Why is this not a bug?

[jacques-]

Any progress here?

[rix0rrr]

Fairly sure that adding overrides does not create the implicit stack reference that you need for this to work.

You are better off creating the Export and Fn::ImportValue manually.