how do we avoid cyclic references in CDK/SST? for ...
# help
s
how do we avoid cyclic references in CDK/SST? for example, I set up Cognito in my “core” stack. later on, in my “media-processor” stack which depends on core, I need to add more permissions to authorized Cognito users:
```ts
props!.cognitoAuth.attachPermissionsForAuthUsers([
  [uploadProcessorFunc, 'grantInvoke'],
]);
```
This results in a cyclic dependency error.
```
Error: 'dev-microservices-core' depends on 'dev-microservices-media-processor' (dev-microservices-core -> dev-microservices-media-processor/UploadProcFunc/Resource.Arn). Adding this dependency (dev-microservices-media-processor -> dev-microservices-core/UploadBucket/Bucket/Resource.Arn) would create a cyclic reference.
```
in my previous Serverless Framework setup, I just hardcoded the ARN of the function. not really ideal
adding this to the file that defines the auth works. but if there’s a better way, lemme know
```ts
new iam.PolicyStatement({
  actions: ['lambda:InvokeFunction'],
  effect: iam.Effect.ALLOW,
  resources: [
    `arn:aws:lambda:${stack.region}:${stack.account}:function:${stack.stackName}-uploadProcessor`,
  ],
}),
```
f
Theoretically this should be possible. The Core stack doesn’t have to depend on the Processor stack. You should be able to export the IAM role in the Core stack, and create an IAM policy in the Processor stack.
s
I’m not sure what that would look like 🤔 Cognito (in the Core stack) needs to grant auth’d users permissions related to the MediaProcessor stack. but if I pass Cognito into that stack, then Core depends on MediaProcessor and vice-versa
f
I’m looking at CloudFormation doc, to attach a policy to a role, u can either:
• have the Role define the Policy inline, hence the role depends on the function’s arn; or
• have the Policy reference the Role, hence the role isn’t dependent on anything
This is doing the former
```ts
props!.cognitoAuth.attachPermissionsForAuthUsers([
  [uploadProcessorFunc, 'grantInvoke'],
]);
```
s
I still can’t wrap my head around how to flip that around. like.. you can’t do:
```ts
uploadProcessorFunc.grantInvoke(...authenticatedCognitoUsers.. somehow)
```
oh wait
```ts
uploadProcessorFunc.grantInvoke(props!.cognitoAuth.iamAuthRole);
```
edit: nope, same error
ok.. THIS should work. sorry man, still coming to grips w/ CDK 😄
```ts
new iam.Policy(this, 'Foo', {
  roles: [props!.cognitoAuth.iamAuthRole],
  statements: [
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['lambda:InvokeFunction'],
      resources: [uploadProcessorFunc.functionArn],
    }),
  ],
});
```
it’s funny, all this time (a couple of years at least) I’ve been using CloudFormation, I had no idea you could flip that around and create a policy to attach to a role. for some reason I always thought you had to define the policy at the time of role creation
f
Yeah, and the CFN doc isn’t of much help 🤷‍♂️
Did you manage to break the cyclical dependency?
s
yessir! the code right above did the trick. thanks for your help 🙂