This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
ec2: cross-app usage of VPC #4096
Comments
SomayaB
added
bug
|
I think I'm having this issue, but in Typescript. This code fails: Returns: "All arguments to Vpc.fromLookup() must be concrete (no Tokens)" Where this code works: This is CDK 1.12.0 cdk --version |
|
I also face same issue when I try to use |
|
Same here on TypeScript with CDK 1.12.0 |
|
I am also experiencing this issue. Is there another way we are meant to pass the vpc id between stacks? I want to avoid having to add it in manually. |
|
That's a problem in all languages, as in it is not (currently) possible to pass deploy-time values across environments that aren't co-located (same account AND region). |
|
And this use case can never really work. The reason is that we need to know more about a VPC than its VPC ID: we also need to know all of the subnets, routing tablets, etc, because there are a lot of things people want to do to VPCs and many of the things require detailed knowledge about the VPC layout. The only way to get this going right now is for you infrastructure team to deploy the VPC completely, then use |
rix0rrr
added
feature-request
rix0rrr
changed the title
But how come it works if you hard-code the VPC-id, but doesn't work when importing it? It would still not know anything about the remaining configuration? |
|
Is there any traction on this? As it stands it appears that exporting values from one stack to another simply does not work. I'm facing the same issue in Python. |
|
@maschinetheist As a work around, I used the Hopefully though, this will be fixed. |
Thank you! I was able to make some progress as well, but without using exports: class VPCStack(core.Stack):
def __init__(self, app: core.App, id: str, **kwargs):
super().__init__(app, id, **kwargs)
self.vpc = aws_ec2.Vpc(self, "VPC", nat_gateways=1)
class ConsumingStack(core.Stack):
def __init__(self, app: core.App, id: str, vpc: aws_ec2.Vpc, **kwargs) -> None:
super().__init__(app, id, **kwargs)
# Update VPC routes
self.vpc = vpc
private_subnets = self.vpc.private_subnets
for subnet in private_subnets:
# print(subnet.route_table.route_table_id)
route_table_stack = ec2.CfnRoute(
self, str("MainRouteTable" + random.randint(0, 254)),
route_table_id=subnet.route_table.route_table_id,
destination_cidr_block="10.0.0.0/16"
transit_gateway_id="tgw-123456"
)
vpcstack = VPCStack(app, "VPCStack")
consumingstack = ConsumingStack(app, "ConsumingStack", vpc=vpcstack.vpc) # Import VPC construct from vpcstack
cdk.synth()Of course this will work within an app (across stacks) but not cross-app. For that I will try out |
|
Having the same issue reading DistributionID from CloudFront to pass to stacks using another region. So we are using aws_cloudformation.CustomResource which calls a lambda to read the values we need. The same principal should work for VPC-id but it is a bit like using a sledge hammer to crack a nut. |
|
I encountered this issue when getting the VPC ID from a And I get this error: But, hard coding the vpc works fine: |
|
@jones-chris That mapping will only show up when cdk generates the cloudformation. You should use an if-statement or switch-statement. |
SomayaB
added
@aws-cdk/aws-ec2
|
I'm facing the same issue in typescript in CDK 1.31.0. FYI, in this case, the VPC to be looked up is in the same account and region as the stack being deployed, and I'm passing the correct credentials for this account and region to the synthesis. Below fails. below succeeds What is the exact problem here? Is the issue that the cross stack reference is not looked up at synthesis time, but expected to be looked up only at deploy time? Is there a way that something can be implemented so that these cross stack references could be looked up at synthsis time? It's a big pain to go through all my CDK templates when a VPC ID is changed and copy and paste the text value of the VPCID into the template. I would rather just go |
For now my solution is to hard-code the VPC Name and do the lookup by vpc name rather than VPC ID. It's a temp fix in my eyes but necessary for me to move on w/ my project. |
|
I bumped to this issue when trying to automate VPC CIDR allocation with CustomResource. When passing the cidr value from CustomResouce to L2 - Vpc construct I'm getting 'property must be a concrete CIDR string, got a Token '. Passing the same to L1 CfnVPC works just fine. Btw, I'm using python. |
|
As michaelday008 pointed out the underlying issue here is that there are several phases a CDK app goes through on its journey to deployed stacks.
These steps happen strongly one after the other. So information gathered in a later step can never be used in an earlier phase. Now let's look at the steps described in this ticket and in which phase they happen. Object Model phase
CFN Deployment
So whenever a piece of information in generated during the later phase it will be a Token in CDK and can never be used in one the action of the first phase. This is why:
So how to solve this? For lookups you could, as already mentioned, always import by name or any other tag instead of using an id. Alternatively, you can always do the lookups, imports, etc in a script before invoking CDK and provide the values as context. I hope this helps with some of the confusion of why certain things work and do not work and why it is not easily possible to "fix" this or why this is not a bug but working as intended. |
|
I am not sure I can follow. Is the VPC created using the CDK app or not? If it is created in the same app you can use the instance cross stack. IF not you should be able to look it up as it already exists. Can you elaborate? |
I can't get my head around why you want to pass the I can understand for things that are more dynamic, like |
|
I was able to synth and deploy without hard-coding. In separate CDK package, i have Then using Another method is to use We need to implement |
I have discovered that this is not only the case for exporting (for example) the VPC id, but for many (maybe all?) id/arn-like properties that I try to export. I get the
There's probably more! This should really be fixed. I do have a workaround for now: many resources can be looked up by adding tags to them. Example with VPC: In one stack self.prod_vpc = ec2.Vpc(self, 'ECSVPCProd', max_azs=2)
Tags.of(self.prod_vpc).add('source-ag:environment-type', 'prod')In another stack: vpc = ec2.Vpc.from_lookup(self, 'VpcLookup', tags={'source-ag:environment-type':'prod'})Hope this helps for people having trouble with this! |
|
I have stopped using CloudFormation export/imports altogether, and rely on parameter store instead like @miaekim suggested, and it works very well. However, for legacy cloudformation stacks where you gradually migrate to CDK it becomes cumbersome, but I guess you can create SSM parameters via CloudFormation as well. |
|
So for people coming to this place for help, basically there are 2 options for mitigating this issue:
|
|
However, security groups, etc. still need to be hard coded. I think that SSM does not help solve the safety issue when deleting with stack dependencies in cross-applications. |
|
I was also running into this and solved it via SSM. How come this is not implemented? Isn't this kind of a standard use-case for going micro-services like architectures where each service ships with infra? |
|
As some described above I was able to circumvent the problem using the aws sdk. My solution looks like this In the VPC stack // export the vpc id as cfn output
new cdk.CfnOutput(this, 'my-vpc-id', {
exportName: 'my-vpc-id',
value: this.vpc.vpcId,
})In your other stack install aws-sdk npm install aws-sdk --saveGet the output using the sdk, and pass it to your stack: import * as CloudFormation from 'aws-sdk/clients/cloudformation'
const cf = new CloudFormation({ region: process.env.AWS_REGION })
const getExportValue = (expts: { "Exports": { "Name": string, "Value": string}[] }) => (name: string) =>
expts.Exports.filter((expt) => expt.Name.localeCompare(name) == 0)[0].Value
const getConfig = () => cf.listExports().promise()
const app = new cdk.App()
getConfig().then((conf: any) => {
const vpcId = getExportValue(conf)("my-vpc-id")
console.log(`Using vpcId ${vpcId}`)
return new MyStack(app, ',my-stack', { vpcId })
}) |
|
SOLUTION!!! Best of all it's simple and works pretty much as you would expect it. Took much digging and points out the issue with the documentation on something that is really still bleeding edge. First: It looks like everything that accesses a cdk. call (efs, ec2, vpn, ext) occurs after the stack is uploaded to AWS. And this is after all the checks are done prior. Which means things like "cdk.CfnParameter" are just a Token as they haven't actually run yet. And in fact, all the code you put in your working file does not run sequentially like you would expect when using the cdk. functions. So while you may be declaring a variable based of an input parameter at the top, cdk. functions that are below it may run first. Second: The Answer- -c or --context And you retrieve it thusly: You can even take it a step further and be more GitOpsy about it. (Is too a word. I'm an author. I get to make up words.) On the main branch of your project (assuming you used cdk init) you'll have a file called cdk.json. Primarily used for the cdk to pass access info for your AWS account as well as other things. However, you can add to it. Everything "prod" down I added. Note that all additions are in the "context" json. So first you get the command line value: Then you get the json branch you want to use (nicely stored in git and versioned): And from there you used it exactly as you would expect: Hope this helps a lot of people. |
|
I would like to point out that the inability of the CDK to import VPC IDs from another CF stack export also means that CF will not be aware of this dependency. For example, modification of the export name will be allowed. This will break the CDK stack, which will only be detected the next time the stack is synthesized. (Could not find export with name xyz.) This is not the case with plain old cloudformation files, as the |
|
How come there's no way to import a VPC by id into a different stack? The issue is 3 years old! |
|
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue. |
|
Just chiming in to say that CDK has been amazing to use.... until I tried to create (or rather cross reference) VPCs. Given how seemless and enjoyable the rest of the process has been, slamming into the brick wall that is VPC cross referencing has been a nightmare. I ran into a similar issue with Dynamo tables, but that's a fairly easy work around because you can reference them by ID. I followed the recommended steps listed here and just made it cross reference, but then as soon as I did something as simple as change the subnet a lambda in a different stack used, I ran into the dreaded cannot delete export error, which was worsened by the I'm now having to delete half of my stacks just to break a single reference one of them has to a single subnet, which seems frustrating (luckily CDK makes it easy to spin them right back up again! 😂) Definitely learned my lesson reg. cross reference, will be storing the values in SSM, which seems to be the solution and isn't that painful. After using CDK for a few months, the cross reference issue has definitely taken up most of my time, and resulted in the most swear words per minute. |
|
FYI: I solved this by adding aws-sdk to my cdk, and then using it to pull CFN exports: |
Great workaround. I hope AWS comes up with a CDK oriented solution soon. |
|
So if I'm following all of the discussion I believe that there are two issues here, one being weak references, which is a feature that is being discussed and designed but hasn't been implemented that allows referencing values cross stack in a way that avoids the dreaded "can't delete stack because export value is used by x" loop and would replace the need for storing vpcId in an SSM parameter. To sum up some discussion for anyone stumbling on this issue now and looking for solutions.
That being said, I believe what this issue is asking for is essentially weak references, so I'm going to convert it to a discussion in case anyone has more questions. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
and others
❓ General Issue
The Question
I am trying to build a sample to pass
vpcIdacross stacks. It's fine if I passvpcIdas the stack property, however, the reality is, the vpc stack may be built by the infra team with native cloudformation templates and export thevpcIdin the Outputs and the App team may build application with CDK in that VPC. All the App team knows is the export name and have to build an app stack in that VPC.In
TypeScriptI can simply get thevpcIdasStringbycdk.Fn.importValue('ExportedVpcId')And
However, in Python I got this error:
It looks like
cdk.Fn.importValue()inTypeScriptreturnsStringbutcore.Fn.import_value()inPythonreturnsToken.Not sure if this is a valid issue. Any guidance is highly appreciated.
Environment
Other information
https://gitter.im/awslabs/aws-cdk?at=5d7f7b8636461106bb29e96e
The text was updated successfully, but these errors were encountered: