core: CrossRegion References does'nt work withn exporting to multiple regions.

[mrpackethead]

Describe the bug

The bug fix provided in release 2.77.0

core: crossRegionReferences doesn't work when exporting to multiple regions (#25190) (89b26b8), closes #24464

Does not appear to have resolved the issue.

The inline policy for the CustomRegionExportWriter... Role is only providing access to a single zone. Synthed cf template., you can see this.

"CustomCrossRegionExportWriterCustomResourceProviderRoleC951B1E1": {
  "Type": "AWS::IAM::Role",
  "Properties": {
   "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
     {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
       "Service": "lambda.amazonaws.com"
      }
     }
    ]
   },
   "ManagedPolicyArns": [
    {
     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
   ],
   "Policies": [
    {
     "PolicyName": "Inline",
     "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
       {
        "Effect": "Allow",
        "Resource": [
         "arn:aws:ssm:ap-southeast-1:8xxxxxxxxxxxx2:parameter/cdk/exports/*"
        ],
        "Action": [
         "ssm:DeleteParameters",
         "ssm:ListTagsForResource",
         "ssm:GetParameters",
         "ssm:PutParameter"
        ]
       }
      ]
     }
    }
   ]
  },


"ExportsWriterapsoutheast2235C849A8E92266D": {
  "Type": "Custom::CrossRegionExportWriter",
  "Properties": {
   "ServiceToken": {
    "Fn::GetAtt": [
     "CustomCrossRegionExportWriterCustomResourceProviderHandlerD8786E8A",
     "Arn"
    ]
   },
   "WriterProps": {
    "region": "ap-southeast-2",
    "exports": {
     "/cdk/exports/ap-southeast-2-centralVPC/supportInfrauseast1FnGetAttearthIPAMPoolIpamPoolId4B9BFE48": {
      "Fn::GetAtt": [
       "earthIPAMPool",
       "IpamPoolId"
      ]
     },
     "/cdk/exports/ap-southeast-2-centralVPC/supportInfrauseast1Refloggingbucket6D73BD53592114C2": {
      "Ref": "loggingbucket6D73BD53"
     },
     "/cdk/exports/ap-southeast-2-workloadVPC/supportInfrauseast1FnGetAttearthIPAMPoolIpamPoolId4B9BFE48": {
      "Fn::GetAtt": [
       "earthIPAMPool",
       "IpamPoolId"
      ]
     },
     "/cdk/exports/ap-southeast-2-workloadVPC/supportInfrauseast1Refloggingbucket6D73BD53592114C2": {
      "Ref": "loggingbucket6D73BD53"
     }
    }
   }
  },
  "UpdateReplacePolicy": "Delete",
  "DeletionPolicy": "Delete",
  "Metadata": {
   "aws:cdk:path": "supportInfra/ExportsWriterapsoutheast2235C849A/Resource/Default"
  }
 }
},

Expected Behavior

should have added multiple regions.

Current Behavior

only added one region.

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { Stack } from 'aws-cdk-lib';

const app = new cdk.App();
var sourceStack = new Stack(app, 'sourceStack', {  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'us-east-1' } });
var hostedZone = new cdk.aws_route53.HostedZone(sourceStack, "hostedZone", { zoneName: 'test.local'});

var destRegion1Stack = new Stack(app, 'Region1Stack',  {  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'ap-southeast-1' }, crossRegionReferences: true });
new cdk.aws_route53.TxtRecord(destRegion1Stack, "FirstARecord", { zone: hostedZone, recordName: 'ap-southeast-1', values: ['ap-southeast-1'] });

var destRegion2Stack = new Stack(app, 'Region2Stack',  {  env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'ap-southeast-2' }, crossRegionReferences: true });
new cdk.aws_route53.TxtRecord(destRegion2Stack, "SecondARecord", { zone: hostedZone, recordName: 'ap-southeast-2', values: ['ap-southeast-2'] });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.77.0

Framework Version

No response

Node.js Version

16.15.1

OS

Amazon Linux 2

Language

Typescript

Language Version

No response

Other information

No response

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[curquhart]

Just wondering when this will be released? (specifically, for go, as I'm not sure if the releases all happen at the same time)... Thanks :)

[wirjo]

Thanks @corymhall!

I'm still getting the below error on CDK version 2.87.0 (build 9fca790):

CREATE_FAILED        | Custom::CrossRegionExportWriter 
Received response status [FAILED] from custom resource. Message returned: InvalidResourceId: UnknownError

I have 3 stacks deploying to us-east-1 (just for ACM SSL certificates as Cross-Region Certificate construct was deprecated), us-west-1 and ap-southeast-2.

Looking at the CloudFormation, it appears that the Custom::CrossRegionExportWriter resource cannot be created.

UPDATE: This seems to be an issue with the latest CDK version 2.87. The Lambda resource runtime appears to be upgraded to Node 18. I downgraded to CDK version 2.69 and now it works.

UPDATE 2: Note downgrading to 2.69 means that this issue still exists #24464 as it's only fixed in 2.77.

[dhstockwell]

I'm also deploying cross-region SSL certificates in addition to using RDS.ClusterInstance.serverlessV2 writers. Because serverlessV2 was introduced in 2.82 I had to dig and found out that this issue was re-fixed in 2.83.1 and re-broken somewhere beyond that version (confirmed broken on 2.85 and 2.87). For now, I'm locked to that one specific version

[pascalbayer]

Running into the same issues with CDK version 2.87.0 (build 9fca790). Can't seem to get the Custom::CrossRegionExportWriter resource to create successfully.

Here's the error I'm seeing:

08:42:51 | CREATE_FAILED        | Custom::CrossRegionExportWriter | ExportsWritereuwest
Received response status [FAILED] from custom resource. Message returned: InvalidResourceId: UnknownError

From what I can see in CloudFormation, looks like the hiccup is happening when the Custom::CrossRegionExportWriter resource is being created.

Just to mention, the issue isn't showing up in version 2.83.1. But given the deprecation of cross-account certificates, getting this sorted in the latest version is pretty crucial.

[wirjo]

Thanks for confirming. I speculate it's due to the Lambda runtime upgrade of the Lambda export writer.

Pinging @corymhall onto this.

[joshmurrayeu]

Hey guys, any updates on this bug? I'm also trying to create some SSL certificates in us-east-1 and use them in the eu-west-2 region. Thanks!

cc @wirjo
cc @corymhall

[corymhall]

@joshmurrayeu @wirjo this should be fixed in the latest version released last week (v2.88.0) are you still seeing the issue after upgrading?

[joshmurrayeu]

@joshmurrayeu @wirjo this should be fixed in the latest version released last week (v2.88.0) are you still seeing the issue after upgrading?

Hey @corymhall, thanks for the prompt response. Yup, I was on 2.87.0 - sorry guys.