Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Resolving cyclical dependencies between AWS CDK CloudFormation stacks

Tags:

amazon-web-services

amazon-cloudformation

aws-cdk

Context, I have a CDK app with two stacks using the following setup:

Stack_A:
    StateMachine_A
    Lambda_A
    S3Bucket_A
    IAMRole_A

Stack_B:
    StateMachine_B
    SageMakerTrainJob_B
    IAMRole_B

StateMachine_A runs Lambda_A using execution role IAMRole_A. A separate step in StateMachine_A writes data to S3Bucket_A. StateMachine_B runs SageMakerTrainJob_B using execution role IAMRole_B. Lambda_A's purpose is to start execution of StateMachine_B, whose SageMakerTrainJob_B needs to read from S3Bucket_A. Therefore, we have to configure the following permissions:

  • IAMRole_A needs startExecution permissions on StateMachine_B.
  • IAMRole_B needs read permissions on S3Bucket_A.

We tried to model this in CDK by creating a direct dependency in Stack_B on Stack_A, using references to IAMRole_A and S3Bucket_A within Stack_B's definition to grant the needed permissions in code. However, this generated the following error:

Error: 'Stack_B' depends on 'Stack_A' (dependency added using stack.addDependency()). Adding this dependency (Stack_A -> Stack_B/IAMRole_B/Resource.Arn) would create a cyclic reference.

Likewise, trying to model the dependency in the other direction gave the same error:

Error: 'Stack_A' depends on 'Stack_B' (dependency added using stack.addDependency()). Adding this dependency (Stack_B -> Stack_A/S3Bucket_A/Resource.Arn) would create a cyclic reference.

Is there any way around this using code dependencies? Are there any recommended best practices for situations like this? Some options we've considered include:

  • Using a third stack that depends on both to give Stack_A and Stack_B access to each other's resources.
  • Creating additional access roles for the necessary resources within each stack and maintaining assumeRole permissions for the Lambda/SageMaker roles somewhere outside of CDK.
  • Putting them all in one stack. Not great for organization and makes the resources really tightly coupled--we may not want StateMachine_A to be the only entry point to StateMachine_B in the future.

Also , I see there were similar-sounding issues during CDK development with CodeCommit/CodePipeline and APIGateway/Lambda. Is this a related bug, or are we just trying to do something that's not supported?

like image 292
user2446256 Avatar asked Feb 19 '20 19:02

user2446256

People also ask

How do you solve circular dependency in CloudFormation?

In this case, we can break the dependency by setting the bucket name on creation, instead of allowing AWS CloudFormation to autogenerate the S3 bucket name. Then we also provide that name to the role, removing the bucket resource reference and thus the dependency loop.

How do you fix cyclic dependency?

There are a couple of options to get rid of circular dependencies. For a longer chain, A -> B -> C -> D -> A , if one of the references is removed (for instance, the D -> A reference), the cyclic reference pattern is broken, as well. For simpler patterns, such as A -> B -> A , refactoring may be necessary.

Why are cyclical dependencies bad?

Cyclic dependencies between components inhibit understanding, testing, and reuse (you need to understand both components to use either). This makes the system less maintainable because understanding the code is harder. Lack of understanding makes changes harder and more error-prone.

What is a circular dependency error in AWS CloudFormation?

Resource A is dependent on Resource B, and Resource B is dependent on Resource A. When AWS CloudFormation assesses that this type of condition exists, you will get a circular dependency error because AWS CloudFormation is unable to clearly determine which resource should be created first.

How to create explicit dependencies between AWS resources?

To create an explicit dependency between resources, you need to select that affected resource and create an addiction to another node that you have to find. Sounds troublesome, isn’t it? Luckily in one of the previous posts, I have explained to you how AWS CDK names particular nodes so you can craft your path. So we need to do the following:

What is the unit of deployment in AWS CDK?

The unit of deployment in the AWS CDK is called a stack. All AWS resources defined within the scope of a stack, either directly or indirectly, are provisioned as a single unit. Because AWS CDK stacks are implemented through AWS CloudFormation stacks, they have the same limitations as in AWS CloudFormation.

How does AWS CloudFormation handle multiple resources in a template?

When you define multiple resources in a template, AWS CloudFormation tries to create those resources in a parallel fashion (for speed) while also trying to extract correct dependencies based on the use of references when necessary. However, you can control resource-creation order by utilizing the DependsOn attribute within a resource.

Video Answer

2 Answers

Circular references are always tricky. This isn't a problem that is unique to the CDK. As you explain the problem logically you see where things start to break down. CloudFormation must create any resources that another resource depends on before it can create the dependent resource. There isn't a one solution fits all approach to this, but I'll give some ideas that work.

  1. Promote shared resources to another stack. In your case the S3 bucket needs to be used by both stacks, so if that is in a stack that runs before both you can create the S3 bucket, use an export/import in stack B to reference the S3 bucket, and use and export/import in stack A to reference both the S3 bucket and the state machine in B.
  2. Use wildcards in permissions. Often you can know the name, or enough of the name, of a resource to use wildcards in your permissions. You want to keep the permissions tightly scoped, but quite often a partial name match is good enough. Use this option with caution, of course. Also keep in mind that many resources can be named by you. Many prefer not to do this ever, and some resources you shouldn't (like and S3 bucket), but I often find it's easier to name things.
  3. Create a custom resource to tie things together. If you have a true circular dependency that cannot be resolved (even in the same stack) you may need to use a custom resource to do the work for you. A prime example of this is S3 bucket events.
like image 85
Jason Wadsworth Avatar answered Sep 17 '22 08:09

Jason Wadsworth

In addition to the guidelines by Jason, I'd like to mention a fourth option:

You can also try to decouple the two stacks by moving more towards an event driven architecture. While you can't resolve the dependency of IAMRole_B needs read permissions on S3Bucket_A in this example, you can resolve the dependency IAMRole_A needs startExecution permissions on StateMachine_B. Stack A could introduce an EventBridge where StateMachine_A raises an event as soon as it is finished. StateMachine_B can subscribe to this event and start as soon as it has been risen. The stacks would look like the following:

Stack_A:
    StateMachine_A
    Event_A
    S3Bucket_A
    IAMRole_A

Stack_B:
    StateMachine_B
    SageMakerTrainJob_B
    IAMRole_B

You would still have two dependencies:

  • IAMRole_B needs read permissions on Event_A.
  • IAMRole_B needs read permissions on S3Bucket_A.
like image 34
Scorpio Avatar answered Sep 18 '22 08:09

Scorpio
Sign in to Comment

Related questions

AWS Aurora server sometimes responds with "Unknown Database: ..."
AWS Spot Instance Limit
Spring JMS listener acknowledging even when exception
ZipArchive::close(): Failure to create temporary file in AWS EC2 Linux
Is it possible to create a Scheduled Rule from CloudWatch for a Lambda State Function Set
Is it possible to use AWS CodePipeline with Lightsail?
AWS API Gateway custom authorizer. How to access principalId in lambda
CloudFormation passing parameters from CodePipeline
Scale up ElasticBeanStalk environment programmatically
How to get the latest lambda version in cloudformation yml?
dynamoDB auto scale is slow
AWS FileSystemCredentials is not a constructor
DynamoDB: Best hash/sort keys for my use case [confusion with AppSync/GraphQL]
Can not access S3 via VPC endpoint in Lambda
Using SAM application how to define body mapping templates
RDS MySQL Storage Full ... When DB usage is low
Unable to access ECR repository from separate account via `docker pull`
Configure AWS Cloud9 to use Anaconda Python Environment
Can't access EKS api server endpoint within VPC when private access is enabled
ALB is not propagating response headers correctly

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!