core: Custom::CrossRegionExportWriter fails with InvalidResourceId: UnknownError

[JonWallsten]

Describe the bug

I'm using crossRegionReferences to use my Hosted Zone created in region eu-west-1 for my Certificate created in us-east-1 but the exported value is never created and fails with InvalidResourceId: UnknownError when I deploy. Downgrading to 2.69 fixes the issue.

Expected Behavior

The deploy should work without any errors. The SSM parameter should be created.

Current Behavior

The deploy fails with the following error:

Error processing event:  InvalidResourceId: UnknownError
    at deserializeAws_json1_1InvalidResourceIdResponse (/var/runtime/node_modules/@aws-sdk/client-ssm/dist-cjs/protocols/Aws_json1_1.js:7669:23)
    at deserializeAws_json1_1ListTagsForResourceCommandError (/var/runtime/node_modules/@aws-sdk/client-ssm/dist-cjs/protocols/Aws_json1_1.js:5473:25)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20
    at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
    at async isInUse (/var/task/index.js:5:87)
    at async /var/task/index.js:3:932
    at async Promise.all (index 0) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: 'ff52df1c-c7bd-44cd-8c70-9ef10075ef40',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  __type: 'InvalidResourceId'
}

CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored

Request:

{
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:eu-west-1:***:function:HostedZoneStack-CustomCrossRegionExportWriterCusto-oj2kKqRu7LRG",
    "ResponseURL": "...",
    "StackId": "arn:aws:cloudformation:eu-west-1:***:stack/HostedZoneStack/c980a370-20be-11ee-b44d-0a884cc475df",
    "RequestId": "ae7984ed-4a67-4ed4-b3df-6c60d1d23889",
    "LogicalResourceId": "ExportsWriteruseast10F67B507DDE2E818",
    "ResourceType": "Custom::CrossRegionExportWriter",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:eu-west-1:***:function:HostedZoneStack-CustomCrossRegionExportWriterCusto-oj2kKqRu7LRG",
        "WriterProps": {
            "exports": {
                "/cdk/exports/CertificateWAF2Stack/HostedZoneStackeuwest1RefHoztedZoneStackHostedZone662869C91D9E1585": "Z0515350ARL1Q47HQ75Z"
            },
            "region": "us-east-1"
        }
    }
}

Reproduction Steps

const hostedZoneStack = new HoztedZoneStack(app, 'HostedZoneStack', {
    zoneName: AWS_DOMAIN,
    env: AWS_ENV,
    crossRegionReferences: true
});

const certificateStack = new CertificateWaf2Stack(app, 'CertificateWAF2Stack', {
    domainName: AWS_DOMAIN,
    hostedZone: hostedZoneStack.hostedZone,
    aclName: ACL_NAME,
    wafScope: WAF_SCOPE,
    env: AWS_ENV_GLOBAL,
    crossRegionReferences: true
});

import { Stack, StackProps, Tags } from 'aws-cdk-lib';
import { HostedZone } from 'aws-cdk-lib/aws-route53';
import { Construct } from 'constructs';

type Props = StackProps & {
    zoneName: string;
};

export class HoztedZoneStack extends Stack {
    public readonly hostedZone: HostedZone;

    constructor(scope: Construct, id: string, props: Props) {
        super(scope, id, props);

        this.hostedZone = new HostedZone(this, 'HoztedZoneStackHostedZone', {
            zoneName: props.zoneName
        });

        // Add tags
        Tags.of(this.hostedZone).add('Name', props.zoneName);
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.87.0

Framework Version

No response

Node.js Version

18.14.1

OS

Windows 10 x64

Language

Typescript

Language Version

5.1.6

Other information

No response

[pahud]

Does this error come from CertificateWaf2Stack?

Can you share the content of CertificateWaf2Stack?

Same issue here, entirely not related to Route53 or ACM/WAF/Whatever CertificateWaf2Stack contains. Ran into it when trying to deploy a VPC that is set to crossRegionReferences: true.

Using the stack as follows:

const vpcStack = new VpcStack(stack, "VpcStack", {
    env,
    stage,
    projectName,
    crossRegionReferences: true
});

Contents of stack:

constructor(scope: Stack, id: string, props: ICustomProps) {
    super(scope, `${id}-${props.stage}-${props.projectName}`, props);
    const { stage, projectName } = props;
    Tags.of(this).add("stage", stage);

    this.vpc = new ec2.Vpc(this, "Vpc", {
      maxAzs: 2,
      vpcName: "vpc-test",
      natGateways: 1,
      ipAddresses: ec2.IpAddresses.cidr("10.0.0.0/16"),
      enableDnsHostnames: true,
      enableDnsSupport: true,
      subnetConfiguration: [
        {
          cidrMask: 20,
          name: "Public",
          subnetType: ec2.SubnetType.PUBLIC
        },
        {
          cidrMask: 20,
          name:  "Private",
          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
        },
        {
          cidrMask: 20,
          name: "Data",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED
        }
      ],
    });
    
// Some interface endpoints here as well, mostly to do with ECS and SSM
}

Error was exactly the same:
Error processing event: InvalidResourceId: UnknownError
without any other information to pinpoint the issue.

Edit: Wanted to mention that I reverted to 2.80 (just randomly chosen between 2.77 and 2.87) and that worked fine with the same setup.

[JonWallsten]

@pahud: The error is from HostedZoneStack, it's trying to create a value FOR the CertificateWaf2Stack if I understand the flow correctly. I could probably replace CertificateWaf2Stack with any other stack that uses the hostedZoneStack.hostedZone as an import. The error is generated even if I only deploy the HostedZoneStack.
Can I provide you with any other information?

[aleksey-zikrackiy]

FYI
Hey there! I have the same issue when trying to set up Vpc Peering :)