No longer accessing another stack's resource causes deadly embrace

[mcalello]

CDK's automatic determination and synthesis of exports to imports can get locked into a deadly embrace that cannot be resolved without destroying your stacks.

Reproduction Steps

Stack1 creates a common Security Group, sg1.
Stack2 uses sg1.

CDK's automatic determination and synthesis described here, will generate an export output from Stack1 for sg1 and an Fn:ImportValue into Stack2.

Then you deploy these stacks.

Later, you decide that Stack2 really needs it's own more specific Security Group, so you create it's own sg2. Again, CDK's automatic determination and synthesis realizes that sg1 is no longer referenced by Stack2 (or any other stack) and attempts to delete the Export of sg1 from Stack1.

This will fail and cannot be deployed.

CloudFormation will be prevented from deleting sg1 as an export from Stack1 since it is currently being used as an Import in the (existing) Stack2. Ironically, you were trying to update Stack2 to no longer reference Stack1's sg1.

Error Log

UPDATE_ROLLBACK_IN_P | AWS::CloudFormation::Stack  | Stack1 Export Stack1:ExportsOutputFnGetAtt-sg1-C785ABD5GroupId30372C66 cannot be deleted as it is in use by Stack2

Environment

• **CLI Version : aws-cli/1.16.223 Python/3.7.4 Darwin/18.7.0 botocore/1.12.213
• **Framework Version: 1.34.1 (build 7b21aa0)
• **OS : macOS 10.14.6
• **Language : Python3

Other

---

This is 🐛 Bug Report

[austinbv]

I have a bit more code to support this as you create a circular reference that ends up meaning NO changes can be made without deleting an entire stack

export class StackA extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    new Instance(this, "instance1", {
      allowAllOutbound: true,
      machineImage: MachineImage.genericLinux({
        "us-east-2": "ami-*****",
      }),
      blockDevices: [
        { deviceName: "/dev/sda1", volume: mainVolume },
        { deviceName: "/dev/sdm", volume: largeVolume },
      ],
      vpc,
      instanceType: InstanceType.of(InstanceClass.M5A, InstanceSize.XLARGE2),
    });

    new IamStack(this, "IAM stack", {
      instances: [instance],
      env: props?.env,
    });
  }
}

interface IamStackProps extends StackProps {
  instances: IInstance[];
}

export class IamStack extends Stack {
  constructor(scope: Construct, id: string, props: IamStackProps) {
    // ...
    this.group.addToPolicy(
      new PolicyStatement({
        actions: ["ec2-instance-connect:SendSSHPublicKey"],
        effect: Effect.ALLOW,
        resources: props.instances.map(this.buildArn),
      })
    );
    // ...
  }
  private buildArn(instance: IInstance): string {
    return `arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:instance/${instance.instanceId}`;
  }
}

No change can be made to the instance resource that would require it to recreate (update the AMI). And no change can be made to the Policy statement (including deleting it).

The error is StackA Export StackA:ExportsOutputRefinstance4096131FFAFEED01 cannot be deleted as it is in use by IAMstackF7BED611

The only want to solve this problem is to delete the dependent stack. Deploy the parent stack. Add back the dependent stack.

[austinbv]

so I found a way around this.

If you are updating the child stack you can deploy with the -e tag not deploy the parent stack.

If you are changing the parent stack it's a 2 step process.

1. Remove the dependency on the parent stack. In my case it was remove the PolicyStatement

export class IamStack extends Stack {
  constructor(scope: Construct, id: string, props: IamStackProps) {
    // ...
   // this.group.addToPolicy(
    //  new PolicyStatement({
    //    actions: ["ec2-instance-connect:SendSSHPublicKey"],
    //    effect: Effect.ALLOW,
    //    resources: props.instances.map(this.buildArn),
    //  })
    //);
    // ...
  }
  private buildArn(instance: IInstance): string {
    return `arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:instance/${instance.instanceId}`;
  }
}

Then deploy the IAMStack with the -e tag.

2. Change the parent ami and uncomment the IAMStack and deploy the whole stack.

[eladb]

We are aware of this issue (duplicate #3414), but I am not sure exactly what we can do about it. Any ideas?

[austinbv]

Our solution is to deploy the substack with the -e flag then deploy the parent stack.

Even some documentation around that would be stronger than just two immutable stacks. Could you always update leaf nodes first, then update the full stack again