fix(core): cross-stack references to NestedStack list values produces invalid outputs

[brandondahler]

Issue

Closes #27233.

Reason for this change

Referencing a list attribute of a resource defined within a NestedStack synthesizes successfully but the nested stack will fail deployment with the error:

Template format error: Every Value member must be a string.

This prevents deploying resources into a NestedStack instance if a reference to one of that resource's list attribute exists within a cross-stack context. For example, deploying a InterfaceVpcEndpoint instance in a nested stack and attempting to reference its vpcEndpointDnsEntries property within a different stack will cause this error.

See new integration test at packages/@aws-cdk-testing/framework-integ/test/core/test/integ.nested-stack-references.ts for minimal reproduction.

Description of changes

A similar strategy to exportStringListValue is used to serialized the reference's values into a string and expose that value as the output from the nested stack. The reference to the serialized value is then made exportable as normally needed to hoist it to the top-level parent stack. The final reference that imports the value is then re-written to also deserialize the imported string back to the original list.

The return types of some internal methods were modified to handle the fact that core/lib/private/refs.ts's getExportable no longer necessarily returns a Reference. This was needed because an exportable may now be a value derived from a reference instead of only a direct reference.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

• Added unit test to verify low-level operation
• Added integration test to verify high-level behavior and deploy-ability
  • Executed integration test within a personal account to verify success

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[nmussy]

Mostly nits about coverage, LGTM overall though 👍

[nmussy]

LGTM, thanks for the changes

[kaizencc]

sorry for the super late review @brandondahler. my main concern is the change between Reference and Intrinsic. Let's figure that out, and then I'm happy to send this one into main!

[kaizencc]

why are we returning an Intrinsic here? it should be a Reference right.

[brandondahler]

We have to use Intrinsic here because we're reversing the tokenized list via Fn.split (line 354). We're having to use Fn.split because we're having to do a join when creating the output within the nested stack since the output cannot be a list.

Prior to this update, the values returned from here were only able to reference strings and therefore were just outer stack Reference's to the nested stack's resource attribute. After this update, the values returned from here may either reference a string or a list. In the list case, it is an implementation detail of this method that we're having to re-split the Reference on the nested stack's resource out to its list representation again (and therefore are returning an Intrinsic instead).

Ultimately the choice from a type perspective was either returning an Intrinsic or an IResolvable, either would be correct per the type hierarchies involved.

[kaizencc]

i understand that this is a private function but I am concerned about the downgrade from returning a Reference to an Intrinsic. i want to learn more about why thats something you've deemed necessary.

[brandondahler]

This ultimately changed because referenceNestedStackValueInParent changed, see that comment for more details. TL;DR Fn.split returns an Intrinsic (not a Reference) when untokenized.

[kaizencc]

Thanks @brandondahler!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[brandondahler]

@Mergifyio requeue

[mergify]

requeue

❌ Command disallowed due to command restrictions in the Mergify configuration.

Details

• sender-permission >= write

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8968e4a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.