
fix(core): share a single IAM role across cross-account Fn::GetStackOutput consumers#37871

Merged
mergify[bot] merged 3 commits into main from otaviom/multi-consumer on May 15, 2026

Conversation

@otaviomacedo (Contributor)

For cross-account references, the producer creates one role per reference.

Change it to create a single IAM role with all consumer principals in its trust policy. The role and policy construct IDs are now stable (GetStackOutputRole / GetStackOutputPolicy) rather than derived from each reference's resolved value, ensuring idempotent construct creation. The trust policy uses Lazy.any to defer principal resolution, accumulating consumers as references are discovered.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

…utput consumers

- When multiple consumer stacks in different accounts reference the same
  producer via Fn::GetStackOutput, the producer now creates a single IAM role
  with all consumer principals in its trust policy, instead of one role per
  reference.
- The role and policy construct IDs are now stable (GetStackOutputRole /
  GetStackOutputPolicy) rather than derived from each reference's resolved
  value, ensuring idempotent construct creation.
- The trust policy uses Lazy.any to defer principal resolution, accumulating
  consumers as references are discovered.

Test plan

- Unit test: multiple consumers produce a single role with multiple principals
  in the trust policy
- Unit test: single consumer with multiple attribute references produces a
  single principal (not an array)
- Existing cross-region and cross-account reference tests continue to pass
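The single, lazily accumulated trust policy the PR describes, as an added stand-alone model rather than the CDK's own implementation; it assumes a fictional ProducerStack class, models Lazy.any with a closure, and covers both test-plan cases (one consumer with several attribute references, and several consumers):

```typescript
// Added example, not the CDK's own code: a stand-alone model of the trust-policy
// accumulation this PR describes. aws-cdk-lib is not used; Lazy.any is modelled
// with a closure so the block runs offline, and the class name is illustrative.
interface TrustPolicy {
  Version: string;
  Statement: { Effect: string; Action: string; Principal: { AWS: string | string[] } }[];
}
interface RoleConstruct {
  id: string;
  trustPolicy: () => TrustPolicy; // deferred, like Lazy.any
}

class ProducerStack {
  private readonly constructs = new Map<string, RoleConstruct>();
  // Consumer principals discovered so far; a Set keeps repeat references from
  // the same consumer account from duplicating the principal.
  private readonly consumerPrincipals = new Set<string>();

  // Called once per Fn::GetStackOutput reference. The construct ID is the fixed
  // string "GetStackOutputRole", so every call returns the same role instead of
  // creating one role per resolved reference value.
  addConsumerReference(consumerAccount: string): RoleConstruct {
    this.consumerPrincipals.add(`arn:aws:iam::${consumerAccount}:root`);
    const id = "GetStackOutputRole";
    let role = this.constructs.get(id);
    if (role === undefined) {
      role = { id, trustPolicy: () => this.renderTrustPolicy() };
      this.constructs.set(id, role);
    }
    return role;
  }
  roleCount(): number {
    return this.constructs.size;
  }
  // Evaluated at synthesis time, after all references have been added. One
  // consumer renders as a bare ARN string, several as an array (the distinction
  // the PR's unit tests check); only the listed accounts may assume the role.
  private renderTrustPolicy(): TrustPolicy {
    const arns = Array.from(this.consumerPrincipals).sort();
    return {
      Version: "2012-10-17",
      Statement: [{
        Effect: "Allow",
        Action: "sts:AssumeRole",
        Principal: { AWS: arns.length === 1 ? String(arns[0]) : arns },
      }],
    };
  }
}
```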
@otaviomacedo otaviomacedo requested a review from a team as a code owner May 14, 2026 09:18
@github-actions github-actions Bot added the p2 label May 14, 2026
@mergify mergify Bot added the contribution/core This is a PR that came from AWS. label May 14, 2026
@mergify mergify Bot temporarily deployed to automation May 14, 2026 09:19 Inactive
@github-actions (Contributor)

⚠️ This pull request description does not follow the correct template structure.

PRs without a linked issue will receive lower priority for review and merging. Please update the description to follow the PR template and include a line like Closes #123 in the Issue section. If no existing issue matches your change, create one first.

@aws-cdk-automation (Collaborator) left a comment

(This review is outdated)

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label May 14, 2026
@otaviomacedo otaviomacedo added pr-linter/exempt-integ-test The PR linter will not require integ test changes and removed pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. labels May 14, 2026
@aws-cdk-automation aws-cdk-automation dismissed their stale review May 14, 2026 09:41

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions (Contributor)

github-actions Bot commented May 14, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results | 96 ran, 96 passed | |
Test result: no test annotations available

@github-actions (Contributor)

github-actions Bot commented May 14, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results with resolved templates | 96 ran, 96 passed | |
Test result: no test annotations available

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2026
@otaviomacedo otaviomacedo removed the pr-linter/exempt-integ-test The PR linter will not require integ test changes label May 14, 2026
@mergify (Contributor)

mergify Bot commented May 15, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify (Contributor)

mergify Bot commented May 15, 2026

Merge Queue Status

  • Entered queue: 2026-05-15 14:01 UTC · Rule: default-squash
  • Checks passed · in-place
  • Merged: 2026-05-15 14:49 UTC · at c07f626efd1f35053f898ccf7de079e73de441f8 · squash

This pull request spent 47 minutes 34 seconds in the queue, including 46 minutes 42 seconds running CI.

Required conditions to merge

@mergify mergify Bot temporarily deployed to automation May 15, 2026 14:02 Inactive
@mergify mergify Bot merged commit fee8b90 into main May 15, 2026
24 of 25 checks passed
@mergify mergify Bot deleted the otaviom/multi-consumer branch May 15, 2026 14:49
@github-actions (Contributor)

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 15, 2026
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 15, 2026