Using a named resource in another resource provisioner

[jasondbaker]

Describe the bug

I don't seem able to use a named resource in another resource provisioner. I don't know if this is by design or my implementation error. How can we reference resources created by one resource provider in another resource provider?

Expected Behavior

I would expect to be able to import a resource, like a KMS key, and be able to use it in another resource provisioner to create an encrypted resource.

Current Behavior

The CDK synth process generates an error:

  Error: Resolution error: Trying to resolve() a Construct at ..........

Reproduction Steps

I created a KMS key resource using a resource provider and LookupKmsKeyProvider method. I then tried to reference this resource as a named resource in a custom resource provider which creates a secret in secrets manager. My goal was to use the KMS key to encrypt the secret.

   blueprints.EksBlueprint.builder()
   .resourceProvider(
    blueprints.GlobalResources.KmsKey,
    new blueprints.LookupKmsKeyProvider(config.resources.myKmsKeyAlias),
  )
  .resourceProvider(
    "my-secret",
    new CreateSecretProvider("my-secret", "this is a secret description"),
  )

And here is my custom secrets provider where I'm creating a secret and expecting to be able to use the KMS key. I'm using the blueprints.getNamedResource method to try to retrieve the key.

import * as blueprints from "@aws-quickstart/eks-blueprints";
import { Secret } from "aws-cdk-lib/aws-secretsmanager";
import { IKey } from "aws-cdk-lib/aws-kms";

export class CreateSecretProvider implements blueprints.ResourceProvider<Secret> {
  constructor(
    private readonly secretName: string,
    private readonly description?: string,
  ) {}

  provide(context: blueprints.ResourceContext): Secret {
    const kmsKey = blueprints.getNamedResource(blueprints.GlobalResources.KmsKey) as IKey;

    return new Secret(context.scope, this.secretName, {
      secretName: this.secretName,
      description: this.description,
      encryptionKey: kmsKey,
    });
  }
}

I've tried different ways to use the key. The problem I keep running into when doing a cdk synth is an error like:

Error: Resolution error: Trying to resolve() a Construct at ..........

The eks blueprint is a bit of a black box for me so I don't understand what's going on behind the scenes to generate these constructs.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.173.4

EKS Blueprints Version

1.16.3

Node.js Version

18.x

Environment details (OS name and version, etc.)

Linux

Other information

No response

[shapirov103]

@jasondbaker in your use case please use the provided resource context as opposed to the named resource.

export class CreateSecretProvider implements blueprints.ResourceProvider<Secret> {
  constructor(
    private readonly secretName: string,
    private readonly description?: string,
  ) {}

  provide(context: blueprints.ResourceContext): Secret {
    const kmsKey = context.get(blueprints.GlobalResources.KmsKey) as IKey; // this is the change

    return new Secret(context.scope, this.secretName, {
      secretName: this.secretName,
      description: this.description,
      encryptionKey: kmsKey,
    });
  }
}

The getNamedResource approach is used to pass resources to the clusterProvider, addons and teams. However, now that I observe this usage, I think it reasonable to adjust the framework to handle this case. getNamedResource and getResource generate a dynamic proxy that is resolved at runtime for blueprint creation, however that resolution happens after all resources are instantiated, hence your exception.

Also you may want to avoid using blueprints.GlobalResources.KmsKey for your KMS key, unless you also want to use the same key for secrets encryption in the cluster.
You can pass any string like my-kms-key and then use resourceContext.get('my-kms-key'). You may also want to pass the resource name in the constructor to the CreateSecretProvider.