(route53-patterns): certificate-redirect-stack cannot reference ... Set crossRegionReferences=true to enable cross region references

[andreialecu]

Describe the bug

I'm attempting to remove some deprecation and I set "@aws-cdk/aws-route53-patters:useCertificate": "true" however, I'm running into this error:

Error: Stack "certificate-redirect-stack-c8b5b42c242cdd1d88a8dbbb939528db6298ad5b05" cannot reference {.../...DotAppZone/Resource[Ref]} in stack "...". Cross stack references are only supported for stacks deployed to the same environment or between nested stacks and their parent stack. Set crossRegionReferences=true to enable cross region references

My stack already has crossRegionReferences: true in its props.

Expected Behavior

No error

Current Behavior

See error above

Reproduction Steps

cdk.json:

{
  "app": "npx ts-node bin/cloud-infra.ts",
  "versionReporting": false,
  "context": {
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:stackRelativeExports": "true",
    "@aws-cdk/aws-route53-patters:useCertificate": "true"
  }
}

     new route53patterns.HttpsRedirect(this, "RedirectWwwToNonWww", {
      recordNames: [`www.${domain}`],
      targetDomain: domain,
      zone,
    });

Possible Solution

I noticed that in here:

aws-cdk/packages/aws-cdk-lib/aws-route53-patterns/lib/website-redirect.ts

Lines 134 to 136 in 840ec97

	return certStack ?? new Stack(parent, stackId, {
	env: { region: 'us-east-1', account: stack.account },
	});

there's no crossRegionReferences: true.

That seems suspect; shouldn't that stack also enable cross-region references?

Additional Information/Context

No response

CDK CLI Version

2.130.0

Framework Version

No response

Node.js Version

20

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Can you share more about the details?

Are you trying to build http redirect in a region out of us-east-1? Which region are you deploying? And, can you share more about how you created the stack?

[andreialecu]

Deploying in eu-west-1.

For a while, we've been using the deprecated DnsValidatedCertificate construct and have migrated to the new cross-region certificates instead.

Some warnings remained, and that's because HttpsRedirect still uses DnsValidatedCertificate unless that new flag (@aws-cdk/aws-route53-patters:useCertificate) is enabled.

Enabling this flag was intended to create the certificate in us-east-1 using the new cross-region references functionality, but it appears it isn't working.

I don't see how it would work without crossRegionReferences: true in the new Stack() instantiation.

[andreialecu]

PR that implemented this initially: #23575 (/cc @corymhall)

I believe the integration test may be wrong here: https://github.com/aws/aws-cdk/pull/23575/files#diff-f979b7bb5df1e4840178e9c77eea1a18ccc87711a1dd71bf271d09ab60ec984dR14-R17

It doesn't specifically enable the flag, so it tests the old behavior.

[andreialecu]

Repro:

const app = new App({
  postCliContext: {
    "@aws-cdk/aws-route53-patters:useCertificate": true,
  },
});

const props: StackProps = {
  env: { account: "...", region: "eu-west-1" },
  crossRegionReferences: true,
};

const stack = new Stack(app, "Redirect-Test-Stack", props);
new HttpsRedirect(stack, "redirect", {
  zone: new route53.HostedZone(
    this,
    "HostedZone",
    {
      zoneName: "some.domain",
    },
  ),
  recordNames: [`integ.some.domain`],
  targetDomain: "aws.amazon.com",
});

[andreialecu]

It appears that enabling crossRegionReferences: true, on the certificates construct's stack results in a cyclic reference.

I opened a draft PR here which shows the new error:
#29464

Let's move discussion there.