fix(core): message including tokens from annotations cannot output correctly (#33706)

go-to-k · web-flow · commit 55a3c4caefdb · 2025-03-12T17:10:32.000Z
### Issue # (if applicable) Closes #33707 ### Reason for this change If a stack with name 'some-stack' includes an info annotation ```ts Annotations.of(this).addInfo(`stackId: ${this.stackId}`); ``` then the following output results: ``` [Info at /some-stack] [object Object] ``` That's because data comes from Annotations and the data can be of object type containing 'Fn::Join' or 'Ref' when tokens are included in Annotations. The issue mentioned a proposal to output the data in the form of tokens like `[Info at /CdkSampleStack] ${Token[AWS::StackId.1116]}`. ### Description of changes **Approach 1** for now. (I am still wondering if approach 3 would be better...) See below: ### Approach 1 The PR makes messages with tokens by annotations unresolved. #### NOTE This change would also output a token format in `manifest.json`. **If users run integ tests with annotations including tokens, the manifest.json would change for every run.** (like `${Token[AWS::StackId.1119]}` -> `${Token[AWS::StackId.123]}` -> `${Token[AWS::StackId.521]}` -> ...) ```json { // ... "CdkSampleStack": { // ... "metadata": { "/CdkSampleStack": [ { "type": "aws:cdk:info", "data": "stackId: ${Token[AWS::StackId.1119]}", ``` ### Approach 2 Change the type for the `msg.entry.data` (`MetadataEntryData` for `MetadataEntry`) to a string type with `JSON.stringify` if the type is an objective type in cdk-cli. https://github.com/aws/aws-cdk-cli/blob/cdk%40v2.1003.0/packages/%40aws-cdk/toolkit-lib/lib/toolkit/toolkit.ts#L771 Then I had submitted the [PR](aws/aws-cdk-cli#101) in aws-cdk-cli. But talked with Rico that the change should be made inside cdk-lib and leave the token unrendered. aws/aws-cdk-cli#101 (comment) ### Approach 3 Change the data type to a string type after resolve if the data is by annotations with tokens. This approach doesn't make differences in manifest.json for every run and the original format (with 'Ref' or 'Fn::Join') is kept. However, the issue for this PR and comments in the PR submitted (aws-cdk-cli) has proposed the approach with unresolved tokens, I decided the approach 1 for now. 63fd78b ```ts if (node.node.metadata.length > 0) { // Make the path absolute output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => { const resolved = stack.resolve(md) as cxschema.MetadataEntry; const isAnnotation = [ cxschema.ArtifactMetadataEntryType.ERROR, cxschema.ArtifactMetadataEntryType.WARN, cxschema.ArtifactMetadataEntryType.INFO, ].includes(md.type as cxschema.ArtifactMetadataEntryType); // Transform the data to a string for the case where Annotations include a token. // Otherwise, the message is resolved and output as `[object Object]` after synth // because the message will be object type using 'Ref' or 'Fn::Join'. const mdWithStringData: cxschema.MetadataEntry = { ...resolved, data: (isAnnotation && typeof resolved.data === 'object') ? JSON.stringify(resolved.data) : resolved.data, }; return mdWithStringData; }); } ``` This approach outputs the message as the following style: ``` {"Fn::Join":["",["Cannot add a resource policy to your dead letter queue associated with rule ",{"Ref":"Rule4C995B7F"}," because the queue is in a different account. You must add the resource policy manually to the dead letter queue in account 444455556666. [ack: @aws-cdk/aws-events-targets:manuallyAddDLQResourcePolicy]"]]} ``` ### Additional Information see: #33707 (comment) aws/aws-cdk-cli#101 (comment) ### Describe any new or updated permissions being added ### Description of how you validated changes Unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-events-targets/test/lambda/lambda.test.ts b/packages/aws-cdk-lib/aws-events-targets/test/lambda/lambda.test.ts
@@ -320,13 +320,9 @@ test('must display a warning when using a Dead Letter Queue from another account
 
   Template.fromStack(stack1).resourceCountIs('AWS::SQS::QueuePolicy', 0);
 
-  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', Match.objectLike({
-    'Fn::Join': Match.arrayWith([
-      Match.arrayWith([
-        'Cannot add a resource policy to your dead letter queue associated with rule ',
-      ]),
-    ]),
-  }));
+  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', Match.stringLikeRegexp(
+    'Cannot add a resource policy to your dead letter queue associated with rule \\${Token\\[TOKEN\\.[0-9]+\\]} because the queue is in a different account\\. You must add the resource policy manually to the dead letter queue in account 444455556666\\. \\[ack: @aws-cdk/aws-events-targets:manuallyAddDLQResourcePolicy\\]',
+  ));
 });
 
 test('specifying retry policy', () => {
diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts
@@ -254,22 +254,7 @@ describe('function', () => {
 
       expect(getWarnings(app.synth())).toEqual([
         {
-          message: {
-            'Fn::Join': [
-              '',
-              [
-                'addPermission() has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=',
-                {
-                  Ref: 'AWS::Region',
-                },
-                ', account=',
-                {
-                  Ref: 'AWS::AccountId',
-                },
-                '. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment]',
-              ],
-            ],
-          },
+          message: expect.stringMatching(/^addPermission\(\) has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=\${Token\[AWS\.Region\.\d+]}, account=\${Token\[AWS\.AccountId\.\d+]}. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes\(\) if you would like to add the permissions\. \[ack: UnclearLambdaEnvironment]$/),
           path: '/Default/Imported',
         },
       ]);
diff --git a/packages/aws-cdk-lib/aws-s3-notifications/test/queue.test.ts b/packages/aws-cdk-lib/aws-s3-notifications/test/queue.test.ts
@@ -109,15 +109,7 @@ test('if the queue is encrypted with a imported kms key, printout warning', () =
 
   bucket.addObjectCreatedNotification(new notif.SqsDestination(queue));
 
-  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', `Can not change key policy of imported kms key. Ensure that your key policy contains the following permissions: \n${JSON.stringify({
-    Action: [
-      'kms:GenerateDataKey*',
-      'kms:Decrypt',
-    ],
-    Effect: 'Allow',
-    Principal: {
-      Service: 's3.amazonaws.com',
-    },
-    Resource: '*',
-  }, null, 2)} [ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded]`);
+  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', Match.stringLikeRegexp(
+    'Can not change key policy of imported kms key\\. Ensure that your key policy contains the following permissions: \\n\\{\\n  "Action": \\[\\n    "kms:GenerateDataKey\\*",\\n    "kms:Decrypt"\\n  \\],\\n  "Effect": "Allow",\\n  "Principal": \\{\\n    "Service": "\\${Token\\[s3\\.amazonaws\\.com\\.[0-9]+\\]}"\\n  \\},\\n  "Resource": "\\*"\\n\\} \\[ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded\\]',
+  ));
 });
diff --git a/packages/aws-cdk-lib/aws-s3/test/notification.test.ts b/packages/aws-cdk-lib/aws-s3/test/notification.test.ts
@@ -162,9 +162,13 @@ describe('notification', () => {
     });
 
     // THEN - Following is warning thrown as a part of fix in : https://github.com/aws/aws-cdk/pull/31212
-    const warningMessage = { 'Fn::Join': ['', ["Can't combine imported IManagedPolicy: arn:", { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch. Use ManagedPolicy directly. [ack: @aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy]']] };
-    const warningFromStack = Annotations.fromStack(stack).findWarning('*', {});
-    expect(warningFromStack[0].entry.data).toEqual(warningMessage);
+    const warningMessage = /Can't combine imported IManagedPolicy: arn:\${Token\[AWS\.Partition\.\d+\]}:iam::aws:policy\/service-role\/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch\. Use ManagedPolicy directly\. \[ack: @aws-cdk\/aws-iam:IRoleCantBeUsedWithIManagedPolicy\]/;
+    const warningFromStack = Annotations.fromStack(stack).findWarning('*',
+      Match.stringLikeRegexp(
+        '@aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy',
+      ),
+    );
+    expect(warningFromStack[0].entry.data).toEqual(expect.stringMatching(warningMessage));
   });
 
   test('If `Role` is provided, PutBucketNotification, GetBucketNotification will be added along with `service-role/AWSLambdaBasicExecutionRole`', () => {
diff --git a/packages/aws-cdk-lib/core/lib/stack-synthesizers/_shared.ts b/packages/aws-cdk-lib/core/lib/stack-synthesizers/_shared.ts
@@ -100,7 +100,23 @@ function collectStackMetadata(stack: Stack) {
 
     if (node.node.metadata.length > 0) {
       // Make the path absolute
-      output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => stack.resolve(md) as cxschema.MetadataEntry);
+      output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => {
+        // If Annotations include a token, the message is resolved and output as `[object Object]` after synth
+        // because the message will be object type using 'Ref' or 'Fn::Join'.
+        // It would be easier for users to understand if the message from Annotations were output in token form,
+        // rather than in `[object Object]` or the object type.
+        // Therefore, we don't resolve the message if it's from Annotations.
+        if ([
+          cxschema.ArtifactMetadataEntryType.ERROR,
+          cxschema.ArtifactMetadataEntryType.WARN,
+          cxschema.ArtifactMetadataEntryType.INFO,
+        ].includes(md.type as cxschema.ArtifactMetadataEntryType)) {
+          return md;
+        }
+
+        const resolved = stack.resolve(md);
+        return resolved as cxschema.MetadataEntry;
+      });
     }
 
     for (const child of node.node.children) {
diff --git a/packages/aws-cdk-lib/core/test/annotations.test.ts b/packages/aws-cdk-lib/core/test/annotations.test.ts
@@ -129,4 +129,22 @@ describe('annotations', () => {
     // THEN
     expect(getWarnings(app.synth())).toEqual([]);
   });
+
+  test('don\'t resolve the message if tokens are included', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'S1');
+    const c1 = new Construct(stack, 'C1');
+
+    // WHEN
+    Annotations.of(c1).addWarningV2('MESSAGE', `stackId: ${stack.stackId}`);
+
+    // THEN
+    expect(getWarnings(app.synth())).toEqual([
+      {
+        path: '/S1/C1',
+        message: expect.stringMatching(/stackId: \${Token\[AWS::StackId\.\d+\]} \[ack: MESSAGE\]/),
+      },
+    ]);
+  });
 });
