[aws-eks]: Allow creating masters role in stacks other than the cluster stack

[fspaniol]

I'm trying to create a role in a different stack and add it to the cluster using awsAuth methods. However, I get an error message stating the following:

Error: RoleStack/Role should be defined in the scope of the EKSCluster stack to prevent circular dependencies

I tried to work around it by using eks.Cluster.fromClusterAttributes but it returns an iCluster instead of a Cluster which does not contain awsAuth.

Reproduction Steps

import * as eks from "@aws-cdk/aws-eks";
import * as iam from "@aws-cdk/aws-iam";
import * as cdk from "@aws-cdk/core";

export class EKSCluster extends cdk.Stack {
  public eksCluster: eks.Cluster;

  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    this.eksCluster = new eks.Cluster(this, "EKSCluster", {
      version: eks.KubernetesVersion.V1_18,
    });
  }
}

export class RoleStack extends cdk.Stack {
  constructor(
    scope: cdk.Construct,
    id: string,
    props: cdk.StackProps & { cluster: eks.Cluster }
  ) {
    super(scope, id, props);

    const user = new iam.User(this, "User");
    const role = new iam.Role(this, "Role", {
      assumedBy: user,
    });

    const cluster = eks.Cluster.fromClusterAttributes

    props.cluster.awsAuth.addMastersRole(role);
  }
}

const app = new cdk.App();
const eksCluster = new EKSCluster(app, "EKSCluster");
new RoleStack(app, "RoleStack", { cluster: eksCluster.eksCluster });

What did you expect to happen?

I expected to be able to configure the awsAuth in a different stack than the one where the cluster was created

What actually happened?

I got a circular dependency error

Environment

• CDK CLI Version : 1.91.0
• Framework Version: 1.91.0
• Node.js Version: 12.20.1
• OS : Mac
• Language (Version): TypeScript

Other

This related to #8884

---

This is 🐛 Bug Report

[iliapolo]

@fspaniol Thanks for reporting this.

Actually what you're seeing is not a circular dependency problem, but rather a validation (limitation) we put in place to prevent possible circular dependencies.

The main issue is that once the RoleStack uses some runtime property from the cluster, an actual circular dependency will be created that is hard to untangle and debug.

Having said that, we acknowledge that this might be too restrictive, and in your use-case, it actually prevents a would be successful deployment. (More details here)

I'll mark this as a feature request to be more targeted with this limitation.

[fspaniol]

Hi, thanks a lot for the explanation @iliapolo, so, currently the only solution would be to have both the Role and the Cluster be defined in the same stack?

[iliapolo]

Thats right.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[a-patel]

I am also facing a similar error when I have EksCluster created in a separate stack and make Nodegroup in a different stack for that cluster.

[iantcrg]

I am facing this issue, having one stack that creates the cluster, and another, dependent stack, create the node groups. Is there any traction here?