
aws:ecs: fromSecretsManager causing cyclic dependency when secret creation is done in a separate stack #26511

Closed
surecloud-Awalia opened this issue Jul 26, 2023 · 2 comments
Labels
@aws-cdk/aws-ecs Related to Amazon Elastic Container bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments


surecloud-Awalia commented Jul 26, 2023

Describe the bug

As per best practices, we have the Secrets Manager secret creation in a different stack, and we want to use this secret as an environment variable for an ECS task, when this ECS task and its related task execution role are created in a different stack.

Expected Behavior

Stacks are created successfully.

Current Behavior

Error: secret stack depends on ecs stack. secret stack -> ecs stack/task execution role. adding this dependency will would create a cyclic reference.

Since we want the secret stack to be created first and then pass the secret to the ECS stack, we get a cyclic dependency when we try to set the secret as an env variable, because the function tries to add a policy to the secret's KMS key which allows the ECS task's execution role to access the secret.

Reproduction Steps

import { App, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import { Key } from 'aws-cdk-lib/aws-kms';
import { ISecret, Secret } from 'aws-cdk-lib/aws-secretsmanager';

// secret stack

export interface SecretStackProps extends StackProps {
    readonly zoneName: string;
}

export class SecretStack extends Stack {
    // keyed by the name the ECS container will use for the secret
    readonly ecsSecrets: Map<string, ISecret>;

    constructor(scope: Construct, id: string, props: SecretStackProps) {
        super(scope, id, props);
        const secretKmsKey = new Key(this, 'secret-kms-key');
        const mySecret = new Secret(this, `${id}-ecs-secret`, {
            encryptionKey: secretKmsKey,
            generateSecretString: {
                generateStringKey: 'client_secret',
                secretStringTemplate: JSON.stringify({
                    string_1: `https://auth.${props.zoneName}`,
                    client_id: 'change_me',
                }),
            },
        });
        this.ecsSecrets = new Map<string, ISecret>([['mySecret', mySecret]]);
    }
}

// secret being used in ecs stack

export interface EcsStackProps extends StackProps {
    readonly ecsSecrets: Map<string, ISecret>;
}

export class EcsStack extends Stack {

    constructor(scope: Construct, id: string, props: EcsStackProps) {
        super(scope, id, props);

        // The task definition and its execution role are created in this stack.
        // Adding the container is what makes fromSecretsManager() grant the
        // execution role read access to the secret (and decrypt on its KMS key).
        const taskDefinition = new ecs.FargateTaskDefinition(this, 'task');
        taskDefinition.addContainer('app', {
            image: ecs.ContainerImage.fromRegistry('placeholder/image:latest'), // placeholder image
            secrets: Object.fromEntries(this.convertSecretToECSSecret(props.ecsSecrets)),
        });
    }

    private convertSecretToECSSecret(secretsManagerSecretMap: Map<string, ISecret>): Map<string, ecs.Secret> {
        const ecsSecretMap = new Map<string, ecs.Secret>();
        secretsManagerSecretMap.forEach((secretValue, secretKey) =>
            ecsSecretMap.set(secretKey, ecs.Secret.fromSecretsManager(secretValue)),
        );
        return ecsSecretMap;
    }
}

// app wiring (classes must be declared before they are instantiated)

const app = new App();
// sample values; the report does not show where these come from
const environmentName = 'dev';
const environment = { region: 'eu-west-1', zoneName: 'example.com' };

const secretStack = new SecretStack(app, `${environmentName}-secret`, {
    env: { region: environment.region },
    zoneName: environment.zoneName,
});

const ecsStack = new EcsStack(app, `${environmentName}-ecs`, {
    env: { region: environment.region },
    ecsSecrets: secretStack.ecsSecrets,
});

Possible Solution

An option where the fromSecretsManager function takes an optional parameter that lets us choose whether or not to create the policy statement for the KMS key automatically.

Additional Information/Context

No response

CDK CLI Version

2.85.0

Framework Version

No response

Node.js Version

18.16.0

OS

Windows 10

Language

Typescript

Language Version

No response

Other information

No response

@surecloud-Awalia surecloud-Awalia added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 26, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Jul 26, 2023
peterwoodworth (Contributor) commented:

The reproduction code provided is a bit confusing: there are some clear type and compiler errors, fromSecretsManager isn't a method on any of our constructs, and I don't believe you're creating any resources in the EcsStack code provided.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 26, 2023
github-actions bot commented:

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jul 28, 2023
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 2, 2023
@github-actions github-actions bot closed this as completed Aug 2, 2023