feat(cdk): transparent cross-stack references

packages/@aws-cdk/aws-apigateway/lib/restapi.ts

@@ -404,7 +404,7 @@ export enum EndpointType {
   Private = 'PRIVATE'
 }
 
-export class RestApiUrl extends cdk.CloudFormationToken { }
+export class RestApiUrl extends cdk.Token { }
 
 class ImportedRestApi extends cdk.Construct implements IRestApi {
   public restApiId: string;

packages/@aws-cdk/aws-apigateway/lib/stage.ts

@@ -1,4 +1,5 @@
 import cdk = require('@aws-cdk/cdk');
+import { Stack } from '@aws-cdk/cdk';
 import { CfnStage } from './apigateway.generated';
 import { Deployment } from './deployment';
 import { IRestApi } from './restapi';
@@ -173,7 +174,8 @@ export class Stage extends cdk.Construct implements cdk.IDependable {
     if (!path.startsWith('/')) {
       throw new Error(`Path must begin with "/": ${path}`);
     }
-    return `https://${this.restApi.restApiId}.execute-api.${new cdk.AwsRegion()}.amazonaws.com/${this.stageName}${path}`;
+    const stack = Stack.find(this);
+    return `https://${this.restApi.restApiId}.execute-api.${stack.region}.${stack.urlSuffix}/${this.stageName}${path}`;
   }
 
   private renderMethodSettings(props: StageProps): CfnStage.MethodSettingProperty[] | undefined {

packages/@aws-cdk/aws-cloudtrail/lib/index.ts

@@ -132,13 +132,15 @@ export class CloudTrail extends cdk.Construct {
     const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.Unencrypted});
     const cloudTrailPrincipal = "cloudtrail.amazonaws.com";
 
+    const stack = cdk.Stack.find(this);
+
     s3bucket.addToResourcePolicy(new iam.PolicyStatement()
       .addResource(s3bucket.bucketArn)
       .addActions('s3:GetBucketAcl')
       .addServicePrincipal(cloudTrailPrincipal));
 
     s3bucket.addToResourcePolicy(new iam.PolicyStatement()
-      .addResource(s3bucket.arnForObjects(`AWSLogs/${new cdk.AwsAccountId()}/*`))
+      .addResource(s3bucket.arnForObjects(`AWSLogs/${stack.accountId}/*`))
       .addActions("s3:PutObject")
       .addServicePrincipal(cloudTrailPrincipal)
       .setCondition("StringEquals", {'s3:x-amz-acl': "bucket-owner-full-control"}));

packages/@aws-cdk/aws-cloudwatch/lib/graph.ts

@@ -1,4 +1,4 @@
-import { AwsRegion } from "@aws-cdk/cdk";
+import cdk = require('@aws-cdk/cdk');
 import { Alarm } from "./alarm";
 import { Metric } from "./metric";
 import { parseStatistic } from './util.statistic';
@@ -73,7 +73,7 @@ export class AlarmWidget extends ConcreteWidget {
       properties: {
         view: 'timeSeries',
         title: this.props.title,
-        region: this.props.region || new AwsRegion(),
+        region: this.props.region || new cdk.Token({ Ref: 'AWS::Region' }),
         annotations: {
           alarms: [this.props.alarm.alarmArn]
         },
@@ -150,7 +150,7 @@ export class GraphWidget extends ConcreteWidget {
       properties: {
         view: 'timeSeries',
         title: this.props.title,
-        region: this.props.region || new AwsRegion(),
+        region: this.props.region || new cdk.Token({ Ref: 'AWS::Region' }),
         metrics: (this.props.left || []).map(m => metricJson(m, 'left')).concat(
              (this.props.right || []).map(m => metricJson(m, 'right'))),
         annotations: {
@@ -197,7 +197,7 @@ export class SingleValueWidget extends ConcreteWidget {
       properties: {
         view: 'singleValue',
         title: this.props.title,
-        region: this.props.region || new AwsRegion(),
+        region: this.props.region || new cdk.Token({ Ref: 'AWS::Region' }),
         metrics: this.props.metrics.map(m => metricJson(m, 'left'))
       }
     }];

packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts

@@ -857,7 +857,7 @@ export = {
       environment: {
         environmentVariables: {
           FOO: { value: '1234' },
-          BAR: { value: `111${new cdk.CloudFormationToken({ twotwotwo: '222' })}`, type: codebuild.BuildEnvironmentVariableType.ParameterStore }
+          BAR: { value: `111${new cdk.Token({ twotwotwo: '222' })}`, type: codebuild.BuildEnvironmentVariableType.ParameterStore }
         }
       },
       environmentVariables: {

packages/@aws-cdk/aws-codecommit/lib/repository.ts

@@ -264,7 +264,8 @@ class ImportedRepository extends RepositoryBase {
   }
 
   private repositoryCloneUrl(protocol: 'https' | 'ssh'): string {
-    return `${protocol}://git-codecommit.${new cdk.AwsRegion()}.${new cdk.AwsURLSuffix()}/v1/repos/${this.repositoryName}`;
+    const stack = cdk.Stack.find(this);
+    return `${protocol}://git-codecommit.${stack.region}.${stack.urlSuffix}/v1/repos/${this.repositoryName}`;
   }
 }
 

packages/@aws-cdk/aws-codedeploy/lib/deployment-group.ts

@@ -310,9 +310,9 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
 
     this._autoScalingGroups = props.autoScalingGroups || [];
     this.installAgent = props.installAgent === undefined ? true : props.installAgent;
-    const region = new cdk.AwsRegion().toString();
+    const stack = cdk.Stack.find(this);
     this.codeDeployBucket = s3.Bucket.import(this, 'CodeDeployBucket', {
-      bucketName: `aws-codedeploy-${region}`,
+      bucketName: `aws-codedeploy-${stack.region}`,
     });
     for (const asg of this._autoScalingGroups) {
       this.addCodeDeployAgentInstallUserData(asg);
@@ -387,7 +387,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
 
     this.codeDeployBucket.grantRead(asg.role, 'latest/*');
 
-    const region = (new cdk.AwsRegion()).toString();
+    const stack = cdk.Stack.find(this);
     switch (asg.osType) {
       case ec2.OperatingSystemType.Linux:
         asg.addUserData(
@@ -405,7 +405,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
           '$PKG_CMD install -y awscli',
           'TMP_DIR=`mktemp -d`',
           'cd $TMP_DIR',
-          `aws s3 cp s3://aws-codedeploy-${region}/latest/install . --region ${region}`,
+          `aws s3 cp s3://aws-codedeploy-${stack.region}/latest/install . --region ${stack.region}`,
           'chmod +x ./install',
           './install auto',
           'rm -fr $TMP_DIR',
@@ -414,7 +414,7 @@ export class ServerDeploymentGroup extends ServerDeploymentGroupBase {
       case ec2.OperatingSystemType.Windows:
         asg.addUserData(
           'Set-Variable -Name TEMPDIR -Value (New-TemporaryFile).DirectoryName',
-          `aws s3 cp s3://aws-codedeploy-${region}/latest/codedeploy-agent.msi $TEMPDIR\\codedeploy-agent.msi`,
+          `aws s3 cp s3://aws-codedeploy-${stack.region}/latest/codedeploy-agent.msi $TEMPDIR\\codedeploy-agent.msi`,
           '$TEMPDIR\\codedeploy-agent.msi /quiet /l c:\\temp\\host-agent-install-log.txt',
         );
         break;

packages/@aws-cdk/aws-codepipeline-api/lib/artifact.ts

@@ -1,4 +1,4 @@
-import { CloudFormationToken, Construct } from "@aws-cdk/cdk";
+import { Construct, Token } from "@aws-cdk/cdk";
 import { Action } from "./action";
 
 /**
@@ -72,9 +72,9 @@ export class ArtifactPath {
 }
 
 function artifactAttribute(artifact: Artifact, attributeName: string) {
-  return new CloudFormationToken(() => ({ 'Fn::GetArtifactAtt': [artifact.name, attributeName] })).toString();
+  return new Token(() => ({ 'Fn::GetArtifactAtt': [artifact.name, attributeName] })).toString();
 }
 
 function artifactGetParam(artifact: Artifact, jsonFile: string, keyName: string) {
-  return new CloudFormationToken(() => ({ 'Fn::GetParam': [artifact.name, jsonFile, keyName] })).toString();
+  return new Token(() => ({ 'Fn::GetParam': [artifact.name, jsonFile, keyName] })).toString();
 }

packages/@aws-cdk/aws-ec2/lib/vpc-ref.ts

@@ -1,4 +1,4 @@
-import { Construct, IDependable } from "@aws-cdk/cdk";
+import { Construct, IDependable, Stack } from "@aws-cdk/cdk";
 import { subnetName } from './util';
 
 export interface IVpcSubnet extends IDependable {
@@ -54,6 +54,11 @@ export interface IVpcNetwork extends IDependable {
    */
   readonly availabilityZones: string[];
 
+  /**
+   * Region where this VPC is located
+   */
+  readonly vpcRegion: string;
+
   /**
    * Take a dependency on internet connectivity having been added to this VPC
    *
@@ -250,6 +255,14 @@ export abstract class VpcNetworkBase extends Construct implements IVpcNetwork {
   public internetDependency(): IDependable {
     return new DependencyList(this.internetDependencies);
   }
+
+  /**
+   * The region where this VPC is defined
+   */
+  public get vpcRegion(): string {
+    return Stack.find(this).region;
+  }
+
 }
 
 /**

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -5,6 +5,7 @@ import { NetworkBuilder } from './network-util';
 import { DEFAULT_SUBNET_NAME, ExportSubnetGroup, ImportSubnetGroup, subnetId  } from './util';
 import { VpcNetworkProvider, VpcNetworkProviderProps } from './vpc-network-provider';
 import { IVpcNetwork, IVpcSubnet, SubnetType, VpcNetworkBase, VpcNetworkImportProps, VpcPlacementStrategy, VpcSubnetImportProps } from './vpc-ref';
+
 /**
  * Name tag constant
  */

packages/@aws-cdk/aws-ecs/lib/log-drivers/aws-log-driver.ts

@@ -73,12 +73,13 @@ export class AwsLogDriver extends LogDriver {
    * Return the log driver CloudFormation JSON
    */
   public renderLogDriver(): CfnTaskDefinition.LogConfigurationProperty {
+    const stack = cdk.Stack.find(this);
     return {
       logDriver: 'awslogs',
       options: removeEmpty({
         'awslogs-group': this.logGroup.logGroupName,
         'awslogs-stream-prefix': this.props.streamPrefix,
-        'awslogs-region': `${new cdk.AwsRegion()}`,
+        'awslogs-region': stack.region,
         'awslogs-datetime-format': this.props.datetimeFormat,
         'awslogs-multiline-pattern': this.props.multilinePattern,
       }),

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts

@@ -92,7 +92,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 
     // FIXME: can't use grantPut() here because that only takes IAM objects, not arbitrary principals
     bucket.addToResourcePolicy(new iam.PolicyStatement()
-      .addPrincipal(new iam.AccountPrincipal(account))
+      .addPrincipal(new iam.AccountPrincipal(this, account))
       .addAction('s3:PutObject')
       .addResource(bucket.arnForObjects(prefix || '', '*')));
   }

packages/@aws-cdk/aws-iam/lib/policy-document.ts

@@ -1,6 +1,6 @@
-import { AwsAccountId, AwsPartition, Token } from '@aws-cdk/cdk';
+import cdk = require('@aws-cdk/cdk');
 
-export class PolicyDocument extends Token {
+export class PolicyDocument extends cdk.Token {
   private statements = new Array<PolicyStatement>();
 
   /**
@@ -81,8 +81,8 @@ export class ArnPrincipal extends PolicyPrincipal {
 }
 
 export class AccountPrincipal extends ArnPrincipal {
-  constructor(public readonly accountId: any) {
-    super(`arn:${new AwsPartition()}:iam::${accountId}:root`);
+  constructor(public readonly anchor: cdk.Construct, public readonly accountId: any) {
+    super(`arn:${new cdk.Aws(anchor).partition}:iam::${accountId}:root`);
   }
 }
 
@@ -136,8 +136,8 @@ export class FederatedPrincipal extends PolicyPrincipal {
 }
 
 export class AccountRootPrincipal extends AccountPrincipal {
-  constructor() {
-    super(new AwsAccountId());
+  constructor(anchor: cdk.Construct) {
+    super(anchor, new cdk.Aws(anchor).accountId);
   }
 }
 
@@ -201,7 +201,7 @@ export class CompositePrincipal extends PolicyPrincipal {
 /**
  * Represents a statement in an IAM policy document.
  */
-export class PolicyStatement extends Token {
+export class PolicyStatement extends cdk.Token {
   private action = new Array<any>();
   private principal: { [key: string]: any[] } = {};
   private resource = new Array<any>();
@@ -250,12 +250,12 @@ export class PolicyStatement extends Token {
     return this.addPrincipal(new ArnPrincipal(arn));
   }
 
-  public addArnPrincipal(arn: string): this {
-    return this.addAwsPrincipal(arn);
+  public addAwsAccountPrincipal(anchor: cdk.Construct, accountId: string): this {
+    return this.addPrincipal(new AccountPrincipal(anchor, accountId));
   }
 
-  public addAwsAccountPrincipal(accountId: string): this {
-    return this.addPrincipal(new AccountPrincipal(accountId));
+  public addArnPrincipal(arn: string): this {
+    return this.addAwsPrincipal(arn);
   }
 
   public addServicePrincipal(service: string): this {
@@ -266,8 +266,8 @@ export class PolicyStatement extends Token {
     return this.addPrincipal(new FederatedPrincipal(federated, conditions));
   }
 
-  public addAccountRootPrincipal(): this {
-    return this.addPrincipal(new AccountRootPrincipal());
+  public addAccountRootPrincipal(anchor: cdk.Construct): this {
+    return this.addPrincipal(new AccountRootPrincipal(anchor));
   }
 
   public addCanonicalUserPrincipal(canonicalUserId: string): this {
@@ -363,7 +363,7 @@ export class PolicyStatement extends Token {
   }
 
   public limitToAccount(accountId: string): PolicyStatement {
-    return this.addCondition('StringEquals', new Token(() => {
+    return this.addCondition('StringEquals', new cdk.Token(() => {
       return { 'sts:ExternalId': accountId };
     }));
   }

packages/@aws-cdk/aws-iam/lib/util.ts

@@ -1,10 +1,10 @@
-import { CloudFormationToken } from '@aws-cdk/cdk';
+import { Token } from '@aws-cdk/cdk';
 import { Policy } from './policy';
 
 const MAX_POLICY_NAME_LEN = 128;
 
-export function undefinedIfEmpty<T>(f: () => T[]): CloudFormationToken {
-  return new CloudFormationToken(() => {
+export function undefinedIfEmpty<T>(f: () => T[]): Token {
+  return new Token(() => {
     const array = f();
     return (array && array.length > 0) ? array : undefined;
   });

packages/@aws-cdk/aws-iam/test/example.external-id.lit.ts

@@ -7,7 +7,7 @@ export class ExampleConstruct extends cdk.Construct {
 
     /// !show
     const role = new iam.Role(this, 'MyRole', {
-      assumedBy: new iam.AccountPrincipal('123456789012'),
+      assumedBy: new iam.AccountPrincipal(this, '123456789012'),
       externalId: 'SUPPLY-ME',
     });
     /// !hide

packages/@aws-cdk/aws-iam/test/integ.role.ts

@@ -17,7 +17,7 @@ policy.attachToRole(role);
 
 // Role with an external ID
 new Role(stack, 'TestRole2', {
-  assumedBy: new AccountRootPrincipal(),
+  assumedBy: new AccountRootPrincipal(stack),
   externalId: 'supply-me',
 });