
Circular dependency error in CDK setting EFS policy referencing access point


I have a CDK script where I want one-click setup and destruction of the following:

  • Create an EFS
  • Create access points on that EFS
  • Create a file system policy that assigns rules about those access points to specific IAM roles

Problem:

  • Setting the policy, I run into circular dependency errors as soon as I attempt to reference an access point ID.

Things I have tried:

  • Splitting out the EFS/access point creation into a different stack from policy creation
    • While passing the objects from stack to stack
    • Without passing the objects required, I need to either:
      • know the ID (would require human intervention)
      • or use a lambda to look things up (this should be a within CDK thing without invoking extra cost)
  • Running the EFS/access point creation separately first so the EFS exists, then running the policy creation
  • Lazy loading the actions lines in policy where the access point ID is referenced


Solution

  • After talking to an AWS rep, it turns out the lambda jank is the currently intended path unless I can convince CloudFormation to split out the EFS policy from the EFS object.

    Here's the request on the CloudFormation GitHub: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/900
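Why the inline policy cannot deploy while a separate policy resource can, shown as an added example that is not part of the original post: in CloudFormation the policy is the `FileSystemPolicy` property of `AWS::EFS::FileSystem`, and each `AWS::EFS::AccessPoint` needs that file system's ID, so a policy that names an access point closes a loop. The logical IDs, the role ARN, the `Custom::EfsFileSystemPolicy` type and the `ServiceToken` placeholder are assumptions made for illustration.

```python
# Added example: constructed CloudFormation fragments, not from the original post.
# Logical IDs, the role ARN and Custom::EfsFileSystemPolicy are hypothetical.
def refs(node):
    """Yield logical IDs referenced via Ref / Fn::GetAtt anywhere inside node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref":
                yield val
            elif key == "Fn::GetAtt":
                yield val[0] if isinstance(val, list) else val.split(".")[0]
            else:
                yield from refs(val)
    elif isinstance(node, list):
        for item in node:
            yield from refs(item)

def find_cycle(resources):
    """Return one dependency cycle as a list of logical IDs, or None."""
    graph = {rid: sorted({r for r in refs(res.get("Properties", {})) if r in resources})
             for rid, res in resources.items()}
    on_stack, done = [], set()
    def visit(rid):
        on_stack.append(rid)
        for dep in graph[rid]:
            if dep in on_stack:  # back edge: dependency loop found
                return on_stack[on_stack.index(dep):] + [dep]
            if dep not in done:
                found = visit(dep)
                if found:
                    return found
        on_stack.pop()
        done.add(rid)
        return None
    for rid in resources:
        if rid not in done:
            found = visit(rid)
            if found:
                return found
    return None

AP = {"Type": "AWS::EFS::AccessPoint", "Properties": {"FileSystemId": {"Ref": "Fs"}}}
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["elasticfilesystem:ClientMount"],
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
    "Condition": {"StringEquals": {
        "elasticfilesystem:AccessPointArn": {"Fn::GetAtt": ["Ap", "Arn"]}}}}]}
# Policy inline on the file system: Fs needs Ap, Ap needs Fs.
INLINE = {"Fs": {"Type": "AWS::EFS::FileSystem", "Properties": {"FileSystemPolicy": POLICY}}, "Ap": AP}
# Policy applied by a separate (Lambda-backed) resource created after both.
SPLIT = {"Fs": {"Type": "AWS::EFS::FileSystem", "Properties": {}}, "Ap": AP,
         "FsPolicy": {"Type": "Custom::EfsFileSystemPolicy", "Properties": {
             "ServiceToken": "PLACEHOLDER_LAMBDA_ARN", "FileSystemId": {"Ref": "Fs"}, "Policy": POLICY}}}
```

Until the file system is reachable with no policy attached, access to it is governed by IAM identity policies and network controls alone, so the policy resource should be created in the same deployment as the access points.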