Proper way to check associations between related constructs in Aspects

[dontirun]

I'm currently attempting to create an Aspect that checks if VPCs have an associated FlowLog resource created and am running into issues with checking the children of the Stack for a FlowLogs resource.

Given the following aspect

import { CfnFlowLog, CfnVPC } from '@aws-cdk/aws-ec2';
import { Annotations, CfnResource, IAspect, IConstruct, Stack } from '@aws-cdk/core';

export class MyAspect implements IAspect {
  public visit(node: IConstruct): void {
    if (node instanceof CfnVPC) {
      const logicalId = Stack.of(node).getLogicalId(node);
      let found = false;
      const allChildren = Stack.of(node).node.children.concat(node.node.children);
      for (const child of allChildren) {
        const resource = child.node.defaultChild as CfnResource;
        if (resource != undefined) {
          console.log(resource.cfnResourceType);
          if (resource.cfnResourceType == 'AWS::EC2::FlowLog') {
            const resourceId = Stack.of(node).resolve(
              (<CfnFlowLog>resource).resourceId,
            );
            if (String(resourceId).includes(logicalId)) {
              found = true;
              break;
            }
          }
        }
      }
      if (!found) {
        Annotations.of(node).addError(
          'The VPC does not have flow logs enabled',
        );
      }
    }
  }
}

And the following test

  test('The VPC does not have flow logs enabled', () => {
    const negative = new Stack();
    Aspects.of(negative).add(new MyAspect());
    const vpc = new Vpc(negative, 'rVpc');
    new FlowLog(negative, 'rFlowLog', {
      resourceType: FlowLogResourceType.fromVpc(vpc),
    });
    new Bucket(negative, 'rBucket');
    const messages3 = SynthUtils.synthesize(negative).messages;
    expect(messages3).not.toContainEqual(
      expect.objectContaining({
        entry: expect.objectContaining({
          data: expect.stringContaining(
            'The VPC does not have flow logs enabled',
          ),
        }),
      }),
    );
  });

I get the following output

  console.log
    AWS::EC2::VPC

      at Object.default_1 (src/Aspect.ts:15:17)

  console.log
    AWS::S3::Bucket

      at Object.default_1 (src/Aspect.ts:15:17)

I'm assuming the problem is related to Aspects being executed in the prepare phase and related constructs not yet being created.

1. Is there any way to check related constructs (like FlowLogs and VPCs) using Aspects?
2. If there is, what's the proper way to do so?

[peterwoodworth]

After you've checked if the node you're at is a VPC, I'm pretty sure you aren't actually doing a full search through the construct tree below that with your logic. It seems to me as if you're only looking at the direct children of the Vpc which wouldn't reveal all the resources you want to reveal

The prepare phase is after pretty much all CDK construct code has ran. This isn't going to be your issue, it's likely with your logic of the search through the tree

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.