fix(appsync): incorrect region used for imported Cognito user pool (#20193)

Replaces all uses of `resource.stack.region` with `resource.env.region`
so that imported resources can provide a different region than the
current stack, wich can result in invalid configuration.

Applying the same treatment to occurrences of `resources.stack.account`
as this is also surfaced as `resources.env.account`.

Fixes #20195

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: RomainMuller

packages/@aws-cdk/aws-apigatewayv2/lib/http/route.ts

@@ -236,7 +236,7 @@ export class HttpRoute extends Resource implements IHttpRoute {
     // path variable and all that follows with a wildcard.
     const iamPath = path.replace(/\{.*?\}.*/, '*');
 
-    return `arn:aws:execute-api:${this.stack.region}:${this.stack.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
+    return `arn:aws:execute-api:${this.env.region}:${this.env.account}:${this.httpApi.apiId}/${stage}/${iamHttpMethod}${iamPath}`;
   }
 
   public grantInvoke(grantee: iam.IGrantable, options: GrantInvokeOptions = {}): iam.Grant {

packages/@aws-cdk/aws-appsync/lib/data-source.ts

@@ -219,7 +219,7 @@ export class DynamoDbDataSource extends BackedDataSource {
       type: 'AMAZON_DYNAMODB',
       dynamoDbConfig: {
         tableName: props.table.tableName,
-        awsRegion: props.table.stack.region,
+        awsRegion: props.table.env.region,
         useCallerCredentials: props.useCallerCredentials,
       },
     });
@@ -337,7 +337,7 @@ export class RdsDataSource extends BackedDataSource {
       type: 'RELATIONAL_DATABASE',
       relationalDatabaseConfig: {
         rdsHttpEndpointConfig: {
-          awsRegion: props.serverlessCluster.stack.region,
+          awsRegion: props.serverlessCluster.env.region,
           dbClusterIdentifier: Lazy.string({
             produce: () => {
               return Stack.of(this).formatArn({
@@ -399,7 +399,7 @@ export class ElasticsearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_ELASTICSEARCH',
       elasticsearchConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });
@@ -426,7 +426,7 @@ export class OpenSearchDataSource extends BackedDataSource {
     super(scope, id, props, {
       type: 'AMAZON_OPENSEARCH_SERVICE',
       openSearchServiceConfig: {
-        awsRegion: props.domain.stack.region,
+        awsRegion: props.domain.env.region,
         endpoint: `https://${props.domain.domainEndpoint}`,
       },
     });

packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts

@@ -633,7 +633,7 @@ export class GraphqlApi extends GraphqlApiBase {
     if (!config) return undefined;
     return {
       userPoolId: config.userPool.userPoolId,
-      awsRegion: config.userPool.stack.region,
+      awsRegion: config.userPool.env.region,
       appIdClientRegex: config.appIdClientRegex,
       defaultAction: config.defaultAction || UserPoolDefaultAction.ALLOW,
     };

packages/@aws-cdk/aws-batch/lib/compute-environment.ts

@@ -581,7 +581,7 @@ export class ComputeEnvironment extends Resource implements IComputeEnvironment
         return props.computeResources.spotFleetRole;
       } else if (props.computeResources.type === ComputeResourceType.SPOT) {
         return iam.Role.fromRoleArn(this, 'Resource-SpotFleet-Role',
-          `arn:${this.stack.partition}:iam::${this.stack.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
+          `arn:${this.stack.partition}:iam::${this.env.account}:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet`);
       }
     }
 

packages/@aws-cdk/aws-cloud9/lib/environment.ts

@@ -143,7 +143,7 @@ export class Ec2Environment extends cdk.Resource implements IEc2Environment {
     this.environmentId = c9env.ref;
     this.ec2EnvironmentArn = c9env.getAtt('Arn').toString();
     this.ec2EnvironmentName = c9env.getAtt('Name').toString();
-    this.ideUrl = `https://${this.stack.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
+    this.ideUrl = `https://${this.env.region}.console.aws.amazon.com/cloud9/ide/${this.environmentId}`;
   }
 }
 

packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts

@@ -55,7 +55,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
     super(scope, id);
 
     // Create a simple Function if we're already in us-east-1; otherwise create a cross-region stack.
-    const regionIsUsEast1 = !Token.isUnresolved(this.stack.region) && this.stack.region === 'us-east-1';
+    const regionIsUsEast1 = !Token.isUnresolved(this.env.region) && this.env.region === 'us-east-1';
     const { edgeFunction, edgeArn } = regionIsUsEast1
       ? this.createInRegionFunction(props)
       : this.createCrossRegionFunction(id, props);

packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts

@@ -612,8 +612,8 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
   private validateCanLookupSupportedAzs(subnets: ISubnet[], serviceName: string) {
 
     // Having any of these be true will cause the AZ lookup to fail at synthesis time
-    const agnosticAcct = Token.isUnresolved(this.stack.account);
-    const agnosticRegion = Token.isUnresolved(this.stack.region);
+    const agnosticAcct = Token.isUnresolved(this.env.account);
+    const agnosticRegion = Token.isUnresolved(this.env.region);
     const agnosticService = Token.isUnresolved(serviceName);
 
     // Having subnets with Token AZs can cause the endpoint to be created with no subnets, failing at deployment time

packages/@aws-cdk/aws-ecs/lib/base/base-service.ts

@@ -510,7 +510,7 @@ export abstract class BaseService extends Resource
       resources: ['*'],
     }));
 
-    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
+    const logGroupArn = logConfiguration?.cloudWatchLogGroup ? `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${logConfiguration.cloudWatchLogGroup.logGroupName}:*` : '*';
     this.taskDefinition.addToTaskRolePolicy(new iam.PolicyStatement({
       actions: [
         'logs:CreateLogStream',
@@ -558,7 +558,7 @@ export abstract class BaseService extends Resource
         'kms:*',
       ],
       resources: ['*'],
-      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.stack.account}:root`)],
+      principals: [new iam.ArnPrincipal(`arn:${this.stack.partition}:iam::${this.env.account}:root`)],
     }));
 
     if (logging === ExecuteCommandLogging.DEFAULT || this.cluster.executeCommandConfiguration?.logConfiguration?.cloudWatchEncryptionEnabled) {
@@ -571,9 +571,9 @@ export abstract class BaseService extends Resource
           'kms:Describe*',
         ],
         resources: ['*'],
-        principals: [new iam.ServicePrincipal(`logs.${this.stack.region}.amazonaws.com`)],
+        principals: [new iam.ServicePrincipal(`logs.${this.env.region}.amazonaws.com`)],
         conditions: {
-          ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.stack.region}:${this.stack.account}:*` },
+          ArnLike: { 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*` },
         },
       }));
     }

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts

@@ -266,7 +266,7 @@ export abstract class BaseLoadBalancer extends Resource {
         actions: ['s3:PutObject'],
         principals: [logsDeliveryServicePrincipal],
         resources: [
-          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.stack.account}/*`),
+          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${this.env.account}/*`),
         ],
         conditions: {
           StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },

packages/@aws-cdk/aws-elasticsearch/lib/domain.ts

@@ -1110,7 +1110,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);

packages/@aws-cdk/aws-fsx/lib/lustre-file-system.ts

@@ -206,7 +206,7 @@ export class LustreFileSystem extends FileSystemBase {
     this.fileSystem.applyRemovalPolicy(props.removalPolicy);
 
     this.fileSystemId = this.fileSystem.ref;
-    this.dnsName = `${this.fileSystemId}.fsx.${this.stack.region}.${Aws.URL_SUFFIX}`;
+    this.dnsName = `${this.fileSystemId}.fsx.${this.env.region}.${Aws.URL_SUFFIX}`;
     this.mountName = this.fileSystem.attrLustreMountName;
   }
 

packages/@aws-cdk/aws-opensearchservice/lib/domain.ts

@@ -883,7 +883,7 @@ abstract class DomainBase extends cdk.Resource implements IDomain {
       metricName,
       dimensionsMap: {
         DomainName: this.domainName,
-        ClientId: this.stack.account,
+        ClientId: this.env.account,
       },
       ...props,
     }).attachTo(this);

packages/@aws-cdk/aws-s3objectlambda/lib/access-point.ts

@@ -101,14 +101,14 @@ abstract class AccessPointBase extends core.Resource implements IAccessPoint {
   /** Implement the {@link IAccessPoint.domainName} field. */
   get domainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${urlSuffix}`;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${urlSuffix}`;
   }
 
   /** Implement the {@link IAccessPoint.regionalDomainName} field. */
   get regionalDomainName(): string {
     const urlSuffix = this.stack.urlSuffix;
-    const region = this.stack.region;
-    return `${this.accessPointName}-${this.stack.account}.s3-object-lambda.${region}.${urlSuffix}`;
+    const region = this.env.region;
+    return `${this.accessPointName}-${this.env.account}.s3-object-lambda.${region}.${urlSuffix}`;
   }
 
   /** Implement the {@link IAccessPoint.virtualHostedUrlForObject} method. */
@@ -252,4 +252,4 @@ export class AccessPoint extends AccessPointBase {
       }),
     );
   }
-}
+}

packages/@aws-cdk/aws-sns-subscriptions/lib/lambda.ts

@@ -59,9 +59,9 @@ export class LambdaSubscription implements sns.ITopicSubscription {
       if (topic.stack !== this.fn.stack) {
         // only if we know the region, will not work for
         // env agnostic stacks
-        if (!Token.isUnresolved(topic.stack.region) &&
-          (topic.stack.region !== this.fn.stack.region)) {
-          return topic.stack.region;
+        if (!Token.isUnresolved(topic.env.region) &&
+          (topic.env.region !== this.fn.env.region)) {
+          return topic.env.region;
         }
       }
       return undefined;

packages/@aws-cdk/aws-sns-subscriptions/lib/sqs.ts

@@ -85,9 +85,9 @@ export class SqsSubscription implements sns.ITopicSubscription {
       if (topic.stack !== this.queue.stack) {
         // only if we know the region, will not work for
         // env agnostic stacks
-        if (!Token.isUnresolved(topic.stack.region) &&
-          (topic.stack.region !== this.queue.stack.region)) {
-          return topic.stack.region;
+        if (!Token.isUnresolved(topic.env.region) &&
+          (topic.env.region !== this.queue.env.region)) {
+          return topic.env.region;
         }
       }
       return undefined;

packages/@aws-cdk/core/lib/resource.ts

@@ -315,4 +315,4 @@ function mimicReference(refSource: any, producer: IStringProducer): string {
       return producer.produce(context);
     }
   }(reference, reference.target, reference.displayName));
-}
+}