alternative approach 2 - stringify after resolve

Author: go-to-k

packages/aws-cdk-lib/aws-events-targets/test/lambda/lambda.test.ts

@@ -320,9 +320,7 @@ test('must display a warning when using a Dead Letter Queue from another account
 
   Template.fromStack(stack1).resourceCountIs('AWS::SQS::QueuePolicy', 0);
 
-  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', Match.stringLikeRegexp(
-    'Cannot add a resource policy to your dead letter queue associated with rule \\${Token\\[TOKEN\\.[0-9]+\\]} because the queue is in a different account\\. You must add the resource policy manually to the dead letter queue in account 444455556666\\. \\[ack: @aws-cdk/aws-events-targets:manuallyAddDLQResourcePolicy\\]',
-  ));
+  Annotations.fromStack(stack1).hasWarning('/Stack1/Rule', '{"Fn::Join":["",["Cannot add a resource policy to your dead letter queue associated with rule ",{"Ref":"Rule4C995B7F"}," because the queue is in a different account. You must add the resource policy manually to the dead letter queue in account 444455556666. [ack: @aws-cdk/aws-events-targets:manuallyAddDLQResourcePolicy]"]]}');
 });
 
 test('specifying retry policy', () => {

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

@@ -254,7 +254,7 @@ describe('function', () => {
 
       expect(getWarnings(app.synth())).toEqual([
         {
-          message: expect.stringMatching(/^addPermission\(\) has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=\${Token\[AWS\.Region\.\d+]}, account=\${Token\[AWS\.AccountId\.\d+]}. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes\(\) if you would like to add the permissions\. \[ack: UnclearLambdaEnvironment]$/),
+          message: '{"Fn::Join":["",["addPermission() has no effect on a Lambda Function with region=us-west-2, account=123456789012, in a Stack with region=",{"Ref":"AWS::Region"},", account=",{"Ref":"AWS::AccountId"},". Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment]"]]}',
           path: '/Default/Imported',
         },
       ]);

packages/aws-cdk-lib/aws-s3-notifications/test/queue.test.ts

@@ -109,7 +109,5 @@ test('if the queue is encrypted with a imported kms key, printout warning', () =
 
   bucket.addObjectCreatedNotification(new notif.SqsDestination(queue));
 
-  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', Match.stringLikeRegexp(
-    'Can not change key policy of imported kms key\\. Ensure that your key policy contains the following permissions: \\n\\{\\n  "Action": \\[\\n    "kms:GenerateDataKey\\*",\\n    "kms:Decrypt"\\n  \\],\\n  "Effect": "Allow",\\n  "Principal": \\{\\n    "Service": "\\${Token\\[s3\\.amazonaws\\.com\\.[0-9]+\\]}"\\n  \\},\\n  "Resource": "\\*"\\n\\} \\[ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded\\]',
-  ));
+  Annotations.fromStack(stack).hasWarning('/Default/ImportedKey', 'Can not change key policy of imported kms key. Ensure that your key policy contains the following permissions: \n{\n  "Action": [\n    "kms:GenerateDataKey*",\n    "kms:Decrypt"\n  ],\n  "Effect": "Allow",\n  "Principal": {\n    "Service": "s3.amazonaws.com"\n  },\n  "Resource": "*"\n} [ack: @aws-cdk/aws-s3-notifications:sqsKMSPermissionsNotAdded]');
 });

packages/aws-cdk-lib/aws-s3/test/notification.test.ts

@@ -162,13 +162,13 @@ describe('notification', () => {
     });
 
     // THEN - Following is warning thrown as a part of fix in : https://github.com/aws/aws-cdk/pull/31212
-    const warningMessage = /Can't combine imported IManagedPolicy: arn:\${Token\[AWS\.Partition\.\d+\]}:iam::aws:policy\/service-role\/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch\. Use ManagedPolicy directly\. \[ack: @aws-cdk\/aws-iam:IRoleCantBeUsedWithIManagedPolicy\]/;
+    const warningMessage = '{"Fn::Join":["",["Can\'t combine imported IManagedPolicy: arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole to imported role IRole: DevsNotAllowedToTouch. Use ManagedPolicy directly. [ack: @aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy]"]]}';
     const warningFromStack = Annotations.fromStack(stack).findWarning('*',
       Match.stringLikeRegexp(
         '@aws-cdk/aws-iam:IRoleCantBeUsedWithIManagedPolicy',
       ),
     );
-    expect(warningFromStack[0].entry.data).toEqual(expect.stringMatching(warningMessage));
+    expect(warningFromStack[0].entry.data).toEqual(warningMessage);
   });
 
   test('If `Role` is provided, PutBucketNotification, GetBucketNotification will be added along with `service-role/AWSLambdaBasicExecutionRole`', () => {

packages/aws-cdk-lib/core/lib/stack-synthesizers/_shared.ts

@@ -101,21 +101,22 @@ function collectStackMetadata(stack: Stack) {
     if (node.node.metadata.length > 0) {
       // Make the path absolute
       output[Node.PATH_SEP + node.node.path] = node.node.metadata.map(md => {
-        // If Annotations include a token, the message is resolved and output as `[object Object]` after synth
-        // because the message will be object type using 'Ref' or 'Fn::Join'.
-        // It would be easier for users to understand if the message from Annotations were output in token form,
-        // rather than in `[object Object]` or the object type.
-        // Therefore, we don't resolve the message if it's from Annotations.
-        if ([
+        const resolved = stack.resolve(md) as cxschema.MetadataEntry;
+
+        const isAnnotation = [
           cxschema.ArtifactMetadataEntryType.ERROR,
           cxschema.ArtifactMetadataEntryType.WARN,
           cxschema.ArtifactMetadataEntryType.INFO,
-        ].includes(md.type as cxschema.ArtifactMetadataEntryType)) {
-          return md;
-        }
+        ].includes(md.type as cxschema.ArtifactMetadataEntryType);
 
-        const resolved = stack.resolve(md);
-        return resolved as cxschema.MetadataEntry;
+        // Transform the data to a string for the case where Annotations include a token.
+        // Otherwise, the message is resolved and output as `[object Object]` after synth
+        // because the message will be object type using 'Ref' or 'Fn::Join'.
+        const mdWithStringData: cxschema.MetadataEntry = {
+          ...resolved,
+          data: (isAnnotation && typeof resolved.data === 'object') ? JSON.stringify(resolved.data) : resolved.data,
+        };
+        return mdWithStringData;
       });
     }
 

packages/aws-cdk-lib/core/test/annotations.test.ts

@@ -143,7 +143,7 @@ describe('annotations', () => {
     expect(getWarnings(app.synth())).toEqual([
       {
         path: '/S1/C1',
-        message: expect.stringMatching(/stackId: \${Token\[AWS::StackId\.\d+\]} \[ack: MESSAGE\]/),
+        message: '{"Fn::Join":["",["stackId: ",{"Ref":"AWS::StackId"}," [ack: MESSAGE]"]]}',
       },
     ]);
   });