(Pipeline and Codebuild): Using cdk can a pipeline in Account B invoke a codebuild in Account A? #13694

Closed
Rmpanga opened this issue Mar 19, 2021 · 4 comments · Fixed by #13708
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Rmpanga commented Mar 19, 2021

❓ Does cdk codepipeline support cross-account codebuild invocations?

The Goal

To use `codebuild.PipelineProject.from_project_arn(self, id="some_id", project_arn="arn:aws:codebuild:us-west-2:A:project/1234")` in a pipeline in Account B to invoke a codebuild project in Account A. This codebuild will run integration tests against Account A's application. The pipeline successfully deploys the application to Account A.

Context

We have a pipeline that deploys our application in multiple accounts. For the purposes of this question, let's simplify the pipeline to only deploy the app to a single account, A. The pipeline is deployed in Account B. After the pipeline deploys our application to Account A, we want the next step in the pipeline to invoke a codebuild project in Account A to run integration tests on the application. The codebuild project for Account A is deployed as part of `cdk deploy --all`.

If the above description isn't clear hopefully a code summary will clarify things.

Code

App.py - Defining the Codebuild to be deployed in Account A and the Pipeline in Account B.

```python
from aws_cdk import core
from codebuild import IntergrationCodeBuild
from codepipeline import Codepipeline

app = core.App()

# Deploy codebuild to Account A via cdk deploy --all
codebuild_tests = IntergrationCodeBuild(app, "some-id-1", env=core.Environment(
    account="A",
    region="us-west-2"
))

# Deploy pipeline to Account B via cdk deploy --all
pipeline = Codepipeline(
    app, "some-id-2",
    codebuild_arn=codebuild_tests.project_arn,
    codebuild_name=codebuild_tests.project_name,
    stage="build",
    env=core.Environment(account="B", region="us-east-1"),
)

app.synth()
```

codebuild.py #Defines the codebuild project

```python
from aws_cdk import core
from aws_cdk import aws_codebuild as codebuild


class IntergrationCodeBuild(core.Stack):
    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        self.define_codebuild()

    def define_codebuild(self):
        project = codebuild.PipelineProject(
            self, "IntegrationTests",
            build_spec=codebuild.BuildSpec.from_object({
                "version": "0.2",
                "phases": {
                    "install": {
                        "commands": [
                            "curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python",
                            ". $HOME/.poetry/env",
                            "poetry install"
                        ]
                    },
                    "build": {
                        "commands": [
                            "poetry run pytest test"
                        ]
                    }
                }
            }),
            environment=codebuild.BuildEnvironment(
                build_image=codebuild.LinuxBuildImage.AMAZON_LINUX_2_3
            ),
            # Let CDK generate a physical name for the project if one is needed
            project_name=core.PhysicalName.GENERATE_IF_NEEDED,
        )
        # Expose the ARN and name that App.py passes on to the pipeline stack
        self.project_arn = project.project_arn
        self.project_name = project.project_name
```

MainApp.py # The main application that will be deployed by the pipeline

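```python
from aws_cdk import core


class MainAppStage(core.Stage):
    def __init__(self, scope: core.Construct, id: str, stage: str, env: core.Environment, **kwargs):
        super().__init__(scope, id, **kwargs)
        # MainApp is the application stack itself (not shown in the issue)
        MainApp(
            self,
            id,
            stage=stage,
            env=env
        )
```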

codepipeline.py # The pipeline that deploys the MainApp and runs tests against it via codebuild

```python
from aws_cdk import core, pipelines
from aws_cdk import aws_codebuild as codebuild
from aws_cdk import aws_codepipeline_actions as codepipeline_actions
from aws_cdk import aws_iam as iam

# Excerpt from inside the Codepipeline stack: `self` is the stack, and
# cdk_artifact, github_source and access_token are defined elsewhere in it
# (not shown in the issue).
pipeline = pipelines.CdkPipeline(
    self,
    "Test App Deploy Pipeline Integration Test",
    cloud_assembly_artifact=cdk_artifact,
    pipeline_name=self.pipeline_name,
    self_mutating=True,
    source_action=codepipeline_actions.GitHubSourceAction(
        oauth_token=access_token,
        owner="me",
        repo="git",
        branch="something",
        trigger=codepipeline_actions.GitHubTrigger.WEBHOOK,
        action_name="GithubSourcePull",
        output=github_source
    ),
    synth_action=pipelines.SimpleSynthAction(
        synth_command='poetry run cdk synth',
        install_commands=[
            "curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python",
            ". $HOME/.poetry/env",
            "poetry install",
        ],
        cloud_assembly_artifact=cdk_artifact,
        source_artifact=github_source,
        environment=codebuild.BuildEnvironment(privileged=True),
        # Wildcard ECR and CodeBuild permissions for the synth project's role
        role_policy_statements=[
            iam.PolicyStatement(actions=['ecr:*'], resources=["*"]),
            iam.PolicyStatement(actions=['codebuild:*'], resources=['*']),
        ]
    )
)

# Deploy the MainApp
# add_application_stage() takes a core.Stage, i.e. MainAppStage from MainApp.py
alpha_stage = pipeline.add_application_stage(MainAppStage(
    self,
    "some-id",
    "alpha",
    core.Environment(
        account="A",
        region="us-west-2"
    )
))

# Trying to run integration tests against the MainApp
# This Fails. Notice here I am referencing an arn in account A in region us-west-2.
# The pipeline is in Account B
cb_project = codebuild.PipelineProject.from_project_arn(self, id="some_id", project_arn="arn:aws:codebuild:us-west-2:A:project/1234")

test_action = codepipeline_actions.CodeBuildAction(
    action_name="IntegrationTest",
    project=cb_project,
    input=github_source,
    type=codepipeline_actions.CodeBuildActionType.TEST,
    run_order=4
)

alpha_stage.add_actions(test_action)
```

Problem

In the Pipeline console for the codebuild step I receive an error:
Error calling startBuild: Project cannot be found: arn:aws:codebuild:us-east-1:B:project/1234(Service: AWSCodeBuild; Status Code: 400; Error Code: ResourceNotFoundException;...)

Notice the arn? The region should be us-west-2 but it is us-east-1. Furthermore, the account should be A instead of B.

Environment

  • CDK CLI Version: 1.89
  • Module Version:
  • Node.js Version: v15.8.0
  • OS: MacOS Catalina
  • Language (Version): Python 3.8

Other information

@Rmpanga Rmpanga added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2021
@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Mar 19, 2021
@skinny85
Contributor

Thanks for opening the issue @Rmpanga . This is actually a bug in the CodeBuild library. I'm working on a fix.

@skinny85 skinny85 added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 and removed guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2021
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Mar 19, 2021
… its ARN

This is needed to correctly use CodeBuild in CodePipeline
(which needs to know whether the Project is from a different account/region).

Fixes aws#13694
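
Added example (not part of the issue and not CDK's own code): a stand-alone reconstruction of the symptom reported above, comparing the account and region encoded in a CodeBuild project ARN with the pipeline's environment. The `Env` type and all function names are hypothetical; `A`, `B` and `1234` are the placeholder values used in the issue.

```python
from typing import NamedTuple, Tuple


class Env(NamedTuple):
    """Account/region pair (hypothetical helper type for this example)."""
    account: str
    region: str


def parse_codebuild_project_arn(arn: str) -> Tuple[Env, str]:
    """Split arn:<partition>:codebuild:<region>:<account>:project/<name>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "codebuild":
        raise ValueError(f"not a CodeBuild ARN: {arn!r}")
    region, account, resource = parts[3], parts[4], parts[5]
    kind, _, name = resource.partition("/")
    if kind != "project" or not name or not region or not account:
        raise ValueError(f"not a CodeBuild project ARN: {arn!r}")
    return Env(account, region), name


def arn_in_env(env: Env, name: str) -> str:
    """ARN a caller ends up with if it assumes the project lives in `env`."""
    return f"arn:aws:codebuild:{env.region}:{env.account}:project/{name}"


def classify(project_arn: str, pipeline_env: Env) -> dict:
    """Compare the project's real environment with the pipeline's."""
    project_env, name = parse_codebuild_project_arn(project_arn)
    return {
        "cross_account": project_env.account != pipeline_env.account,
        "cross_region": project_env.region != pipeline_env.region,
        # What is looked up when the ARN's account/region are ignored and
        # only the project name is carried over (the ARN in the error above):
        "arn_if_env_ignored": arn_in_env(pipeline_env, name),
    }


if __name__ == "__main__":
    # Values from the issue: project in A / us-west-2, pipeline in B / us-east-1.
    print(classify("arn:aws:codebuild:us-west-2:A:project/1234",
                   Env("B", "us-east-1")))
```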
Author

Rmpanga commented Mar 22, 2021

Awesome. Happy I played a small part in improving the cdk library

Author

Rmpanga commented Mar 23, 2021

Hi, just curious what is the best workaround for this issue?

@mergify mergify bot closed this as completed in #13708 Mar 30, 2021
mergify bot pushed a commit that referenced this issue Mar 30, 2021
… its ARN (#13708)
