(core): CliCredentialsStackSynthesizer does not work unless newStyleStackSynthesis is set false explicitly #30938

Open
mrlikl opened this issue Jul 24, 2024 · 2 comments
Labels
@aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@mrlikl
Contributor

mrlikl commented Jul 24, 2024

Describe the bug

When using CliCredentialsStackSynthesizer, unless the feature flag "@aws-cdk/core:newStyleStackSynthesis" is set to false in cdk.json, the bootstrapped deployment roles and cfn exec roles are used when deploying the stack.

Expected Behavior

For a stack that has synthesizer as CliCredentialsStackSynthesizer(), the CLI creds must be used even if the feature flag is not set.

Current Behavior

The CliCredentialsStackSynthesizer does not have an effect on the stack.

Reproduction Steps

Create a sample stack with an s3 bucket

export class TestStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        // Pass props through so the synthesizer set on the stack reaches cdk.Stack
        super(scope, id, props);
        const assetBucket = new s3.Bucket(this, 'testbc', {});
    }
}

set the stack like below -

new TestStack(app, 'bucketstack', {
    synthesizer: new cdk.CliCredentialsStackSynthesizer(),
});

verbose logs -

[17:17:19] Checking for previously published assets
[17:17:19] Retrieved account ID 01234567890 from disk cache
[17:17:19] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-deploy-role-01234567890-us-east-1'.
[17:17:20] Retrieved account ID 01234567890 from disk cache
[17:17:20] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-file-publishing-role-01234567890-us-east-1'.
[17:17:22] bucketstack:  check: Check s3://cdk-hnb659fds-assets-01234567890-us-east-1/a6f9c6f95acfb65c76eb4031a8303b4f7e322d363838d887e176dee57c7ac141.json
[17:17:24] bucketstack:  found: Found s3://cdk-hnb659fds-assets-01234567890-us-east-1/a6f9c6f95acfb65c76eb4031a8303b4f7e322d363838d887e176dee57c7ac141.json
[17:17:24] 1 total assets, 0 still need to be published
[17:17:24] Reading existing template for stack bucketstack.
[17:17:24] Retrieved account ID 01234567890 from disk cache
[17:17:24] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-lookup-role-01234567890-us-east-1'.
[17:17:29] Call failed: describeStacks({"StackName":"bucketstack"}) => Stack with id bucketstack does not exist (code=ValidationError)
bucketstack: deploying... [1/1]
[17:17:29] Retrieved account ID 01234567890 from disk cache
[17:17:30] Call failed: describeStacks({"StackName":"bucketstack"}) => Stack with id bucketstack does not exist (code=ValidationError)
[17:17:30] bucketstack: checking if we can skip deploy
[17:17:30] bucketstack: no existing stack
[17:17:30] bucketstack: deploying...
[17:17:30] Attempting to create ChangeSet with name cdk-deploy-change-set to create stack bucketstack
bucketstack: creating CloudFormation changeset...
[17:17:32] Initiated creation of changeset: arn:aws:cloudformation:us-east-1:01234567890:changeSet/cdk-deploy-change-set/0f8da92b-5fa7-4891-861f-b5a0fa21d40d; waiting for it to finish creating...
[17:17:32] Waiting for changeset cdk-deploy-change-set on stack bucketstack to finish creating...
[17:17:33] Changeset cdk-deploy-change-set on stack bucketstack is still creating
[17:17:40] Initiating execution of changeset arn:aws:cloudformation:us-east-1:01234567890:changeSet/cdk-deploy-change-set/0f8da92b-5fa7-4891-861f-b5a0fa21d40d on stack bucketstack
[17:17:41] Execution of changeset arn:aws:cloudformation:us-east-1:01234567890:changeSet/cdk-deploy-change-set/0f8da92b-5fa7-4891-861f-b5a0fa21d40d on stack bucketstack has started; waiting for the update to complete...
[17:17:41] Waiting for stack bucketstack to finish creating or updating...
[17:17:42] Stack bucketstack has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)
[17:17:48] Stack bucketstack has an ongoing operation in progress and is not stable (CREATE_IN_PROGRESS)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.150

Framework Version

No response

Node.js Version

v20.10.0

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

@mrlikl mrlikl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 24, 2024
@github-actions github-actions bot added the @aws-cdk/core Related to core CDK functionality label Jul 24, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 24, 2024
@khushail
Contributor

Hey @mrlikl, thanks for reporting this. I am able to repro this issue, but my CDK stack is being deployed without CLI creds whether or not I set this flag - "@aws-cdk/core:newStyleStackSynthesis", which seems like an issue. Sharing the code snippet I tried -

Code - /bin file -

const app = new cdk.App();
new StackSynthesizerStack(app, 'StackSynthesizerStack', {
  synthesizer: new cdk.CliCredentialsStackSynthesizer({
    bucketPrefix: 'bucketPrefix_withoutFlag',
  }),
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: "us-east-2",
  },
});

Code - /lib file

export class StackSynthesizerStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const assetbucket = new s3.Bucket(this, 'AssetBucket0316', {
      removalPolicy: cdk.RemovalPolicy.DESTROY,
      bucketName: 'synthesizer-bucket-0316'
    });
    new cdk.CfnOutput(this, 'AssetBucketName0316', { value: assetbucket.bucketName });
  }
}

and default CLI Creds point to region - 'us-east-1'

Did you make any other setting changes to get it working with the flag?

@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 24, 2024
@khushail khushail self-assigned this Jul 24, 2024
@khushail khushail added the effort/small Small work item – less than a day of effort label Jul 24, 2024
@mrlikl
Contributor Author

mrlikl commented Jul 24, 2024

@khushail thank you for taking a look. Can you check by setting the flag "@aws-cdk/core:newStyleStackSynthesis": false, explicitly? Setting it to false would use CLI credentials for all operations (lookup, diff, stack execution IAM role).

You can compare by setting to false and removing the flag altogether to notice the difference by running verbose during deploy.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 24, 2024
@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Aug 1, 2024
@khushail khushail removed their assignment Aug 1, 2024
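
The comparison suggested in the thread (deploy with verbose logging and see which roles get assumed) can be automated. The following is an added example, not code from the issue or the CDK project: it scans `cdk deploy -v` output for the `Assuming role` lines shown in the log above and classifies bootstrap roles by their `cdk-<qualifier>-<kind>-role-<account>-<region>` naming; the function names and the second sample log are assumptions.

```typescript
// Added example (not from the issue): list the roles the CDK CLI assumed during a deploy.
type RoleKind = "deploy" | "file-publishing" | "image-publishing" | "lookup" | "other";
interface AssumedRole { arn: string; kind: RoleKind; qualifier?: string }

// Verbose log line format as shown in the issue.
const ASSUME_LINE = /Assuming role '(arn:aws[\w-]*:iam::\d+:role\/([^']+))'/;
// Bootstrap role naming: cdk-<qualifier>-<kind>-role-<account>-<region>
const BOOTSTRAP_NAME =
  /^cdk-([a-z0-9]+)-(deploy|file-publishing|image-publishing|lookup)-role-\d+-[a-z0-9-]+$/;

function assumedRoles(log: string): AssumedRole[] {
  const seen = new Map<string, AssumedRole>(); // de-duplicate by ARN
  for (const line of log.split(/\r?\n/)) {
    const m = ASSUME_LINE.exec(line);
    if (!m) continue;
    const arn = m[1]!;
    const b = BOOTSTRAP_NAME.exec(m[2]!);
    seen.set(arn, b ? { arn, kind: b[2] as RoleKind, qualifier: b[1]! } : { arn, kind: "other" });
  }
  return Array.from(seen.values());
}

// A stack that is meant to deploy purely on CLI credentials should assume no role.
function usesCliCredentialsOnly(log: string): boolean {
  return assumedRoles(log).length === 0;
}

// Sample 1: lines copied from the issue's verbose log (flag not set).
const FLAG_UNSET_LOG = [
  "[17:17:19] Checking for previously published assets",
  "[17:17:19] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-deploy-role-01234567890-us-east-1'.",
  "[17:17:20] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-file-publishing-role-01234567890-us-east-1'.",
  "[17:17:24] Assuming role 'arn:aws:iam::01234567890:role/cdk-hnb659fds-lookup-role-01234567890-us-east-1'.",
  "[17:17:30] bucketstack: deploying...",
].join("\n");

// Sample 2: constructed for illustration, a run in which no role is assumed.
const CLI_CREDS_LOG = [
  "[17:17:19] Retrieved account ID 01234567890 from disk cache",
  "[17:17:30] bucketstack: deploying...",
].join("\n");

for (const s of [{ name: "flag unset", log: FLAG_UNSET_LOG }, { name: "CLI creds", log: CLI_CREDS_LOG }]) {
  const roles = assumedRoles(s.log).map((r) => `${r.kind}: ${r.arn}`);
  console.log(s.name, usesCliCredentialsOnly(s.log) ? "OK: no roles assumed" : roles);
}
```

The CloudFormation execution role is handed to CloudFormation rather than assumed by the CLI, so it does not appear in these lines and has to be checked on the stack itself.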