Cross-region/account references #49
Comments
|
Use case: cross-region replication in combination with encryption.
For replication, the IAM role must must reference both buckets (local reference + one-way cross-stack reference) To add encryption, the role must also reference the KMS Key, and the KMS key must also reference the role (bidirectional reference between stacks!) |
|
Note to self: if we build an ARN from a well-known name, we must not forget to manually add a dependency between the resources involved. Probably, we should just link references between resources, which may then automatically translate into references between stacks. |
|
Use case: cross-account CodePipeline. Below is an example of a hacky way of defining a cross-account CodePipeline using CDK code today. import { AccountPrincipal, App, ArnPrincipal, PolicyStatement, Stack } from 'aws-cdk';
import * as cp from 'aws-cdk-codepipeline';
import * as cb from 'aws-cdk-codebuild';
import * as cc from 'aws-cdk-codecommit';
import * as s3 from 'aws-cdk-s3';
import * as iam from 'aws-cdk-iam';
import * as kms from 'aws-cdk-kms';
import { codecommit } from 'aws-cdk-resources';
import { HackyIdentity } from "./hacky-identity";
const app = new App(process.argv);
const pipelineAcc = '123456789012';
/*************** the CodeCommit Repository Stack *************************/
const repoAcc = '012345678901';
const repoAccStack = new Stack(app, 'OtherAccStack', {
env: {
account: repoAcc,
}
});
const repoName = 'CrossAccountNewRepo';
new cc.Repository(repoAccStack, 'OtherAccRepo', {
repositoryName: repoName,
});
const repoRole = new iam.Role(repoAccStack, 'OtherAccRole', {
roleName: 'CrossAccountRole',
assumedBy: new AccountPrincipal(pipelineAcc),
});
repoRole.addToPolicy(new PolicyStatement()
.addAllResources()
.addActions('s3:*', 'codecommit:*', 'kms:*'));
const repoRoleArn = `arn:aws:iam::${repoAcc}:role/CrossAccountRole`;
/*************** the Pipeline Stack *************************/
const pipelineStack = new Stack(app, 'CrossAccountMainStack');
const key = new kms.EncryptionKey(pipelineStack, 'CrossAccountKmsKey');
const artifactBucket = new s3.Bucket(pipelineStack, 'CrossAccountPipelineBucket', {
bucketName: 'codepipeline-us-west-2-cross-account-code-pipeline-bucket',
encryptionKey: key,
encryption: s3.BucketEncryption.Kms,
});
artifactBucket.grantReadWrite(
new HackyIdentity(new ArnPrincipal(repoRoleArn)));
const pipeline = new cp.Pipeline(pipelineStack, 'CrossAccountPipeline', {
pipelineName: 'CrossAccountPipeline',
artifactBucket: artifactBucket,
});
pipeline.addToRolePolicy(new PolicyStatement()
.addResource(repoRoleArn)
.addActions('sts:AssumeRole'));
const sourceStage = new cp.Stage(pipeline, 'Source');
const sourceAction = new cp.CodeCommitSource(sourceStage, 'Source', {
artifactName: 'SourceOutput',
repository: cc.RepositoryRef.import(pipelineStack, 'ImportedRepo', {
repositoryName: new codecommit.RepositoryName(repoName)
}),
roleArn: repoRoleArn,
});
const buildStage = new cp.Stage(pipeline, 'Build');
const codeBuildProject = new cb.BuildProject(pipelineStack, 'CrossAccountBuildProject', {
source: new cb.CodePipelineSource(),
artifacts: new cb.CodePipelineBuildArtifacts(),
environment: {
image: 'aws/codebuild/java:openjdk-8',
},
encryptionKey: key,
});
new cp.CodeBuildAction(buildStage, 'Build', {
source: sourceAction,
project: codeBuildProject,
});
process.stdout.write(app.run());(this required adding the field import * as iam from 'aws-cdk-iam';
import { PolicyPrincipal, PolicyStatement } from 'aws-cdk';
class HackyIdentity implements iam.IIdentityResource {
public readonly principal: PolicyPrincipal;
constructor(principal: PolicyPrincipal) {
this.principal = principal;
}
attachManagedPolicy(_: any): void {
}
attachInlinePolicy(_: iam.Policy): void {
}
addToPolicy(_: PolicyStatement): void {
}
}) As can bee seen, I had to:
The dream experience would be something like: // in the CodeCommit account / stack
const repository = new cc.Repository(repoAccStack, 'OtherAccRepo', {
repositoryName: 'SomeName',
// ...
});
// in the CodePipeline account / stack
new cp.CodeCommitSource(sourceStage, 'Source', {
artifactName: 'SourceOutput',
repository: repository,
});
// At this moment, the L2 CodePipeline construct notices that the Repository
// passed as the argument when constructing the `CodeCommitSource` is not from the same account as the Pipeline.
// In this case, it add the appropriate Role in the CodeCommit stack,
// adds the permissions for the CodePipeline Role to assume it,
// and makes sure that Role has access to the Pipeline's S3 Bucket,
// as well as the CodeCommit repository itself,
// and then sets it as the Role used in this Action.I'm not sure how realistic it is to get this experience, |
|
Obligatory mention of #233, which defines a nice and general solution which also encompasses x-stack references. |
|
Yes, you're completely right. I have some cross-stack action going on right now and I'm having to do the same things. Just know that we're thinking about it & working on it! :) As a general comment: in general we recommend defining a |
|
@rix0rrr wrote: Right now, if we're referencing objects between stacks, we can't use This breaks abstraction because you now need to know (when consuming a resource) whether it's a same-stack or a cross-stack resource. I propose we build this concept into the framework (potentially at the L2 level): we'll introduce a new type of Now, if the
Doing this (as opposed to some Output/Export system, potentially involving Toolkit Context Providers) has the advantage that we can avoid ordering between stack deployments, which has two benefits:
There is the downside that potential changes in naming aren't automatically propagated/signaled to the user. For Exports, you would be PREVENTED from changing anything that a downstream stack depends on, such as a resource name. (For Outputs or SSM parameters there is no such constraint I think). |
|
The previous comment was written at a time where Stacks were front and center, but everything gets so much better if we automatically slice stacks. When just build a more generic object graph (#233) and slice it down to stacks, we can do the work to transparently make this work at that point. |
|
Agreed (just captured for posterity), however, even if we automatically slice stacks, there still needs to be a mechanism that resolves these cross-stack references, be them explicit or implicit |
|
Use case: Route53 hostname records in a shared hosted zone
The challenge is that account A is using a different profile than account B in ~/.aws/credentials so AWS CDK would need to access both profiles to retrieve the distribution domain names. |
In realation aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role’s will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
|
Use case: I just hit this limitation by doing: And received this error: Having "EdgeStack" in This currently is somewhat blocking. Is there any workaround currently? |
|
There is not, unfortunately. You're going to have to thread the API URL across regions manually. That means:
There are a number of ways you could do this, and honestly I'm not sure which one to recommend. I guess a pragmatic one would be to use |
|
You could do it automatically using a Lambda-backed Custom Resource in |
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
|
@skinny85 Changes have been made since July. cp.CodeCommitSource no longer exists. Is there still a way to set the role arn for a PipelineSourceAction? I am accessing a repo in a different AWS account. |
|
Hey @briannab12 , currently, there is no way to do that. If you're using TypeScript, the following hack should work: (sourceAction as any)['role'] = yourRole;We're working on this experience as we speak, and we hope to make it awesome - see the #1924 PR for details. Thanks, |
|
Here are the specifics of my circumstances: |
@kennu did you find a workaround? |
@eladb Since this issue is now closed, do we have a solution for the above use case? I am trying something similar: having a public hosted zone in one account delegate to a public hosted zone in another account. |
|
@eladb Can you offer some insights into why this issue was closed? A good generic solution would have taken CDK to the next level (IMHO). |
|
It looks like the project is trying to get around Cloudformation's native limitation: it can't read outputs from another account/region. Having this functionality in Cloudformation would be a perfect world. Meanwhile, cdk can deal with the env variable, contexts, config files - why not make stacks outputs automatically available for subsequent stages in a known artifact? |
|
@OperationalFallacy I agree, and we have a feature request already for that functionality: #8566 . Thanks, |
I am having a similar problem currently, has anyone tried to solve it using custom resources and cdk? A custom resource that calls lambda which is able to access the parent host zone and add records from stack A and B? |
|
Cdk has now a construct to add records with lambda, and it works well with pipelines |
Thank you for your reply! It works well! |
We were in the progress of defining how to transparently make this work.
Tracking it here because it's one of the most important things to pick up post-release.
The text was updated successfully, but these errors were encountered: