feat(cdk): introduce the new cfn-changeset-review-role for the diff command #30568
Conversation
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…aws-cdk into diff-changeset-role
…ff-changeset-role
github-actions
bot
added
bug
sakurai-ryo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
added
the
pr/needs-cli-test-run
| @@ -620,7 +620,9 @@ export async function installNpmPackages(fixture: TestFixture, packages: Record< | |||
| }, undefined, 2), { encoding: 'utf-8' }); | |||
|
|
|||
| // Now install that `package.json` using NPM7 | |||
| await fixture.shell(['node', require.resolve('npm'), 'install']); | |||
| const isRepoMode = !!process.env.REPO_ROOT; | |||
| const npmPath = isRepoMode ? path.join(__dirname, 'package-sources/repo-tools/npm') : require.resolve('npm'); | |||
There was a problem hiding this comment.
The require.resolve function searches under the node_modules, so we were not able to use fake npm to use local packages.
|
|
||
| // IMAGE_COPIES env variable is used to test maximum number of ECR repositories allowed. | ||
| const IMAGE_COPIES = Number(process.env.IMAGE_COPIES) ?? 1; | ||
| const IMAGE_COPIES = Number(process.env.IMAGE_COPIES) || 1; |
There was a problem hiding this comment.
If we use ??, the right side will not be returned if Number(~) returns NaN when the IMAGE_COPIES is undefined.
| @@ -355,7 +354,6 @@ async function uploadBodyParameterAndCreateChangeSet(options: PrepareChangeSetOp | |||
| bodyParameter, | |||
| parameters: options.parameters, | |||
| resourcesToImport: options.resourcesToImport, | |||
| role: executionRoleArn, | |||
There was a problem hiding this comment.
Because CloudFormation cannot assume the cfn-changeset-review-role.
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
@Mergifyio update |
✅ Branch has been successfully updated |
|
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error. |
aws-cdk-automation
added
the
closed-for-staleness
scanlonp
added
pr-linter/do-not-close
…d large templates (#31597) Closes #29936 ### Reason for this change When running `cdk diff` on larger templates, the CDK needs to upload the diff template to S3 to create the ChangeSet. However, the CLI is currently not using the the [file asset publishing role](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L275) to do so and is instead using the IAM user/role that is configured by the user in the CLI - this means that if the user/role lacks S3 permissions then the `AccessDenied` error is thrown and users cannot see a full diff. ### Description of changes This PR ensures that the `FileAssetPublishingRole` is used by `cdk diff` to upload assets to S3 before creating a ChangeSet by: - Deleting the `makeBodyParameterAndUpload` function which was using the deprecated `publishAssets` function from [deployments.ts](https://github.com/aws/aws-cdk/blob/4b00ffeb86b3ebb9a0190c2842bd36ebb4043f52/packages/aws-cdk/lib/api/deployments.ts#L605) - Building and Publishing the template file assets inside the `uploadBodyParameterAndCreateChangeSet` function within `cloudformation.ts` instead ### Description of how you validated changes Integ test that deploys a simple CDK app with a single IAM role, then runs `cdk diff` on a large template change adding 200 IAM roles. I asserted that the logs did not contain the S3 access denied permissions errors, and also contained a statement for assuming the file publishing role. Reused the CDK app for the integ test from this [PR](#30568) by @sakurai-ryo which tried fixing this issue by adding another Bootstrap role (which we decided against). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ff-changeset-role
…aws-cdk into diff-changeset-role
sakurai-ryo
had a problem deploying
to
test-pipeline
GitHub Actions
Failure
|
The pull request linter fails with the following errors: PRs must pass status checks before we can provide a meaningful review. If you would like to request an exemption from the status checks or clarification on feedback, please leave a comment on this PR containing |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #29767
Closes #29936
Reason for this change
The
cdk diffcommand needs to assume the deploy-role to create the changeset, but thedeploy-rolehas strong privileges, such as deleting the cfn stack.Granting developers the ability to be able to assume the
deploy-roleto use thecdk diffcommand is a problem that some organizations should avoid.To avoid this, creating a new role in the Bootstrapping process with only limited privileges is necessary to avoid using the
deploy-rolewhen using thecdk diffcommand.Description of changes
Introducing a new role
Introduce a new
cfn-changeset-review-roleand give thecdk diffcommand the permissions it needs to create changesets.With this change, the required roles for each operation are as follows
The
cfn-changeset-review-rolehas the following permissions.The
cloud-assembly-schemais modified to allow users to use this role.It will be added to
manifest.jsonin the same format as the existinglookup-role.Retaining the role's Arn and the
requiresBootstrapStackVersionwill help if permissions are changed in the future.Change behavior when executing `cdk diff
Currently, we assume to
deploy-rolebefore creating the changeset, but changing it to assume to the newchangeset-role.If for some reason it is not possible to assume to
changeset-role, it will fall back to assume thedeploy-role.For example, when
changeset-roledoes not exist.This allows the
cdk diffto work in environments without the latest Bootstrap version.app-staging-synthesizer module
With the introduction of the new
changeset-role, I modified theapp-staging-synthesizermodule so that it can be used in the same way.Description of how you validated changes
Added cli-integ test to verify successful upload of cfn template and creation of changeset using the new role, plus several other unit tests.
Others
I created a new PR because a previously created PR was deemed abandoned after an Exemption Request was submitted.
#30329
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license