aws-quickstart / cdk-eks-blueprints

AWS Quick Start Team
Apache License 2.0

Pipelines: cross-account deployment needs shared KMS #384

Closed youngjeong46 closed 2 years ago

youngjeong46 commented 2 years ago

Describe the bug

I'm leveraging cross-account deployment using pipelines as follows, and have bootstrapped with the correct permissions:

blueprints.CodePipelineStack.builder()
      .name("eks-blueprints-pipeline-test")
      .owner("youngjeong46")
      .repository({
          repoUrl: 'eks-blueprints-pipeline-test',
          credentialsSecretName: 'github-token',
          targetRevision: 'main'
      })
      .wave({
        id: 'dev',
        stages: [
          { id: "dev-1", stackBuilder: blueprint.clone('us-east-1')},
          { id: "dev-2", stackBuilder: blueprint.clone('us-west-2')},
        ]
      })
      .wave({
        id: "prod",
        stages: [
          { id: "west-1", stackBuilder: blueprint.clone('us-east-1', prodAccount)},
        ]
      })
      .build(scope, id + '-stack', props);

When I try deploying, the cdk produces the error needing either a bucket with a key or a shared KMS cross-account key (needed when creating the cross-account Artifact bucket).

Expected Behavior

Deploy as intended (dev into the current account, and prod to a designated prod account)

Current Behavior

The following error occurs:

/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts:726
        throw new Error(
              ^
Error: Artifact Bucket must have a KMS Key to add cross-account action 'Prepare' (pipeline account: '661554271967', action account: '181460066119'). Create Pipeline with 'crossAccountKeys: true' (or pass an existing Bucket with a key)
    at Pipeline.getRoleFromActionPropsOrGenerateIfCrossAccount (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts:726:15)
    at Pipeline.getRoleForAction (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts:698:27)
    at Pipeline._attachActionToPipeline (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts:529:29)
    at Stage.attachActionToPipeline (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/private/stage.ts:155:27)
    at Stage.addAction (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/aws-codepipeline/lib/private/stage.ts:93:29)
    at Object.produceAction (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.ts:572:15)
    at CodePipeline.pipelineStagesAndActionsFromGraph (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.ts:428:36)
    at CodePipeline.doBuildPipeline (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/pipelines/lib/codepipeline/codepipeline.ts:377:10)
    at CodePipeline.buildPipeline (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/pipelines/lib/main/pipeline-base.ts:120:10)
    at CodePipeline.buildJustInTime (/Users/yojeo/src/kubernetes/eks-blueprints-pipeline-test/node_modules/aws-cdk-lib/pipelines/lib/main/pipeline-base.ts:134:12)

Subprocess exited with error 1

Reproduction Steps

See Above

Possible Solution

As described here, the key should be enabled across accounts by passing the following prop value when instantiating a new CodePipeline: crossAccountKeys: true.

Additional Information/Context

No response

CDK CLI Version

2.20.0

EKS Blueprints Version

1.0.0

Node.js Version

v16.13.2

Environment details (OS name and version, etc.)

MacOS 10.15.7

Other information

No response
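The rule behind the error above is simple: CDK Pipelines refuses to add a deployment action whose target account differs from the pipeline account unless the artifact bucket has a KMS key, which is what crossAccountKeys: true provides. As an added example (not code from eks-blueprints or aws-cdk-lib; the type and function names are hypothetical and the account ids are placeholders), a pre-flight check that walks the waves from the issue and reports which stages make the cross-account key necessary:

```typescript
// Added example, not project code. Mirrors the CDK Pipelines rule from this issue:
// any stage deployed to an account other than the pipeline's own account is a
// cross-account action and requires the pipeline to be built with
// crossAccountKeys: true (a customer-managed KMS key on the artifact bucket,
// which also carries a monthly KMS charge, so only enable it when needed).

// One stage of a wave; `account` is omitted when the stage targets the pipeline
// account, mirroring blueprint.clone(region) vs blueprint.clone(region, account).
interface Stage { id: string; region: string; account?: string }
interface Wave { id: string; stages: Stage[] }

interface CrossAccountReport {
  crossAccountKeys: boolean;     // value to pass when creating the CodePipeline
  crossAccountStages: string[];  // "<wave>/<stage> -> <account>" for each offender
}

// Hypothetical helper name: decide before synth whether crossAccountKeys is required.
function checkCrossAccountKeys(pipelineAccount: string, waves: Wave[]): CrossAccountReport {
  const crossAccountStages: string[] = [];
  for (const wave of waves) {
    for (const stage of wave.stages) {
      // A stage without an explicit account deploys into the pipeline account.
      const target = stage.account ?? pipelineAccount;
      if (target !== pipelineAccount) {
        crossAccountStages.push(`${wave.id}/${stage.id} -> ${target}`);
      }
    }
  }
  return { crossAccountKeys: crossAccountStages.length > 0, crossAccountStages };
}

// Constructed sample mirroring the waves in the issue; account ids are placeholders.
const PIPELINE_ACCOUNT = "111111111111";
const PROD_ACCOUNT = "222222222222";
const sampleWaves: Wave[] = [
  { id: "dev", stages: [
    { id: "dev-1", region: "us-east-1" },
    { id: "dev-2", region: "us-west-2" },   // different region, same account: no key needed
  ] },
  { id: "prod", stages: [
    { id: "west-1", region: "us-east-1", account: PROD_ACCOUNT },  // cross-account
  ] },
];

const report = checkCrossAccountKeys(PIPELINE_ACCOUNT, sampleWaves);
console.log(report);  // crossAccountKeys: true, crossAccountStages: ["prod/west-1 -> 222222222222"]
```

Running the check over a dev-only wave list returns crossAccountKeys: false, so the cheaper default can be kept until a second account is actually added.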

jyidiego commented 2 years ago

@youngjeong46 Hi, so I think this is an easy fix. If you could call it like:

blueprints.CodePipelineStack.builder()
      .name("eks-blueprints-pipeline-test")
      .owner("youngjeong46")
      .repository({
          repoUrl: 'eks-blueprints-pipeline-test',
          credentialsSecretName: 'github-token',
          targetRevision: 'main'
      })
      .enableCrossAccountKeys()
...

Would that work for you?

youngjeong46 commented 2 years ago

@jyidiego I was thinking something similar - if you are working on a PR feel free to proceed. Otherwise I can implement the bug fix.

jyidiego commented 2 years ago

Cool. I'll do that, good chance to get my feet wet. :-)

shapirov103 commented 2 years ago

Closed as we were able to verify the cross-account use case. @jyidiego please feel free to reopen if you observe an issue with cross-account keys on 1.2+