aws-samples / automate-cross-account-cicd-cfn-cdk

MIT No Attribution
70 stars 24 forks

[FYI] CDK Version 2 synthesizes a 'BootstrapVersion' CFN Parameter #3

Closed tennantje closed 1 year ago

tennantje commented 2 years ago

Issue: Whilst I'm mindful that this sample repository was created for CDKv1, the CodePipeline Deploy_Uat and Deploy_Prod stages fail after upgrading to CDKv2.

Cause: CDK (v2) synth creates a new BootstrapVersion parameter for generated CFN templates:

```json
"BootstrapVersion": {
  "Type": "AWS::SSM::Parameter::Value<String>",
  "Default": "/cdk-bootstrap/XXXXXXXXX/version",
  "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
```

Solution: Prod and UAT environments need to be CDK bootstrapped. Otherwise CDK's SSM parameter doesn't exist in deployment accounts, and the pipeline fails. The CloudFormationDeploymentRole also needs permissions to read from SSM parameter store.

A potential alternative solution is to override the CDK synthesizer discussed here.

From CloudTrail:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "XXXXXXXXXXXXX:AWSCloudFormation",
        "arn": "arn:aws:sts::XXXXXXXXXXXXX:assumed-role/CloudFormationDeploymentRole/AWSCloudFormation",
        "accountId": "XXXXXXXXXXXXX",
        "accessKeyId": "XXXXXXXXXXXXX",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "XXXXXXXXXXXXX",
                "arn": "arn:aws:iam::XXXXXXXXXXXXX:role/CloudFormationDeploymentRole",
                "accountId": "XXXXXXXXXXXXX",
                "userName": "CloudFormationDeploymentRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-03-20T04:54:58Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2022-03-20T04:54:58Z",
    "eventSource": "ssm.amazonaws.com",
    "eventName": "GetParameters",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "requestParameters": {
        "names": [
            "/cdk-bootstrap/XXXXXXXXX/version"
        ]
    },
    "responseElements": null,
    "requestID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "eventID": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "readOnly": true,
    "resources": [
        {
            "accountId": "XXXXXXXXXXXXX",
            "ARN": "arn:aws:ssm:ap-southeast-2:XXXXXXXXXXXXX:parameter/cdk-bootstrap/XXXXXXXXX/version"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXXX",
    "eventCategory": "Management"
}
```

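
The check described in the comment above, as an added example that is not part of the issue or the sample repository: it inspects a synthesized template for SSM-backed parameters such as BootstrapVersion, tells you whether the target account therefore has to be CDK-bootstrapped, and derives the narrowest ssm:GetParameters statement the CloudFormationDeploymentRole needs. The template, account id and region are constructed; hnb659fds is CDK's default bootstrap qualifier.

```python
"""Detect CDK v2 bootstrap lookups in a synthesized CFN template and derive
the least-privilege SSM read permission the deployment role needs."""
import json
import re

SSM_PARAM_TYPE = "AWS::SSM::Parameter::Value<String>"
BOOTSTRAP_RE = re.compile(r"^/cdk-bootstrap/[A-Za-z0-9]+/version$")

# Constructed sample: the Parameters section CDK v2 emits (qualifier is the CDK default).
SAMPLE_TEMPLATE = {
    "Parameters": {
        "BootstrapVersion": {
            "Type": SSM_PARAM_TYPE,
            "Default": "/cdk-bootstrap/hnb659fds/version",
            "Description": "Version of the CDK Bootstrap resources in this environment, "
                           "automatically retrieved from SSM Parameter Store. [cdk:skip]",
        }
    },
    "Resources": {},
}


def ssm_parameter_lookups(template):
    """SSM parameter names CloudFormation resolves at deploy time using the deployment role."""
    return [
        p["Default"]
        for p in template.get("Parameters", {}).values()
        if p.get("Type") == SSM_PARAM_TYPE and "Default" in p
    ]


def needs_cdk_bootstrap(template):
    """True if the target account must be bootstrapped for this template to deploy."""
    return any(BOOTSTRAP_RE.match(name) for name in ssm_parameter_lookups(template))


def ssm_read_statement(template, account_id, region):
    """IAM statement allowing ssm:GetParameters on exactly the parameters the template reads."""
    arns = [
        f"arn:aws:ssm:{region}:{account_id}:parameter{name}"
        for name in ssm_parameter_lookups(template)
    ]
    return {"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": arns}


if __name__ == "__main__":
    print("bootstrap required:", needs_cdk_bootstrap(SAMPLE_TEMPLATE))
    print(json.dumps(ssm_read_statement(SAMPLE_TEMPLATE, "111111111111", "ap-southeast-2"), indent=2))
```

Run it against the output of `cdk synth` for each stage to confirm the parameter is present before the pipeline reaches the cross-account deploy step.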
natalie-white-aws commented 2 years ago

This is interesting... I haven't done much with CDK v2 but one of the nice things about this solution as originally written is that one does not have to bootstrap the CDK in the target accounts. I'll have to take a look at this and see if there's a way to keep that advantage even if it's upgraded. I don't have an ETA but wanted you to know I saw it and will have to research. Thanks for calling this out.

zachgoll commented 2 years ago

From what I've been reading, it sounds like V2 might have native support for the cross-account deployments, which would eliminate the need for those circular scripts at the beginning (at least from my understanding). Yes, you need to bootstrap in each target account, but I'm thinking with a stack-set + Organizations it wouldn't be too bad.

Just curious, are there any plans to update (possibly on a separate branch) this repo to use the CDK V2? No worries if not, learned a ton from this presentation and appreciate the repo as a reference!

natalie-white-aws commented 2 years ago

Short answer: yes, I would like to, because I don't want customers to have to stick with CDK v1 just to use the solution. However, CDK Pipelines isn't always a good fit, in this case when the roles need to be managed outside of / by a separate team than the CDK code, or if you want to use a specific KMS key or S3 bucket. That's why I want to explore one of the mechanisms you suggested to prevent myself from having to bootstrap in every account, and continue to demonstrate the way CFN and CDK can work together to allow collaboration across dev / non-dev skill sets (covered more in the YouTube video than the README here).

If you'd like to give it a shot feel free to create a PR! Otherwise this will be on my backlog TBD :)

zachgoll commented 2 years ago

Totally understandable! I actually went ahead and tested out the stack-set idea that I outlined above, and it works really well, especially in the scope of AWS Organizations + ControlTower (which we use). Have an admin go in and run the stack-set once, and then the dev team can do their work without any further steps!

Given that CDK V1.x goes into maintenance mode on June 1st, I'm wondering if it might be helpful to folks to have a short note at the top of the README linking to the "modern" bootstrap template?

I think the talk definitely still applies to CDK 2.x and wouldn't want this small detail getting in the way of that! Thanks again for putting all this together!

natalie-white-aws commented 1 year ago

Finally upgraded to CDK v2 due to critical security vulnerabilities. Thanks for engaging!