aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

pipelines: creates cross account support stack even though the action has cross account role defined #22220

Open knovichikhin opened 2 years ago

knovichikhin commented 2 years ago

Describe the bug

This pipeline downloads source from a different account using an existing cross-account role. In this case, there should be no need for a cross-account support stack. However, the pipeline generates one for the CodeCommit account.

It appears that the role is not assigned to the Source stage action, which is what could be triggering the support stack creation.

Expected Behavior

Expecting that cross-account-support-stack-CODE_COMMIT_ACCOUNT does not need to be created, since the action already has a cross-account role.

Current Behavior

CDK adds a cross-account-support-stack-CODE_COMMIT_ACCOUNT stack and tries to deploy it during the SelfMutate stage.

Reproduction Steps

import * as cdk from 'monocdk';
import * as codecommit from 'monocdk/aws-codecommit';
import * as iam from 'monocdk/aws-iam';
import * as codepipeline_actions from 'monocdk/aws-codepipeline-actions';
import * as pipelines from 'monocdk/pipelines';

export class PipelineStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // The CodeCommit repository lives in a different account than the pipeline.
        const codeCommitAccount = '111111111111';

        // Pre-provisioned role in the CodeCommit account; imported as immutable so CDK
        // does not try to attach policies to it.
        const sourceAccessRole = iam.Role.fromRoleArn(this, 'SourceAccessRole',
            `arn:aws:iam::${codeCommitAccount}:role/alreadyCreatedRoleForThisAccount`, { mutable: false });

        const codeCommitRepository = codecommit.Repository.fromRepositoryArn(this, 'Repository',
            `arn:aws:codecommit:us-west-2:${codeCommitAccount}:repository`);

        const synthAction = new pipelines.CodeBuildStep('Synth', {
            input: pipelines.CodePipelineSource.codeCommit(
                codeCommitRepository,
                'branch',
                {
                    trigger: codepipeline_actions.CodeCommitTrigger.EVENTS,
                    // Only the EventBridge rule gets the cross-account role; the Source action itself does not.
                    eventRole: sourceAccessRole
                }
            ),
            installCommands: [
                'npm ci',
            ],
            commands: [
                'npm run build',
                'npx cdk synth --verbose',
            ],
            // I added this here to see if the Source stage would use this role. But that does not seem to be the case.
            role: sourceAccessRole
        });

        const pipeline = new pipelines.CodePipeline(this, 'Pipeline', {
            pipelineName: 'PipelineName',
            synth: synthAction,
            // Required for cross-account actions: the artifact bucket gets a KMS key.
            crossAccountKeys: true,
        });
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.42.0 (build 7d8ef0b)

Framework Version

1.140.0

Node.js Version

v14.18.1

OS

MacOS 12.5.1

Language

Typescript

Language Version

TypeScript (3.9.10)

Other information

No response

knovichikhin commented 2 years ago

I tracked it down to this code:

https://github.com/aws/aws-cdk/blob/ffd3d2da9af6230f37f8df533a6a3bca88735201/packages/%40aws-cdk/pipelines/lib/codepipeline/codepipeline-source.ts#L473-L495

When the pipeline creates the Source action out of the CodePipelineSource, it does not provide a role. One potential fix is to expose the action role as a property of CodeCommitSourceOptions.

l3ku commented 1 year ago

Any updates on this? I'm facing the same issue when I would like to use an existing role for the Source action for cross-account access to a CodeCommit repository in a different AWS account. Seems like currently the only way to work around this would be to implement a custom child class of CodePipelineSource that allows passing the action role.