aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-cdk-lib): Deploy/Bootstrap Failed Due to Existing Roles #25109

Closed NewReactDev2954 closed 1 year ago

NewReactDev2954 commented 1 year ago

Describe the bug

After reverting CDK v2 implementation to address environment issues, when redeploying I receive an error stating that the roles created during the initial deployment already exist. I am unable to delete these policies due to our company's IAM restrictions.

Expected Behavior

If a role or another resource exists and creation fails, CDKToolkit should assume the role or link the other resource rather than failing the bootstrap and deployment.

Current Behavior

Bootstrapping environment aws://{{accountID}}/us-east-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
CDKToolkit | 0/12 | 10:07:11 PM | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit | 0/12 | 10:07:16 PM | CREATE_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit User Initiated
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | LookupRole
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::SSM::Parameter | CdkBootstrapVersion
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::S3::Bucket | StagingBucket
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | LookupRole cdk-hnb659fds-lookup-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole cdk-hnb659fds-cfn-exec-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole cdk-hnb659fds-file-publishing-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole cdk-hnb659fds-image-publishing-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::ECR::Repository | ContainerAssetsRepository Resource creation cancelled
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::S3::Bucket | StagingBucket Resource creation cancelled
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::SSM::Parameter | CdkBootstrapVersion Resource creation cancelled
CDKToolkit | 0/12 | 10:07:23 PM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit The following resource(s) failed to create: [ImagePublishingRole, FilePublishingRole, CdkBootstrapVersion, LookupRole, StagingBucket, CloudFormationExecutionRole, ContainerAssetsRepository]. Rollback requested by user.
CDKToolkit | 1/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::IAM::Role | ImagePublishingRole
CDKToolkit | 2/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::IAM::Role | LookupRole
CDKToolkit | 3/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::IAM::Role | CloudFormationExecutionRole
CDKToolkit | 4/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::IAM::Role | FilePublishingRole
CDKToolkit | 5/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::ECR::Repository | ContainerAssetsRepository
CDKToolkit | 5/12 | 10:07:28 PM | DELETE_SKIPPED | AWS::S3::Bucket | StagingBucket
CDKToolkit | 6/12 | 10:07:28 PM | DELETE_COMPLETE | AWS::SSM::Parameter | CdkBootstrapVersion
CDKToolkit | 7/12 | 10:07:29 PM | ROLLBACK_COMPLETE | AWS::CloudFormation::Stack | CDKToolkit

Failed resources:
CDKToolkit | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | LookupRole cdk-hnb659fds-lookup-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole cdk-hnb659fds-cfn-exec-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole cdk-hnb659fds-file-publishing-role-{{accountID}}-us-east-1 already exists
CDKToolkit | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole cdk-hnb659fds-image-publishing-role-{{accountID}}-us-east-1 already exists
 ❌  Environment aws://{{accountID}}/us-east-1 failed bootstrapping: Error: The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: cdk-hnb659fds-lookup-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-cfn-exec-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-file-publishing-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-image-publishing-role-{{accountID}}-us-east-1 already exists
    at FullCloudFormationDeployment.monitorDeployment (/builds/{{projectPath}}/infra/node_modules/aws-cdk/lib/index.js:371:10236)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async /builds/{{projectPath}}/infra/node_modules/aws-cdk/lib/index.js:376:2104
    at async Promise.all (index 0)
    at async CdkToolkit.bootstrap (/builds/{{projectPath}}/infra/node_modules/aws-cdk/lib/index.js:376:1949)
    at async exec4 (/builds/{{projectPath}}/infra/node_modules/aws-cdk/lib/index.js:429:51795)

The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: cdk-hnb659fds-lookup-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-cfn-exec-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-file-publishing-role-{{accountID}}-us-east-1 already exists, cdk-hnb659fds-image-publishing-role-{{accountID}}-us-east-1 already exists
npm ERR! code ELIFECYCLE

Reproduction Steps

Deploy and bootstrap using CDK v2, revert changes, and redeploy.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.70.0

Framework Version

No response

Node.js Version

16.20.0

OS

Amazon Linux

Language

Typescript

Language Version

TypeScript (4.9.5)

Other information

No response

peterwoodworth commented 1 year ago

cdk bootstrap just deploys a CloudFormation template, see our bootstrapping documentation here for information on how it works, and how to customize your bootstrapping experience.

Since it's just deploying a template, it will try to create roles with the names that already exist in your account + region because they haven't been deleted. You have a few options here if you still need to bootstrap your account + region: modify the template such that you change the names of the roles that are created, remove the roles from the template that have already been created, or find a way to get permission to delete the roles.

If a role or another resource exists and creation fails, CDKToolkit should assume the role or link the other resource rather than failing the bootstrap and deployment.

When you bootstrap you are explicitly saying that you want the resources in the template to be created within your account. This is unrelated to your CDK app, so there is no role assumption or linking happening here, just resource creation.

I'm converting this to a discussion as that is the best place to continue this if you have any follow-up questions.
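A pre-flight check for the situation described in this thread, added here as an example; it is not part of the issue and not code from the aws-cdk project. It parses the CloudFormation event lines that `cdk bootstrap` prints, picks out the `CREATE_FAILED ... already exists` name collisions (as opposed to resources that were merely cancelled during rollback), and computes the physical role names a bootstrap with a given qualifier would try to create, so an operator can see which of the maintainer's options applies before re-running. The naming pattern `cdk-<qualifier>-<purpose>-role-<account>-<region>` is taken from the log lines on this page; calling the `hnb659fds` segment the "qualifier" is standard CDK terminology rather than something the thread states. The event lines and the account id `123456789012` are constructed sample input.

```python
import re

# Constructed sample of the event lines the CDK CLI prints during
# `cdk bootstrap`; the account id is a made-up placeholder.
SAMPLE_EVENTS = """\
CDKToolkit | 0/12 | 10:07:21 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | LookupRole
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | LookupRole cdk-hnb659fds-lookup-role-123456789012-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole cdk-hnb659fds-cfn-exec-role-123456789012-us-east-1 already exists
CDKToolkit | 0/12 | 10:07:22 PM | CREATE_FAILED | AWS::ECR::Repository | ContainerAssetsRepository Resource creation cancelled
CDKToolkit | 5/12 | 10:07:28 PM | DELETE_SKIPPED | AWS::S3::Bucket | StagingBucket
"""

# The four IAM roles in the default bootstrap template, keyed by the logical
# id shown in the event log, mapped to the "purpose" segment of the physical
# role name (both taken from the log lines in this issue).
BOOTSTRAP_ROLE_PURPOSES = {
    "CloudFormationExecutionRole": "cfn-exec",
    "FilePublishingRole": "file-publishing",
    "ImagePublishingRole": "image-publishing",
    "LookupRole": "lookup",
}

# Event line: "CDKToolkit | [n/m |] HH:MM:SS AM | STATUS | Type | LogicalId [reason]"
# The progress counter is absent in the "Failed resources:" summary block.
EVENT_RE = re.compile(
    r"^CDKToolkit \| (?:\d+/\d+ \| )?[\d:]+ [AP]M \| (?P<status>\w+) \| "
    r"(?P<rtype>[\w:]+) \| (?P<logical>\w+)(?: (?P<reason>.*))?$"
)
EXISTS_RE = re.compile(r"^(?P<physical>\S+) already exists$")


def bootstrap_role_name(purpose: str, qualifier: str, account: str, region: str) -> str:
    """Physical name the default bootstrap template gives one role."""
    return f"cdk-{qualifier}-{purpose}-role-{account}-{region}"


def expected_role_names(qualifier: str, account: str, region: str) -> dict:
    """Logical id -> physical name for every role the template would create."""
    return {
        logical: bootstrap_role_name(purpose, qualifier, account, region)
        for logical, purpose in BOOTSTRAP_ROLE_PURPOSES.items()
    }


def already_exists_failures(log_text: str) -> dict:
    """Return {logical id: physical name} for each CREATE_FAILED caused by a
    name collision. Cancelled or skipped resources are side effects of the
    rollback, not collisions, and are ignored."""
    found = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["status"] != "CREATE_FAILED" or not m["reason"]:
            continue
        e = EXISTS_RE.match(m["reason"])
        if e:
            found[m["logical"]] = e["physical"]
    return found


def collisions_for_qualifier(log_text: str, qualifier: str, account: str, region: str) -> list:
    """Logical ids of roles that would still collide with the leftover roles
    seen in the log if the environment were bootstrapped with `qualifier`."""
    existing = set(already_exists_failures(log_text).values())
    planned = expected_role_names(qualifier, account, region)
    return sorted(logical for logical, name in planned.items() if name in existing)


if __name__ == "__main__":
    account, region = "123456789012", "us-east-1"
    leftovers = already_exists_failures(SAMPLE_EVENTS)
    print("Roles left over from the earlier bootstrap (live principals, inventory them):")
    for logical, physical in leftovers.items():
        print(f"  {logical}: {physical}")
    for q in ("hnb659fds", "team2024a"):
        clash = collisions_for_qualifier(SAMPLE_EVENTS, q, account, region)
        print(f"qualifier {q!r}: {'collides on ' + ', '.join(clash) if clash else 'no collisions'}")
```

Two points worth keeping in mind when acting on the output. First, the roles that "already exist" are not just a naming clash: the earlier bootstrap gave the execution role whatever policy was passed (the log above shows the default `AdministratorAccess`), so a role you cannot delete is still a live privileged principal and belongs in your IAM inventory. Second, bootstrapping under a different qualifier only works if the CDK app synthesizes against the same qualifier (the CDK CLI's `--qualifier` option and the app-side `@aws-cdk/core:bootstrapQualifier` context key exist for this; they are documented CDK behaviour not mentioned in this thread), otherwise deployments will look for the `hnb659fds` roles that the renamed bootstrap never created.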