aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

app-staging-synthesizer: cross-account support #26634

Open tenjaa opened 1 year ago

tenjaa commented 1 year ago

Describe the feature

I do not see an option to add a trust relationship to the roles created by the new app-staging-synthesizer. But they are required to provide a similar experience to the current default bootstrap for cross-account deployments.

Use Case

We have three accounts: dev, prod and one for the pipeline

Proposed Solution

I think adding an array of trusted accounts to https://github.com/aws/aws-cdk/blob/a35fcc59b227cc6151c50ebd04a7b9f9fb3bc189/packages/%40aws-cdk/app-staging-synthesizer-alpha/lib/default-staging-stack.ts#L45 might work. IPrincipal[] could be used.

Then adding a CompositePrincipal with the account and the added trusted accounts should be enough.

Other Information

No response

Acknowledgements

CDK version used

-

Environment details (OS name and version, etc.)

-

pahud commented 1 year ago

Thank you for your PR. Can you elaborate more about your use case?

tenjaa commented 1 year ago

We have three accounts: pipeline, dev and prod. With the current bootstrap, we can bootstrap dev and prod with the flag --trust pipeline.

The buildjob in the pipeline looks like:

npx cdk synth
npx cdk-assets publish -p cdk.out/DevAppStack.assets.json
npx cdk-assets publish -p cdk.out/ProdAppStack.assets.json

The x.assets.json file has the dev/prod account set as destination, and there is also the prop assumeRoleArn which tells cdk-assets to assume the role in the dev/prod account from the pipeline account. Giving the buildjob-role the rights to assume that role is easy. But the resource-based policy of the roles in the dev/prod account does not allow the buildjob-role to assume them.

With this PR, they are allowed to be assumed.

Alternatively, I could provide a custom pre-bootstrap providing my own roles. But I think cross-account is such a common use case that it should be a feature of this package.
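Added example illustrating both the proposal above (own account plus trusted accounts as principals of the staging roles) and the publish failure described in the previous comment. This is not aws-cdk code and does not use the CDK library: it renders the trust policy that a CompositePrincipal of AccountPrincipals expands to, then runs the same check STS performs when `cdk-assets publish` tries to assume the destination's assumeRoleArn. Account ids, role and bucket names and the manifest fragment are constructed for the example.

```typescript
// Added example, not code from aws-cdk or from the issue author. It renders the
// trust policy the proposal describes (own account + trusted accounts, which is
// what a CompositePrincipal of AccountPrincipals expands to) and performs the
// check STS does before `cdk-assets publish` can assume a destination role.
// All account ids, role names, bucket names and the manifest are constructed.

interface TrustStatement {
  Effect: "Allow";
  Principal: { AWS: string[] };
  Action: "sts:AssumeRole";
}
interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}
interface AssetDestination {
  bucketName: string;
  objectKey: string;
  region: string;
  assumeRoleArn: string;
}
interface AssetManifest {
  version: string;
  files: Record<string, { source: { path: string; packaging: string }; destinations: Record<string, AssetDestination> }>;
}

/** Trust policy for a target-account role: the account itself plus every trusted account, each as an account-root principal. */
function buildTrustPolicy(ownAccount: string, trustedAccounts: string[]): TrustPolicy {
  const accounts = Array.from(new Set([ownAccount, ...trustedAccounts]));
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: accounts.map((a) => `arn:aws:iam::${a}:root`) },
      Action: "sts:AssumeRole",
    }],
  };
}

/** Account id field of an IAM or STS ARN (arn:aws:iam::ACCOUNT:role/x, arn:aws:sts::ACCOUNT:assumed-role/x/y). */
function accountOfArn(arn: string): string {
  const parts = arn.split(":");
  if (parts.length < 6 || !/^\d{12}$/.test(parts[4])) {
    throw new Error(`not an IAM/STS principal ARN: ${arn}`);
  }
  return parts[4];
}

/** Does the role's trust policy let `callerArn` call sts:AssumeRole? An account-root principal trusts any
 *  identity of that account; the caller's own IAM policy must then also grant sts:AssumeRole (the easy half). */
function canAssume(policy: TrustPolicy, callerArn: string): boolean {
  const callerAccount = accountOfArn(callerArn);
  return policy.Statement.some((s) =>
    s.Effect === "Allow" &&
    s.Action === "sts:AssumeRole" &&
    s.Principal.AWS.some((p) => accountOfArn(p) === callerAccount));
}

/** Pre-flight for `cdk-assets publish -p <manifest>`: lists every destination whose assumeRoleArn the caller cannot assume. */
function publishPreflight(manifest: AssetManifest, trustByAccount: Record<string, TrustPolicy>, callerArn: string): string[] {
  const failures: string[] = [];
  for (const [assetId, asset] of Object.entries(manifest.files)) {
    for (const [destId, dest] of Object.entries(asset.destinations)) {
      const policy = trustByAccount[accountOfArn(dest.assumeRoleArn)];
      if (!policy || !canAssume(policy, callerArn)) {
        failures.push(`${assetId}/${destId}: ${callerArn} is not trusted by ${dest.assumeRoleArn}`);
      }
    }
  }
  return failures;
}

// Constructed accounts and a minimal manifest in the shape of cdk.out/DevAppStack.assets.json
// (hypothetical bucket and role names; the build job runs under an assumed-role session).
const PIPELINE = "111111111111";
const DEV = "222222222222";
const BUILD_JOB_ROLE = `arn:aws:sts::${PIPELINE}:assumed-role/pipeline-build-job/codebuild`;
const devManifest: AssetManifest = {
  version: "36.0.0",
  files: {
    "0a1b2c": {
      source: { path: "asset.0a1b2c", packaging: "zip" },
      destinations: {
        [`${DEV}-eu-central-1`]: {
          bucketName: "dev-staging-bucket",
          objectKey: "0a1b2c.zip",
          region: "eu-central-1",
          assumeRoleArn: `arn:aws:iam::${DEV}:role/dev-file-publishing-role`,
        },
      },
    },
  },
};

// Without a trust relationship the dev role trusts only its own account, so publishing from the pipeline fails.
const untrusted = publishPreflight(devManifest, { [DEV]: buildTrustPolicy(DEV, []) }, BUILD_JOB_ROLE);
// With the pipeline account added as a trusted account (the proposal), the same publish is allowed.
const trusted = publishPreflight(devManifest, { [DEV]: buildTrustPolicy(DEV, [PIPELINE]) }, BUILD_JOB_ROLE);
console.log(untrusted.length === 1 && trusted.length === 0 ? "trust relationship fixes the publish" : "unexpected result");
```

The point the check makes explicit: granting the build job sts:AssumeRole in the pipeline account is only the identity-based half; the resource-based trust policy on the target-account role must also name the pipeline account (or a specific role in it), which is what `--trust` does for the default bootstrap and what the proposed trusted-accounts array would do for the staging roles.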

quadrupole commented 1 month ago

Is there any update on this? I also have the exact same issue - using app-staging-synthesizer in cross-account deployments would be very handy!