aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CLI: add flag when running garbage collector to ignore non-authorized stacks #32322

Open TiagoVentosa opened 6 days ago

TiagoVentosa commented 6 days ago

Describe the feature

Add some kind of flag to the cdk gc command (for example --skip-unauthorized-stacks) so that when checking the stacks (GetTemplateSummary) it ignores those that the user does not have access to instead of failing the command.

Use Case

I was very excited for this new feature, but when I tried running it, I got the following error:

npx cdk gc --unstable=gc --rollback-buffer-days 5
 ⏳  Garbage Collecting environment aws://<ACCOUNT>/eu-west-1...
Error refreshing stacks: AccessDenied: User: arn:aws:sts::<ACCOUNT>:assumed-role/<ROLE> is not authorized 
to perform: cloudformation:GetTemplateSummary on 
resource: arn:aws:cloudformation:eu-west-1:<ACCOUNT>:stack/<ORGANIZATION-STACK> 
with an explicit deny in a service control policy

(newlines added to improve readability)

Where <ORGANIZATION-STACK> is a stack used by my company to do initial setup of AWS accounts.

Proposed Solution

Instead of automatically failing, have some way to ignore stacks in error. Right now I know of no way to skip it

Other Information

No response

Acknowledgements

CDK version used

2.171.1

Environment details (OS name and version, etc.)

macOS Sonoma 14.7
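The skip behaviour requested above, written out as an added example that is not part of this issue or of aws-cdk: `refreshStacks` inspects each stack through an injected stand-in for GetTemplateSummary, skips AccessDenied stacks only when the flag is set (any other error, or a denial without the flag, still fails the command), and records what was skipped so that a caller can refuse to delete anything while stacks went uninspected. The synchronous call and the `AccessDenied` error name are assumptions made for the illustration.

```typescript
// Added illustration, not aws-cdk's own code: how a hypothetical
// --skip-unauthorized-stacks option could change the stack refresh that
// `cdk gc` performs. The CloudFormation call is injected (synchronous here, a
// simplification) so this runs offline; matching on the error name
// "AccessDenied" is an assumption about the SDK error shape.
type GetTemplateSummary = (stackName: string) => string;
interface RefreshResult {
  templates: Map<string, string>; // stackName -> template body
  skipped: string[];              // stacks that could not be inspected
}

function isAccessDenied(err: unknown): boolean {
  return err instanceof Error && err.name === "AccessDenied";
}
// Without the flag, the first AccessDenied aborts the whole refresh (the
// behaviour reported above). With it, denied stacks are recorded as skipped
// instead of failing the command.
function refreshStacks(stackNames: string[], getTemplateSummary: GetTemplateSummary,
                       skipUnauthorized: boolean): RefreshResult {
  const result: RefreshResult = { templates: new Map(), skipped: [] };
  for (const name of stackNames) {
    try {
      result.templates.set(name, getTemplateSummary(name));
    } catch (err) {
      if (skipUnauthorized && isAccessDenied(err)) {
        result.skipped.push(name);
        continue;
      }
      throw err; // any other failure still fails the command
    }
  }
  return result;
}

// Constructed environment: one stack is denied by a service control policy.
const DENIED_STACK = "<ORGANIZATION-STACK>";
const fakeGetTemplateSummary: GetTemplateSummary = (name) => {
  if (name === DENIED_STACK) {
    const e = new Error(`not authorized to perform: cloudformation:GetTemplateSummary on ${name}`);
    e.name = "AccessDenied";
    throw e;
  }
  return `{"Resources":{"Asset":{"Properties":{"Key":"${name}-asset.zip"}}}}`;
};

// Deleting is only safe when every stack was inspected: a skipped stack may
// still reference assets that would otherwise look unused.
function safeToDelete(result: RefreshResult): boolean {
  return result.skipped.length === 0;
}
```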

khushail commented 5 days ago

Hi @TiagoVentosa , thanks for reaching out and requesting this. I see that cdk gc support was implemented recently with the idea of collecting unused assets in your bootstrapped S3 bucket with these PRs -

rix0rrr commented 3 days ago

It will be unsafe to do garbage collection in that configuration. I suppose we can add a flag, but can you add a bit more color to this story?

Why are you in a situation where you are trying to GC assets on an account that you don't have access to all stacks in?