feat(codepipeline): support cross-environment deployments for all actions

Previously, we only supported cross-environment deployments for CodeBuild
and CloudFormation CodePipeline actions.
This change adds this capability to all remaining AWS-owned actions.

Fixes #3389

Author: skinny85

packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts

@@ -5,7 +5,10 @@ import elbv2 = require('@aws-cdk/aws-elasticloadbalancingv2');
 import iam = require('@aws-cdk/aws-iam');
 import sns = require('@aws-cdk/aws-sns');
 
-import { CfnAutoScalingRollingUpdate, Construct, Duration, Fn, IResource, Lazy, Resource, Stack, Tag, Token, withResolved } from '@aws-cdk/core';
+import {
+  CfnAutoScalingRollingUpdate, Construct, Duration, Fn, IResource, Lazy, PhysicalName, Resource, Stack,
+  Tag, Token, withResolved
+} from '@aws-cdk/core';
 import { CfnAutoScalingGroup, CfnAutoScalingGroupProps, CfnLaunchConfiguration } from './autoscaling.generated';
 import { BasicLifecycleHookProps, LifecycleHook } from './lifecycle-hook';
 import { BasicScheduledActionProps, ScheduledAction } from './scheduled-action';
@@ -414,6 +417,7 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
     this.node.applyAspect(new Tag(NAME_TAG, this.node.path));
 
     this.role = props.role || new iam.Role(this, 'InstanceRole', {
+      roleName: PhysicalName.GENERATE_IF_NEEDED,
       assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
     });
 
@@ -1091,4 +1095,4 @@ function stringifyNumber(x: number) {
   } else {
     return `${x}`;
   }
-}
+}

packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts

@@ -68,6 +68,7 @@ export class CodeCommitSourceAction extends Action {
 
     super({
       ...props,
+      resource: props.repository,
       category: codepipeline.ActionCategory.SOURCE,
       provider: 'CodeCommit',
       artifactBounds: sourceArtifactBounds(),

packages/@aws-cdk/aws-codepipeline-actions/lib/codedeploy/server-deploy-action.ts

@@ -26,6 +26,7 @@ export class CodeDeployServerDeployAction extends Action {
   constructor(props: CodeDeployServerDeployActionProps) {
     super({
       ...props,
+      resource: props.deploymentGroup,
       category: codepipeline.ActionCategory.DEPLOY,
       provider: 'CodeDeploy',
       artifactBounds: deployArtifactBounds(),

packages/@aws-cdk/aws-codepipeline-actions/lib/ecr/source-action.ts

@@ -41,6 +41,7 @@ export class EcrSourceAction extends Action {
   constructor(props: EcrSourceActionProps) {
     super({
       ...props,
+      resource: props.repository,
       category: codepipeline.ActionCategory.SOURCE,
       provider: 'ECR',
       artifactBounds: sourceArtifactBounds(),

packages/@aws-cdk/aws-codepipeline-actions/lib/lambda/invoke-action.ts

@@ -60,6 +60,7 @@ export class LambdaInvokeAction extends Action {
   constructor(props: LambdaInvokeActionProps) {
     super({
       ...props,
+      resource: props.lambda,
       category: codepipeline.ActionCategory.INVOKE,
       provider: 'Lambda',
       artifactBounds: {

packages/@aws-cdk/aws-codepipeline-actions/lib/s3/deploy-action.ts

@@ -40,6 +40,7 @@ export class S3DeployAction extends Action {
   constructor(props: S3DeployActionProps) {
     super({
       ...props,
+      resource: props.bucket,
       category: codepipeline.ActionCategory.DEPLOY,
       provider: 'S3',
       artifactBounds: deployArtifactBounds(),

packages/@aws-cdk/aws-codepipeline-actions/lib/s3/source-action.ts

@@ -74,6 +74,7 @@ export class S3SourceAction extends Action {
   constructor(props: S3SourceActionProps) {
     super({
       ...props,
+      resource: props.bucket,
       category: codepipeline.ActionCategory.SOURCE,
       provider: 'S3',
       artifactBounds: sourceArtifactBounds(),

packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json

@@ -393,7 +393,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json

@@ -518,7 +518,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-pipeline.expected.json

@@ -296,7 +296,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.expected.json

@@ -295,7 +295,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-cfn.expected.json

@@ -381,7 +381,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json

@@ -593,7 +593,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json

@@ -367,7 +367,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json

@@ -330,7 +330,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "MyPipelineArtifactsBucketEncryptionKey8BF0A7F3"
+              "Fn::GetAtt": [
+                "MyPipelineArtifactsBucketEncryptionKey8BF0A7F3",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.expected.json

@@ -332,7 +332,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "PipelineArtifactsBucketEncryptionKey01D58D69"
+              "Fn::GetAtt": [
+                "PipelineArtifactsBucketEncryptionKey01D58D69",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },

packages/@aws-cdk/aws-codepipeline-actions/test/test.pipeline.ts

@@ -789,7 +789,18 @@ export = {
               "Type": "S3",
               "Location": "replicationstackeplicationbucket2464cd5c33b386483b66",
               "EncryptionKey": {
-                "Id": "alias/replicationstacktencryptionalias043cb2f8ceac9da9c07c",
+                "Id": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition",
+                      },
+                      ":kms:us-west-1:123456789012:alias/ionstacktencryptionalias043cb2f8ceac9da9c07c",
+                    ],
+                  ],
+                },
                 "Type": "KMS"
               },
             },

packages/@aws-cdk/aws-codepipeline/lib/cross-region-support-stack.ts

@@ -2,14 +2,40 @@ import kms = require('@aws-cdk/aws-kms');
 import s3 = require('@aws-cdk/aws-s3');
 import cdk = require('@aws-cdk/core');
 
+const REQUIRED_ALIAS_PREFIX = 'alias/';
+
+/**
+ * A class needed to work around CodePipeline's extremely small (100 characters)
+ * limit for the name/ARN of the key in the ArtifactStore.
+ * Limits the length of the alias' auto-generated name to 50 characters.
+ */
+class AliasWithShorterGeneratedName extends kms.Alias {
+  protected generatePhysicalName(): string {
+    let baseName = super.generatePhysicalName();
+    if (baseName.startsWith(REQUIRED_ALIAS_PREFIX)) {
+      // remove the prefix, because we're taking the last characters of the name below
+      baseName = baseName.substring(REQUIRED_ALIAS_PREFIX.length);
+    }
+    const maxLength = 50 - REQUIRED_ALIAS_PREFIX.length;
+    // take the last characters, as they include the hash,
+    // and so have a higher chance of not colliding
+    return REQUIRED_ALIAS_PREFIX + lastNCharacters(baseName, maxLength);
+  }
+}
+
+function lastNCharacters(str: string, n: number) {
+  const startIndex = Math.max(str.length - n, 0);
+  return str.substring(startIndex);
+}
+
 export class CrossRegionSupportConstruct extends cdk.Construct {
   public readonly replicationBucket: s3.IBucket;
 
   constructor(scope: cdk.Construct, id: string) {
     super(scope, id);
 
     const encryptionKey = new kms.Key(this, 'CrossRegionCodePipelineReplicationBucketEncryptionKey');
-    const encryptionAlias = new kms.Alias(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
+    const encryptionAlias = new AliasWithShorterGeneratedName(this, 'CrossRegionCodePipelineReplicationBucketEncryptionAlias', {
       targetKey: encryptionKey,
       aliasName: cdk.PhysicalName.GENERATE_IF_NEEDED,
       removalPolicy: cdk.RemovalPolicy.RETAIN,

packages/@aws-cdk/aws-codepipeline/lib/pipeline.ts

@@ -206,6 +206,7 @@ export class Pipeline extends PipelineBase {
   private readonly stages = new Array<Stage>();
   private readonly crossRegionBucketsPassed: boolean;
   private readonly _crossRegionSupport: { [region: string]: CrossRegionSupport } = {};
+  private readonly _crossAccountSupport: { [account: string]: Stack } = {};
 
   constructor(scope: Construct, id: string, props: PipelineProps = {}) {
     super(scope, id, {
@@ -379,7 +380,11 @@ export class Pipeline extends PipelineBase {
       const actionResourceStack = Stack.of(actionResource);
       if (pipelineStack.region !== actionResourceStack.region) {
         actionRegion = actionResourceStack.region;
-        otherStack = actionResourceStack;
+        // if the resource is from a different stack in another region but the same account,
+        // use that stack as home for the cross-region support resources
+        if (pipelineStack.account === actionResourceStack.account) {
+          otherStack = actionResourceStack;
+        }
       }
     } else {
       actionRegion = action.actionProperties.region;
@@ -570,9 +575,12 @@ export class Pipeline extends PipelineBase {
     if (action.actionProperties.resource) {
       const resourceStack = Stack.of(action.actionProperties.resource);
       // check if resource is from a different account
-      return pipelineStack.account === resourceStack.account
-        ? undefined
-        : resourceStack;
+      if (pipelineStack.account === resourceStack.account) {
+        return undefined;
+      } else {
+        this._crossAccountSupport[resourceStack.account] = resourceStack;
+        return resourceStack;
+      }
     }
 
     if (!action.actionProperties.account) {
@@ -593,17 +601,21 @@ export class Pipeline extends PipelineBase {
       return undefined;
     }
 
-    const stackId = `cross-account-support-stack-${targetAccount}`;
-    const app = this.requireApp();
-    let targetAccountStack = app.node.tryFindChild(stackId) as Stack;
+    let targetAccountStack: Stack | undefined = this._crossAccountSupport[targetAccount];
     if (!targetAccountStack) {
-      targetAccountStack = new Stack(app, stackId, {
-        stackName: `${pipelineStack.stackName}-support-${targetAccount}`,
-        env: {
-          account: targetAccount,
-          region: action.actionProperties.region ? action.actionProperties.region : pipelineStack.region,
-        },
-      });
+      const stackId = `cross-account-support-stack-${targetAccount}`;
+      const app = this.requireApp();
+      targetAccountStack = app.node.tryFindChild(stackId) as Stack;
+      if (!targetAccountStack) {
+        targetAccountStack = new Stack(app, stackId, {
+          stackName: `${pipelineStack.stackName}-support-${targetAccount}`,
+          env: {
+            account: targetAccount,
+            region: action.actionProperties.region ? action.actionProperties.region : pipelineStack.region,
+          },
+        });
+      }
+      this._crossAccountSupport[targetAccount] = targetAccountStack;
     }
     return targetAccountStack;
   }
@@ -752,7 +764,7 @@ export class Pipeline extends PipelineBase {
     if (bucketKey) {
       encryptionKey = {
         type: 'KMS',
-        id: bucketKey.keyId,
+        id: bucketKey.keyArn,
       };
     }
 

packages/@aws-cdk/aws-codepipeline/test/test.pipeline.ts

@@ -116,7 +116,18 @@ export = {
                 "Type": "S3",
                 "EncryptionKey": {
                   "Type": "KMS",
-                  "Id": "alias/my-replication-alias",
+                  "Id": {
+                    "Fn::Join": [
+                      "",
+                      [
+                        "arn:",
+                        {
+                          "Ref": "AWS::Partition",
+                        },
+                        ":kms:us-west-1:123456789012:alias/my-replication-alias",
+                      ],
+                    ],
+                  },
                 },
               },
             },
@@ -163,7 +174,7 @@ export = {
         test.done();
       },
 
-      "generates ArtifactStores with the alias' name as the KeyID"(test: Test) {
+      "generates ArtifactStores with the alias' ARN as the KeyID"(test: Test) {
         const app = new cdk.App();
         const replicationRegion = 'us-west-1';
 
@@ -200,7 +211,18 @@ export = {
                 "Type": "S3",
                 "EncryptionKey": {
                   "Type": "KMS",
-                  "Id": "alias/mystack-support-us-west-1tencryptionalias9b344b2b8e6825cb1f7d",
+                  "Id": {
+                    "Fn::Join": [
+                      "",
+                      [
+                        "arn:",
+                        {
+                          "Ref": "AWS::Partition",
+                        },
+                        ":kms:us-west-1:123456789012:alias/s-west-1tencryptionalias9b344b2b8e6825cb1f7d",
+                      ],
+                    ],
+                  },
                 },
               },
             },
@@ -262,7 +284,7 @@ export = {
                 "Location": "my-us-west-1-replication-bucket",
                 "EncryptionKey": {
                   "Type": "KMS",
-                  "Id": "1234-5678-9012",
+                  "Id": "arn:aws:kms:us-west-1:123456789012:key/1234-5678-9012",
                 },
               },
             },

packages/@aws-cdk/aws-events-targets/test/codepipeline/integ.pipeline-event-target.expected.json

@@ -282,7 +282,10 @@
         "ArtifactStore": {
           "EncryptionKey": {
             "Id": {
-              "Ref": "pipelinePipeline22F2A91DArtifactsBucketEncryptionKey87C796D2"
+              "Fn::GetAtt": [
+                "pipelinePipeline22F2A91DArtifactsBucketEncryptionKey87C796D2",
+                "Arn"
+              ]
             },
             "Type": "KMS"
           },