codepipeline: Deploy EKS via codepipeline reported a S3 access denied error

[uxth]

Hello

I have created a pipeline via cdk scripts, which deploys a VPC, an EKS, and some other stuff.
Manually deploy all the stacks via cdk deploy, works fine.
Deploy the codepipeline, works.
codepipeline tries to deploy the application stage, which contains all the stacks above.
1st step, download code from github, works.
2nd step, synth, works,
the application stage
1st step, deploy VPC, works
2nd step, deploy EKS, NOT WORKING, the error was happening when it tries to deploy the nested stack, the error is S3 access denied. no other messages.

Reproduction Steps

use codepipeline to deploy a VPC and an EKS

What did you expect to happen?

I am trying to deploy all the resources I need for my project by using codepipeline in AWS, CI/CD

What actually happened?

the EKS could not be deployed by codepipeline, but it does not have any problem in deploying via cdk deploy command locally.

Environment

• CDK CLI Version : 1.106.1 (build c832c1b)
• Framework Version:
• Node.js Version: 16
• OS : mac big sur
• Language (Version): python3.8

Other

---

This is 🐛 Bug Report

[skinny85]

Hey @uxth,

thanks for opening the issue. Can you please show your code creating the Pipeline?

Thanks,
Adam

[uxth]

Hello @skinny85 ,

it is in my github repo, named cdkpipeline.
there is a file named cdk_eks_stack.py

Thanks

[skinny85]

Great, can I see it? 🙂

[uxth]

definitely

[skinny85]

Can you send me the link to the code then please?

[uxth]

https://github.com/uxth/cdkpipeline

sorry, I thought you were able to see

[skinny85]

Did you perform the correct bootstrapping of the account you are deploying to, as described here? https://docs.aws.amazon.com/cdk/api/latest/docs/pipelines-readme.html#cdk-environment-bootstrapping

[uxth]

do you mean in the code or in my terminal?

I did bootstrap in my terminal

[uxth]

it looks like this, as shown in the screenshot, the eks deployment failed, but the vpc succeeded, which is before eks stack.

[skinny85]

I see it's a Nested Stack. Maybe that's the problem? Perhaps Nested Stack support has some bug in CDK Pipelines?

I'm leaving this one for @rix0rrr and @otaviomacedo to diagnose, since it's a CDK Pipelines issue (and not just CodePipeline, which I initially thought).

[uxth]

any updates?@otaviomacedo , @rix0rrr

[uxth]

@skinny85 is there any other people who can answer this question?
I dont think @otaviomacedo @rix0rrr have the time here.

[rix0rrr]

Hi @uxth, @otaviomacedo is trying to get to the bottom of this as we speak. Our current suspicion is nested stacks, but the issue might be more complicated.

[otaviomacedo]

Hi, @uxth. The problem here is that your pipeline is not self-mutating. Because of that, the "Asset" stage of the pipeline get out of sync with the main stack template, which references a nested stack template that doesn't exist.

We are considering changing this flow to be less reliant on self mutation. But for now what you can do is change it to self_mutating=True (or remove self_mutating it altogether) and this will solve your problem.

[uxth]

hi @otaviomacedo , the reason I turned off the self-mutating option is because with it on the source code could not be downloaded from github.

[uxth]

it is working, thank you for pointing this out.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.