-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cli): diff now uses the lookup Role for new-style synthesis #18277
Conversation
stack artifact This PR exposes information on the bootstrap lookup role on the CloudFormation stack artifact. This enables the CLI to assume the lookup role during cli operations in order to lookup information in the stack account. Along with the ARN of the lookup role, this also exposes a `requiresBootstrapStackVersion` property which is set to `8` (the version the lookup role was given ReadOnlyAccess), and the `bootstrapStackVersionSsmParameter` which is needed to lookup the bootstrap version if a user has renamed the bootstrap stack. This allows us to first check whether the lookupRole exists and has the correct permissions prior to using it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also add the changes to the synthesizer that will emit the new values, and the changes to the CLI that will consume the new values?
packages/@aws-cdk/cx-api/lib/artifacts/cloudformation-artifact.ts
Outdated
Show resolved
Hide resolved
At least for |
Yes, +1000 this! Let's re-shape this PR to, instead of a This will allow for a beautiful transition into Calvin's PR for supporting diff in Nested Stacks (#18207). |
I'm actually not sure that the approach that I've currently implemented will work. I am providing the The only approach I can think of is to:
Alternatively this feels like a big enough change that we could just bump the required bootstrap version in the CLI to 8. @rix0rrr let me know what you think. |
I am really loath to bump the required bootstrap version. We've had extremely negative feedback to that in the past. I think your solution is the best one. The most backwards-compatible algorithm I can think of is:
For For |
…mplate also updated forEnvironment to return whether or not it is returning default credentials.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the awesome work! Got some style niggles, but this is almost there
/** | ||
* Read a version from an SSM parameter, cached | ||
*/ | ||
protected async versionFromSsmParameter(sdk: ISDK, parameterName: string): Promise<number> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this code copy/pasted? Can we get rid of the duplication?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to remove the duplication I had to make this method a public method on ToolkitInfo
. Let me know what you think.
if (!stack.lookupRole) { | ||
throw new Error(`The stack ${stack.displayName} does not have the lookupRole configured`); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this worth an error? What is it checking?
- Is it checking that the caller of
prepareSdkWithLookupRoleFor
should not have called this function if there's not a lookup role?- Is it worth requiring every caller of this function to add an additional
if
? Can we not just use the "current credentials" and simplify the call path for all callers?
- Is it worth requiring every caller of this function to add an additional
- Or is it checking that all stacks have a
lookupRole
?- What about old versions of the cloud assembly, or legacy-synthesized stacks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed.
@@ -453,6 +459,11 @@ export class DefaultStackSynthesizer extends StackSynthesizer { | |||
requiresBootstrapStackVersion: MIN_BOOTSTRAP_STACK_VERSION, | |||
bootstrapStackVersionSsmParameter: this.bootstrapStackVersionSsmParameter, | |||
additionalDependencies: [artifactId], | |||
lookupRole: this.lookupRoleArn ? { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's probably useful if people can disable this. I can imagine environments in which the lookup role has been neutered, or people prefer using current credentials to access their stacks.
Add a property to switch this off?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a disableLookupRole
property.
/** | ||
* Try to use the bootstrap lookupRole. There are two scenarios that are handled here | ||
* 1. The lookup role may not exist (it was added in bootstrap stack version 7) | ||
* 2. The lookup role may not have the correct permissions (ReadOnlyAccess was added in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sheesh, fortunately at version 7 it already has the required SSM parameter permissions... 😅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Conditionally shipped, I'd like to see a minor tweak to the user-facing flag
/** | ||
* Whether or not to disable use of the lookup role | ||
* | ||
* @default - false | ||
*/ | ||
readonly disableLookupRole?: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, I hate to use flags that are named after a negative. In frail human heads it becomes very hard to reason about (at least in mine 😅).
Can we turn this into something like this (adding some explanation of what the flag does as well):
/** | |
* Whether or not to disable use of the lookup role | |
* | |
* @default - false | |
*/ | |
readonly disableLookupRole?: boolean; | |
/** | |
* Use the bootstrapped lookup role for (read-only) stack operations | |
* | |
* Use the lookup role when performing a `cdk diff`. If set to `false`, the | |
* `deploy role` credentials will be used to perform a `cdk diff.` | |
* | |
* Requires bootstrap stack version 8. | |
* | |
* @default true | |
*/ | |
readonly useLookupRoleForStackOperations?: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated.
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…#18277) This PR exposes information on the bootstrap lookup role on the CloudFormation stack artifact. This enables the CLI to assume the lookup role during cli operations in order to lookup information in the stack account. Along with the ARN of the lookup role, this also exposes a `requiresBootstrapStackVersion` property which is set to `8` (the version the lookup role was given ReadOnlyAccess), and the `bootstrapStackVersionSsmParameter` which is needed to lookup the bootstrap version if a user has renamed the bootstrap stack. This allows us to first check whether the lookupRole exists and has the correct permissions prior to using it. This also updates the `diff` capability in the CLI (run as part of `cdk diff` or `cdk deploy`) to use this new functionality. It now will try to assume the lookupRole and if it doesn't exist or if the bootstrap stack version is not valid, then it will fallback to using the deployRole (what it uses currently). This PR also updates the `forEnvironment` function to return whether or not it is returning the default credentials. This allows the calling function to decide whether or not it actually wants to use the default credentials. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR exposes information on the bootstrap lookup role on the
CloudFormation stack artifact. This enables the CLI to assume the lookup
role during cli operations in order to lookup information in the stack
account.
Along with the ARN of the lookup role, this also exposes a
requiresBootstrapStackVersion
property which is set to8
(theversion the lookup role was given ReadOnlyAccess), and the
bootstrapStackVersionSsmParameter
which is needed to lookup thebootstrap version if a user has renamed the bootstrap stack.
This allows us to first check whether the lookupRole exists and has the
correct permissions prior to using it.
This also updates the
diff
capability in the CLI (run as part ofcdk diff
orcdk deploy
)to use this new functionality. It now will try to assume the lookupRole and if it doesn't exist or
if the bootstrap stack version is not valid, then it will fallback to using the deployRole (what it uses
currently).
This PR also updates the
forEnvironment
function to return whether or not it is returning thedefault credentials. This allows the calling function to decide whether or not it actually wants
to use the default credentials.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license