app-staging-synthesizer: cross-account support #26634

Open
tenjaa opened this issue Aug 4, 2023 · 3 comments
Labels
@aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3

Comments

@tenjaa
Contributor

tenjaa commented Aug 4, 2023

Describe the feature

I do not see an option to add a trust relationship to the roles created by the new app-staging-synthesizer.
But they are required to provide a similar experience as the current default bootstrap for cross-account deployments.

Use Case

We have three accounts: dev, prod and one for the pipeline

Proposed Solution

I think adding an array of trusted accounts to

might work. IPrincipal[] could be used.

Then adding a CompositePrincipal with the account and the added trusted accounts should be enough.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

Environment details (OS name and version, etc.)

@tenjaa tenjaa added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 4, 2023
@github-actions github-actions bot added the @aws-cdk/app-staging-synthesizer-alpha Related to the @aws-cdk/app-staging-synthesizer-alpha package label Aug 4, 2023
@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 4, 2023
@pahud
Contributor

pahud commented Aug 4, 2023

Thank you for your PR. Can you elaborate more about your use case?

@tenjaa
Contributor Author

tenjaa commented Aug 5, 2023

We have three accounts: pipeline, dev and prod.
With the current bootstrap, we can bootstrap dev and prod with the flag --trust pipeline.

The buildjob in the pipeline looks like:

npx cdk synth
npx cdk-assets publish -p cdk.out/DevAppStack.assets.json
npx cdk-assets publish -p cdk.out/ProdAppStack.assets.json

The x.assets.json file has the dev/prod account as destination set and there is also the prop assumeRoleArn which tells cdk-assets to assume the role in the dev/prod account from the pipeline account.
Giving the buildjob-role the rights to assume that role is easy. But the resource-based policy of the roles in the dev/prod account does not allow the buildjob-role to assume them.

With this PR, they are allowed to be assumed.

Alternatively, I could provide a custom pre-bootstrap providing my own roles. But I think cross-account is such a common use case that it should be a feature of this package.
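
The trust gap described in this thread, as an added example that is not part of the original issue or of the aws-cdk code base: a simplified TypeScript model of a staging role's trust policy, showing that the pipeline account's build-job role passes the trust-policy side only once the pipeline account is listed as trusted. The helper names, account IDs and role ARN are constructed; conditions, wildcards and the caller's own identity policy are not modeled.

```typescript
// Added example: simplified model of a staging role's trust policy.
// Helper names, account IDs and the role ARN are constructed for illustration.
interface TrustStatement {
  Effect: "Allow";
  Action: "sts:AssumeRole";
  Principal: { AWS: string[] };
}
interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

// Trust the role's own account plus any extra trusted accounts (account root ARNs).
function buildTrustPolicy(ownAccount: string, trustedAccounts: string[] = []): TrustPolicy {
  const accounts = [ownAccount, ...trustedAccounts].filter((id, i, all) => all.indexOf(id) === i);
  for (const id of accounts) {
    if (!/^\d{12}$/.test(id)) throw new Error(`not a 12-digit account id: ${id}`);
  }
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "sts:AssumeRole",
      Principal: { AWS: accounts.map((id) => `arn:aws:iam::${id}:root`) },
    }],
  };
}

// Trust-policy side only: the caller still needs sts:AssumeRole in its own
// identity policy. A listed account root delegates to principals in that account.
function trustPolicyAllows(policy: TrustPolicy, callerArn: string): boolean {
  const match = /^arn:aws:iam::(\d{12}):(?:role|user)\/.+$/.exec(callerArn);
  if (match === null) return false;
  const callerRoot = `arn:aws:iam::${match[1]}:root`;
  return policy.Statement.some(
    (s) => s.Principal.AWS.indexOf(callerRoot) !== -1 || s.Principal.AWS.indexOf(callerArn) !== -1
  );
}

const PIPELINE = "111111111111"; // constructed pipeline account id
const DEV = "222222222222"; // constructed dev account id
const buildJobRole = `arn:aws:iam::${PIPELINE}:role/buildjob-role`;

// Role trusting only its own account: the cross-account assume is rejected.
console.log(trustPolicyAllows(buildTrustPolicy(DEV), buildJobRole));
// Role that also trusts the pipeline account: the assume passes the trust policy.
console.log(trustPolicyAllows(buildTrustPolicy(DEV, [PIPELINE]), buildJobRole));
```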

@quadrupole

Is there any update on this? I also have the exact same issue - using app-staging-synthesizer in cross account deployments would be very handy!

3 participants