-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support cross-account context queries from bootstrap stack #8905
Comments
@rix0rrr how would you address this issue? What's the best way to fix this? Happy to contribute |
Is there additional documentation on work needed to support this feature? |
There's a good thread in the cdk.dev slack about this. It appears that a workaround is to populate the VPC IDs in a |
so one fix is to have a script that populates cdk.context.json independently ? |
You can synth locally once and then commit the file. |
yep that's what I thought xD. Despite seeing many projects having context file in .gitignore , committing it is the recommended approach :
from still not only about running synth I will add a script that
|
Hi, I have come across this problem while building a cdk pipeline, I think a solution/workaround may to to give the codebuild role or whatever role is performing the synth action permissions to use describe or list actions for whatever resource it needs such as vpc or listeners etc and then it can successfully synth with all the required context information. Does this seem like a valid solution/workaround? I only discovered this today and will attempt to validate my findings tomorrow. Sorry if this is the wrong place to mention it. Can give more information about my scenario if needed. |
It's not enough @sean-kennedy-songtradr , because the |
The best workaround is:
|
In my scenario (as far as I can tell) I am always synthesizing in the same account, that synth will require some ssm parameters from different accounts/regions and then use them in .fromLookup calls, I am using the CDK credential plugin so that cdk can assume the relevant role when it needs to get those parameters and make context queries. If I can make sure the build always happens in the same account and region is this a valid method of supporting context queries right now or would you say it's a bit hacky for lack of a better term? |
I wouldn't use the word "hacky" necessarily, but I would say it's not a practice we want to encourage exactly. The reason is that we want to separate synthesizing your CDK application, which might mean running code from arbitrary third-party dependencies that you might not want to trust completely, from deploying it. If you give your build step permissions to read from your account, the third party dependencies will have those permissions as well. Perhaps you consider that risk acceptable, in which case, go right ahead 🙂. |
@skinny85 |
Error message on running `cdk synth` - Error at /CdkReproPipeline] Could not find any VPCs matching {"account":DEV_ACCOUNT_ID","region":"REGION","filter":{"vpc-id":"PROD_VPC_ID"},"returnAsymmetricSubnets":true} This seems to look for prod Vpc in my dev account (most likely because of line#61 where I am doing ec2.Vpc.from_lookup(self, 'VpcPrd', vpc_id=PROD_VPC_ID). Why? not clear to me but could be related to - aws/aws-cdk#8905 but will log a issue in CDK repo for the experts to look at.
@greg-aws, something like |
Exactly, in terms of the actual policy I would want some input on. We could be fairly fine grained to only allow access to the current actions required or it would be a more broad read policy which would leave room for future features. |
Fixes #8905 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Fixes aws#8905 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
See title.
This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: