Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(aws-cdk): fix profile use in non-'aws' partitions #1283

Merged
merged 2 commits into from
Dec 5, 2018
Merged

fix(aws-cdk): fix profile use in non-'aws' partitions #1283

merged 2 commits into from
Dec 5, 2018

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Dec 4, 2018
edited
Loading

Properly pass on the default region to the STS call we make to discover
the default AWS credentials.

Also, there is no way to make use of AssumeRole profiles without the
AWS_SDK_LOAD_CONFIG flag being set, so reintroduce setting that flag
if we discover the file to exist.

Fixes #1262 and fixes #1109.

Pull Request Checklist

Please check all boxes (including N/A items)

Testing

  • Unit test and/or integration test added
  • Toolkit change?: integration
    tests
    manually executed (paste output to the PR description)
  • Init template change?: coordinated update of integration tests
    (currently maintained in a private repo).

Documentation

  • README: README and/or documentation topic updated
  • jsdocs: All public APIs documented

Title and description

  • Change type: Title is prefixed with change type:
    • fix(module): <title> bug fix (patch)
    • feat(module): <title> feature/capability (minor)
    • chore(module): <title> won't appear in changelog
    • build(module): <title> won't appear in changelog
  • Title format: Title uses lower case and doesn't end with a period
  • Breaking change?: Last paragraph of description is: BREAKING CHANGE: <describe exactly what changed and how to achieve similar behavior + link to documentation/gist/issue if more details are required>
  • References: Indicate issues fixed via: Fixes #xxx or Closes #xxx

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

@rix0rrr
fix(aws-cdk): fix profiles in non-'aws' partitions
5aef969 
Properly pass on the default region to the STS call we make to discover
the default AWS credentials.

Also, there is no way to make use of AssumeRole profiles without the
AWS_SDK_LOAD_CONFIG flag being set, so reintroduce setting that flag
if we discover the file to exist.

Fixes #1262 and #1109.
eladb
eladb reviewed Dec 5, 2018
View reviewed changes
packages/aws-cdk/lib/api/util/sdk.ts
@@ -389,6 +406,15 @@ async function hasEc2Credentials() {
return instance;
}

async function setConfigVariable() {
const homeDir = process.env.HOME || process.env.USERPROFILE
|| (process.env.HOMEPATH ? ((process.env.HOMEDRIVE || 'C:/') + process.env.HOMEPATH) : null) || os.homedir();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't os.homedir() just do all of this for you?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't know. This is exactly what the SDK code does, I don't want to risk us going out of sync because there's some environment variable effect somewhere that we haven't considered.

eladb
eladb reviewed Dec 5, 2018
View reviewed changes
packages/aws-cdk/lib/api/util/sdk.ts Outdated
// Since there is no way to pass a { region } argument to the STS client used for AssumeRole credentials
// (https://github.com/aws/aws-sdk-js/issues/2377), we must now configure the region globally so that it will
// be picked up there.
// AWS.config.update({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this not true anymore? I am confused...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you're right. This wasn't sufficient. We MUST load the config, and we MUST set the env var to do so. Will remove.

@rix0rrr
Copy link
Contributor Author

rix0rrr commented Dec 5, 2018 

============================================================================================
test-cdk-context.sh
============================================================================================
Testing for the context value
Context value contextkey reset. It will be refreshed on the next SDK synthesis run.
No context value with key contextkey
✅  success
============================================================================================
test-cdk-deploy-all.sh
============================================================================================
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
cdk-toolkit-integration-test-1
cdk-toolkit-integration-test-1: deploying...
cdk-toolkit-integration-test-1: creating CloudFormation changeset...
 0/2 | 10:13:42 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic (topic69831491) 
 0/2 | 10:13:42 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic (topic69831491) Resource creation Initiated
 1/2 | 10:13:53 | CREATE_COMPLETE      | AWS::SNS::Topic | topic (topic69831491) 

 ✅  cdk-toolkit-integration-test-1

Stack ARN:
cdk-toolkit-integration-test-2
cdk-toolkit-integration-test-2: deploying...
cdk-toolkit-integration-test-2: creating CloudFormation changeset...
 0/3 | 10:14:07 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) 
 0/3 | 10:14:07 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) 
 0/3 | 10:14:07 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) Resource creation Initiated
 0/3 | 10:14:07 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) Resource creation Initiated
 1/3 | 10:14:17 | CREATE_COMPLETE      | AWS::SNS::Topic | topic1 (topic152D84A37) 
 2/3 | 10:14:18 | CREATE_COMPLETE      | AWS::SNS::Topic | topic2 (topic2A4FB547F) 
 3/3 | 10:14:19 | CREATE_COMPLETE      | AWS::CloudFormation::Stack | cdk-toolkit-integration-test-2 

 ✅  cdk-toolkit-integration-test-2

Stack ARN:
Stack deployed successfully
cdk-toolkit-integration-test-1: destroying...

 ✅  cdk-toolkit-integration-test-1: destroyed
cdk-toolkit-integration-test-2: destroying...

 ✅  cdk-toolkit-integration-test-2: destroyed
✅  success
============================================================================================
test-cdk-deploy.sh
============================================================================================
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
cdk-toolkit-integration-test-2: deploying...
cdk-toolkit-integration-test-2: creating CloudFormation changeset...
 0/3 | 10:14:50 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) 
 0/3 | 10:14:51 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) 
 0/3 | 10:14:51 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) Resource creation Initiated
 0/3 | 10:14:51 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) Resource creation Initiated
 1/3 | 10:15:01 | CREATE_COMPLETE      | AWS::SNS::Topic | topic1 (topic152D84A37) 
 2/3 | 10:15:01 | CREATE_COMPLETE      | AWS::SNS::Topic | topic2 (topic2A4FB547F) 

 ✅  cdk-toolkit-integration-test-2

Stack ARN:
Stack deployed successfully
| assert that last command returned 1 line(s)
cdk-toolkit-integration-test-2: destroying...

 ✅  cdk-toolkit-integration-test-2: destroyed
✅  success
============================================================================================
test-cdk-deploy-with-role.sh
============================================================================================

An error occurred (NoSuchEntity) when calling the ListRolePolicies operation: The role with name cdk-integ-test-role cannot be found.

An error occurred (NoSuchEntity) when calling the DeleteRole operation: The role with name cdk-integ-test-role cannot be found.
Role does not exist yet
Sleeping a bit to improve chances of the role having propagated
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
cdk-toolkit-integration-test-2: deploying...
cdk-toolkit-integration-test-2: creating CloudFormation changeset...
 0/3 | 10:15:37 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) 
 0/3 | 10:15:37 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) 
 0/3 | 10:15:37 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic1 (topic152D84A37) Resource creation Initiated
 0/3 | 10:15:37 | CREATE_IN_PROGRESS   | AWS::SNS::Topic | topic2 (topic2A4FB547F) Resource creation Initiated
 1/3 | 10:15:48 | CREATE_COMPLETE      | AWS::SNS::Topic | topic1 (topic152D84A37) 
 2/3 | 10:15:48 | CREATE_COMPLETE      | AWS::SNS::Topic | topic2 (topic2A4FB547F) 
 3/3 | 10:15:49 | CREATE_COMPLETE      | AWS::CloudFormation::Stack | cdk-toolkit-integration-test-2 

 ✅  cdk-toolkit-integration-test-2

Stack ARN:
Stack deployed successfully
| assert that last command returned 1 line(s)
cdk-toolkit-integration-test-2: destroying...

 ✅  cdk-toolkit-integration-test-2: destroyed
✅  success
============================================================================================
test-cdk-diff.sh
============================================================================================
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
| assert that last command returned 2 line(s)
| assert that last command returned 3 line(s)
✅  success
============================================================================================
test-cdk-ls.sh
============================================================================================
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
| running cdk ls
✅  success
============================================================================================
test-cdk-synth.sh
============================================================================================
| ensuring cdk-toolkit-integration-test-1 is cleaned up
| ensuring cdk-toolkit-integration-test-2 is cleaned up
| running cdk synth cdk-toolkit-integration-test-1
| running cdk synth cdk-toolkit-integration-test-2
✅  success

@rix0rrr rix0rrr changed the title fix(aws-cdk): fix profiles in non-'aws' partitions fix(aws-cdk): fix profile use in non-'aws' partitions Dec 5, 2018
@rix0rrr rix0rrr merged commit 5478913 into master Dec 5, 2018
@rix0rrr rix0rrr deleted the huijbers/iam-in-partitions branch December 5, 2018 10:14
@rix0rrr rix0rrr mentioned this pull request Jan 2, 2019
Closed
@NGL321 NGL321 added the contribution/core This is a PR that came from AWS. label Sep 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb approved these changes

@RomainMuller RomainMuller Awaiting requested review from RomainMuller

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
3 participants
@rix0rrr @eladb @NGL321