cdk bootstrap in multi-tenant accounts #1416

Closed
manrueda opened this issue Dec 20, 2018 · 7 comments · Fixed by #1427
Labels
bug This issue is a bug. package/tools Related to AWS CDK Tools or CLI

Comments

@manrueda

Hi,

I am eager to implement CDK on a few new projects, but at the company I work for we use a system of multi-tenant accounts where one account is shared by many teams and units, and we divide the cost of resources using tags and names.

The command cdk bootstrap creates a CloudFormation stack with an S3 bucket, whose name can be configured, but it also exports two Outputs (BucketName and BucketDomainName), and CloudFormation stack Outputs must be unique within the same account.

I saw that when the Outputs are read, it actually lists all the Outputs and gets the ones with the same name. I think that if the Outputs were prefixed with the stack name, the conflict could be avoided and it would work in the same way.

I would like to find a solution to this problem so I can start using CDK, and I am up for sending a PR with changes to support this case.

Thanks

@manrueda
Author

After checking the code, it looks like the Exports are not being used. The bootstrap code uses describeStacks to get the whole stack and gets the outputs from there. They are not actually being used from any other CloudFormation template.

@eladb
Contributor

eladb commented Dec 23, 2018

@manrueda there should be only a single "toolkit stack" in each account/region. This means that teams should not need to "cdk bootstrap" on their own. Would that work for your use case or do you have any security/isolation concerns with this model?

@eladb eladb added ❓ question package/tools Related to AWS CDK Tools or CLI labels Dec 23, 2018
@manrueda
Author

That will not work in our configuration, because different teams can work in the same account but with different roles. Many, many teams share the same account in the same region, but we use roles that only allow us to access and use resources that are prefixed or have tags that our team uses. This is not only for security/isolation reasons but also for billing purposes. Because we all share the same account and each team has to be accountable for their resources, each "team id" is used for billing.

In this scenario, with only one "toolkit stack" there is no clear owner of the resource because it can be used by many teams, and it is also difficult to bill because all teams that use it will have assets in that S3 bucket.

@eladb
Contributor

eladb commented Dec 24, 2018

Okay, got it. So basically if we remove the exports from the toolkit stack, you will be able to use --toolkit-stack-name to specify a different toolkit stack name for each team, and they won't conflict. Is that correct?

@eladb eladb added bug This issue is a bug. and removed ❓ question labels Dec 24, 2018
@manrueda
Author

I checked the code and it looks like yes, that should do it.

@eladb
Contributor

eladb commented Dec 24, 2018

👍

eladb pushed a commit that referenced this issue Dec 24, 2018
The --toolkit-stack-name option can be used to specify the name for
the toolkit stack. However, since the toolkit stack outputs
had "Export"s, which must be unique within an environment, it was 
impossible to deploy multiple toolkit stacks.

This change removes the "Export"s as they are actually not used or needed
and also adds an integration test to verify that multiple toolkit stacks
can be deployed into the same environment.

`toolkitStackName` can also be specified in `cdk.json` or `~/.cdk.json`.
Updated the toolkit documentation topic to describe this.

Fixes #1416
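An added illustration of the constraint discussed in this thread (this is not code from the CDK repository or from PR #1427): Export names must be unique per account/region, whereas the CLI resolves the bucket through DescribeStacks by stack name and reads Outputs by key, so once the Exports are gone two stacks created with `--toolkit-stack-name` coexist. The export names, team stack names and bucket names are constructed for the example.

```python
# Added example for this issue thread, not code from the CDK repo or PR #1427.
# Shapes mirror CloudFormation DescribeStacks output; all data is constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Output:
    key: str                           # OutputKey, e.g. "BucketName"
    value: str                         # OutputValue
    export_name: Optional[str] = None  # ExportName: must be unique per account/region


@dataclass
class Stack:
    name: str
    outputs: List[Output] = field(default_factory=list)


def toolkit_stack(stack_name: str, bucket: str, with_exports: bool) -> Stack:
    """Build a toolkit stack as `cdk bootstrap --toolkit-stack-name` would.
    with_exports=True models the pre-fix template (export names are assumed)."""
    outputs = []
    for key, value in (("BucketName", bucket),
                       ("BucketDomainName", f"{bucket}.s3.amazonaws.com")):
        export = f"CdkToolkit-{key}" if with_exports else None  # assumed names
        outputs.append(Output(key, value, export))
    return Stack(stack_name, outputs)


def export_conflicts(stacks: List[Stack]) -> Dict[str, List[str]]:
    """Export names claimed by more than one stack in the same environment.
    CloudFormation rejects the second stack that creates such an Export, which
    is what made a second toolkit stack per account/region impossible."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for stack in stacks:
        for out in stack.outputs:
            if out.export_name:
                owners[out.export_name].append(stack.name)
    return {name: sorted(s) for name, s in owners.items() if len(s) > 1}


def read_toolkit_outputs(stacks: List[Stack], toolkit_stack_name: str) -> Dict[str, str]:
    """How the CLI resolves the bucket: DescribeStacks by stack name, then
    Outputs by OutputKey. Exports are never consulted, so dropping them is safe."""
    for stack in stacks:
        if stack.name == toolkit_stack_name:
            return {out.key: out.value for out in stack.outputs}
    raise LookupError(f"toolkit stack {toolkit_stack_name!r} not found; run cdk bootstrap")
```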
@eladb
Contributor

eladb commented Dec 24, 2018

PR: #1427

eladb pushed a commit that referenced this issue Dec 27, 2018
…#1427)