(aws-codepipeline-actions): Support cross-account ECS deployments with codepipeline actions

[kartickvijayakumar]

General Issue

Cross Account & Cross Region ECS

The Question

What is the recommended approach from CDK for cross account ECS deployments through codepipeline at present?

We have a code pipeline that needs to deploy a fargate service into multiple AWS accounts and regions.

The few things we considered were:

1. Multi-stack approach where we have a pipeline stack with a CodeBuildAction that builds the actual service, pushes the container image to ECR and outputs an imageTag. Another CodeBuildAction does a cdk synth for the service stack and outputs its template. We then use TagParameterContainerImage with a CloudFormationCreateUpdateStackAction to deploy this template with the appropriate imageTag - An ECR resource policy issue described in (aws-codepipeline-actions): TagParameterContainerImage unusable cross-account #15070 blocks this approach to do this cross-account.
2. Single stack with multiple stages in a code-pipeline with instances of EcsDeployAction that takes account and region as parameters and a `role' with appropriate cross-account and cross-region permissions - Something similar to this has been discussed in [aws-codepipeline-actions] support cross account/region ecs deployment  #11199 but the issue has been closed with a pull request (fix(ecs): imported services don't have account & region set correctly #15944) without clarity on the final approach.

Is there any elegant way of doing this today? Probably @skinny85 who has been active in most of these issues and discussions can help us with this.

CDK CLI Version

1.132.0

Framework Version

No response

Node.js Version

No response

OS

No response

Language

Typescript

Language Version

No response

Other information

No response

[skinny85]

Hey @kartickvijayakumar,

the recommended CDK-team solution is to use the CDK Pipelines module for these cross-account deployments.

CDK Pipelines handles Assets for you, automatically.

Thanks,
Adam

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[trefore-iakbar]

@skinny85 Is there any sample code on how to use the CDK Pipelines module to do this?

[stockf]

I'm also interested in how exactly you would do this with @aws-cdk/pipelines. I've tried to solve this for a while now and it is really tricky. I endet up with an additional S3 source with my image tag that I want to deploy and a context-variable for the tag that I overwrite in the build phase.

[skinny85]

@stockf there's a pretty detailed explanation on how to achieve this by @tobytipton in #17917 (comment).