feat(cli): diff now uses the lookup Role for new-style synthesis#18277
feat(cli): diff now uses the lookup Role for new-style synthesis#18277mergify[bot] merged 9 commits intoaws:masterfrom corymhall:corymhall/lookuprole
Conversation
stack artifact This PR exposes information on the bootstrap lookup role on the CloudFormation stack artifact. This enables the CLI to assume the lookup role during cli operations in order to lookup information in the stack account. Along with the ARN of the lookup role, this also exposes a `requiresBootstrapStackVersion` property which is set to `8` (the version the lookup role was given ReadOnlyAccess), and the `bootstrapStackVersionSsmParameter` which is needed to lookup the bootstrap version if a user has renamed the bootstrap stack. This allows us to first check whether the lookupRole exists and has the correct permissions prior to using it.
|
|
rix0rrr
left a comment
There was a problem hiding this comment.
Can you also add the changes to the synthesizer that will emit the new values, and the changes to the CLI that will consume the new values?
packages/@aws-cdk/cx-api/lib/artifacts/cloudformation-artifact.ts
Outdated
Show resolved
Hide resolved
At least for |
Yes, +1000 this! Let's re-shape this PR to, instead of a This will allow for a beautiful transition into Calvin's PR for supporting diff in Nested Stacks (#18207). |
I'm actually not sure that the approach that I've currently implemented will work. I am providing the The only approach I can think of is to:
Alternatively this feels like a big enough change that we could just bump the required bootstrap version in the CLI to 8. @rix0rrr let me know what you think. |
|
I am really loath to bump the required bootstrap version. We've had extremely negative feedback to that in the past. I think your solution is the best one. The most backwards-compatible algorithm I can think of is:
For For |
…mplate also updated forEnvironment to return whether or not it is returning default credentials.
rix0rrr
left a comment
There was a problem hiding this comment.
Thanks for the awesome work! Got some style niggles, but this is almost there
| /** | ||
| * Read a version from an SSM parameter, cached | ||
| */ | ||
| protected async versionFromSsmParameter(sdk: ISDK, parameterName: string): Promise<number> { |
There was a problem hiding this comment.
Is this code copy/pasted? Can we get rid of the duplication?
There was a problem hiding this comment.
In order to remove the duplication I had to make this method a public method on ToolkitInfo. Let me know what you think.
| if (!stack.lookupRole) { | ||
| throw new Error(`The stack ${stack.displayName} does not have the lookupRole configured`); |
There was a problem hiding this comment.
Is this worth an error? What is it checking?
- Is it checking that the caller of
prepareSdkWithLookupRoleForshould not have called this function if there's not a lookup role?- Is it worth requiring every caller of this function to add an additional
if? Can we not just use the "current credentials" and simplify the call path for all callers?
- Is it worth requiring every caller of this function to add an additional
- Or is it checking that all stacks have a
lookupRole?- What about old versions of the cloud assembly, or legacy-synthesized stacks?
| requiresBootstrapStackVersion: MIN_BOOTSTRAP_STACK_VERSION, | ||
| bootstrapStackVersionSsmParameter: this.bootstrapStackVersionSsmParameter, | ||
| additionalDependencies: [artifactId], | ||
| lookupRole: this.lookupRoleArn ? { |
There was a problem hiding this comment.
It's probably useful if people can disable this. I can imagine environments in which the lookup role has been neutered, or people prefer using current credentials to access their stacks.
Add a property to switch this off?
There was a problem hiding this comment.
Add a disableLookupRole property.
| /** | ||
| * Try to use the bootstrap lookupRole. There are two scenarios that are handled here | ||
| * 1. The lookup role may not exist (it was added in bootstrap stack version 7) | ||
| * 2. The lookup role may not have the correct permissions (ReadOnlyAccess was added in |
There was a problem hiding this comment.
Sheesh, fortunately at version 7 it already has the required SSM parameter permissions... 😅
rix0rrr
left a comment
There was a problem hiding this comment.
Conditionally shipped, I'd like to see a minor tweak to the user-facing flag
| /** | ||
| * Whether or not to disable use of the lookup role | ||
| * | ||
| * @default - false | ||
| */ | ||
| readonly disableLookupRole?: boolean; |
There was a problem hiding this comment.
In general, I hate to use flags that are named after a negative. In frail human heads it becomes very hard to reason about (at least in mine 😅).
Can we turn this into something like this (adding some explanation of what the flag does as well):
| /** | |
| * Whether or not to disable use of the lookup role | |
| * | |
| * @default - false | |
| */ | |
| readonly disableLookupRole?: boolean; | |
| /** | |
| * Use the bootstrapped lookup role for (read-only) stack operations | |
| * | |
| * Use the lookup role when performing a `cdk diff`. If set to `false`, the | |
| * `deploy role` credentials will be used to perform a `cdk diff.` | |
| * | |
| * Requires bootstrap stack version 8. | |
| * | |
| * @default true | |
| */ | |
| readonly useLookupRoleForStackOperations?: boolean; |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…#18277) This PR exposes information on the bootstrap lookup role on the CloudFormation stack artifact. This enables the CLI to assume the lookup role during cli operations in order to lookup information in the stack account. Along with the ARN of the lookup role, this also exposes a `requiresBootstrapStackVersion` property which is set to `8` (the version the lookup role was given ReadOnlyAccess), and the `bootstrapStackVersionSsmParameter` which is needed to lookup the bootstrap version if a user has renamed the bootstrap stack. This allows us to first check whether the lookupRole exists and has the correct permissions prior to using it. This also updates the `diff` capability in the CLI (run as part of `cdk diff` or `cdk deploy`) to use this new functionality. It now will try to assume the lookupRole and if it doesn't exist or if the bootstrap stack version is not valid, then it will fallback to using the deployRole (what it uses currently). This PR also updates the `forEnvironment` function to return whether or not it is returning the default credentials. This allows the calling function to decide whether or not it actually wants to use the default credentials. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR exposes information on the bootstrap lookup role on the
CloudFormation stack artifact. This enables the CLI to assume the lookup
role during cli operations in order to lookup information in the stack
account.
Along with the ARN of the lookup role, this also exposes a
requiresBootstrapStackVersionproperty which is set to8(theversion the lookup role was given ReadOnlyAccess), and the
bootstrapStackVersionSsmParameterwhich is needed to lookup thebootstrap version if a user has renamed the bootstrap stack.
This allows us to first check whether the lookupRole exists and has the
correct permissions prior to using it.
This also updates the
diffcapability in the CLI (run as part ofcdk difforcdk deploy)to use this new functionality. It now will try to assume the lookupRole and if it doesn't exist or
if the bootstrap stack version is not valid, then it will fallback to using the deployRole (what it uses
currently).
This PR also updates the
forEnvironmentfunction to return whether or not it is returning thedefault credentials. This allows the calling function to decide whether or not it actually wants
to use the default credentials.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license