feat(cli): introduce the new cfn-changeset-review-role for the diff command#30568
feat(cli): introduce the new cfn-changeset-review-role for the diff command#30568sakurai-ryo wants to merge 14 commits intoaws:mainfrom
Conversation
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…ff-changeset-role
…aws-cdk into diff-changeset-role
…ff-changeset-role
There was a problem hiding this comment.
The pull request linter fails with the following errors:
❌ CLI code has changed. A maintainer must run the code through the testing pipeline (git fetch origin pull/30568/head && git push -f origin FETCH_HEAD:test-main-pipeline), then add the 'pr-linter/cli-integ-tested' label when the pipeline succeeds.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
| // Now install that `package.json` using NPM7 | ||
| await fixture.shell(['node', require.resolve('npm'), 'install']); | ||
| const isRepoMode = !!process.env.REPO_ROOT; | ||
| const npmPath = isRepoMode ? path.join(__dirname, 'package-sources/repo-tools/npm') : require.resolve('npm'); |
There was a problem hiding this comment.
The require.resolve function searches under the node_modules, so we were not able to use fake npm to use local packages.
|
|
||
| // IMAGE_COPIES env variable is used to test maximum number of ECR repositories allowed. | ||
| const IMAGE_COPIES = Number(process.env.IMAGE_COPIES) ?? 1; | ||
| const IMAGE_COPIES = Number(process.env.IMAGE_COPIES) || 1; |
There was a problem hiding this comment.
If we use ??, the right side will not be returned if Number(~) returns NaN when the IMAGE_COPIES is undefined.
| bodyParameter, | ||
| parameters: options.parameters, | ||
| resourcesToImport: options.resourcesToImport, | ||
| role: executionRoleArn, |
There was a problem hiding this comment.
Because CloudFormation cannot assume the cfn-changeset-review-role.
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
@Mergifyio update |
✅ Branch has been successfully updated |
…d large templates (#31597) Closes #29936 ### Reason for this change When running `cdk diff` on larger templates, the CDK needs to upload the diff template to S3 to create the ChangeSet. However, the CLI is currently not using the the [file asset publishing role](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L275) to do so and is instead using the IAM user/role that is configured by the user in the CLI - this means that if the user/role lacks S3 permissions then the `AccessDenied` error is thrown and users cannot see a full diff. ### Description of changes This PR ensures that the `FileAssetPublishingRole` is used by `cdk diff` to upload assets to S3 before creating a ChangeSet by: - Deleting the `makeBodyParameterAndUpload` function which was using the deprecated `publishAssets` function from [deployments.ts](https://github.com/aws/aws-cdk/blob/4b00ffeb86b3ebb9a0190c2842bd36ebb4043f52/packages/aws-cdk/lib/api/deployments.ts#L605) - Building and Publishing the template file assets inside the `uploadBodyParameterAndCreateChangeSet` function within `cloudformation.ts` instead ### Description of how you validated changes Integ test that deploys a simple CDK app with a single IAM role, then runs `cdk diff` on a large template change adding 200 IAM roles. I asserted that the logs did not contain the S3 access denied permissions errors, and also contained a statement for assuming the file publishing role. Reused the CDK app for the integ test from this [PR](#30568) by @sakurai-ryo which tried fixing this issue by adding another Bootstrap role (which we decided against). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ff-changeset-role
…aws-cdk into diff-changeset-role
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
…d large templates (#31597) Closes #29936 ### Reason for this change When running `cdk diff` on larger templates, the CDK needs to upload the diff template to S3 to create the ChangeSet. However, the CLI is currently not using the the [file asset publishing role](https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L275) to do so and is instead using the IAM user/role that is configured by the user in the CLI - this means that if the user/role lacks S3 permissions then the `AccessDenied` error is thrown and users cannot see a full diff. ### Description of changes This PR ensures that the `FileAssetPublishingRole` is used by `cdk diff` to upload assets to S3 before creating a ChangeSet by: - Deleting the `makeBodyParameterAndUpload` function which was using the deprecated `publishAssets` function from [deployments.ts](https://github.com/aws/aws-cdk/blob/f978155c40956440b80ca31695242d81f2f3af3a/packages/aws-cdk/lib/api/deployments.ts#L605) - Building and Publishing the template file assets inside the `uploadBodyParameterAndCreateChangeSet` function within `cloudformation.ts` instead ### Description of how you validated changes Integ test that deploys a simple CDK app with a single IAM role, then runs `cdk diff` on a large template change adding 200 IAM roles. I asserted that the logs did not contain the S3 access denied permissions errors, and also contained a statement for assuming the file publishing role. Reused the CDK app for the integ test from this [PR](aws/aws-cdk#30568) by @sakurai-ryo which tried fixing this issue by adding another Bootstrap role (which we decided against). ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Hi @sakurai-ryo, do you know what the state of this PR is? I currently see:
Before either of us do any work cleaning this up, @sakurai-ryo are you still interested in this PR? I can close it if not, but if so, it seems like this PR should get the If you're no longer interested, that is fine too, and I apologize for us not getting to this PR in quite some time. |
|
Hi @kaizencc For the safer use of CDK, I am still interested in this PR.
|
|
Hi @sakurai-ryo, thanks for your response. Yes, you should wait until the split is completed (probably this week). The new location will include the CLI code and the cloud assembly schema code. The repo is currently private but we will publicize when the split is done. Please sit tight until then! Thank you for your patience. |
|
The CLI is now here: https://github.com/aws/aws-cdk-cli Would love to see progress on a diff role |
|
@sakurai-ryo Are you able to port this PR over to the new repository? |
|
This PR has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
|
Keeping this open for a little while longer |
|
Closing due to no response from @sakurai-ryo. For anyone interested in picking this back up - please port this to the https://github.com/aws/aws-cdk-cli repository. |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #29767
Closes #29936
Relates to aws/aws-cdk-cli#634
Reason for this change
The
cdk diffcommand needs to assume the deploy-role to create the changeset, but thedeploy-rolehas strong privileges, such as deleting the cfn stack.Granting developers the ability to be able to assume the
deploy-roleto use thecdk diffcommand is a problem that some organizations should avoid.To avoid this, creating a new role in the Bootstrapping process with only limited privileges is necessary to avoid using the
deploy-rolewhen using thecdk diffcommand.Description of changes
Introducing a new role
Introduce a new
cfn-changeset-review-roleand give thecdk diffcommand the permissions it needs to create changesets.With this change, the required roles for each operation are as follows
The
cfn-changeset-review-rolehas the following permissions.The
cloud-assembly-schemais modified to allow users to use this role.It will be added to
manifest.jsonin the same format as the existinglookup-role.Retaining the role's Arn and the
requiresBootstrapStackVersionwill help if permissions are changed in the future.Change behavior when executing `cdk diff
Currently, we assume to
deploy-rolebefore creating the changeset, but changing it to assume to the newchangeset-role.If for some reason it is not possible to assume to
changeset-role, it will fall back to assume thedeploy-role.For example, when
changeset-roledoes not exist.This allows the
cdk diffto work in environments without the latest Bootstrap version.app-staging-synthesizer module
With the introduction of the new
changeset-role, I modified theapp-staging-synthesizermodule so that it can be used in the same way.Description of how you validated changes
Added cli-integ test to verify successful upload of cfn template and creation of changeset using the new role, plus several other unit tests.
Others
I created a new PR because a previously created PR was deemed abandoned after an Exemption Request was submitted.
#30329
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license