Skip to content

fix(cli): cross-account asset publishing doesn't work without bootstrap stack#31876

Merged
mergify[bot] merged 2 commits intomainfrom
huijbers/fix-cross-account2
Oct 24, 2024
Merged

fix(cli): cross-account asset publishing doesn't work without bootstrap stack#31876
mergify[bot] merged 2 commits intomainfrom
huijbers/fix-cross-account2

Conversation

@rix0rrr
Copy link
Copy Markdown
Contributor

@rix0rrr rix0rrr commented Oct 24, 2024
edited
Loading

When determining whether or not to allow cross-account bucket uploads, we inspect the bootstrap stack in the account we're deploying to:

  • If it doesn't advertise an S3 Bucket, then we allow cross-account bucket uploads (if the bucket isn't in the bootstrap stack in our account, it's probably in a different account, because we do need one)
  • if the bootstrap stack is recent enough, we also allow cross-account bucket uploads (there are mitigations against problems in the IAM policy of recent bootstrap stacks, and if those are gone they have been removed on purpose by the customer).

However, if the bootstrap stack can't be found, it can't be validated. This can happen if the customer provisions their resources differently than via the bootstrap stack.

When that happens, we used to fail closed: but that just means that cross-account asset uploads are now prohibited, and not having a bootstrap stack and expecting assets to be uploaded to a different account in your organization should be a valid setup.

So instead, we have to fail open: if we can't find the bootstrap stack, we do allow cross-account asset uploads. We treat this check more as a best-effort sanity check. This is not the only protection mechanism we have, so the local check is more of a bonus.

Fixes #31866.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr
fix(cli): cross-account asset publishing doesn't work without bootstr…
6523cc0 
…ap stack

If the bootstrap stack can't be found, it can't be validated. We used to
fail closed, but that just means that cross-account publishing is
broken.

Instead, we have to fail open.

Fixes #31866.
@rix0rrr rix0rrr requested a review from a team October 24, 2024 08:44
@aws-cdk-automation aws-cdk-automation requested a review from a team October 24, 2024 08:44
@github-actions github-actions bot added bug This issue is a bug. p1 labels Oct 24, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Oct 24, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 24, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation added the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 24, 2024
@rix0rrr rix0rrr added pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes labels Oct 24, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review October 24, 2024 09:16

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-cli-test-run This PR needs CLI tests run against it. label Oct 24, 2024
@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Oct 24, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: af27bf6
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Oct 24, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 427bf63 into main Oct 24, 2024
@mergify mergify bot deleted the huijbers/fix-cross-account2 branch October 24, 2024 09:44
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Oct 24, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mrgrain mrgrain mrgrain approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. p1 pr-linter/cli-integ-tested Assert that any CLI changes have been integ tested pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-test The PR linter will not require test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(util): Cross account publishing disallowed for non-bootstraped accounts

3 participants

@rix0rrr @aws-cdk-automation @mrgrain