(util): Cross account publishing disallowed for non-bootstrapped accounts #31866

Closed
1 task done
mrkbabu opened this issue Oct 23, 2024 · 4 comments · Fixed by #31876
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. p1 potential-regression Marking this issue as a potential regression to be checked by team member

Comments


mrkbabu commented Oct 23, 2024

Describe the bug

Release v2.163.0 has introduced a breaking change for customers who do not bootstrap their AWS CDK accounts and publish assets / artifacts to S3 buckets that live in a different AWS account.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

v2.162.1

Expected Behavior

For accounts that are not bootstrapped, CDK should allow publishing assets / artifacts to an S3 bucket in a different account.

Current Behavior

We do not bootstrap our target deployment accounts. We also package & publish the deploying assets / artifacts into an S3 bucket that is managed in a central account to be used during CDK deploy. The change introduced in determineAllowCrossAccountAssetPublishing as part of “disallow cross account asset publishing in some scenarios (#31623) (edd031d)” is breaking our pipelines from publishing assets cross account and eventually failing to deploy.


Error observed

[2024-10-23T13:31:05.667Z] [09:31:05] [AWS cloudformation 400 0.371s 0 retries] describeStacks({ StackName: 'CDKToolkit' })
[2024-10-23T13:31:05.667Z] [09:31:05] [trace] SDK#makeDetailedException()
[2024-10-23T13:31:05.667Z] [09:31:05] Call failed: describeStacks({"StackName":"CDKToolkit"}) => Stack with id CDKToolkit does not exist (code=ValidationError)
[2024-10-23T13:31:05.667Z] [09:31:05] Error determining cross account asset publishing: Error: Error retrieving toolkit stack info: ValidationError: Stack with id CDKToolkit does not exist
[2024-10-23T13:31:05.667Z] [09:31:05] Defaulting to disallowing cross account asset publishing

Reproduction Steps

  • Do not bootstrap an account
  • As part of a pipeline, try to publish an asset / artifact (to be eventually used during deploy) into an S3 bucket that lives in a different account

Possible Solution

This function determineAllowCrossAccountAssetPublishing should be enhanced to allow cross account publishing for customers who do not bootstrap their AWS CDK accounts.

Additional Information/Context

No response

CDK CLI Version

2.163.1

Framework Version

No response

Node.js Version

16

OS

linux

Language

TypeScript

Language Version

No response

Other information

No response

@mrkbabu mrkbabu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 23, 2024
@github-actions github-actions bot added @aws-cdk/aws-s3 Related to Amazon S3 potential-regression Marking this issue as a potential regression to be checked by team member labels Oct 23, 2024
Contributor

khushail commented Oct 23, 2024

Hi @mrkbabu, thanks for reporting this.
Yes, there seemed to be cross-account deployment issues caused by the mentioned PR. Related GitHub notice mentioning this issue.
We have released a fix and you should upgrade to v2.163.1 (or downgrade to v2.162.1).

Let me know if you face the issue and it still persists.

@khushail khushail added p0 effort/small Small work item – less than a day of effort response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p1 and removed needs-triage This issue or PR still needs to be triaged. p0 effort/small Small work item – less than a day of effort labels Oct 23, 2024
Author

mrkbabu commented Oct 23, 2024

Thank you @khushail. Let me test it. Appreciate your quick turnaround.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 23, 2024
rix0rrr added a commit that referenced this issue Oct 24, 2024
…ap stack

If the bootstrap stack can't be found, it can't be validated. We used to
fail closed, but that just means that cross-account publishing is
broken.

Instead, we have to fail open.

Fixes #31866.
@mergify mergify bot closed this as completed in #31876 Oct 24, 2024
@mergify mergify bot closed this as completed in 427bf63 Oct 24, 2024
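
The fail-closed versus fail-open behaviour described in the commit message above, as an added TypeScript illustration that is not aws-cdk code. `decideCrossAccountPublishing`, `lookup`, `runScenarios` and the policy names are hypothetical, the sample errors are constructed, and keeping every other lookup error closed is a choice made for this sketch.

```typescript
// Added illustration, not aws-cdk source. All names here are hypothetical.
type Policy = 'fail-closed' | 'fail-open';

interface Decision {
  allow: boolean;
  reason: string;
}

// Matches the "does not exist" error text shown in the issue's log excerpt.
function isStackMissing(err: unknown): boolean {
  return /Stack with id \S+ does not exist/.test(String(err));
}

// lookup() stands in for reading and validating the bootstrap stack: it
// returns true/false for a stack that was found, and throws if the read fails.
function decideCrossAccountPublishing(lookup: () => boolean, policy: Policy): Decision {
  try {
    return lookup()
      ? { allow: true, reason: 'bootstrap stack validated' }
      : { allow: false, reason: 'bootstrap stack failed validation' };
  } catch (err) {
    if (isStackMissing(err)) {
      // Nothing to validate: this is the case the two policies disagree on.
      return { allow: policy === 'fail-open', reason: 'bootstrap stack not found' };
    }
    // Assumption of this sketch: any other lookup failure stays closed.
    return { allow: false, reason: `lookup failed: ${String(err)}` };
  }
}

// Constructed sample errors (the first mirrors the log line in the issue).
const missingStack = (): boolean => {
  throw new Error('Stack with id CDKToolkit does not exist');
};
const accessDenied = (): boolean => {
  throw new Error('AccessDenied (constructed sample)');
};

function runScenarios(): Record<string, boolean> {
  return {
    missingFailClosed: decideCrossAccountPublishing(missingStack, 'fail-closed').allow,
    missingFailOpen: decideCrossAccountPublishing(missingStack, 'fail-open').allow,
    deniedFailOpen: decideCrossAccountPublishing(accessDenied, 'fail-open').allow,
    invalidFailOpen: decideCrossAccountPublishing(() => false, 'fail-open').allow,
  };
}

console.log(runScenarios());
```
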

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2024