-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use ssm parameter to detect CDK boostrap #1576
Conversation
🦋 Changeset detectedLatest commit: bfab0e8 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Functionally the change LGTM, but it looks like the AmplifyBackendDeployFullAccess
policy only grants permission to read SSM params that start with /amplify
:
{
"Sid": "AmplifySSM",
"Effect": "Allow",
"Action": [
"ssm:GetParametersByPath",
"ssm:GetParameters",
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:*:*:parameter/amplify/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
Thanks. I was assuming we don't have this problem without actually checking it. |
@@ -35,8 +32,9 @@ import { | |||
BackendIdentifierConversions, | |||
} from '@aws-amplify/platform-core'; | |||
|
|||
export const CDK_BOOTSTRAP_STACK_NAME = 'CDKToolkit'; | |||
export const CDK_BOOTSTRAP_VERSION_KEY = 'BootstrapVersion'; | |||
// CDK stores bootstrap version in parameter store. Example parameter name looks like /cdk-bootstrap/<hash>/version |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this documented somewhere by CDK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's reverse engineered from https://github.com/aws/aws-cdk/blob/526d4ad8a8528d7f7c5665673ad39dd62fda3a17/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml#L616-L622 .
We haven't found a better way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's some additional context.
From https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html
--qualifier is a string that is added to the names of all resources in the bootstrap stack. A qualifier lets you avoid resource name clashes when you provision multiple bootstrap stacks in the same environment. The default is hnb659fds (this value has no significance).
Changing the qualifier also requires that your CDK app pass the changed value to the stack synthesizer. For more information, see Stack synthesizers.
From https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-synthesizers
The qualifier is added to the name of bootstrap resources to distinguish the resources in separate bootstrap stacks. To deploy two different versions of the bootstrap stack in the same environment (AWS account and Region), the stacks must have different qualifiers.
This feature is intended for name isolation between automated tests of the CDK itself. Unless you can very precisely scope down the IAM permissions given to the AWS CloudFormation execution role, there are no permission isolation benefits to having two different bootstrap stacks in a single account. Therefore, there's usually no need to change this value.
To change the qualifier, configure the DefaultStackSynthesizer either by instantiating the synthesizer with the property:
The important pieces seem to be This feature is intended for name isolation between automated tests of the CDK itself and The default is hnb659fds (this value has no significance) .
So to use other value than default would require passing qualifier to all stack synthesizers and it seems we should only look up for default setup to check if CDK boostrap is Gen2 compatible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Problem
CDK can be bootstrapped in a region using custom stack name. I.e. other than
CDKToolkit
Issue number, if available:
#1510
Changes
This PR changes detection logic to use SSM parameter that contains version.
SSM access is already required for other functionalities to work.
Corresponding docs PR, if applicable:
Validation
Checklist
run-e2e
label set.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.