Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use ssm parameter to detect CDK boostrap #1576

Merged
merged 5 commits into from
May 31, 2024
Merged

Conversation

sobolk
Copy link
Member

@sobolk sobolk commented May 28, 2024

Problem

CDK can be bootstrapped in a region using custom stack name. I.e. other than CDKToolkit

Issue number, if available:
#1510

Changes

This PR changes detection logic to use SSM parameter that contains version.

SSM access is already required for other functionalities to work.

Corresponding docs PR, if applicable:

Validation

Checklist

  • If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • If this PR requires a docs update, I have linked to that docs PR above.
  • If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sobolk sobolk added the run-e2e Label that will include e2e tests in PR checks workflow label May 28, 2024
@sobolk sobolk requested a review from a team as a code owner May 28, 2024 22:32
Copy link

changeset-bot bot commented May 28, 2024

🦋 Changeset detected

Latest commit: bfab0e8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@aws-amplify/sandbox Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Copy link
Contributor

@edwardfoyle edwardfoyle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functionally the change LGTM, but it looks like the AmplifyBackendDeployFullAccess policy only grants permission to read SSM params that start with /amplify:

{
            "Sid": "AmplifySSM",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/amplify/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },

@sobolk
Copy link
Member Author

sobolk commented May 28, 2024

Functionally the change LGTM, but it looks like the AmplifyBackendDeployFullAccess policy only grants permission to read SSM params that start with /amplify:

{
            "Sid": "AmplifySSM",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/amplify/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "${aws:PrincipalAccount}"
                }
            }
        },

Thanks. I was assuming we don't have this problem without actually checking it.

@@ -35,8 +32,9 @@ import {
BackendIdentifierConversions,
} from '@aws-amplify/platform-core';

export const CDK_BOOTSTRAP_STACK_NAME = 'CDKToolkit';
export const CDK_BOOTSTRAP_VERSION_KEY = 'BootstrapVersion';
// CDK stores bootstrap version in parameter store. Example parameter name looks like /cdk-bootstrap/<hash>/version
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this documented somewhere by CDK

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's some additional context.

From https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

--qualifier is a string that is added to the names of all resources in the bootstrap stack. A qualifier lets you avoid resource name clashes when you provision multiple bootstrap stacks in the same environment. The default is hnb659fds (this value has no significance).
Changing the qualifier also requires that your CDK app pass the changed value to the stack synthesizer. For more information, see Stack synthesizers.

From https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-synthesizers

The qualifier is added to the name of bootstrap resources to distinguish the resources in separate bootstrap stacks. To deploy two different versions of the bootstrap stack in the same environment (AWS account and Region), the stacks must have different qualifiers.
This feature is intended for name isolation between automated tests of the CDK itself. Unless you can very precisely scope down the IAM permissions given to the AWS CloudFormation execution role, there are no permission isolation benefits to having two different bootstrap stacks in a single account. Therefore, there's usually no need to change this value.
To change the qualifier, configure the DefaultStackSynthesizer either by instantiating the synthesizer with the property:

The important pieces seem to be This feature is intended for name isolation between automated tests of the CDK itself and The default is hnb659fds (this value has no significance) .

So to use other value than default would require passing qualifier to all stack synthesizers and it seems we should only look up for default setup to check if CDK boostrap is Gen2 compatible

Copy link
Contributor

@abhi7cr abhi7cr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sobolk sobolk merged commit 5b5c15c into main May 31, 2024
52 checks passed
@sobolk sobolk deleted the improve-cdk-detection-logic branch May 31, 2024 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
run-e2e Label that will include e2e tests in PR checks workflow
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants