refactor: gate access to environment SDK behind new class
Previously there were methods on the `Deployments` class that made it
possible to directly get an SDK from the `SdkProvider` for a particular
environment. Calling these methods made it possible to get an SDK
without thinking about assuming roles to go into a different account.

This PR introduces a new class, `EnvironmentAccess`, with a couple of
public methods that are the only ones allowed to obtain SDKs with
credentials. It has the methods:

- accessStackForStackOperations(stack)
- accessStackForLookup(stack)
- accessStackForReading(stack)

These will always respect the role information on the stack.

Ideally there would have been similar methods for assets as well, but
the `cdk-assets` library is entirely handling asset roles itself, and
it's not in the scope of this PR to change that. That keeps on using a
plain `SdkProvider`. Hotswap deployments will also just use CLI
credentials and not assume role, so that also keeps on using an
`SdkProvider`.

All other uses have moved to `EnvironmentAccess`.
rix0rrr committed Oct 25, 2024
1 parent d1d179f commit 814ea20
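The gating pattern the commit message describes, as an added illustration that is not aws-cdk's code. Every type and class here (`SdkProvider`, `EnvironmentAccess`, `StackArtifact`, the `forEnvironment` signature, the sample account IDs and role ARNs) is a hypothetical stand-in for the CLI's real types; the point it demonstrates is that the only way to turn a stack into an SDK goes through methods that read the role information off the stack, so a caller cannot forget to assume the role for a cross-account environment.

```typescript
// Added illustration (not aws-cdk code) of gating SDK acquisition behind an
// EnvironmentAccess class. All names here are hypothetical stand-ins.

type Mode = 'for-reading' | 'for-writing';

interface Environment { account: string; region: string }

// The subset of a stack artifact that carries role information.
interface StackArtifact {
  stackName: string;
  environment: Environment;
  assumeRoleArn?: string;   // action/deploy role, if the env was bootstrapped
  lookupRoleArn?: string;   // lookup role, if the env was bootstrapped
}

// A "resolved SDK" for this illustration: which account the calls land in
// and which principal makes them.
interface Sdk { account: string; region: string; principal: string; mode: Mode }

// Stand-in for SdkProvider: seeded with the CLI's default credentials.
class SdkProvider {
  constructor(private readonly defaultAccount: string,
              private readonly cliPrincipal: string) {}

  // Unrestricted access point. Nothing forces the caller to pass the role the
  // stack was bootstrapped with; that omission is the footgun being closed.
  forEnvironment(env: Environment, mode: Mode, assumeRoleArn?: string): Sdk {
    if (assumeRoleArn !== undefined) {
      // Simulated sts:AssumeRole: calls now run as the role in the target account.
      return { account: env.account, region: env.region, principal: assumeRoleArn, mode };
    }
    if (env.account !== this.defaultAccount) {
      throw new Error(
        `Need to perform AWS calls for account ${env.account}, ` +
        `but the current credentials are for ${this.defaultAccount}`);
    }
    return { account: env.account, region: env.region, principal: this.cliPrincipal, mode };
  }
}

// The gate: the only place that turns a stack into an SDK, and it always
// consults the stack's own role information.
class EnvironmentAccess {
  constructor(private readonly sdkProvider: SdkProvider) {}

  accessStackForStackOperations(stack: StackArtifact): Sdk {
    return this.sdkProvider.forEnvironment(stack.environment, 'for-writing', stack.assumeRoleArn);
  }

  accessStackForLookup(stack: StackArtifact): Sdk {
    // No lookup role means falling back to the CLI's own credentials
    // (hypothetical policy for this illustration).
    return this.sdkProvider.forEnvironment(stack.environment, 'for-reading', stack.lookupRoleArn);
  }

  accessStackForReading(stack: StackArtifact): Sdk {
    return this.sdkProvider.forEnvironment(stack.environment, 'for-reading', stack.assumeRoleArn);
  }
}

// Constructed sample: the CLI runs in account 111111111111 and targets a
// stack bootstrapped in a different account with deploy and lookup roles.
const provider = new SdkProvider('111111111111', 'arn:aws:iam::111111111111:user/cli-user');
const access = new EnvironmentAccess(provider);
const crossAccountStack: StackArtifact = {
  stackName: 'Api',
  environment: { account: '222222222222', region: 'us-east-1' },
  assumeRoleArn: 'arn:aws:iam::222222222222:role/cdk-deploy-role',
  lookupRoleArn: 'arn:aws:iam::222222222222:role/cdk-lookup-role',
};

// The path the refactor closes off: asking the provider directly and
// forgetting the role. With plain CLI credentials this cannot reach the
// other account, so it fails (or, worse, silently hits the wrong account
// when the CLI happens to run there).
function ungatedAccess(): string {
  try {
    provider.forEnvironment(crossAccountStack.environment, 'for-writing');
    return 'succeeded with CLI credentials';
  } catch (e) {
    return (e as Error).message;
  }
}

// The gated path: each method picks the right role off the stack.
function gatedAccess(): { deploy: string; lookup: string; read: string } {
  return {
    deploy: access.accessStackForStackOperations(crossAccountStack).principal,
    lookup: access.accessStackForLookup(crossAccountStack).principal,
    read: access.accessStackForReading(crossAccountStack).principal,
  };
}
```

The design choice worth noticing is that `SdkProvider.forEnvironment` is still reachable (the commit message keeps it for `cdk-assets` and hotswap), so the protection is by convention plus code review: every stack-related caller must hold an `EnvironmentAccess`, not a raw provider.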
Showing 9 changed files with 364 additions and 304 deletions.
12 changes: 9 additions & 3 deletions .npmrc
@@ -1,3 +1,9 @@
# Helps with using npm package-locally, while in a yarn workflow (avoids coupling scripts to yarn).
# This is needed because yarn goes out of it's way to ensure it controls what `node` binary is used (for good!)
scripts-prepend-node-path=auto
# This file is generated automatically by PeruNPM.
# Do not edit this file manually and make sure to include it in your .gitignore file.
# If you need to define custom npm configuration, you should create .npmrc-brazil file.
# When running, PeruNPM automatically copies properties from .npmrc-brazil file into .npmrc

# Configuration generated by PeruNPM
registry=http://127.0.0.1:53235/ws/tm4707yux7e5k8dcv50zej2mt4gaktae/zbkstkk3/npm/
//127.0.0.1:53235/ws/tm4707yux7e5k8dcv50zej2mt4gaktae/zbkstkk3/npm/:_auth=fake-auth
omit-lockfile-registry-resolved=true
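Review bot: The .npmrc hunk commits PeruNPM-generated workstation configuration into the repository: a registry on `127.0.0.1:53235` with a workspace-specific path and `//127.0.0.1:53235/...:_auth=fake-auth`, plus `omit-lockfile-registry-resolved=true`. The generated header itself says "Do not edit this file manually and make sure to include it in your .gitignore file", and none of it relates to the `EnvironmentAccess` refactor. Every other developer's npm would be pointed at a registry that does not exist on their machine. Drop the generated lines, keep only `scripts-prepend-node-path=auto` and its comment, and if the file is regenerated locally, gitignore it as the header instructs.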
13 changes: 6 additions & 7 deletions packages/aws-cdk/lib/api/deploy-stack.ts
Expand Up @@ -51,14 +51,13 @@ export interface DeployStackOptions {
/**
* SDK provider (seeded with default credentials)
*
* Will exclusively be used to assume publishing credentials (which must
* start out from current credentials regardless of whether we've assumed an
* action role to touch the stack or not).
* Will be used to:
*
* Used for the following purposes:
*
* - Publish legacy assets.
* - Upload large CloudFormation templates to the staging bucket.
* - Publish assets, either legacy assets or large CFN templates
* that aren't themselves assets from a manifest. (Needs an SDK
* Provider because the file publishing role is declared as part
* of the asset).
* - Hotswap
*/
readonly sdkProvider: SdkProvider;

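Review bot: The rewritten doc comment on `sdkProvider` drops the removed sentence explaining why publishing must "start out from current credentials regardless of whether we've assumed an action role to touch the stack or not"; the new bullet only says the file publishing role "is declared as part of the asset", which states the mechanism but not the constraint. Since this field now sits outside the `EnvironmentAccess` gate, the comment should also say explicitly that it must not be used to obtain an SDK for stack operations, reading or lookups, and that those callers go through `EnvironmentAccess` (for example `accessStackForStackOperations(stack)`); otherwise the footgun the commit message describes stays reachable through this option. Minor: "large CFN templates" should spell out CloudFormation as the removed text did.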