
pipelines: creates cross account support stack even though the action has cross account role defined #22220

Open
knovichikhin opened this issue Sep 24, 2022 · 2 comments
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@knovichikhin

knovichikhin commented Sep 24, 2022

Describe the bug

This pipeline downloads source from a different account using an existing cross-account role. In this case, there should be no need for a cross-account support stack. However, the pipeline generates one for the CodeCommit account.

It appears that the role is not assigned to the Source stage action, which is what could be triggering the support stack creation.

Expected Behavior

Expecting that cross-account-support-stack-CODE_COMMIT_ACCOUNT does not need to be created, since the action already has a cross-account role.

Current Behavior

CDK adds the cross-account-support-stack-CODE_COMMIT_ACCOUNT stack and tries to deploy it during the SelfMutate stage.

Reproduction Steps

import * as cdk from 'monocdk';
import * as codecommit from 'monocdk/aws-codecommit';
import * as iam from 'monocdk/aws-iam';
import * as codepipeline_actions from 'monocdk/aws-codepipeline-actions';
import * as pipelines from 'monocdk/pipelines';

export class PipelineStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        const codeCommitAccount = '111111111111';

        const sourceAccessRole = iam.Role.fromRoleArn(this, 'SourceAccessRole', 
            `arn:aws:iam::${codeCommitAccount}:role/alreadyCreatedRoleForThisAccount`, { mutable: false });

        const codeCommitRepository = codecommit.Repository.fromRepositoryArn(this, 'Repository',
            `arn:aws:codecommit:us-west-2:${codeCommitAccount}:repository`);

        const synthAction = new pipelines.CodeBuildStep('Synth', {
            input: pipelines.CodePipelineSource.codeCommit(
                codeCommitRepository,
                'branch',
                {
                    trigger: codepipeline_actions.CodeCommitTrigger.EVENTS,
                    eventRole: sourceAccessRole
                }
            ),
            installCommands: [
                'npm ci',
            ],
            commands: [
                'npm run build',
                'npx cdk synth --verbose',
            ],
            // I added this here to see if the Source stage would use this role, but that does not seem to be the case.
            role: sourceAccessRole
        });

        const pipeline = new pipelines.CodePipeline(this, 'Pipeline', {
            pipelineName: 'PipelineName',
            synth: synthAction,
            crossAccountKeys: true,
        });
    }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.42.0 (build 7d8ef0b)

Framework Version

1.140.0

Node.js Version

v14.18.1

OS

MacOS 12.5.1

Language

Typescript

Language Version

TypeScript (3.9.10)

Other information

No response

@knovichikhin knovichikhin added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 24, 2022
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Sep 24, 2022
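The symptom reported above can be confirmed from the synthesized output rather than by waiting for the SelfMutate stage to fail: the pipeline stack's template shows whether the Source action carries a RoleArn, and the cloud assembly's stack list shows whether a cross-account-support-stack-* was emitted. The following audit is an added example, not code from the issue or from aws-cdk; it runs offline on two constructed inputs that mirror the reported state (no RoleArn on the action, support stack present) and the desired state (the existing role on the action, no support stack). The account ID and role name are the placeholders from the reproduction above; the template shapes are constructed.

```typescript
// Added example (not from the issue or aws-cdk): post-synth audit of a
// CDK Pipelines stack for the "cross-account support stack despite an
// existing role" symptom. All inputs below are constructed.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

type Diagnosis =
  | 'ok'                          // either no support stack, or none needed
  | 'source-action-has-no-role'   // the behaviour reported in this issue
  | 'support-stack-despite-role'  // role present, yet a support stack was emitted
  | 'no-pipeline-found';

interface SourceAudit {
  sourceActionName: string | null;
  sourceRoleArn: string | null;   // literal ARN, or a stringified intrinsic
  supportStacks: string[];        // assembly stacks named cross-account-support-stack-*
  diagnosis: Diagnosis;
}

const SUPPORT_STACK_PREFIX = 'cross-account-support-stack-';

function findPipeline(template: CfnTemplate): CfnResource | undefined {
  return Object.values(template.Resources).find(r => r.Type === 'AWS::CodePipeline::Pipeline');
}

// RoleArn may be a plain string or an intrinsic such as Fn::Join / Fn::GetAtt.
function roleArnToString(roleArn: unknown): string | null {
  if (roleArn === undefined || roleArn === null) return null;
  return typeof roleArn === 'string' ? roleArn : JSON.stringify(roleArn);
}

function auditPipelineSource(template: CfnTemplate, assemblyStackNames: string[]): SourceAudit {
  const supportStacks = assemblyStackNames.filter(n => n.startsWith(SUPPORT_STACK_PREFIX));
  const pipeline = findPipeline(template);
  if (!pipeline) {
    return { sourceActionName: null, sourceRoleArn: null, supportStacks, diagnosis: 'no-pipeline-found' };
  }
  const stages: any[] = pipeline.Properties?.Stages ?? [];
  const sourceStage = stages.find(s => s.Name === 'Source');
  const action = sourceStage?.Actions?.[0];          // CDK Pipelines emits one source action here
  const sourceActionName: string | null = action?.Name ?? null;
  const sourceRoleArn = roleArnToString(action?.RoleArn);

  let diagnosis: Diagnosis = 'ok';
  if (supportStacks.length > 0 && sourceRoleArn === null) diagnosis = 'source-action-has-no-role';
  else if (supportStacks.length > 0) diagnosis = 'support-stack-despite-role';
  return { sourceActionName, sourceRoleArn, supportStacks, diagnosis };
}

// Constructed: the state the reporter observed. No RoleArn on the Source
// action, and the assembly contains a support stack for the CodeCommit account.
const observedTemplate: CfnTemplate = {
  Resources: {
    Pipeline: {
      Type: 'AWS::CodePipeline::Pipeline',
      Properties: {
        Name: 'PipelineName',
        Stages: [
          { Name: 'Source', Actions: [{ Name: 'repository',
              ActionTypeId: { Category: 'Source', Owner: 'AWS', Provider: 'CodeCommit', Version: '1' } }] },
          { Name: 'Build', Actions: [{ Name: 'Synth' }] },
        ],
      },
    },
  },
};
const observedStacks = ['PipelineStack', 'cross-account-support-stack-111111111111'];

// Constructed: the desired state, with the pre-existing role attached to the action
// (placeholder account and role name taken from the reproduction above).
const desiredTemplate: CfnTemplate = JSON.parse(JSON.stringify(observedTemplate));
desiredTemplate.Resources.Pipeline.Properties!.Stages[0].Actions[0].RoleArn =
  'arn:aws:iam::111111111111:role/alreadyCreatedRoleForThisAccount';
const desiredStacks = ['PipelineStack'];

function runObserved(): SourceAudit { return auditPipelineSource(observedTemplate, observedStacks); }
function runDesired(): SourceAudit { return auditPipelineSource(desiredTemplate, desiredStacks); }

console.log(runObserved().diagnosis);  // source-action-has-no-role
console.log(runDesired().diagnosis);   // ok
```

On a real assembly, the template is cdk.out/<PipelineStack>.template.json and the stack names come from the cloud assembly manifest; the check is worth running in CI because an unexpected support stack means the pipeline is about to create a second role in the repository account instead of using the one that was already scoped for it.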
@knovichikhin
Author

knovichikhin commented Sep 26, 2022

I tracked it down to this code:

class CodeCommitSource extends CodePipelineSource {
    constructor(private readonly repository: codecommit.IRepository, private readonly branch: string, private readonly props: CodeCommitSourceOptions) {
        super(Token.isUnresolved(repository.repositoryName)
            ? Node.of(repository).addr
            : repository.repositoryName);
        this.configurePrimaryOutput(new FileSet('Source', this));
    }

    protected getAction(output: Artifact, _actionName: string, runOrder: number, variablesNamespace?: string) {
        // Only eventRole is forwarded from the options; no `role` for the action itself is passed.
        return new cp_actions.CodeCommitSourceAction({
            output,
            // Guaranteed to be okay as action name
            actionName: this.repository.repositoryName,
            runOrder,
            branch: this.branch,
            trigger: this.props.trigger,
            repository: this.repository,
            eventRole: this.props.eventRole,
            codeBuildCloneOutput: this.props.codeBuildCloneOutput,
            variablesNamespace,
        });
    }
}

When the pipeline creates the Source action out of the CodePipelineSource, it does not provide a role. One potential fix is to expose the action role as a property of CodeCommitSourceOptions.

@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 10, 2022
@rix0rrr rix0rrr removed their assignment Oct 10, 2022
@l3ku

l3ku commented May 30, 2023

Any updates on this? I'm facing the same issue when I would like to use an existing role for the Source action for cross-account access to a CodeCommit repository on a different AWS account. Seems like currently the only way to work around this would be to implement a custom child class of CodePipelineSource that allows passing the action role.

Development

No branches or pull requests

3 participants