A cross-region AND cross-account deployment where CodePipeline generates the support stacks for replication buckets and the support stacks for cross-account roles (which is the ideal situation) fails to deploy out of the box.
The cross-account and cross-region resources are created in separate stacks that don't have a dependency between them, but the resources on those stacks have bidirectional dependencies on each other:
- The Bucket and Key policies reference the Action Role
- The Role policy references the Bucket and Key (and deployment resources like CodeDeploy Deployment Groups)
Normally this wouldn't deploy, but we generate hard-coded resource names for the resources involved so that we can formulate policies anyway without having to have bidirectional cross-stack references.
The only order in which this deployment works is if we deploy the account stack (with the Role) before the replication stack (with the Bucket and Key), but there is no dependency between these stacks, so a naive cdk deploy may pick the wrong order and fail to deploy properly.
This is a tricky area to work in, as people may have built all kinds of elaborate constructions of stacks and resources and referenced resources, and anything that adds more dependencies is at risk of producing a cyclic dependency.
We are piloting a patchy fix right now for ECS CodeDeploy, which should be copied to all deployment actions if successful.
Expected Behavior
A cdk deploy should deploy in the right order.
Current Behavior
The replication bucket stack deploys before the role stack, causing a deployment failure.
…ncy (#24053)
In the case of a cross-account AND cross-region ECS deployment, a dependency between the support stacks that is necessary is missing.
This cannot be fixed globally. Because the resources reference each other bidirectionally (user -> bucket, bucket -> user), the only way to fix this is to do it locally: in the CodePipeline module, where we can have the knowledge that we use generated names and that everything will work out if we deploy the role before the bucket.
All CodePipeline Actions must have this fix eventually, but since people may have crazy stack setups in which addition of this dependency may introduce a cyclic dependency (breaking the synth), we're rolling this fix out with limited blast radius.
Follow-up in #24050, and suggest a good clean-up in #24051.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
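The ordering problem and the cyclic-dependency risk described above, modelled as an added example (not code from the CDK project or from this pull request). The stack names and helper functions are hypothetical; the graph stands in for deployment ordering in general, not for CDK's implementation.

```typescript
// Simplified model of stack ordering. Stack names and helpers are hypothetical,
// not CDK APIs or the names CodePipeline generates.
type Graph = Record<string, string[]>; // stack -> stacks that must deploy first

// True if `from` depends on `to`, directly or transitively.
function dependsOn(g: Graph, from: string, to: string, seen: string[] = []): boolean {
  if (from === to) return true;
  if (seen.indexOf(from) >= 0) return false;
  seen.push(from);
  return g[from].some((d) => dependsOn(g, d, to, seen));
}

// Record "stack deploys after target"; refuse an edge that would close a cycle.
function addDependency(g: Graph, stack: string, target: string): void {
  if (dependsOn(g, target, stack)) {
    throw new Error("cyclic dependency: " + target + " already depends on " + stack);
  }
  if (g[stack].indexOf(target) < 0) g[stack].push(target);
}

// Every deployment order the graph permits.
function validOrders(g: Graph, done: string[] = []): string[][] {
  const names = Object.keys(g);
  if (done.length === names.length) return [done];
  let out: string[][] = [];
  for (const s of names) {
    const ready = done.indexOf(s) < 0 && g[s].every((d) => done.indexOf(d) >= 0);
    if (ready) out = out.concat(validOrders(g, done.concat(s)));
  }
  return out;
}

// Constructed scenario: the two support stacks from the issue, no edge between them.
function supportStacks(): Graph {
  return { "role-support-stack": [], "replication-support-stack": [] };
}

const unordered = validOrders(supportStacks()); // either stack may go first
const fixed = supportStacks();
addDependency(fixed, "replication-support-stack", "role-support-stack");
const ordered = validOrders(fixed); // only the role-first order remains
console.log(unordered.length, JSON.stringify(ordered));
```

The same `addDependency` call throws when an existing setup already makes the role stack depend, even transitively, on the replication stack, which is the synth-breaking case the commit message gives as the reason for the limited rollout.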