bootstrap: Template can currently only be deployed into Commercial Cloud when TrustedAccounts set (#25272)
Comments
Thank you for the report. You're right, this breaks customers in govcloud. Can we confirm that this isn't also a problem with aws-cn?

Related: CN users have issues with hardcoded ARN parts: #23642
…(revert security hub finding fix) (#25540) **NOTE**: This PR bumps the version of the bootstrap stack to 18, but there is no need to update your bootstrap stacks as this PR changes no functionality. We are reverting #24588 because it includes hardcoded partitions in the bootstrap causing the `p0` in #25272. Including intrinsics `${AWS::Partition}` here is impossible. In addition, #24588 was reported to not actually fix the Security Hub finding: #19380 (comment). Although this is a revert, I am rolling forward the bootstrap version to 18. reverts #24588. fixes #25272. see #25273 & #25507. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
#24588 introduced ARNs with hardcoded partitions of "aws" (i.e., Commercial Cloud) on lines 477 & 480 of bootstrap-template.yaml, thus preventing deployment into other partitions (e.g., GovCloud) when the TrustedAccounts parameter is set to one or more Account IDs.
Expected Behavior
To be able to deploy the CDK Bootstrap Template into partitions other than Commercial Cloud (such as GovCloud) when setting the TrustedAccounts parameter.
Current Behavior
Deployment fails in CloudFormation with error: Partition "aws" is not valid for resource "arn:aws:kms::<account_id>:".
Reproduction Steps
Deploy version 17 of the CDK Bootstrap Template into a partition other than Commercial Cloud and set the TrustedAccounts parameter to one or more Account IDs.
Possible Solution
Replace the hardcoded "aws" partition in the ARNs with either "*" or "${AWS::Partition}"; I didn't test to see if the latter option works inside the join function.
Additional Information/Context
No response
CDK CLI Version
2.76.0
Framework Version
No response
Node.js Version
14.19.1
OS
CentOS 7.9.2009
Language
Python
Language Version
3.9.10
Other information
No response
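Added example, not code from the aws-cdk project or from the issue author: a small Python pre-deployment check that scans a CloudFormation template's text for ARN literals pinned to a single partition (arn:aws:, arn:aws-us-gov:, arn:aws-cn:) and, for each hit, reports whether the string sits inside a Fn::Sub, where ${AWS::Partition} is actually resolved, or in a plain or Fn::Join string, where the reporter's second option would be passed through to CloudFormation as a literal. The template snippet is constructed to resemble the key-policy pattern the issue describes and is not copied from bootstrap-template.yaml; the resource and parameter names in it (FileAssetsBucketEncryptionKey, TrustedAccount) are invented for the example.

```python
"""Flag partition-pinned ARNs in a CloudFormation template (added example)."""
import re
from dataclasses import dataclass

# Literal partition prefixes that tie a template to one cloud.
HARDCODED_ARN = re.compile(r"arn:(aws-us-gov|aws-cn|aws):")

# A line that uses !Sub / Fn::Sub is a substitution context: ${AWS::Partition}
# is resolved there. Anywhere else it stays a literal string.
SUB_CONTEXT = re.compile(r"(!Sub\b|Fn::Sub)")

# Constructed sample resembling the key-policy shape the issue describes.
# Not the real bootstrap-template.yaml; names are invented.
SAMPLE_TEMPLATE = """\
Resources:
  FileAssetsBucketEncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:Decrypt"
            Resource: "*"
          - Effect: Allow
            Principal: "*"
            Action: "kms:Decrypt"
            Resource: "*"
            Condition:
              ArnLike:
                aws:PrincipalArn: !Join ["", ["arn:aws:iam::", !Ref TrustedAccount, ":root"]]
"""


@dataclass(frozen=True)
class Finding:
    line_no: int        # 1-based line number in the template text
    partition: str      # the literal partition found, e.g. "aws"
    text: str           # the offending line, whitespace-stripped
    sub_context: bool   # True if ${AWS::Partition} would be resolved on this line


def find_hardcoded_partitions(template: str) -> list:
    """Return one Finding per line containing a literal partition ARN prefix."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        match = HARDCODED_ARN.search(line)
        if match is None:
            continue
        findings.append(Finding(
            line_no=line_no,
            partition=match.group(1),
            text=line.strip(),
            sub_context=bool(SUB_CONTEXT.search(line)),
        ))
    return findings


def partition_neutral(line: str) -> str:
    """Rewrite a line's literal partition to ${AWS::Partition}.

    Only meaningful inside a Fn::Sub; check Finding.sub_context first, because
    outside a substitution context CloudFormation keeps the text verbatim and
    the deployment still fails on the unresolved placeholder.
    """
    return HARDCODED_ARN.sub("arn:${AWS::Partition}:", line)


def report(template: str) -> list:
    """One advice line per finding; a partition-neutral template yields []."""
    out = []
    for f in find_hardcoded_partitions(template):
        if f.sub_context:
            advice = "inside Fn::Sub: replace with arn:${AWS::Partition}:"
        else:
            advice = ("not in a Fn::Sub: a literal ${AWS::Partition} would not be "
                      "resolved; wrap the string in !Sub or join with !Ref AWS::Partition")
        out.append(f"line {f.line_no}: hardcoded partition '{f.partition}' ({advice})")
    return out


if __name__ == "__main__":
    for advice_line in report(SAMPLE_TEMPLATE):
        print(advice_line)
```

Run against a real template with `report(open("bootstrap-template.yaml").read())` before `cdk bootstrap` in a non-commercial partition; a non-empty result means the template would trip the same "Partition "aws" is not valid" validation the issue reports. The check is textual on purpose: CloudFormation short-form tags such as !Sub and !Join are not plain YAML, so a generic YAML loader is not needed.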