Handle simultaneous cross-region & cross-account CodePipeline Actions #3388

Closed
skinny85 opened this issue Jul 22, 2019 · 0 comments · Fixed by #3694

Comments

@skinny85
Contributor

It can happen that an Action is both in a different account, and in a different region than the Pipeline. In that case, the replication Bucket needs to be either provided or generated with a KMS Key (that is required for cross-account access).

Also, the artifactStores property has to correctly include the reference to the KMS Key. We need to research whether it's possible to use alias there instead of the ARN; if it turns out we cannot, we will have to design a custom CFN resource that will, at deploy time, query the Stack containing the replication Bucket and find out the ID of the KMS Key (Keys cannot have a physical name set), and pass it to the Pipeline Stack in order to correctly fill the artifactStores property.

Also, to be able to use imported replication Buckets in that use-case, we will have to solve related issue #3138.
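
The condition this issue describes can be checked on a pipeline definition before it is deployed. The following is an added example, not code from the CDK project or from this issue: it assumes the pipeline is given as the `Properties` of an `AWS::CodePipeline::Pipeline` CloudFormation resource that uses `ArtifactStores`, and the function names, account IDs, bucket names and key ID are constructed.

```python
# Added example (not CDK code). Account IDs, bucket names and the key ID are constructed.

def account_of(role_arn):
    """Account ID field of an IAM role ARN: arn:aws:iam::<account-id>:role/<name>."""
    parts = role_arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None

def find_unkeyed_stores(pipeline, pipeline_account, pipeline_region):
    """Return (action, region, reason) for each action that is in another account AND
    another region while the artifact store for that region has no KMS key."""
    stores = {s["Region"]: s["ArtifactStore"] for s in pipeline.get("ArtifactStores", [])}
    findings = []
    for stage in pipeline.get("Stages", []):
        for action in stage.get("Actions", []):
            region = action.get("Region", pipeline_region)
            role = action.get("RoleArn")
            # No RoleArn means the action runs in the pipeline's own account.
            account = account_of(role) if role else pipeline_account
            if region == pipeline_region or account == pipeline_account:
                continue  # only the simultaneous cross-region + cross-account case
            store = stores.get(region)
            if store is None:
                findings.append((action["Name"], region, "no artifact store for region"))
            elif not store.get("EncryptionKey", {}).get("Id"):
                findings.append((action["Name"], region, "artifact store has no KMS key"))
    return findings

OTHER_ROLE = "arn:aws:iam::222222222222:role/deploy"  # constructed
SAMPLE = {
    "ArtifactStores": [
        {"Region": "us-east-1", "ArtifactStore": {
            "Type": "S3", "Location": "artifacts-use1",
            "EncryptionKey": {"Type": "KMS", "Id": "11111111-2222-3333-4444-555555555555"}}},
        {"Region": "eu-west-1", "ArtifactStore": {"Type": "S3", "Location": "replication-euw1"}},
    ],
    "Stages": [{"Name": "Deploy", "Actions": [
        {"Name": "SameAccountSameRegion"},
        {"Name": "OtherAccountOnly", "RoleArn": OTHER_ROLE},
        {"Name": "OtherRegionOnly", "Region": "eu-west-1"},
        {"Name": "OtherAccountAndRegion", "Region": "eu-west-1", "RoleArn": OTHER_ROLE},
        {"Name": "NoStoreForRegion", "Region": "ap-southeast-2", "RoleArn": OTHER_ROLE},
    ]}],
}

if __name__ == "__main__":
    for finding in find_unkeyed_stores(SAMPLE, "111111111111", "us-east-1"):
        print(finding)
```

Only the two actions that are both cross-account and cross-region are reported; the same-account action in `eu-west-1` is not, even though it uses the same unkeyed store.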

@skinny85 skinny85 added @aws-cdk/aws-codepipeline Related to AWS CodePipeline gap labels Jul 22, 2019
@fulghum fulghum added the effort/large Large work item – several weeks of effort label Jul 29, 2019
@skinny85 skinny85 self-assigned this Aug 1, 2019
skinny85 added a commit that referenced this issue Sep 11, 2019
This changes the scaffolding stack logic for the cross-region CodePipelines to include a KMS key and alias as part of it, which are required if an action is simultaneously cross-region and cross-account. We also change to use the KMS key ID instead of the key ARN when rendering the ArtifactStores property.

We also add an alias to the default pipeline artifact bucket.

This required a bunch of changes to the KMS and S3 modules:

* Alias now implements IKey
* Added the keyId property to IKey
* Added removalPolicy property to Alias
* Granting permissions to a key works if the principal belongs to a stack that is a dependent of the key stack
* Allow specifying a key when importing a bucket

Fixes #52
Concerns #1584
Fixes #2517
Fixes #2569
Concerns #3275
Fixes #3138
Fixes #3388