feat(codepipeline): cross-environment (account+region) actions

[skinny85]

This changes the scaffolding stack logic for the cross-region CodePipelines to include a KMS key and alias as part of it, which are required if an action is simultaneously cross-region and cross-account. We also change to use the KMS key ID instead of the key ARN when rendering the ArtifactStores property.

We also add an alias to the default pipeline artifact bucket.

This required a bunch of changes to the KMS and S3 modules:

• Alias now implements IKey
• Added the keyId property to IKey
• Added removalPolicy property to Alias
• Granting permissions to a key works if the principal belongs to a stack that is a dependent of the key stack
• Allow specifying a key when importing a bucket

Fixes #52
Concerns #1584
Fixes #2517
Fixes #2569
Concerns #3275
Fixes #3138
Fixes #3388

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[skinny85]

Updated the decdk test.

[rix0rrr]

Does that not mean that destroying and redeploying the stack will fail?

[skinny85]

Yes, but that was always true, even before adding the Alias (because of the orphaned, physically-named S3 Bucket backing the Pipeline).

[skinny85]

Pinging about this.

[skinny85]

Added retention policy Retain to the scaffold Alias.

[mergify]

Codebuild (Continuous Integration) build failed for current commits. Please check log and resolve before PR is merged.

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[mergify]

Pull Request Checklist

• Testing

• Unit test added (prefer to add a new test rather than modify existing tests)
• CLI change? Re-run/add CLI integration tests

• Documentation

• Inline docs: make sure all public APIs are documented (copy & paste from official AWS docs)
• README: update module README
• Design: for significant features, follow the design process

• Title uses the format type(scope): text

• Type: fix, feat, refactor go into CHANGELOG, chore is hidden
• Scope: name of the module without the aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
• Style: use all lower-case, do not end with a period

• Description

• Rationale: describe rationale of change and approach taken
• Issues: Indicate issues fixed via: fixes #xxx or closes #xxx
• Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>

• Sensitive Modules (requires 2 PR approvers)

• IAM document library (in @aws-cdk/aws-iam)
• EC2 security groups and ACLs (in @aws-cdk/aws-ec2)
• Grant APIs (if not based on official documentation with a reference)

[eladb]

Why is the title talks about "simultaneous". You basically mean "support cross account and region actions"?

[eladb]

what "does not work!" mean?

[skinny85]

You'll get a "Can only reference cross stacks in the same region and account." error.

[eladb]

Please follow up with @jerry-aws in a separate PR and revisit this doc. I think he will be able to help.

[eladb]

This documentation is weird. Should mostly describe how to do things and not what doesn't work...

[skinny85]

I just wanted to point out a potential "gotcha!" that might trip people up.

If you have a suggestion how to re-structure this documentation, I'm all ears.

[eladb]

I need a walk through this code. I am really struggling to understand what's going on here (it's me!).
Any chance you can schedule some time next week?

[eladb]

Do we have some doc reference (or appsec consultation) that this is the best practice?

[skinny85]

What would you suggest as an alternative here, given the comment?

[eladb]

missing test for this

[skinny85]

We don't have separate tests in the IAM library for methods like addToPrincipalAndResource - they're exercised only through tests in the particular Construct Libraries that use them. I'd rather not add them as part of this change. With the KMS test added above, this is now covered as well.

[skinny85]

Why is the title talks about "simultaneous". You basically mean "support cross account and region actions"?

"Simultaneous" means "at the same time", because this PR deals specifically with actions that are both cross-region and cross-account at the same time. "Simultaneous" is just shorter.

Pull request has been modified.

[skinny85]

Updated with feedback from comments & rebased.

[eladb]

Please follow up with @jerry-aws in a separate PR and revisit this doc. I think he will be able to help.

[mergify]

Continuous integration build failed

Pull request has been modified.

[skinny85]

Fixed the Import class in fromKeyArn and rebased over 1.8.0.

[skinny85]

Please follow up with @jerry-aws in a separate PR and revisit this doc. I think he will be able to help.

Done: #4031