
fix(core): s3-deployments don't work with new bootstrap stack #8578

Merged
merged 8 commits into master from huijbers/s3-deployment-newassets on Jun 17, 2020

Conversation

rix0rrr
Contributor

@rix0rrr rix0rrr commented Jun 16, 2020

We added a KMS key, so the roles that want to read from the asset bucket should have KMS permissions.

Using aws-s3-deployments in combination with the new bootstrap stack requires a bootstrap stack update. You will see the following message if that is the case: Stack failed: Error: Stack: publishing assets requires bootstrap stack version '3', found '2'. Please run 'cdk bootstrap' with a newer CLI version.

Fixes #8541.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

We added a KMS key, so the roles that want to read from the asset
bucket should have KMS permissions.

Fixes #8541.
@rix0rrr rix0rrr requested a review from a team June 16, 2020 14:50
@rix0rrr rix0rrr self-assigned this Jun 16, 2020
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 16, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 841e672
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Contributor

@eladb eladb left a comment


I am not comfortable with granting decrypt permissions with any key. Feels unnecessarily promiscuous. I believe we should have an alias with a well known name in the bootstrap stack. Can we only grant permissions to it?

@rix0rrr
Contributor Author

rix0rrr commented Jun 17, 2020

I am not comfortable with granting decrypt permissions with any key. Feels unnecessarily promiscuous. I believe we should have an alias with a well known name in the bootstrap stack. Can we only grant permissions to it?

We don't have an alias.

We can add an alias, but it wouldn't help. It's not possible to add permissions to an alias, it must be on the key ID (which is a UUID).
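
The thread above makes two security points: a role that reads from the asset bucket should get kms:Decrypt on the one bootstrap key rather than on any key, and that key has to be addressed by its key ARN (resolved from a stack export) because an alias cannot carry permissions. The block below is an added illustration of both, written for this page; it is not aws-cdk code and does not use the CDK library. The function names, the ARN regex, and the sample bucket, key and alias ARNs are assumptions constructed for the example. It also shows the explicit null check that a reviewer asks for later in the thread, in place of a TypeScript `!` assertion.

```typescript
// Added example, not code from the aws-cdk project. It models the least-privilege
// grant discussed in this PR: a role that reads a KMS-encrypted asset bucket gets
// kms:Decrypt on exactly one key ARN (resolved from a stack export), never on "*".

interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
}

interface IamPolicyDocument {
  Version: "2012-10-17";
  Statement: IamStatement[];
}

// IAM can only scope KMS permissions to a key ARN
// (arn:<partition>:kms:<region>:<account>:key/<uuid>). An alias ARN
// (...:alias/<name>) is not a valid grant target, which is why the thread
// settles on exporting the key itself rather than an alias.
const KMS_KEY_ARN =
  /^arn:[a-z-]+:kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;

// Explicit check in place of a TypeScript `!` non-null assertion: an unresolved
// export fails here with a clear message instead of propagating `undefined`
// into the policy document.
function requireKeyArn(arn: string | undefined): string {
  if (arn === undefined) {
    throw new Error("KMS key ARN is unresolved; is the bootstrap stack export present?");
  }
  if (!KMS_KEY_ARN.test(arn)) {
    throw new Error(`'${arn}' is not a KMS key ARN; permissions cannot target an alias`);
  }
  return arn;
}

// Policy for a role that reads assets from the bucket. S3 read actions are
// scoped to the bucket and its objects; decrypt is scoped to the single key.
function assetReaderPolicy(bucketArn: string, kmsKeyArn: string | undefined): IamPolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
        Resource: [bucketArn, `${bucketArn}/*`],
      },
      {
        Effect: "Allow",
        Action: ["kms:Decrypt"],
        Resource: [requireKeyArn(kmsKeyArn)],
      },
    ],
  };
}

// Lint that flags the shape the reviewer objected to: an Allow of kms:Decrypt
// whose Resource includes "*" (decrypt with any key in the account).
function wildcardDecryptStatements(doc: IamPolicyDocument): IamStatement[] {
  return doc.Statement.filter(
    (s) => s.Effect === "Allow" && s.Action.includes("kms:Decrypt") && s.Resource.includes("*"),
  );
}

// Constructed sample values; the account id, bucket name, key id and alias
// name are placeholders, not values from the project.
const SAMPLE_BUCKET_ARN = "arn:aws:s3:::cdk-example-assets-123456789012-us-east-1";
const SAMPLE_KEY_ARN =
  "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012";
const SAMPLE_ALIAS_ARN = "arn:aws:kms:us-east-1:123456789012:alias/example-bootstrap-key";

const scoped = assetReaderPolicy(SAMPLE_BUCKET_ARN, SAMPLE_KEY_ARN);
console.log(JSON.stringify(scoped, null, 2));
console.log("wildcard decrypt statements:", wildcardDecryptStatements(scoped).length);
```

Running the block prints the scoped policy and a count of zero wildcard decrypt statements; passing `undefined` or `SAMPLE_ALIAS_ARN` to `requireKeyArn` throws before any policy is built, which is the failure mode the explicit guard is there to surface early.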

@rix0rrr rix0rrr requested review from eladb and a team June 17, 2020 07:56
@hoegertn
Contributor

What about a CFN Export of the key ID?

@rix0rrr
Contributor Author

rix0rrr commented Jun 17, 2020

What about a CFN Export of the key ID?

Yep, good call. We ended up doing that.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 0062a83
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@rix0rrr rix0rrr added the pr/do-not-merge This PR should not be merged at this time. label Jun 17, 2020
@@ -247,6 +267,7 @@ export class DefaultStackSynthesizer implements IStackSynthesizer {
httpUrl,
s3ObjectUrl,
s3Url: httpUrl,
kmsKeyArn: Fn.importValue(cfnify(this._kmsKeyArnExportName!)),
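Review bot: the `!` on `this._kmsKeyArnExportName!` in the added `kmsKeyArn` line silences the compiler rather than the failure; if the export name was never set, `undefined` flows into `cfnify` and `Fn.importValue` and the error surfaces far from its cause. Suggest an explicit guard with a descriptive message before this object is built, e.g. `if (!this._kmsKeyArnExportName) { throw new Error('KMS key ARN export name is not set'); }`. A short comment on this line noting that `Fn.importValue` ties the consuming stack to a bootstrap-stack export (the reason the PR description requires a newer bootstrap version) would also help the next reader.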
Contributor


curious, why do we need ! here and for this.bucketName? Generally I think we should completely avoid !. It's better to write the code that checks for nullity and throws an "unexpected" exception (or some other meaningful message) than let the null propagate to an unexpected place.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 009ed01
  • Result: FAILED
  • Build Logs (available for 30 days)


@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 646e9f5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 6509d11
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: bcf0287
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@rix0rrr rix0rrr requested review from eladb and a team June 17, 2020 13:30
Contributor

@eladb eladb left a comment


I think you accidentally added the imported Key to the parent scope

Co-authored-by: Elad Ben-Israel <benisrae@amazon.com>
@rix0rrr rix0rrr requested a review from eladb June 17, 2020 15:10
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 9f0ace8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@rix0rrr rix0rrr removed the pr/do-not-merge This PR should not be merged at this time. label Jun 17, 2020
@rix0rrr rix0rrr requested a review from a team June 17, 2020 16:02
@mergify
Contributor

mergify bot commented Jun 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 129d2dc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@mergify
Contributor

mergify bot commented Jun 17, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit b2006c3 into master Jun 17, 2020
@mergify mergify bot deleted the huijbers/s3-deployment-newassets branch June 17, 2020 19:17
Successfully merging this pull request may close these issues.

S3 Bucket Deployment does not work with new asset system
4 participants