feat(servicecatalog): Add Product Stack Asset Support #22857
Conversation
|
|
github-actions
bot
added
effort/medium
github-actions
bot
added
the
repeat-contributor
wanjacki
force-pushed
the
asset_support
branch
5 times, most recently
from
7c69300
to
ffeaf9a
Compare
wanjacki
force-pushed
the
asset_support
branch
from
ffeaf9a
to
0e97c15
Compare
|
@corymhall Hey Cory, sorry can you reopen this PR. Was trying to fix the the integ test build failing (passing locally) and this closed when I tried to rebase |
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
wanjacki
force-pushed
the
asset_support
branch
from
773c275
to
b61b4a5
Compare
wanjacki
force-pushed
the
asset_support
branch
from
b61b4a5
to
1afdca3
Compare
| } | ||
|
|
||
| private physicalNameOfBucket(bucket: IBucket) { | ||
| const resolvedName = cdk.Stack.of(bucket).resolve((bucket.node.defaultChild as CfnBucket).bucketName); |
There was a problem hiding this comment.
I think this should just be bucket.bucketName right?
const bucketName = bucket.bucketName;
// if the bucketName is undefined or is a token
if (!bucketName || Token.isUnresolved(bucketName)) {
throw new Error(...);
}There was a problem hiding this comment.
The bucketName is always a token regardless of if we pass a bucketName or not.
I asked Rico about a solution and he suggested his comment here: #21487 (comment).
Implementing his suggestion we access the underlying CfnBucket and retrieve the bucketName.
There was a problem hiding this comment.
ahh ok. In that case I think you will just have to handle the case where someone passes an IBucket and there is no default child. Maybe
if (Resource.isOwnedResource(bucket)) {
cdk.Stack.of(bucket).resolve((bucket.node.defaultChild as CfnBucket).bucketName);
} else {
bucket.bucketName;
}|
|
||
| const physicalName = this.physicalNameOfBucket(this.assetBucket); | ||
|
|
||
| (this.boundStack as ProductStack)._addAsset(asset); |
There was a problem hiding this comment.
It feels like we should manage the logic for _addAsset and _deployAssets
here instead of within ProductStack.
There was a problem hiding this comment.
I moved them both over as suggested.
| }); | ||
|
|
||
| const testAssetBucket = new s3.Bucket(stack, 'TestAssetBucket', { | ||
| bucketName: 'product-stack-asset-bucket-12345678-test-region', |
There was a problem hiding this comment.
| bucketName: 'product-stack-asset-bucket-12345678-test-region', | |
| bucketName: `product-stack-asset-bucket-${stack.account}-${stack.region}`, |
| ``` | ||
| $ cdk destroy --app "node integ.product.js" integ-servicecatalog-product | ||
| ``` | ||
| */ | ||
|
|
||
| const app = new cdk.App(); | ||
| const stack = new cdk.Stack(app, 'integ-servicecatalog-product'); |
There was a problem hiding this comment.
| const stack = new cdk.Stack(app, 'integ-servicecatalog-product'); | |
| const stack = new cdk.Stack(app, 'integ-servicecatalog-product', { | |
| env: { | |
| account: process.env.CDK_INTEG_ACCOUNT ?? process.env.CDK_DEFAULT_ACCOUNT, | |
| region: process.env.CDK_INTEG_REGION ?? process.env.CDK_DEFAULT_REGION, | |
| }, | |
| }); |
This allows you to use the actual account+region in the bucket name. The
snapshot will contain the dummy values.
There was a problem hiding this comment.
This results in an error that I'm not fully clear on. Are we missing something else?
Error: Resolution error: Resolution error: Resolution error: Resolution error: Cannot use resource 'integ-servicecatalog-product/S3AssetProduct/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole' in a cross-environment fashion, the resource's physical name must be explicit set or use `PhysicalName.GENERATE_IF_NEEDED`.
There was a problem hiding this comment.
nvm i fixed it somehow.
|
|
||
| product.associateTagOptions(tagOptions); | ||
| new cdk.CfnOutput(stack, 'PortfolioId', { value: portfolio.portfolioId }); |
There was a problem hiding this comment.
Can you use the IntegTest for this test?
new IntegTest(app, 'integ-product', {
testCases: [stack],
enableLookups: true,
});| import { ProductStackHistory, ProductStackProps } from '../lib'; | ||
|
|
||
| /** | ||
| * Follow these instructions to manually test provisioning a Product with an Asset with the resources provisioned in this stack: |
There was a problem hiding this comment.
Thanks for the instructions!
| Furthermore, in order for a spoke account to provision a product with an asset, the role launching | ||
| the product needs permissions to read from the asset bucket. | ||
| We recommend you utilize a launch role with permissions to read from the asset bucket. | ||
| For example your launch role would need to include at least the following policy: |
There was a problem hiding this comment.
Could we make the permissions more specific if they are using a launch role?
For example if they provide a launch role via portfolio.setLocalLaunchRoleName() then we could specify that as part of the bucket policy. From my testing it looks like the most specific we can get is something like this:
new iam.PolicyStatement({
actions: [
's3:GetObject*',
's3:GetBucket*',
's3:List*', ],
effect: iam.Effect.ALLOW,
resources: [
bucket.bucketArn,
bucket.arnForObjects('*'),
],
principals: [
...this.sharedAccounts.map(account => new iam.ArnPrincipal(cdk.Stack.of(this).formatArn({
service: 'iam',
region: '',
account,
resource: 'role',
resourceName: launchRoleName,
}))),
],
conditions: {
'ForAnyValue:StringEquals': {
'aws:CalledVia': ['cloudformation.amazonaws.com'],
},
'Bool': {
'aws:ViaAWSService': true,
},
},
});There was a problem hiding this comment.
Do you mean actually adding that PolicyStatement to their launch role. We would have to save the LaunchRole in portfolio when it is set and add it our aspect, so we can propagate the sharedAccounts regardless of the order it is called. There can also be multiple bucket and multiple accounts and other possible complications trying to generate that PolicyStatement. I'm not if it worth the effort or if the customer wants us adding permissions to their launchRole for them.
Or do you mean adding this to the documentation as a recommended policy statement to use for launch role when deploying assets? I think this a good alternative as they can craft a PolicyStatement using that more specific template you provided and easily add it to their LaunchRole if needed.
There was a problem hiding this comment.
No not to the launch role. This would be the policy that we add to the bucket. Rather than allowing read from any principal in the shared accounts, this only allows read from the launch role (if one is specified).
If this isn't going to cover all use cases though then we can leave the bucket policy as is and just add this as an example policy to the docs if users want to scope down the access more.
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
@corymhall Hey Cory thanks for the feedback. I submitted a new commit with all suggested changes. I also updated the integ test to deploy an actual lambda with an asset. Let me know what you think. |
wanjacki
force-pushed
the
asset_support
branch
from
1109c1f
to
e6f49a0
Compare
wanjacki
force-pushed
the
asset_support
branch
from
e6f49a0
to
ef9285c
Compare
PR #22857 is introducing a use case where we need to be able to add additional sources after the `BucketDeployment` resource is created. This PR adds an `addSource` method and changes all the sources evaluation within the construct to be lazy. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Hey @corymhall |
@wanjacki we fixed a bug in the |
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
PR aws#22857 is introducing a use case where we need to be able to add additional sources after the `BucketDeployment` resource is created. This PR adds an `addSource` method and changes all the sources evaluation within the construct to be lazy. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog. More details can be found here: aws#20690. Closes aws#20690 RFC: aws/aws-cdk-rfcs#458 ---- ### All Submissions: * [X ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [X] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* ---- Co-authored-by: Theron Mansilla[[imanolympic](https://github.com/imanolympic)]
PR aws#22857 is introducing a use case where we need to be able to add additional sources after the `BucketDeployment` resource is created. This PR adds an `addSource` method and changes all the sources evaluation within the construct to be lazy. ---- ### All Submissions: * [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [ ] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog. More details can be found here: aws#20690. Closes aws#20690 RFC: aws/aws-cdk-rfcs#458 ---- ### All Submissions: * [X ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [X] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* ---- Co-authored-by: Theron Mansilla[[imanolympic](https://github.com/imanolympic)]
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog.
More details can be found here: #20690. Closes #20690
RFC: aws/aws-cdk-rfcs#458
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Co-authored-by: Theron Mansilla[imanolympic]