
AWS CodePipeline: CloudFormation Deploy CreateChangeSet, role_arn empty #13121

Closed
rpstreef opened this issue May 1, 2020 · 8 comments
Labels
service/codepipeline Issues and PRs that pertain to the codepipeline service.

Comments

@rpstreef

rpstreef commented May 1, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.24

  • provider.aws v2.59.0
  • provider.random v2.2.1
  • provider.template v2.1.2

Affected Resource(s)

  • aws_codepipeline

Terraform Configuration Files

The module that creates a CloudFormation change set and then executes it:
https://github.com/rpstreef/terraform-aws-codepipeline-sam

resource "aws_codepipeline" "_" {
  name     = "${local.resource_name}-codepipeline"
  role_arn = module.iam_codepipeline.role_arn

  artifact_store {
    location = aws_s3_bucket.artifact_store.bucket
    type     = "S3"
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["source"]

      configuration = {
        OAuthToken           = var.github_token
        Owner                = var.github_owner
        Repo                 = var.github_repo
        Branch               = var.github_branch
        PollForSourceChanges = var.poll_source_changes
      }
    }
  }

  stage {
    name = "Build"

    action {
      name             = "Build"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      version          = "1"
      input_artifacts  = ["source"]
      output_artifacts = ["build"]

      configuration = {
        ProjectName = aws_codebuild_project._.name
      }
    }
  }

  stage {
    name = "Deploy"

    action {
      name            = "CreateChangeSet"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      input_artifacts = ["build"]
      role_arn        = module.iam_cloudformation.role_arn
      version         = 1
      run_order       = 1

      configuration = {
        ActionMode     = "CHANGE_SET_REPLACE"
        Capabilities   = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
        OutputFileName = "ChangeSetOutput.json"
        StackName      = var.stack_name
        TemplatePath   = "build::templated.yaml"
      }
    }

    action {
      name            = "Deploy"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      input_artifacts = ["build"]
      version         = 1
      run_order       = 2

      configuration = {
        ActionMode     = "CHANGE_SET_EXECUTE"
        Capabilities   = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
        OutputFileName = "ChangeSetExecuteOutput.json"
        StackName      = var.stack_name
      }
    }
  }

  tags = {
    Environment = var.namespace
    Name        = var.resource_tag_name
  }
}

Expected Behavior

The CloudFormation Role ARN should have been applied to the Deploy stage, action "CreateChangeSet"

Actual Behavior

The role arn is not applied to the CloudFormation Deploy CreateChangeSet stage, and at execution it will fail.

When you update the stack, it actively removes the role_arn, but the configuration has not changed:

        stage {
            name = "Deploy"

          ~ action {
                category         = "Deploy"
              ~ configuration    = {
                    "ActionMode"            = "CHANGE_SET_REPLACE"
                    "Capabilities"          = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
                    "ChangeSetName"         = "sam-app-deploy"
                    "OutputFileName"        = "ChangeSetOutput.json"
                  - "RoleArn"               = "arn:aws:iam::123:role/dev-example-cloudformation-role" -> null
                    "StackName"             = "sam-app"
                    "TemplateConfiguration" = "build::configuration.json"
                    "TemplatePath"          = "build::packaged.yaml"
                }
                input_artifacts  = [
                    "build",
                ]
                name             = "CreateChangeSet"
                output_artifacts = []
                owner            = "AWS"
                provider         = "CloudFormation"
                region           = "us-east-1"
                role_arn         = "arn:aws:iam::123:role/dev-example-cloudformation-role"
                run_order        = 1
                version          = "1"
            }
          ~ action {
                category         = "Deploy"
              ~ configuration    = {
                    "ActionMode"     = "CHANGE_SET_EXECUTE"
                    "Capabilities"   = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
                  + "ChangeSetName"  = "sam-app-deploy"
                    "OutputFileName" = "ChangeSetExecuteOutput.json"
                    "StackName"      = "sam-app"
                }
                input_artifacts  = [
                    "build",
                ]
                name             = "Deploy"
                output_artifacts = []
                owner            = "AWS"
                provider         = "CloudFormation"
                run_order        = 2
                version          = "1"
            }
        }

Steps to Reproduce

  1. clone this repo: https://github.com/rpstreef/openapi-tf-example
  2. edit ./env/dev/dev.tfvars to fit your own environment (e.g. the profile should point to your own AWS profile), and set up remote-backend.tf (create or reuse an S3 bucket).
  3. in root: npm install
  4. npm run dev-init
  5. npm run dev-infra
  6. Check in the AWS console, CodePipeline, edit the CodePipeline that's just been deployed and view the Deploy stage Step 1; the role ARN is shown as empty.
@ghost ghost added the service/codepipeline Issues and PRs that pertain to the codepipeline service. label May 1, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 1, 2020
@rpstreef
Author

rpstreef commented May 1, 2020

Apparently there are no checks in place for this; to get the role_arn applied, the stage needs a ChangeSetName parameter like this:

action {
      name            = "CreateChangeSet"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      input_artifacts = ["build"]
      role_arn        = module.iam_cloudformation.role_arn
      version         = 1
      run_order       = 1

      configuration = {
        ActionMode     = "CHANGE_SET_REPLACE"
        Capabilities   = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
        OutputFileName = "ChangeSetOutput.json"
        StackName      = var.stack_name
        TemplatePath   = "build::templated.yaml"
        ChangeSetName  = "${var.stack_name}-deploy"
      }
    }

Then it will work.

@rpstreef rpstreef closed this as completed May 1, 2020
@rpstreef rpstreef reopened this May 1, 2020
@rpstreef
Author

rpstreef commented May 1, 2020

I thought it worked; it's inconsistent. I've changed the pipeline a few times and now done a complete redeployment, and the role_arn does not get applied:

"Action execution failed
Configuration Property RoleArn should not be empty in current ActionMode"

Updated the original bug report with an example: when you update the stack, Terraform removes the role_arn configuration.

@rpstreef
Author

rpstreef commented May 1, 2020

I fixed the issue by setting the RoleArn in the configuration block as well, which makes the role_arn in the action block completely useless, even though it should, if I'm not mistaken, be the only role_arn you need to set to make this work.

action {
      name            = "CreateChangeSet"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "CloudFormation"
      input_artifacts = ["build"]
      role_arn        = module.iam_cloudformation.role_arn
      version         = 1
      run_order       = 1

      configuration = {
        ActionMode            = "CHANGE_SET_REPLACE"
        Capabilities          = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
        OutputFileName        = "ChangeSetOutput.json"
        RoleArn               = module.iam_cloudformation.role_arn
        StackName             = var.stack_name
        TemplatePath          = "build::packaged.yaml"
        ChangeSetName         = "${var.stack_name}-deploy"
        TemplateConfiguration = "build::configuration.json"
      }
    }

@mousedownmike
Contributor

@rpstreef I encountered the same problem but the way I read it, the role_arn value is the value that CodePipeline uses to start CloudFormation actions and the RoleArn in configuration is the value that the CloudFormation service assumes when it is actually creating/updating the stack. I don't think they're the same but you could certainly use the same role.
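
The two-role split described in the comment above, and the configuration-level RoleArn that rpstreef's fix adds, written out as one complete deploy stage with both roles scoped to the minimum each principal needs. This is an added example, not code from the issue, from the linked modules or from the Terraform AWS provider. Assumed names: the resources `pipeline_cfn_action` and `cfn_service`, and the variables `var.stack_name` and `var.artifact_bucket`; `module.iam_codepipeline.role_arn` is the pipeline service role from the issue's own configuration. That the pipeline service role assumes the action-level role (and so needs `sts:AssumeRole` on it) and must hold `iam:PassRole` for the CloudFormation service role is how the CodePipeline documentation describes these two settings; verify it against the current docs for your account setup.

```hcl
# Added example, not from the issue or the AWS provider.
#   - action-level role_arn      : assumed by the pipeline service role to
#                                  call CloudFormation for this one action
#   - configuration.RoleArn      : assumed by the CloudFormation service to
#                                  create/update the stack's resources
# Assumed names: pipeline_cfn_action, cfn_service, var.stack_name,
# var.artifact_bucket. module.iam_codepipeline.role_arn comes from the issue.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Role 1: trusted by the pipeline service role, not by CloudFormation.
# (The pipeline service role itself needs sts:AssumeRole on this role.)
resource "aws_iam_role" "pipeline_cfn_action" {
  name = "${var.stack_name}-pipeline-cfn-action"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = module.iam_codepipeline.role_arn }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Role 1 may only manage change sets on this one stack, read the build
# artifact, and pass exactly one role to CloudFormation.
resource "aws_iam_role_policy" "pipeline_cfn_action" {
  role = aws_iam_role.pipeline_cfn_action.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = ["cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet",
                  "cloudformation:ExecuteChangeSet", "cloudformation:DeleteChangeSet",
                  "cloudformation:DescribeStacks"]
        Resource = "arn:aws:cloudformation:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stack/${var.stack_name}/*"
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:GetObjectVersion"]
        Resource = "arn:aws:s3:::${var.artifact_bucket}/*"
      },
      {
        # PassRole limited to the single service role, and only to CloudFormation.
        Effect    = "Allow"
        Action    = "iam:PassRole"
        Resource  = aws_iam_role.cfn_service.arn
        Condition = { StringEquals = { "iam:PassedToService" = "cloudformation.amazonaws.com" } }
      },
    ]
  })
}

# Role 2: trusted by the CloudFormation service. Attach only the permissions
# the template's resources need (template-specific, so not shown here).
resource "aws_iam_role" "cfn_service" {
  name = "${var.stack_name}-cfn-service"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "cloudformation.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Deploy stage; place it inside the aws_codepipeline resource from the issue.
# CHANGE_SET_REPLACE requires configuration.RoleArn (the error quoted in the
# thread), and role_arn on the action is a different role with a different job.
stage {
  name = "Deploy"

  action {
    name            = "CreateChangeSet"
    category        = "Deploy"
    owner           = "AWS"
    provider        = "CloudFormation"
    version         = "1"
    run_order       = 1
    input_artifacts = ["build"]
    role_arn        = aws_iam_role.pipeline_cfn_action.arn   # role 1

    configuration = {
      ActionMode     = "CHANGE_SET_REPLACE"
      ChangeSetName  = "${var.stack_name}-deploy"
      StackName      = var.stack_name
      TemplatePath   = "build::packaged.yaml"
      Capabilities   = "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND"
      RoleArn        = aws_iam_role.cfn_service.arn          # role 2
      OutputFileName = "ChangeSetOutput.json"
    }
  }
}
```

Keeping the two roles distinct is what limits the blast radius: the role the pipeline assumes can only drive change sets on the named stack and pass one specific role, while the permissions that actually create resources live on the CloudFormation service role and are never held by the pipeline itself. A useful check after `terraform apply` is to confirm in the plan output that the action's `configuration` still contains `"RoleArn"` on every subsequent run; the thread shows that dropping it from `configuration` is exactly the drift that produced the "RoleArn should not be empty" failure.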

@udayreddym

I still face the same issue. Is there any fix for this? role_arn was not picked up by the stage.

@wadave

wadave commented Aug 31, 2021

Is there an equivalent action of "DeploymentTargets" for configuration, so that I can deploy in a different account?

@justinretzolk
Member

Hey all 👋 Thank you for filing this issue, and for the continued discussion around it. It looks like the answer for the original issue was provided above, so I'm going to go ahead and close this issue out.

If you have additional questions, we would ask that you either open a separate issue (if what you're experiencing seems to be a bug), or submit a new topic in the AWS provider section of Discuss.

@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label Sep 27, 2021
@github-actions

github-actions bot commented Jun 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2022