
app-staging-synthesizer-alpha: Uses default bootstrap exec role when bootstrapQualifier is supplied #28195

Open
@BrianFarnhill

Description


Describe the bug

Consider the following use of the AppStagingSynthesizer:

```ts
defaultStackSynthesizer: AppStagingSynthesizer.defaultResources({
  appId: 'UniqueAppId',
  bootstrapQualifier: 'Custom',
  deploymentIdentities: DeploymentIdentities.defaultBootstrapRoles({
    bootstrapRegion: 'ap-southeast-2',
  }),
}),
```

In this scenario I'm trying to avoid the use of the default qualifier at all (to meet a customer requirement, each bootstrap uses a unique qualifier that enforces a specific permission boundary for each app that is deployed). When I deploy this the app works and my main CDK stacks all use the CFN exec role that goes with the 'Custom' qualifier in this case, but the Staging Stack itself still relies on the exec role from the default bootstrap. I would expect that given I've specified a qualifier here it would use that for the staging stack as well, but if that assumption is wrong, having an option to specify the exec role for the staging stack would also address the concern.

Expected Behavior

I would expect the deployment role used on the staging stack to match that of the Custom bootstrap qualifier that was deployed into the account.

Current Behavior

It deploys with the default bootstrap qualifier instead (being `hnb659fds` and the role `arn:aws:iam::{ACCOUNT}:role/cdk-hnb659fds-cfn-exec-role-{ACCOUNT}-{REGION}` if you don't customise the bootstrap).

Reproduction Steps

Use the code snippet from the example - you'll need to create a secondary bootstrap qualifier as well as the default one though, so the flow would be:

  1. Deploy the default bootstrap with `cdk bootstrap aws://ACCOUNT-NUMBER-1/REGION-1` (using your account number and region)
  2. Deploy a custom bootstrap with `cdk bootstrap --qualifier Custom aws://ACCOUNT-NUMBER-1/REGION-1` (using your account number and region)
  3. Use the snippet above with the qualifier name and appropriate region name
  4. Deploy any CDK stack against that synthesiser

Go in here and look at the deployed stack; you'll see the StagingStack uses the default qualifier. You'll also see that role called out in the `manifest.json` file in the `cdk.out` directory for the staging stack:

```json
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.100.0 (build e1b5c77)

Framework Version

No response

Node.js Version

v18.18.0

OS

Linux and MacOs

Language

TypeScript

Language Version

TypeScript (5.5.2)

Other information

No response
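The mismatch described in the report can be caught before deployment by scanning the cloud assembly's `manifest.json` and comparing the qualifier embedded in each stack's `cloudFormationExecutionRoleArn` against the one the synthesizer was configured with. The check below is an added example, not code from the CDK project or the reporter; the manifest it scans is constructed to mirror the scenario above (app stack on `Custom`, staging stack still on `hnb659fds`), and the stack names are illustrative.

```typescript
// Added example (not part of aws-cdk): flag stacks in a cloud-assembly
// manifest whose CFN exec role does not carry the expected bootstrap qualifier.

interface StackArtifact {
  type: string;
  environment?: string;
  properties?: { cloudFormationExecutionRoleArn?: string; assumeRoleArn?: string };
}
interface CloudAssemblyManifest { version: string; artifacts: Record<string, StackArtifact>; }
interface QualifierMismatch { stack: string; qualifier: string | undefined; roleArn: string; }

// Bootstrap exec roles are named cdk-<qualifier>-cfn-exec-role-<account>-<region>;
// the account/region part may be a literal or a ${AWS::...} placeholder, so stop there.
const EXEC_ROLE_RE = /:role\/cdk-([A-Za-z0-9]+)-cfn-exec-role-/;

function execRoleQualifier(roleArn: string): string | undefined {
  const m = EXEC_ROLE_RE.exec(roleArn);
  return m ? m[1] : undefined;
}

function findQualifierMismatches(manifest: CloudAssemblyManifest, expected: string): QualifierMismatch[] {
  const out: QualifierMismatch[] = [];
  for (const [name, art] of Object.entries(manifest.artifacts)) {
    if (art.type !== 'aws:cloudformation:stack') continue;   // skip trees, asset manifests, etc.
    const arn = art.properties?.cloudFormationExecutionRoleArn;
    if (!arn) continue;                                         // stack deploys with caller creds
    const q = execRoleQualifier(arn);
    if (q !== expected) out.push({ stack: name, qualifier: q, roleArn: arn });
  }
  return out;
}

// Constructed manifest: app stack synthesized with qualifier 'Custom', staging
// stack still pointing at the default qualifier's exec role.
const SAMPLE_MANIFEST: CloudAssemblyManifest = {
  version: '34.0.0',
  artifacts: {
    'Tree': { type: 'cdk:tree' },
    'MyAppStack': { type: 'aws:cloudformation:stack', environment: 'aws://123456789012/ap-southeast-2',
      properties: { cloudFormationExecutionRoleArn:
        'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-Custom-cfn-exec-role-${AWS::AccountId}-${AWS::Region}' } },
    'StagingStack-UniqueAppId-123456789012-ap-southeast-2': { type: 'aws:cloudformation:stack',
      environment: 'aws://123456789012/ap-southeast-2',
      properties: { cloudFormationExecutionRoleArn:
        'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}' } },
  },
};

for (const m of findQualifierMismatches(SAMPLE_MANIFEST, 'Custom')) {
  console.log(`${m.stack}: expected qualifier Custom, got ${m.qualifier ?? 'none'} (${m.roleArn})`);
}
```

Run it against a real `cdk.out/manifest.json` (parsed with `JSON.parse`) in CI to fail the pipeline whenever a stack would deploy through a role outside the intended permission boundary.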

Metadata

Assignees

No one assigned

Labels

  - @aws-cdk/app-staging-synthesizer-alpha (Related to the @aws-cdk/app-staging-synthesizer-alpha package)
  - bug (This issue is a bug.)
  - effort/medium (Medium work item – several days of effort)
  - p2
