Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pipelines: multiple synths in a 'for' loop with a custom lookup role stopped working in 1.103 #15130

Closed
mrpackethead opened this issue Jun 15, 2021 · 13 comments · Fixed by #15147
Closed

pipelines: multiple synths in a 'for' loop with a custom lookup role stopped working in 1.103 #15130

mrpackethead opened this issue Jun 15, 2021 · 13 comments · Fixed by #15147
Assignees
@skinny85 @rix0rrr
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/core Related to core CDK functionality @aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI

Comments

@mrpackethead
Copy link

mrpackethead commented Jun 15, 2021
edited
Loading

My codebuild is breaking now when trying to synth in a cdkpipeline.
It appears that code build is trying to do some kind of cross accoutn lookup, using a cross account lookup role.
Its complaining it can not assume the role in the acconnt where the lookup is.

I found that a cross account lookup role has been introuduced in 1.108.. Are there any other changes that have occured in the way synths occur.?

edit:

I have tested various versions. THis code works find in versions up to and includeing 1.102. All versions higher fail with the same error.

https://github.com/aws/aws-cdk/pull/14874/files?file-filters%5B%5D=.yaml#diff-4fdac38426c4747aa17d515b01af4994d3d2f12c34f7b6655f24328259beb7bf
@mrpackethead mrpackethead added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 15, 2021
@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Jun 15, 2021
@github-actions github-actions bot added the @aws-cdk/core Related to core CDK functionality label Jun 15, 2021
@mrpackethead
Copy link
Author

mrpackethead commented Jun 15, 2021
edited
Loading

@skinny85 , have sent you via private message in cdk.dev slack codebuild log. It contains customer senstive information so cant' post it publically. Accounts removed from post below.

@mrpackethead
Copy link
Author 

[Container] 2021/06/15 04:57:38 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2021/06/15 04:57:38 Phase context status code:  Message: 
[Container] 2021/06/15 04:57:38 Entering phase BUILD
[Container] 2021/06/15 04:57:38 Running command cdk synth -v
CDK toolkit version: 1.108.1 (build ae24d8a)
Command line arguments: {
  _: [ 'synth' ],
  v: 1,
  verbose: 1,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  fail: false,
  quiet: false,
  q: false,
  '$0': 'cdk'
}
cdk.json: {
  "app": "python3 app.py",
  "context": {
    "@aws-cdk/core:bootstrapQualifier": "fudawl",
    "@aws-cdk/core:newStyleStackSynthesis": "true",
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:enableStackNameDuplicates": "true",
    "aws-cdk:enableDiffNoFail": "true",
    "@aws-cdk/core:stackRelativeExports": "true",
    "@aws-cdk/aws-ecr-assets:dockerIgnoreSupport": true,
    "@aws-cdk/aws-secretsmanager:parseOwnedSecretName": true,
    "@aws-cdk/aws-kms:defaultKeyPolicies": true,
    "@aws-cdk/aws-s3:grantWriteWithoutAcl": true,
    "@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true
  },
  "toolkitStackName": "fudawl"
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'python3 app.py',
  context: {
    '@aws-cdk/core:bootstrapQualifier': 'fudawl',
    '@aws-cdk/core:newStyleStackSynthesis': 'true',
    '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
    '@aws-cdk/core:enableStackNameDuplicates': 'true',
    'aws-cdk:enableDiffNoFail': 'true',
    '@aws-cdk/core:stackRelativeExports': 'true',
    '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
    '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
    '@aws-cdk/aws-kms:defaultKeyPolicies': true,
    '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
    '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
    '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
    '@aws-cdk/aws-efs:defaultEncryptionAtRest': true
  },
  toolkitStackName: 'fudawl',
  debug: false,
  assetMetadata: true,
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Toolkit stack: fudawl
Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
Resolving default credentials
Looking up default account ID from STS
Default account ID: 2xxxxxxxxxxxx5
Setting "CDK_DEFAULT_ACCOUNT" environment variable to 2xxxxxxxxxxxx5
context: {
  '@aws-cdk/core:bootstrapQualifier': 'fudawl',
  '@aws-cdk/core:newStyleStackSynthesis': 'true',
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws-cdk:enableDiffNoFail': 'true',
  '@aws-cdk/core:stackRelativeExports': 'true',
  '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
  '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
  '@aws-cdk/aws-kms:defaultKeyPolicies': true,
  '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
  '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-efs:defaultEncryptionAtRest': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_DEFAULT_ACCOUNT: '2xxxxxxxxxxxx5',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:bootstrapQualifier":"fudawl","@aws-cdk/core:newStyleStackSynthesis":"true","@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:enableStackNameDuplicates":"true","aws-cdk:enableDiffNoFail":"true","@aws-cdk/core:stackRelativeExports":"true","@aws-cdk/aws-ecr-assets:dockerIgnoreSupport":true,"@aws-cdk/aws-secretsmanager:parseOwnedSecretName":true,"@aws-cdk/aws-kms:defaultKeyPolicies":true,"@aws-cdk/aws-s3:grantWriteWithoutAcl":true,"@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-efs:defaultEncryptionAtRest":true,"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '12.0.0',
  CDK_CLI_VERSION: '1.108.1'
}
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
latest: Pulling from amazon/aws-sam-cli-build-image-python3.8
8c59f9aa0e7e: Pulling fs layer
63aa19c4ebd0: Pulling fs layer
893886bcc21b: Pulling fs layer
933699edc0aa: Pulling fs layer
cfc8c4817c2f: Pulling fs layer
be496685e17e: Pulling fs layer
6394c05584a5: Pulling fs layer
30f57fa891be: Pulling fs layer
b5d5f5ae2bd9: Pulling fs layer
7f4f89745466: Pulling fs layer
b5d5f5ae2bd9: Waiting
933699edc0aa: Waiting
30f57fa891be: Waiting
be496685e17e: Waiting
cfc8c4817c2f: Waiting
6394c05584a5: Waiting
7f4f89745466: Waiting
63aa19c4ebd0: Download complete
933699edc0aa: Verifying Checksum
933699edc0aa: Download complete
8c59f9aa0e7e: Verifying Checksum
8c59f9aa0e7e: Download complete
893886bcc21b: Verifying Checksum
893886bcc21b: Download complete
be496685e17e: Verifying Checksum
be496685e17e: Download complete
30f57fa891be: Verifying Checksum
30f57fa891be: Download complete
b5d5f5ae2bd9: Download complete
7f4f89745466: Download complete
6394c05584a5: Download complete
8c59f9aa0e7e: Pull complete
63aa19c4ebd0: Pull complete
893886bcc21b: Pull complete
933699edc0aa: Pull complete
cfc8c4817c2f: Download complete
cfc8c4817c2f: Pull complete
be496685e17e: Pull complete
6394c05584a5: Pull complete
30f57fa891be: Pull complete
b5d5f5ae2bd9: Pull complete
7f4f89745466: Pull complete
Digest: sha256:2779976a6afbd2ee11b0543aaf69a65672f6fe548bdd41af6ffdb22b7f109a97
Status: Downloaded newer image for 2xxxxxxxxxxxx5.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-sam-cli-build-image-python3.8:latest
2xxxxxxxxxxxx5.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-sam-cli-build-image-python3.8:latest
Bundling asset mutate/AzureIntegrationFunctions/WebhookLambda/Code/Stage...
Looking in indexes: https://aws:****@contactenergy-2xxxxxxxxxxxx5.d.codeartifact.ap-southeast-2.amazonaws.com/pypi/CandIPyPI/simple/
Some context information is missing. Fetching...
Assuming role 'arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2'.
Assuming role failed: User: arn:aws:sts::2xxxxxxxxxxxx5:assumed-role/mutate-mutatecdkPipelineBuildSynthCdkBuildProjectR-16U1LL5O4P0A9/AWSCodeBuild-84fad489-b96f-4b6e-a7f6-6a740d1f83b4 is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2
Setting "vpc-provider:account=6xxxxxxxxxxxx3:filter.tag:Name=vpc-prod:region=ap-southeast-2:returnAsymmetricSubnets=true" context to {"$providerError":"Could not assume role in target account using current credentials (which are for account 2xxxxxxxxxxxx5) User: arn:aws:sts::2xxxxxxxxxxxx5:assumed-role/mutate-mutatecdkPipelineBuildSynthCdkBuildProjectR-16U1LL5O4P0A9/AWSCodeBuild-84fad489-b96f-4b6e-a7f6-6a740d1f83b4 is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to ap-southeast-2
Setting "CDK_DEFAULT_ACCOUNT" environment variable to 2xxxxxxxxxxxx5
context: {
  'vpc-provider:account=6xxxxxxxxxxxx3:filter.tag:Name=vpc-prod:region=ap-southeast-2:returnAsymmetricSubnets=true': {
    '$providerError': "Could not assume role in target account using current credentials (which are for account 2xxxxxxxxxxxx5) User: arn:aws:sts::2xxxxxxxxxxxx5:assumed-role/mutate-mutatecdkPipelineBuildSynthCdkBuildProjectR-16U1LL5O4P0A9/AWSCodeBuild-84fad489-b96f-4b6e-a7f6-6a740d1f83b4 is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.",
    '$dontSaveContext': true
  },
  '@aws-cdk/core:bootstrapQualifier': 'fudawl',
  '@aws-cdk/core:newStyleStackSynthesis': 'true',
  '@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId': true,
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws-cdk:enableDiffNoFail': 'true',
  '@aws-cdk/core:stackRelativeExports': 'true',
  '@aws-cdk/aws-ecr-assets:dockerIgnoreSupport': true,
  '@aws-cdk/aws-secretsmanager:parseOwnedSecretName': true,
  '@aws-cdk/aws-kms:defaultKeyPolicies': true,
  '@aws-cdk/aws-s3:grantWriteWithoutAcl': true,
  '@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount': true,
  '@aws-cdk/aws-rds:lowercaseDbIdentifier': true,
  '@aws-cdk/aws-efs:defaultEncryptionAtRest': true,
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'ap-southeast-2',
  CDK_DEFAULT_ACCOUNT: '2xxxxxxxxxxxx5',
  CDK_CONTEXT_JSON: '{"vpc-provider:account=6xxxxxxxxxxxx3:filter.tag:Name=vpc-prod:region=ap-southeast-2:returnAsymmetricSubnets=true":{"$providerError":"Could not assume role in target account using current credentials (which are for account 2xxxxxxxxxxxx5) User: arn:aws:sts::2xxxxxxxxxxxx5:assumed-role/mutate-mutatecdkPipelineBuildSynthCdkBuildProjectR-16U1LL5O4P0A9/AWSCodeBuild-84fad489-b96f-4b6e-a7f6-6a740d1f83b4 is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2 . Please make sure that this role exists in the account. If it doesn\'t exist, (re)-bootstrap the environment with the right \'--trust\', using the latest version of the CDK CLI.","$dontSaveContext":true},"@aws-cdk/core:bootstrapQualifier":"fudawl","@aws-cdk/core:newStyleStackSynthesis":"true","@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId":true,"@aws-cdk/core:enableStackNameDuplicates":"true","aws-cdk:enableDiffNoFail":"true","@aws-cdk/core:stackRelativeExports":"true","@aws-cdk/aws-ecr-assets:dockerIgnoreSupport":true,"@aws-cdk/aws-secretsmanager:parseOwnedSecretName":true,"@aws-cdk/aws-kms:defaultKeyPolicies":true,"@aws-cdk/aws-s3:grantWriteWithoutAcl":true,"@aws-cdk/aws-ecs-patterns:removeDefaultDesiredCount":true,"@aws-cdk/aws-rds:lowercaseDbIdentifier":true,"@aws-cdk/aws-efs:defaultEncryptionAtRest":true,"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '12.0.0',
  CDK_CLI_VERSION: '1.108.1'
}
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
latest: Pulling from amazon/aws-sam-cli-build-image-python3.8
Digest: sha256:2779976a6afbd2ee11b0543aaf69a65672f6fe548bdd41af6ffdb22b7f109a97
Status: Image is up to date for 2xxxxxxxxxxxx5.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-sam-cli-build-image-python3.8:latest
2xxxxxxxxxxxx5.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-sam-cli-build-image-python3.8:latest
Bundling asset mutate/AzureIntegrationFunctions/WebhookLambda/Code/Stage...
Looking in indexes: https://aws:****@contactenergy-2xxxxxxxxxxxx5.d.codeartifact.ap-southeast-2.amazonaws.com/pypi/CandIPyPI/simple/
Not making progress trying to resolve environmental context. Giving up.
[Error at /mutate/PlaceHolderStage2/PlaceholderStack2] Could not assume role in target account using current credentials (which are for account 2xxxxxxxxxxxx5) User: arn:aws:sts::2xxxxxxxxxxxx5:assumed-role/mutate-mutatecdkPipelineBuildSynthCdkBuildProjectR-16U1LL5O4P0A9/AWSCodeBuild-84fad489-b96f-4b6e-a7f6-6a740d1f83b4 is not authorized to perform: sts:AssumeRole on resource: arn:${AWS::Partition}:iam::6xxxxxxxxxxxx3:role/cdk-fudawl-lookup-role-6xxxxxxxxxxxx3-ap-southeast-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
  Annotations.addMessage (/tmp/jsii-kernel-QnJ1id/node_modules/@aws-cdk/core/lib/annotations.js:94:42)
  Annotations.addError (/tmp/jsii-kernel-QnJ1id/node_modules/@aws-cdk/core/lib/annotations.js:59:14)
  Function.getValue (/tmp/jsii-kernel-QnJ1id/node_modules/@aws-cdk/core/lib/context-provider.js:68:53)
  Function.fromLookup (/tmp/jsii-kernel-QnJ1id/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:483:51)
  /tmp/tmpgmupmoj3/lib/program.js:7991:114
  Kernel._wrapSandboxCode (/tmp/tmpgmupmoj3/lib/program.js:8582:24)
  /tmp/tmpgmupmoj3/lib/program.js:7991:87
  Kernel._ensureSync (/tmp/tmpgmupmoj3/lib/program.js:8563:28)
  Kernel.sinvoke (/tmp/tmpgmupmoj3/lib/program.js:7991:34)
  KernelHost.processRequest (/tmp/tmpgmupmoj3/lib/program.js:9479:36)
  KernelHost.run (/tmp/tmpgmupmoj3/lib/program.js:9442:22)
  Immediate._onImmediate (/tmp/tmpgmupmoj3/lib/program.js:9443:46)
  processImmediate (internal/timers.js:461:21)
Found errors
Error: Found errors
    at StackCollection.processMetadataMessages (/usr/local/lib/node_modules/aws-cdk/lib/api/cxapp/cloud-assembly.ts:227:13)
    at CdkToolkit.validateStacks (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:427:12)
    at CdkToolkit.selectStacksForDiff (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:406:16)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at CdkToolkit.synth (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:300:20)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:210:9)

[Container] 2021/06/15 04:58:35 Command did not exit successfully cdk synth -v exit status 1
[Container] 2021/06/15 04:58:35 Phase complete: BUILD State: FAILED
[Container] 2021/06/15 04:58:35 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: cdk synth -v. Reason: exit status 1
[Container] 2021/06/15 04:58:35 Entering phase POST_BUILD
[Container] 2021/06/15 04:58:35 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2021/06/15 04:58:35 Phase context status code:  Message: 
[Container] 2021/06/15 04:58:35 Preparing to copy secondary artifacts cloudassembly
[Container] 2021/06/15 04:58:35 Expanding base directory path: cdk.out
[Container] 2021/06/15 04:58:35 Assembling file list
[Container] 2021/06/15 04:58:35 Expanding cdk.out
[Container] 2021/06/15 04:58:35 Expanding file paths for base directory cdk.out
[Container] 2021/06/15 04:58:35 Assembling file list
[Container] 2021/06/15 04:58:35 Expanding **/*
[Container] 2021/06/15 04:58:35 Found 28 file(s)
[Container] 2021/06/15 04:58:35 Preparing to copy secondary artifacts modified_repo
[Container] 2021/06/15 04:58:35 Expanding base directory path: ./
[Container] 2021/06/15 04:58:35 Assembling file list
[Container] 2021/06/15 04:58:35 Expanding ./
[Container] 2021/06/15 04:58:35 Expanding file paths for base directory ./
[Container] 2021/06/15 04:58:35 Assembling file list
[Container] 2021/06/15 04:58:35 Expanding **/*
[Container] 2021/06/15 04:58:35 Found 79 file(s)
[Container] 2021/06/15 04:58:35 Phase complete: UPLOAD_ARTIFACTS State: SUCCEEDED
[Container] 2021/06/15 04:58:35 Phase context status code:  Message:

@skinny85 skinny85 added @aws-cdk/pipelines CDK Pipelines library and removed @aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/core Related to core CDK functionality labels Jun 15, 2021
@skinny85 skinny85 removed their assignment Jun 15, 2021
@github-actions github-actions bot added @aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/core Related to core CDK functionality labels Jun 15, 2021
@mrpackethead mrpackethead changed the title Vs1.108 core | pipeline | codebuild ??? ( not sure where the error is ). core | pipeline | codebuild ??? ( cdk synth is failing with context errors ) in versions > 1.102 in codebuild ( under pipelines ) Jun 15, 2021
@mrpackethead mrpackethead changed the title core | pipeline | codebuild ??? ( cdk synth is failing with context errors ) in versions > 1.102 in codebuild ( under pipelines ) core | pipeline | codebuild ??? ( cdk synth is failing with context errors ) in versions > 1.102 in codebuild ( under pipelines ).. THis might be a CLI error Jun 15, 2021
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Jun 15, 2021
@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 15, 2021

The reason this is happening is because there is context information missing from cdk.context.json. Run the synth on your desktop and commit the result.

How did this use to work in the past? Your PlaceholderStack2 could not have synthesized and deployed correctly, since the information was missing and there should not have been a way for the cdk synth step to pick that up properly.

@mrpackethead
Copy link
Author

It absolutely did syntheisese and deploy correctly in versions lower than 1.102 and i am able to demonstrate that to you. It is the way that i showed you in our call much ealier this year. Happy to show you the pipleines that actually build and deploy. So, not helpful to say ' It could not deploy '. We've been deploying this way for months!
I CANNOT run the synth on the desktop as I do not have access to the accounts. As i explained to you and Elad eariler this year. Our code build as permission to those accounts.

Our code build is interating over the manifest, and synthing against each cloud assembly. It assumes a role in the remote account, and does a synth against the account using an account. Its EXACTLY what happens on the desktop but its automated. cdk.context. json

The code build does a intital cdk synth, this creates all the tempates, but cdk.context.json was not populated. However all the manifests were created.
code build then runs this code, which interates over the manfifests.

import json
import boto3
import sys, os


def synth_assemblys():
	with open("cdk.out/manifest.json") as manifest_json:
		manifest = json.load(manifest_json)

	for artifact, artifact_cfg in manifest['artifacts'].items():
		
		if artifact_cfg['type'] == 'cdk:cloud-assembly':
			with open(f"cdk.out/{artifact_cfg['properties']['directoryName']}/manifest.json") as assembly_manifest_json:
				assembly_manifest = json.load(assembly_manifest_json)
			
			for assembly, assembly_cfg in assembly_manifest['artifacts'].items():
				if assembly_cfg['type'] == 'aws:cloudformation:stack':
					environments.append(assembly_cfg['environment'])
					account = assembly_cfg['environment'].split('/')[2] 
					region = assembly_cfg['environment'].split('/')[3]
	

					role_arn =  f"arn:aws:iam::{account}:role/cdk-{sys.argv[1]}-lookup-role-{account}-{region}"				

					if os.environ.get('USER') != None:
						session = boto3.session.Session(region_name='ap-southeast-2', profile_name = 'contact-fudawl-cdk')
						sts = session.client('sts')
					else:
						sts = boto3.client('sts')

					creds = sts.assume_role(
						RoleArn = role_arn,
						RoleSessionName = 'getappenv'
					)
					os.system(f"aws configure set aws_access_key_id {creds['Credentials']['AccessKeyId']} --profile lookup{account}{region}")
					os.system(f"aws configure set aws_secret_access_key {creds['Credentials']['SecretAccessKey']} --profile lookup{account}{region}")
					os.system(f"aws configure set aws_session_token {creds['Credentials']['SessionToken']} --profile lookup{account}{region}")

					

					try:
						if sys.argv[2] == 'verbose':
							os.system(f"cdk synth -a cdk.out/{artifact_cfg['properties']['directoryName']} -v --profile lookup{account}{region}")
						else:
							os.system(f"cdk synth -a cdk.out/{artifact_cfg['properties']['directoryName']} --profile lookup{account}{region}")
					except:	
						os.system(f"cdk synth -a cdk.out/{artifact_cfg['properties']['directoryName']} --profile lookup{account}{region}")
	


if __name__ == "__main__":
	synth_assemblys()

This has caused me significnat pain, and i cna't find any release notes that talk about it in in vs1.103. I've had to go and pin a whole bunch of stacks today.. to get them to work, ( after spending the best part of a day to figure out what was going on ).

@mrpackethead
Copy link
Author

My best guess is this is where things have gone badly.

7f75416

@hross-frae
Copy link

This issue is also affecting us, it seems we have a similar setup to @mrpackethead, where our pipeline account has the required cross account permissions for deployment and in general our devs do not. Ideally we don't want to give devs access to production accounts just so we can allow the pipeline to work.

It was also working for us prior to the latest releases

@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 15, 2021
edited
Loading

I see. You all have scripted a for loop around a number of synth calls to do lookups in the pipelines build step, using some roles you provisioned yourselves?

That is fine, but I would repeat that standing guidance was to:

My best guess is this is where things have gone badly.

You are correct. You are running afoul of a validation intended to protect against incomplete synths proceeding through the pipeline and leading to confusing errors upon deployment.

This didn't use to fail, and in your particular cases (with your for loop), the stacks would eventually have ended up with complete context information, but unfortunately the for loop exits early on because there is still missing context.

A potential simple workaround would be:

  • Ignore exit codes until the final synth, at which point we all agree the context ought to be complete and the validation shouldn't error out anymore (or if it does, something is actually wrong).

But read on for a potential better solution. Your custom scripting may not be necessary anymore.

Ideally we don't want to give devs access to production accounts

Sure. Would you consider giving them read-only access?

In #14874 we introduced a new version of the bootstrap template, adding a lookup-role with permissions to perform lookups across accounts.

This change introduces a new --trust-for-lookup trust class, which you could extend to developers, allowing them to ONLY perform lookups (cdk synths) against the target account, without allowing them to cdk deploy.

Recommendation

Our current recommendation would be:

  • Re-bootstrap your accounts with the latest CLI (1.108 or later)
  • Extend --trust-for-lookup to your developers
  • Synth and commit cdk.context.json

Fallback (not recommended but closer to your current setups)

We know there are organizations who under no circumstances want to see cdk.context.json committed, or have developers go near production accounts.

Since --trust (which the pipeline has) implies --trust-for-lookup, the pipeline will be able to do the lookups out of the box, AS LONG AS you give the Synth CodeBuild Role permissions to assume the new lookup role in the other account (by default it will not have those permissions). This would remove the need for your custom lookup roles, and your custom for loop.

Be aware that this setup opens you up to risk of nondeterminism! If any lookup value changes, this will immediately impact your infrastructure in a way you may not be prepared for! If AWS opens a new AZ tomorrow, your VPC will try to spread over more AZs and your deployments will get stuck because the existing subnets need to be replaced. If a new AMI gets released it will be immediately picked up and all of your instances will be replaced (make sure there's no important state on them!).

This is the reason we recommend committing cdk.context.json to version control.

To be less susceptible to nondeterminism you should store the cdk.context.json somewhere, if not in your git repo then somewhere else.

Let me know if this is guidance you cannot follow, for whatever reason.

@rix0rrr rix0rrr changed the title core | pipeline | codebuild ??? ( cdk synth is failing with context errors ) in versions > 1.102 in codebuild ( under pipelines ).. THis might be a CLI error pipelines: multiple synths in a 'for' loop with a custom lookup role stopped working in 1.103 Jun 15, 2021
@hross-frae
Copy link

@rix0rrr, it appears in our case the issue occurs when the VPC construct is looking up the availability zones for the current region. Which isn't an explicit import in our case, but appears to trip up the new changes made to the pipeline. I do like the addition of the lookup-role, which will solve our issues

@ProficientBell
Copy link

@rix0rrr I am trying to take advantage of the new lookup role but ran into issues during the pipeline build stage. Not sure if there is something I'm doing wrong or this is a bug. Please see #15119

@mrpackethead
Copy link
Author

Not using lookups in pipelines would have rendered CDK in the useless pile to us.

You are correct. You are running afoul of a validation intended to protect against incomplete synths proceeding through the pipeline and leading to confusing errors upon deployment.

A Validation htat never exisited before, and has introduced a breaking change. We coded around the KNOWN behavior.

A potential simple workaround would be:

  • Ignore exit codes until the final synth, at which point we all agree the context ought to be complete and the validation shouldn't error out anymore (or if it does, something is actually wrong).

How do we do that? I dont' have any control of how synth validates the code......

Ideally we don't want to give devs access to production accounts
Sure. Would you consider giving them read-only access?

Even if i wanted, to, which i dont' ( and probalby cant ) ,its a deeper problem than that. Some of our apps dont' know what environments they are going to deploy to. Sounds crazy.? We make extensive use of Tags in our environments. A great example, we tag accounts in our organisation.. Our app will look up the tags attached to the acount to determine if something should be deployed in that account. ( for example, some roles ) .

a lookup-role with permissions to perform lookups across accounts.

This change introduces a new --trust-for-lookup trust class, which you could extend to developers, allowing them to ONLY perform lookups (cdk synths) against the target account, without allowing them to cdk deploy.

As described, it requires that (a) devs have access, and (b) that the environments are determined before synth time.

  • Re-bootstrap your accounts with the latest CLI (1.108 or later)

The permissions that the lookup role give don't provide enough permissions to do the lookups.. Why is it so restricted?

  • Extend --trust-for-lookup to your developers
  • Synth and commit cdk.context.json

Our pipeline synths everything now, and commits cdk.context.json back to the repo, ( and tags it ) when its done.

Fallback (not recommended but closer to your current setups)

We know there are organizations who under no circumstances want to see cdk.context.json committed, or have developers go near production accounts.

Since --trust (which the pipeline has) implies --trust-for-lookup, the pipeline will be able to do the lookups out of the box, AS LONG AS you give the Synth CodeBuild Role permissions to assume the new lookup role in the other account (by default it will not have those permissions). This would remove the need for your custom lookup roles, and your custom for loop.

Be aware that this setup opens you up to risk of nondeterminism! If any lookup value changes, this will immediately impact your infrastructure in a way you may not be prepared for! If AWS opens a new AZ tomorrow, your VPC will try to spread over more AZs and your deployments will get stuck because the existing subnets need to be replaced. If a new AMI gets released it will be immediately picked up and all of your instances will be replaced (make sure there's no important state on them!).

WE discussed this months ago. WE do not risk nondterminism. MY lookups are all determinisistic. ( the ones that we do want to be at least ), they all get committed to cdk.context.json by the codebuild thats doing the synths.

This is the reason we recommend committing cdk.context.json to version control.

To be less susceptible to nondeterminism you should store the cdk.context.json somewhere, if not in your git repo then somewhere else.

Let me know if this is guidance you cannot follow, for whatever reason.

We are going around in circles, and i'm really very dissapointed.. What i need really quickly, is a way to turn off the 'validation' so we can move forward quickly.. and then as a second step we can take our time to review these breaking changes.

@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 16, 2021

What i need really quickly, is a way to turn off the 'validation' so we can move forward quickly

We are working on that right now. Hope to get it out later today. Stay tuned.

rix0rrr added a commit that referenced this issue Jun 16, 2021
@rix0rrr
fix(cli): cdk synth too eager with validation in Pipelines
60c9ebb 
In #14613, we introduced validation so that `cdk synth` would guard
against incomplete context lookups. In the past, stacks with missing
context would have successfully completed synthesis, propagated down
the pipeline and caused confusing error messages during deployment.
The new behavior was to error out early in case there was missing
context.

This broke people who had resorted to resolving context in the pipeline
using multiple `synth` commands in `for`-loop: this used to work because
the `synths` would be incomplete but silently succeed, but with the new
validation the very first `cdk synth` would start failing and the `for`
loop would never complete.

This PR adds a `--no-validation` flag to `cdk synth` to stop the
additional validation, so the `for` loop can complete successfully.

The same behavior can be controlled with an environment variable,
by setting `CDK_VALIDATION=false`.

Fixes #15130.
@rix0rrr rix0rrr mentioned this issue Jun 16, 2021
Merged
@rix0rrr
Copy link
Contributor

rix0rrr commented Jun 16, 2021

We added --no-validation, or CDK_VALIDATION=false.

rix0rrr added a commit that referenced this issue Jun 16, 2021
@rix0rrr
fix(cli): cdk synth too eager with validation in Pipelines (#15147)
ae98e88 
In #14613, we introduced validation so that `cdk synth` would guard
against incomplete context lookups. In the past, stacks with missing
context would have successfully completed synthesis, propagated down
the pipeline and caused confusing error messages during deployment.
The new behavior was to error out early in case there was missing
context.

This broke people who had resorted to resolving context in the pipeline
using multiple `synth` commands in `for`-loop: this used to work because
the `synths` would be incomplete but silently succeed, but with the new
validation the very first `cdk synth` would start failing and the `for`
loop would never complete.

This PR adds a `--no-validation` flag to `cdk synth` to stop the
additional validation, so the `for` loop can complete successfully.

The same behavior can be controlled with an environment variable,
by setting `CDK_VALIDATION=false`.

Fixes #15130.
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

matthewsvu pushed a commit to matthewsvu/aws-cdk that referenced this issue Jun 22, 2021
@rix0rrr
fix(cli): cdk synth too eager with validation in Pipelines (aws#15147)
bf0faa1 
In aws#14613, we introduced validation so that `cdk synth` would guard
against incomplete context lookups. In the past, stacks with missing
context would have successfully completed synthesis, propagated down
the pipeline and caused confusing error messages during deployment.
The new behavior was to error out early in case there was missing
context.

This broke people who had resorted to resolving context in the pipeline
using multiple `synth` commands in `for`-loop: this used to work because
the `synths` would be incomplete but silently succeed, but with the new
validation the very first `cdk synth` would start failing and the `for`
loop would never complete.

This PR adds a `--no-validation` flag to `cdk synth` to stop the
additional validation, so the `for` loop can complete successfully.

The same behavior can be controlled with an environment variable,
by setting `CDK_VALIDATION=false`.

Fixes aws#15130.
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021
@rix0rrr @hollanddd
fix(cli): cdk synth too eager with validation in Pipelines (aws#15147)
88a6c47 
In aws#14613, we introduced validation so that `cdk synth` would guard
against incomplete context lookups. In the past, stacks with missing
context would have successfully completed synthesis, propagated down
the pipeline and caused confusing error messages during deployment.
The new behavior was to error out early in case there was missing
context.

This broke people who had resorted to resolving context in the pipeline
using multiple `synth` commands in `for`-loop: this used to work because
the `synths` would be incomplete but silently succeed, but with the new
validation the very first `cdk synth` would start failing and the `for`
loop would never complete.

This PR adds a `--no-validation` flag to `cdk synth` to stop the
additional validation, so the `for` loop can complete successfully.

The same behavior can be controlled with an environment variable,
by setting `CDK_VALIDATION=false`.

Fixes aws#15130.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skinny85 skinny85

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/core Related to core CDK functionality @aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(cli): cdk synth too eager with validation in Pipelines aws/aws-cdk
5 participants
@skinny85 @rix0rrr @mrpackethead @hross-frae @ProficientBell