Cross-region support stacks need bootstrappin'

[rix0rrr]

When deploying cross-account, cross-region from the meerkat pipeline, there are obviously 2 envs that need to be bootstrapped:

• The pipeline env
• The target application env

This all makes perfect sense for the customer and is easily explained.

There is also a 3rd env involved, where we deploy the support stack with the replication bucket. When we SelfUpdate, the pipeline tries to deploy the support stack, so it needs to assume the deployment role there, which requires it to be bootstrapped.

                                                   
                      1234             5678     
                                                   
              ┌─────────────────┬─────────────────┐
              │                 │                 │
              │   (Bootstrap)   │   (Bootstrap)   │
  us-east-1   │    Pipeline     │   Application   │
              │                 │                 │
              │                 │                 │
              ├─────────────────┼─────────────────┤
              │                 │                 │
              │   (Bootstrap)   │   (Bootstrap)   │
  eu-west-2   │  Support stack  │   Application   │
              │                 │                 │
              │                 │                 │
              └─────────────────┴─────────────────┘

We would like to get rid of the (Boostrap) requirement for the support stack.

Stacks have a "Synthesizer" these days, which controls the roles/asset bucket/etc used to deploy it. We need a new Synthesizer which will use the role of the parent stack, and won't support assets... and then that synthesizer needs to go onto that support stack in some way. Maybe automatically, maybe configurable? I'd hope for automatic unless given otherwise.

This file contains the default synthesizer which it now gets (because it's a Stack, and all Stacks get this synthesizer in the New World Of CI/CD):

https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/core/lib/stack-synthesizers/default-synthesizer.ts

The synthesizer can be overridden upon creation, so the support stack must be created with a SupportStackSynthesizer which is in some way sensitive to the parent stack being a DefaultSynthesizer -- obviously this should all not fall over with legacy stacks, only be slightly more optimized when the rest of the stacks are using the "new" synthesis methods.

[lestephane]

I'm not able to cdk diff against an app in a cross-region scenario because you now expect deploy-role to be assumable.
When I do cdk diff, because I use least privilege, I can only assume lookup-role...

A glance at the source code confirms that you only use 2 (deploy, cfexec) of the 3 (lookup, deploy, cfexec) roles usually involved.

  private getCrossRegionSupportSynthesizer(): IStackSynthesizer | undefined {
    if (this.stack.synthesizer instanceof DefaultStackSynthesizer) {
      ...
      return new BootstraplessSynthesizer({
        deployRoleArn: this.stack.synthesizer.deployRoleArn,                                        
        cloudFormationExecutionRoleArn: this.stack.synthesizer.cloudFormationExecutionRoleArn,
      });
    } else {
      // any other synthesizer: just return undefined
      // (ie., use the default based on the context settings)
      return undefined;
    }
  }

This is more confusing than a better documentation would have been. I would not mind cdk bootstrapping the additional environment as long as I can figure out why it's needed from the docs. And better logging in the event that bootstrapping is missing would help too. But there is no dancing around the fact that you need to deploy something somewhere using deploy-role, but at the same time are now diverging from the standard of using lookup-role to check that this 'something' is present (or not).

Now with your 'fix', I can not cdk diff even If I have cdk bootstrapped in that support stack account/region, because my credentials only allow assuming the lookup-role (and NOTHING ELSE). Only the CI/CD pipeline can assume the deploy-role in my project.

So, in short, how do I cdk diff having only the permission to assume the cdk lookup role? Failing that, how do I undo your change or switch i off. Looking at your if statement, I would try to set the synthesizer to undefined, and hope that it then works like any other synthesis. Am I correct?