codepipeline: x-account AND x-region deployments are a mess #24051
Comments
…k dependency In the case of a cross-account AND cross-region ECS deployment, a dependency between the support stacks that is necessary is missing. This cannot be fixed globally. Because the resources reference each other bidirectionally (user -> bucket, bucket -> user), the only way to fix this is to do it locally: in the CodePipeline module, where we can have the knowledge that we use generated names and that everything will work out if we deploy the role before the bucket. All CodePipeline Actions must have this fix eventually, but since people may have crazy stack setups in which addition of this dependency may introduce a cyclic dependency (breaking the synth), we're rolling this fix out with limited blast radius. Follow-up in #24050, and suggest a good clean-up in #24051.
…ncy (#24053) In the case of a cross-account AND cross-region ECS deployment, a dependency between the support stacks that is necessary is missing. This cannot be fixed globally. Because the resources reference each other bidirectionally (user -> bucket, bucket -> user), the only way to fix this is to do it locally: in the CodePipeline module, where we can have the knowledge that we use generated names and that everything will work out if we deploy the role before the bucket. All CodePipeline Actions must have this fix eventually, but since people may have crazy stack setups in which addition of this dependency may introduce a cyclic dependency (breaking the synth), we're rolling this fix out with limited blast radius. Follow-up in #24050, and suggest a good clean-up in #24051. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If there's a pipeline with a cross-region action and if this action needs to transfer files from one region to the other, the cross-region-stack will be created. In my use case, this is a CodeDeploy action. It requires an action role, that CDKPipelines may generate or you can use your own role. No matter what you choose, cdk will throw an error like the one below:
This problem will not happen if the deployment is cross-account (single or cross-region). If I have a pipeline that deploys a Service using CodeDeployAction in any region other than the region where the pipeline is deployed, the error above shows.
Describe the bug
A cross-region AND cross-account deployment where CodePipeline generates the support stacks for replication buckets and the support stacks for cross-account roles (which is the ideal situation) fails to deploy out of the box.
The cross-account and cross-region resources are created in separate stacks that don't have a dependency between them, but the resources on those stacks have bidirectional dependencies on each other:
Normally this wouldn't deploy, but we generate hard-coded resource names for the resources involved so that we can formulate policies anyway without having to have bidirectional cross-stack references.
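The bidirectional reference problem described above, as an added illustration that is not code from aws-cdk: a small TypeScript model of stacks, the references between their resources, and the deploy order those references permit. Honest cross-stack references between the bucket stack and the role stack produce a cycle; hard-coded names remove the cycle but also remove any ordering, so the bucket policy can be created before the IAM role it names (S3 rejects a bucket policy whose principal does not exist yet); an explicit dependency restores a safe order. `DeploymentGraph`, `supportStacks` and `principalHazard` are hypothetical names, all stack and resource names are constructed, and the model assumes the pipeline stack always waits for both support stacks.

```typescript
// Added illustration for this issue; it is not code from aws-cdk. It models
// CDK stacks, the references between their resources, and the deploy order
// those references permit, to show why the bucket/role support stacks need an
// explicit ordering. All stack and resource names below are constructed.

type StackName = string;

class DeploymentGraph {
  private readonly stacks: Record<StackName, string[]> = {};  // stack -> resources it owns
  private readonly owner: Record<string, StackName> = {};     // resource -> owning stack
  private readonly deps: Record<StackName, StackName[]> = {}; // stack -> stacks it waits for

  addStack(name: StackName, resources: string[]): void {
    this.stacks[name] = resources.slice();
    this.deps[name] = this.deps[name] || [];
    for (const r of resources) this.owner[r] = name;
  }

  // Equivalent of stackA.addDependency(stackB) in CDK: A deploys after B.
  addDependency(stack: StackName, dependsOn: StackName): void {
    if (!this.deps[stack] || !this.deps[dependsOn]) throw new Error("unknown stack");
    if (this.deps[stack].indexOf(dependsOn) < 0) this.deps[stack].push(dependsOn);
  }

  // A reference resolved through a CloudFormation Export/Fn::ImportValue forces the
  // referenced stack to deploy first. A reference written as a hard-coded,
  // predictable name (the trick the issue describes) is just a string inside a
  // policy document and creates no ordering at all.
  reference(fromResource: string, toResource: string, viaHardCodedName: boolean): void {
    const a = this.owner[fromResource];
    const b = this.owner[toResource];
    if (!a || !b) throw new Error("unknown resource: " + fromResource + " or " + toResource);
    if (a === b || viaHardCodedName) return;
    this.addDependency(a, b);
  }

  // Kahn-style ordering with alphabetical tie-breaks so the result is deterministic.
  // Stacks that can never become deployable are reported as the cycle.
  deployOrder(): { order: StackName[]; cycle: StackName[] } {
    const names = Object.keys(this.stacks).sort();
    const done: Record<StackName, boolean> = {};
    const order: StackName[] = [];
    let progressed = true;
    while (progressed) {
      progressed = false;
      for (const s of names) {
        if (done[s]) continue;
        if (this.deps[s].every(d => done[d])) {
          done[s] = true;
          order.push(s);
          progressed = true;
          break;
        }
      }
    }
    return { order, cycle: names.filter(s => !done[s]) };
  }
}

// The situation from the issue: a pipeline stack plus the two generated support
// stacks, whose policies reference each other in both directions.
function supportStacks(opts: { hardCodedNames: boolean; roleBeforeBucket: boolean }): DeploymentGraph {
  const g = new DeploymentGraph();
  g.addStack("PipelineStack", ["Pipeline"]);
  g.addStack("ArtifactBucketStack", ["ReplicationBucket", "ReplicationBucketPolicy"]);
  g.addStack("CrossAccountRoleStack", ["ActionRole", "ActionRolePolicy"]);
  // Assumption of this model: the pipeline stack always waits for both support stacks.
  g.addDependency("PipelineStack", "ArtifactBucketStack");
  g.addDependency("PipelineStack", "CrossAccountRoleStack");
  // user -> bucket: the role's policy names the bucket it reads artifacts from.
  g.reference("ActionRolePolicy", "ReplicationBucket", opts.hardCodedNames);
  // bucket -> user: the bucket policy names the role as an allowed principal.
  g.reference("ReplicationBucketPolicy", "ActionRole", opts.hardCodedNames);
  // The local fix from the linked commits: make the bucket stack wait for the role stack.
  if (opts.roleBeforeBucket) g.addDependency("ArtifactBucketStack", "CrossAccountRoleStack");
  return g;
}

// S3 rejects a bucket policy whose principal is an IAM role that does not exist yet,
// so an order that creates the bucket policy before the role fails at deploy time.
function principalHazard(order: StackName[]): boolean {
  return order.indexOf("ArtifactBucketStack") < order.indexOf("CrossAccountRoleStack");
}

for (const opts of [
  { hardCodedNames: false, roleBeforeBucket: false }, // honest cross-stack refs: cycle
  { hardCodedNames: true, roleBeforeBucket: false },  // hard-coded names: order unconstrained
  { hardCodedNames: true, roleBeforeBucket: true },   // hard-coded names + explicit dependency
]) {
  const result = supportStacks(opts).deployOrder();
  console.log(JSON.stringify(opts), "->", result.cycle.length
    ? "cycle: " + result.cycle.join(", ")
    : "order: " + result.order.join(" > ")
      + (principalHazard(result.order) ? " (bucket policy would name a missing principal)" : ""));
}
```

The third scenario is the "limited blast radius" fix from the linked commits: it only works because the names are generated, so the bucket stack can wait for the role stack without needing a reference back. Adding a dependency in the opposite direction on top of it (for example from an unusual user stack layout) turns the model back into a cycle, which is the breakage the commit message warns about.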
Everything we're doing in this area right now is a patchwork of ad-hoc solutions that needs to be rethought.
The bidirectional policy references between the support stacks should be replaced with some form of tag-based access control and clean dependencies between the stacks (and not the "we put some policies in both and hope it works" style we do today).
We should have a good think on what resources go into what stacks in what cases, keeping in mind: `us-east-1`, `$pipeline-region` or `$resources-region`? Why is that the right choice?
Someone needs to go look at the current situation, come up with a good design, and cover the delta.
Expected Behavior
Cross-environment deployments to work with a minimum of fuss.
Current Behavior
Hard-to-debug failures or mysterious cyclic dependencies between stacks.