Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

(aws-cdk-lib): BootstraplessSynthesizer causing failed stack deployment out of the box

See original GitHub issue

Describe the bug

I’m aware that the behavior of this synthesizer was discussed multiple times in the past, but none of them mentioned that this synthesizer actually does not work: a stack won’t be deployed out-of-the-box if it uses this synthesizer.

Expected Behavior

A stack, that does not require a bootstrap stack, should be able to use BootstraplessSynthesizer synthesizer and be deployed successfully without an existence of a bootstrap stack.

Current Behavior

A stack, that does not require a bootstrap stack, can’t be deployed if it uses the BootstraplessSynthesizer synthesizer. It would fail with the error message as below:

 ❌  <stack-name> failed: Error [ValidationError]: Role arn:aws:iam::<account-id>:role/cdk-hnb659fds-cfn-exec-role-<account-id>-<region> is invalid or cannot be assumed

Reproduction Steps

The app endpoint:

#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { CdkBootstraplessStack } from '../lib/cdk-bootstrapless-stack';

const app = new cdk.App();
new CdkBootstraplessStack(app, 'CdkBootstraplessStack', {
  env: {
    region: '<region>',
    account: '<account-id>'
  }
});

The stack:

❯ cat lib/cdk-bootstrapless-stack.ts
import { BootstraplessSynthesizer, Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import { Construct } from 'constructs';

export class CdkBootstraplessStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, {
      ...props,
      synthesizer: new BootstraplessSynthesizer({}),
    });

    const queue = new sqs.Queue(this, 'CdkBootstraplessQueue', {
      visibilityTimeout: Duration.seconds(300)
    });
  }
}

When running cdk deploy CdkBootstraplessStack --debug -vvv, I could see that the CLI passed the role ARN – that’s usually part of the CDKToolkit stack – to the createChangeSet API. Of course this is going to fail because we never wanted to create the CDKToolkit stack with this synthesizer. Output snippet:

Call failed: createChangeSet({"StackName":"CdkBootstraplessStack","ChangeSetName":"cdk-deploy-change-set","ChangeSetType":"CREATE","Description":"CDK Changeset for execution eb39a5f8-20f1-4b65-bb40-94e61e6a38e4","TemplateBody":"Resources:\n  CdkBootstraplessQueue6BB3DC8E:\n    Type: AWS::SQS::Queue\n    Properties:\n      VisibilityTimeout: 300\n    UpdateReplacePolicy: Delete\n    DeletionPolicy: Delete\n    Metadata:\n      aws:cdk:path: CdkBootstraplessStack/CdkBootstraplessQueue/Resource\n  CDKMetadata:\n    Type: AWS::CDK::Metadata\n    Properties:\n      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzLVM1BMLC/WTU7J1s3JTNKrDi5JTM7WAQrFFxcW61UHlqaWpuo4p+WBGbUgVlBqcX5pUTKQk5efkqqXVaxfZmimZ2iiZ6SYVZyZqVtUmleSmZuqFwShAeDNBIVlAAAA\n    Metadata:\n      aws:cdk:path: CdkBootstraplessStack/CDKMetadata/Default\n","Parameters":[],"RoleARN":"arn:aws:iam::<account-id>:role/cdk-hnb659fds-cfn-exec-role-<account-id>-<region>","Capabilities":["CAPABILITY_IAM","CAPABILITY_NAMED_IAM","CAPABILITY_AUTO_EXPAND"],"Tags":[]}) => Role arn:aws:iam::<account-id>:role/cdk-hnb659fds-cfn-exec-role-<account-id>-<region> is invalid or cannot be assumed (code=ValidationError)

 ❌  CdkBootstraplessStack failed: Error [ValidationError]: Role arn:aws:iam::<account-id>:role/cdk-hnb659fds-cfn-exec-role-<account-id>-<region> is invalid or cannot be assumed
...
  code: 'ValidationError',
  time: 2022-06-07T07:03:24.446Z,
  requestId: '2efe5035-3c46-4222-9ca6-f04bc3f713a8',
  statusCode: 400,
  retryable: false,
  retryDelay: 331.41807829813575
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.27.0 (build 8e89048)

Framework Version

2.27.0

Node.js Version

v16.14.2

OS

Mac

Language

Typescript

Language Version

3.9.7

Other information

No response

Issue Analytics

State:
Created a year ago
Comments:8 (8 by maintainers)

Top GitHub Comments

2reactions

rix0rrrcommented, Jun 10, 2022

I think it should be fine to adapt the BootstraplessSynthesizer to this scenario. How about we do the following (gives us a chance to fix the naming scheme as well):

Introduce BootstraplessStackSynthesizer, and have it do what people expect: use CLI roles by default. Optionally, role ARNs can still be passed.
Deprecate BootstraplessSynthesizer in favor of BootstraplessStackSynthesizer.

The documentation should say that stacks created with this synthesizer can only be deployed using CDK Pipelines if both roles are given.

1reaction

rix0rrrcommented, Jun 10, 2022

We need to make sure there are no role ARNs emitted to the Cloud Assembly. I haven’t looked at the code to see what the most expedient way is to achieve that.