(@aws-cdk/pipelines): Cloning cross-account repository in SimpleSynthAction
❓ General Issue
The Question
Hi, I am trying to set up a Secure Cross-Account Continuous Delivery Pipeline with four accounts (Dev, Test, Prod, Tools) using Cdk Pipelines.
We have three repositories that live in the Dev Account. The repo that is used as the sourceAction of the Cdk Pipeline contains all the cdk code and triggers successfully whenever a new commit is pushed. However, the SimpleSynthAction is failing because some lambdas require access to the other repositories that live in a separate account, the Dev Account.
I tried the following, but it did not work: passed the CodeRepositoriesStack (in the Dev Account) to the CdkPipelineStack (in the Tools account) in its extended cdk.StackProps, and then granted read access to the other repos by calling props.codeRepositories.otherRepoInDev.grantRead(simpleSynthAction).
I looked into the CodeRepositoriesStack Resources in CloudFormation and did not see any policies there for the other repos. So the problem might be related to that and assumeRole, but I am not sure.
Environment
- CDK CLI Version: 1.100.0 (build d996c6d)
- Module Version: 1.100.0
- Node.js Version: v14.15.0
- OS: Ubuntu 21.04
- Language (Version): TypeScript (4.2.4)
Other information
CdkPipelineStack

```ts
import * as cdk from '@aws-cdk/core';
import { CdkPipeline, SimpleSynthAction } from '@aws-cdk/pipelines';
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipelineActions from '@aws-cdk/aws-codepipeline-actions';
import { CodeRepositoriesStack } from './codeRepositoriesStack';
import * as codebuild from '@aws-cdk/aws-codebuild';
import { ComputeType } from '@aws-cdk/aws-codebuild';

export type CdkPipelineStackProps = cdk.StackProps & {
  codeRepositories: CodeRepositoriesStack;
};

export class CdkPipelineStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: CdkPipelineStackProps) {
    super(scope, id, props);
    const { codeRepositories } = props;

    // Source stage: the "cdk" repository (Dev account) triggers the pipeline.
    const sourceArtifact = new codepipeline.Artifact();
    const codeCommitSourceAction = new codepipelineActions.CodeCommitSourceAction({
      actionName: 'GetCode',
      repository: codeRepositories.cdk,
      branch: codeRepositories.mainlineBranchName,
      output: sourceArtifact,
    });

    // Synth stage: git credential helper is configured before yarn runs so the
    // build can clone the other repositories.
    const codeCommitConfigurationCommands = this.getCodeCommitConfigurationCommands();
    const cloudAssemblyArtifact = new codepipeline.Artifact();
    const simpleSynthAction = new SimpleSynthAction({
      actionName: `CompileAppAndSynthesizeCloudAssembly`,
      environment: {
        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
        computeType: ComputeType.SMALL,
        privileged: false,
      },
      cloudAssemblyArtifact,
      sourceArtifact,
      subdirectory: 'cdk',
      installCommands: [...codeCommitConfigurationCommands, 'yarn install:ci'],
      buildCommands: ['yarn build:ci'],
      synthCommand: 'yarn synth:ci',
    });

    new CdkPipeline(this, 'Pipeline', {
      pipelineName: 'Pipeline',
      cloudAssemblyArtifact,
      crossAccountKeys: true,
      selfMutating: true,
      sourceAction: codeCommitSourceAction,
      synthAction: simpleSynthAction,
    });

    // Attempt to let the synth action read the other two repositories
    // (these grants did not take effect; see the question above).
    codeRepositories.otherA.grantRead(simpleSynthAction);
    codeRepositories.otherB.grantRead(simpleSynthAction);
  }

  // Writes a system-wide git config that routes CodeCommit HTTPS auth through
  // the AWS CLI credential helper.
  private getCodeCommitConfigurationCommands(): string[] {
    return [
      'touch /etc/gitconfig',
      `echo '[credential "https://git-codecommit.eu-central-1.amazonaws.com"]' >> /etc/gitconfig`,
      `echo ' helper = !aws codecommit credential-helper $@' >> /etc/gitconfig`,
      `echo ' UseHttpPath = true' >> /etc/gitconfig`,
    ];
  }
}
```
CodeRepositoriesStack

```ts
import * as cdk from '@aws-cdk/core';
import { IRepository, Repository } from '@aws-cdk/aws-codecommit';

// Imports (does not create) the three existing repositories in the Dev account.
export class CodeRepositoriesStack extends cdk.Stack {
  public readonly cdk: IRepository;
  public readonly otherA: IRepository;
  public readonly otherB: IRepository;
  public readonly mainlineBranchName: string;
  public readonly releaseBranchName: string;

  constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props);
    this.cdk = Repository.fromRepositoryName(this, 'Cdk', 'cdk');
    this.otherA = Repository.fromRepositoryName(this, 'OtherA', 'otherA');
    this.otherB = Repository.fromRepositoryName(this, 'OtherB', 'otherB');
    this.mainlineBranchName = 'dev';
    this.releaseBranchName = 'master';
  }
}
```
App

```ts
import { CdkPipelineStack } from '../stacks/cdkPipelineStack';
import { CodeRepositoriesStack } from '../stacks/codeRepositoriesStack';
import * as cdk from '@aws-cdk/core';

const app = new cdk.App();

// Repositories stack is deployed to the Dev account.
const devAccount = '#devAccountId';
const codeRepositories = new CodeRepositoriesStack(app, 'CodeRepositories', {
  env: {
    account: devAccount,
    region: 'eu-central-1',
  },
});

// Pipeline stack is deployed to the Tools account and receives the Dev stack.
const toolsAccount = '#toolsAccountId';
new CdkPipelineStack(app, 'CdkPipeline', {
  env: {
    account: toolsAccount,
    region: 'eu-central-1',
  },
  codeRepositories,
});
```
Issue Analytics
- Created 2 years ago
- Comments: 6 (5 by maintainers)
Top GitHub Comments
Ah. OK. I think this is actually a non-starter - you cannot access CodeCommit repositories cross-account (Repository does not have a resource policy).
What you can do is assume a Role in the repo account before running the CDK commands. I think that’s the only way.
Thanks, Adam
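The maintainer's answer explains why the `grantRead` calls in the question could not work: CodeCommit repositories carry no resource policy, so a grant evaluated in the Dev account cannot authorise a CodeBuild role that lives in the Tools account. The approach that does work is a read-only role in the Dev account, trusted by the Tools account and assumed by the synth build before git runs. The block below is an added example, not code from the issue or from the CDK project: it models that setup as plain policy documents and shell lines so the pieces can be reviewed for least privilege, and it includes the check that would have caught the mistake in the question (the reader role and the repositories must be in the same account). The role name `CdkPipelineRepoReader`, the profile name `repo-reader`, the account ids in the usage call, and the assumption that an AWS CLI profile with `credential_source EcsContainer` resolves from CodeBuild's container credentials are all mine; the statement returned by `synthAssumeRoleStatement` is what I would pass to the synth action's `rolePolicyStatements`, and the trust and permissions documents are what I would give to an `iam.Role` created inside `CodeRepositoriesStack`.

```typescript
// Added example: cross-account CodeCommit read access via an assumed role.
// Nothing here is from the original issue; names and account ids are made up.

type PolicyStatement = {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource?: string[];
  Principal?: { AWS: string };
};

type PolicyDocument = { Version: '2012-10-17'; Statement: PolicyStatement[] };

// Account id is the fifth colon-separated field of an ARN.
const accountOfArn = (arn: string): string => arn.split(':')[4];

// Trust policy for the reader role, which lives in the repository (Dev) account
// and may be assumed only by principals of the pipeline (Tools) account.
function repoReaderTrustPolicy(pipelineAccount: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['sts:AssumeRole'],
      Principal: { AWS: `arn:aws:iam::${pipelineAccount}:root` },
    }],
  };
}

// Permissions for the reader role: git pull only, on the listed repositories.
function repoReaderPermissions(repoArns: string[]): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['codecommit:GitPull'], Resource: repoArns }],
  };
}

// Statement for the synth build role in the Tools account: it may assume the
// reader role and nothing else in the Dev account.
function synthAssumeRoleStatement(readerRoleArn: string): PolicyStatement {
  return { Effect: 'Allow', Action: ['sts:AssumeRole'], Resource: [readerRoleArn] };
}

// installCommands for the synth action. A named CLI profile assumes the reader
// role from the CodeBuild container credentials (assumed to work via
// credential_source EcsContainer); only git's credential helper uses that
// profile, so the rest of the build keeps the pipeline's own role.
function assumeRoleInstallCommands(readerRoleArn: string, region: string, profile = 'repo-reader'): string[] {
  return [
    `aws configure set profile.${profile}.role_arn ${readerRoleArn}`,
    `aws configure set profile.${profile}.credential_source EcsContainer`,
    `aws configure set profile.${profile}.region ${region}`,
    `git config --global credential.helper '!aws --profile ${profile} codecommit credential-helper $@'`,
    `git config --global credential.UseHttpPath true`,
  ];
}

// Sanity check for the mistake in the question: the reader role must be created
// in the account that owns the repositories, never in the pipeline account.
function validateCrossAccountSetup(readerRoleArn: string, repoArns: string[], pipelineAccount: string): string[] {
  const problems: string[] = [];
  const roleAccount = accountOfArn(readerRoleArn);
  if (roleAccount === pipelineAccount) {
    problems.push('reader role must be created in the repository account, not the pipeline account');
  }
  for (const arn of repoArns) {
    if (accountOfArn(arn) !== roleAccount) {
      problems.push(`${arn} is not in the reader role's account ${roleAccount}`);
    }
  }
  return problems;
}

// Usage with constructed account ids (hypothetical values).
const devAccount = '111111111111';
const toolsAccount = '222222222222';
const readerRoleArn = `arn:aws:iam::${devAccount}:role/CdkPipelineRepoReader`;
const repoArns = ['otherA', 'otherB'].map(n => `arn:aws:codecommit:eu-central-1:${devAccount}:${n}`);

console.log(JSON.stringify(repoReaderTrustPolicy(toolsAccount), null, 2));
console.log(JSON.stringify(repoReaderPermissions(repoArns), null, 2));
console.log(JSON.stringify(synthAssumeRoleStatement(readerRoleArn), null, 2));
console.log(assumeRoleInstallCommands(readerRoleArn, 'eu-central-1').join('\n'));
console.log('problems:', validateCrossAccountSetup(readerRoleArn, repoArns, toolsAccount));
```

The trust policy names the whole Tools account rather than the build role's ARN because that ARN is generated in the pipeline stack, and a Dev-account stack cannot reference it across accounts without a deployment cycle; the `sts:AssumeRole` statement on the build role side is what narrows the pairing to one role. Keeping `codecommit:GitPull` as the only action means the synth can clone but never push, which is the least privilege a build needs.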