
(@aws-cdk/pipelines): Cloning cross-account repository in SimpleSynthAction


❓ General Issue

The Question

Hi, I am trying to set up a Secure Cross-Account Continuous Delivery Pipeline with four accounts (Dev, Test, Prod, Tools) using Cdk Pipelines.

We have three repositories that live in the Dev Account. The repo that is used as the sourceAction of the Cdk Pipeline contains all the cdk code and triggers successfully whenever a new commit is pushed. However, the SimpleSynthAction is failing because some lambdas require access to the other repositories that live in a separate account, the Dev Account.

I tried the following, but it did not work: passed the CodeRepositoriesStack (in the Dev Account) to the CdkPipelineStack (in the Tools account) in its extended cdk.StackProps, and then granted read access to the other repos by calling props.codeRepositories.otherRepoInDev.grantRead(simpleSynthAction).

I looked into the CodeRepositoriesStack Resources in CloudFormation and did not see any policies there for the other repos. So the problem might be related to that and assumeRole, but I am not sure.

Environment

  • CDK CLI Version: 1.100.0 (build d996c6d)
  • Module Version: 1.100.0
  • Node.js Version: v14.15.0
  • OS: Ubuntu 21.04
  • Language (Version): TypeScript (4.2.4)

Other information

CdkPipelineStack
import * as cdk from '@aws-cdk/core';
import { CdkPipeline, SimpleSynthAction } from '@aws-cdk/pipelines';

import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipelineActions from '@aws-cdk/aws-codepipeline-actions';
import { CodeRepositoriesStack } from './codeRepositoriesStack';
import * as codebuild from '@aws-cdk/aws-codebuild';
import { ComputeType } from '@aws-cdk/aws-codebuild';

export type CdkPipelineStackProps = cdk.StackProps & {
    codeRepositories: CodeRepositoriesStack;
};

export class CdkPipelineStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props: CdkPipelineStackProps) {
        super(scope, id, props);

        const { codeRepositories } = props;

        const sourceArtifact = new codepipeline.Artifact();
        const codeCommitSourceAction = new codepipelineActions.CodeCommitSourceAction({
            actionName: 'GetCode',
            repository: codeRepositories.cdk,
            branch: codeRepositories.mainlineBranchName,
            output: sourceArtifact,
        });

        const codeCommitConfigurationCommands = this.getCodeCommitConfigurationCommands();
        const cloudAssemblyArtifact = new codepipeline.Artifact();
        const simpleSynthAction = new SimpleSynthAction({
            actionName: `CompileAppAndSynthesizeCloudAssembly`,
            environment: {
                buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
                computeType: ComputeType.SMALL,
                privileged: false,
            },
            cloudAssemblyArtifact,
            sourceArtifact,
            subdirectory: 'cdk',
            installCommands: [...codeCommitConfigurationCommands, 'yarn install:ci'],
            buildCommands: ['yarn build:ci'],
            synthCommand: 'yarn synth:ci',
        });

        new CdkPipeline(this, 'Pipeline', {
            pipelineName: 'Pipeline',
            cloudAssemblyArtifact,
            crossAccountKeys: true,
            selfMutating: true,
            sourceAction: codeCommitSourceAction,
            synthAction: simpleSynthAction,
        });

        codeRepositories.otherA.grantRead(simpleSynthAction);
        codeRepositories.otherB.grantRead(simpleSynthAction);
    }

    private getCodeCommitConfigurationCommands(): string[] {
        return [
            'touch /etc/gitconfig',
            `echo '[credential "https://git-codecommit.eu-central-1.amazonaws.com"]' >> /etc/gitconfig`,
            `echo '    helper = !aws codecommit credential-helper $@' >> /etc/gitconfig`,
            `echo '    UseHttpPath = true' >> /etc/gitconfig`,
        ];
    }
}
CodeRepositoriesStack
import * as cdk from '@aws-cdk/core';
import { IRepository, Repository } from '@aws-cdk/aws-codecommit';

export class CodeRepositoriesStack extends cdk.Stack {
    public readonly cdk: IRepository;
    public readonly otherA: IRepository;
    public readonly otherB: IRepository;
    public readonly mainlineBranchName: string;
    public readonly releaseBranchName: string;

    constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
        super(scope, id, props);
        this.cdk = Repository.fromRepositoryName(this, 'Cdk', 'cdk');
        this.otherA = Repository.fromRepositoryName(this, 'OtherA', 'otherA');
        this.otherB = Repository.fromRepositoryName(this, 'OtherB', 'otherB');
        this.mainlineBranchName = 'dev';
        this.releaseBranchName = 'master';
    }
}
App
import { CdkPipelineStack } from '../stacks/cdkPipelineStack';
import { CodeRepositoriesStack } from '../stacks/codeRepositoriesStack';
import * as cdk from '@aws-cdk/core';

const app = new cdk.App();

const devAccount = '#devAccountId';
const codeRepositories = new CodeRepositoriesStack(app, 'CodeRepositories', {
    env: {
        account: devAccount,
        region: 'eu-central-1',
    },
});

const toolsAccount = '#toolsAccountId';
new CdkPipelineStack(app, 'CdkPipeline', {
    env: {
        account: toolsAccount,
        region: 'eu-central-1',
    },
    codeRepositories,
});

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

2 reactions
skinny85 commented, Apr 27, 2021

Ah. OK. I think this is actually a non-starter - you cannot access CodeCommit repositories cross-account (Repository does not have a resource policy).

What you can do is assume a Role in the repo account before running the CDK commands. I think that’s the only way.

Thanks, Adam
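The "assume a role in the repo account" route that Adam suggests, worked through as an added shell example (this is not code from the issue or from the CDK project). It is meant to run from the synth action's installCommands in the Tools-account CodeBuild project. Everything in it is an assumption: the Dev-account role (called CdkSynthRepoRead in the usage comment), the account IDs, region and repo names are placeholders. It also assumes the IAM wiring on both sides exists: the synth project's CodeBuild role is allowed sts:AssumeRole on the Dev-account role (with CDK v1's SimpleSynthAction, the rolePolicyStatements property is where that statement goes), and the Dev-account role's trust policy names exactly that CodeBuild role ARN rather than the whole Tools account, with the permission policy that repo_role_policy_json below emits.

```shell
#!/bin/sh
# Added example, not code from the issue or from the CDK project: assume a
# role in the repository (Dev) account before cloning, so the Tools-account
# synth step can read repos that CodeCommit cannot share cross-account.
# Role name, account IDs, region and repo names are hypothetical placeholders.
#
# Assumed IAM prerequisites:
#   * Tools account: the synth project's CodeBuild role may sts:AssumeRole
#     on the Dev-account role.
#   * Dev account: a role trusted only by that CodeBuild role ARN, with the
#     permission policy produced by repo_role_policy_json.
set -eu

# Least-privilege permission policy for the Dev-account role: read-only git
# access (codecommit:GitPull) to exactly the listed repos, nothing else.
repo_role_policy_json() {
  account="$1"; region="$2"; shift 2
  arns=""
  for repo in "$@"; do
    arns="${arns}${arns:+,}\"arn:aws:codecommit:${region}:${account}:${repo}\""
  done
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"codecommit:GitPull","Resource":[%s]}]}\n' "$arns"
}

# Credential-helper config scoped to the CodeCommit host only (so git does not
# consult the helper for other hosts), appended to the gitconfig given as $1.
# The issue used /etc/gitconfig; tests point this at a temp file.
write_codecommit_gitconfig() {
  cfg="$1"; region="$2"
  cat >> "$cfg" <<EOF
[credential "https://git-codecommit.${region}.amazonaws.com"]
    helper = !aws codecommit credential-helper \$@
    UseHttpPath = true
EOF
}

# Turn the three-field text output of
#   aws sts assume-role ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into the AWS_* variables that the credential helper (and the CLI) read ahead
# of the CodeBuild container credentials.
export_sts_credentials() {
  set -- $1   # split the tab-separated line into three positional parameters
  [ "$#" -eq 3 ] || { echo "expected 3 credential fields, got $#" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# Assume the Dev-account role. The credentials expire on their own (1 hour by
# default), so nothing long-lived is written into the build environment.
assume_repo_role() {
  creds=$(aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "cdk-synth-$(date +%s)" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export_sts_credentials "$creds"
}

# Clone one repo with the assumed role, then drop the temporary credentials so
# the rest of the build (cdk synth, self-mutation) runs as the pipeline's own
# CodeBuild role again, not as the Dev-account role.
clone_with_repo_role() {
  role_arn="$1"; region="$2"; repo="$3"; dest="$4"
  assume_repo_role "$role_arn"
  git clone --depth 1 "https://git-codecommit.${region}.amazonaws.com/v1/repos/${repo}" "$dest"
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Example invocation from the synth step (hypothetical values):
#   write_codecommit_gitconfig /etc/gitconfig eu-central-1
#   clone_with_repo_role arn:aws:iam::111111111111:role/CdkSynthRepoRead eu-central-1 otherA ../otherA
#   clone_with_repo_role arn:aws:iam::111111111111:role/CdkSynthRepoRead eu-central-1 otherB ../otherB
```

Two points worth checking when adapting this: keep the Dev-account role's trust policy pinned to the one CodeBuild role ARN (a trust on the Tools account root would let any principal there with sts:AssumeRole read the repos), and keep its permissions at codecommit:GitPull on the named repo ARNs, since a clone needs nothing more.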

