(events): Rules are created incorrectly for resources that don't belong to its Stack environment

We allow resources to be imported from a different environment than the Stack they are imported to. Something like:

import * as cdk from '@aws-cdk/core';
import * as ecr from '@aws-cdk/aws-ecr';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack1', {
  env: { region: 'region1', account: 'stack-account' },
});
const repo = ecr.Repository.fromArn(stack, 'Repo',
  'arn:aws:ecr:us-west-2:012345678901:repository/my-repo');

Above, repo belongs to a different environment than stack.

However, when we use a CloudWatch Events Rule-creating API of a resource like that, like this:

repo.onCloudTrailImagePushed('SourceEventRule', {
  target: someTargetThatBelongsToStack,
});

What happens is that the Rule is created in the environment of the stack, and not the environment of the source (repo in this case)!

This means that the logic for determining whether a given Target is cross-environment or not fails for this case.
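To make the failure concrete, here is an added, stand-alone TypeScript model of the environment check (not code from the aws-cdk repository, and it does not use the CDK library): it derives the source's environment from its ARN and shows that judging the target against the stack's environment, as the issue describes, hides a cross-environment target that is visible when judged against the source's environment. The account/region values are the ones from the snippet above.

```typescript
// Hypothetical model of the check discussed in the issue; not the CDK implementation.
interface Env {
  account: string;
  region: string;
}

// Parse region and account out of an ARN: arn:partition:service:region:account:resource
function envFromArn(arn: string): Env {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  return { region: parts[3], account: parts[4] };
}

function sameEnv(a: Env, b: Env): boolean {
  return a.account === b.account && a.region === b.region;
}

// Reported behaviour: the rule is placed in the stack's environment,
// so the source ARN plays no role in deciding where the rule lives.
function ruleEnvReported(stackEnv: Env, _sourceArn: string): Env {
  return stackEnv;
}

// Expected behaviour: the rule must live where the event source lives.
function ruleEnvExpected(_stackEnv: Env, sourceArn: string): Env {
  return envFromArn(sourceArn);
}

// A target is cross-environment when it is not in the rule's environment.
function targetIsCrossEnv(ruleEnv: Env, targetEnv: Env): boolean {
  return !sameEnv(ruleEnv, targetEnv);
}

// Constructed sample values mirroring the issue's snippet.
const STACK_ENV: Env = { account: 'stack-account', region: 'region1' };
const REPO_ARN = 'arn:aws:ecr:us-west-2:012345678901:repository/my-repo';
const TARGET_ENV: Env = STACK_ENV; // stands in for someTargetThatBelongsToStack

// Returns the cross-environment verdict under both placements of the rule.
function compareVerdicts(): { reported: boolean; expected: boolean } {
  return {
    reported: targetIsCrossEnv(ruleEnvReported(STACK_ENV, REPO_ARN), TARGET_ENV), // false
    expected: targetIsCrossEnv(ruleEnvExpected(STACK_ENV, REPO_ARN), TARGET_ENV), // true
  };
}
```

Under the reported placement the target looks local, so no cross-account/cross-region wiring for the rule is considered, even though the repository sits in 012345678901 / us-west-2.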

This was noticed by @fasatrix in https://github.com/aws/aws-cdk/issues/10901#issuecomment-905940853.

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

fasatrix commented, Sep 14, 2021

@skinny85 Thanks for your answer. I am not sure I got what you mean but to clarify I have made a diagram.

Context:

  1. Several different Application Squads are building and pushing images to a common ECR service under different repos hosted in Account A (which belongs to a DevOps/Infrastructure squad and hosts all common things, including ECR as a service).
  2. These squads own one or more AWS Accounts (Test, PreProd, Prod etc.), and each one of them has a CodePipeline/CodeDeploy stack with blue/green ECS deployment, deploying images pushed in Step 1 (this is built, tested and pushed with a common Jenkins CI). After the first blue/green deployment (in which a cross-account role allows images to be fetched from ECR Account A), squads want to listen to image changes and then trigger an auto-deployment if that happens.

To make the above happen we have created the following process:

  1. In Account A (hosting ECR), a rule that moves image-related events to the other Accounts' default bus.
  2. For each squad Account (CodePipeline/CodeDeploy), a bus policy like the above that trusts Account A events to be written to this Account's default bus (trusted principal policy).
  3. For each squad Account, an event rule has been created that will listen to ECR PUT/Push events that were pushed to this Account's bus (by the event rule in point 1) and, as an action, will trigger a CodePipeline deploy action.

The above already works well; we are just worried that if the proposed change goes ahead it will break this current solution, and we are also wondering whether there is a simpler way to achieve the above.

[image: diagram of the cross-account ECR event setup described above]

github-actions[bot] commented, Sep 14, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
