
fix(custom-resources): cross-environment call fails in opt-in region #26917

Merged
merged 35 commits into from
Aug 31, 2023

Conversation

scanlonp
Contributor

@scanlonp scanlonp commented Aug 29, 2023

Currently, the region parameter in AwsCustomResource only controls where the action is performed. If a role needs to be assumed, the assumeRole call is made from the region the stack is deployed into. This presents a problem if the stack is deployed into an opt-in region, and the role being assumed lives in a separate stack in an account without the opt-in region enabled.

This change makes the assumeRole call and the sdk call performed in the same region. Therefore, to solve the above problem, pass any region that is enabled for the account that owns the role to be assumed.

Closes #26562.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
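As an added illustration (not code from this PR or from aws-cdk-lib): a small TypeScript model of the region selection described above. `SdkCallSpec`, `resolveRegionsBefore`, `resolveRegionsAfter` and `assumeRoleRegionOk` are local stand-ins defined for this example, not the library's API; the field names `region` and `assumedRoleArn` match the construct's `AwsSdkCall` options. The region names, the account id in the role ARN and the set of regions enabled in the role-owning account are constructed sample values.

```typescript
// Local stand-in for the AwsSdkCall fields that matter here. Field names follow
// aws-cdk-lib/custom-resources; the type itself is defined here, not imported.
interface SdkCallSpec {
  service: string;
  action: string;
  region?: string;          // where the SDK action is performed
  assumedRoleArn?: string;  // role assumed before the action, if any
}

interface ResolvedRegions {
  apiRegion: string; // region the SDK action is sent to
  stsRegion: string; // region the sts:AssumeRole call is sent to
}

// Behaviour before this fix: the STS client is built in the region the custom
// resource's Lambda runs in (the stack region), regardless of `region`.
function resolveRegionsBefore(call: SdkCallSpec, stackRegion: string): ResolvedRegions {
  return { apiRegion: call.region ?? stackRegion, stsRegion: stackRegion };
}

// Behaviour after this fix: assumeRole and the SDK call share the same region.
function resolveRegionsAfter(call: SdkCallSpec, stackRegion: string): ResolvedRegions {
  const apiRegion = call.region ?? stackRegion;
  return { apiRegion, stsRegion: apiRegion };
}

// Pre-deployment check a stack author can run: the region AssumeRole is routed to
// must be enabled in the account that owns the role, otherwise the call fails in
// the way the PR description explains. Nothing to check when no role is assumed.
function assumeRoleRegionOk(
  call: SdkCallSpec,
  stackRegion: string,
  enabledInRoleAccount: ReadonlySet<string>,
  fixed: boolean,
): boolean {
  if (!call.assumedRoleArn) return true;
  const regions = fixed
    ? resolveRegionsAfter(call, stackRegion)
    : resolveRegionsBefore(call, stackRegion);
  return enabledInRoleAccount.has(regions.stsRegion);
}

// Constructed scenario: stack deployed into an opt-in region, role owned by an
// account that only has default regions enabled, call targeting us-east-1.
const sampleCall: SdkCallSpec = {
  service: 'S3',
  action: 'listBuckets',
  region: 'us-east-1',
  assumedRoleArn: 'arn:aws:iam::111111111111:role/ExampleCrossAccountRole', // placeholder account id
};
const sampleStackRegion = 'ap-southeast-3'; // an opt-in region, chosen as a sample
const sampleEnabledRegions: ReadonlySet<string> = new Set(['us-east-1', 'us-west-2', 'eu-west-1']);

console.log('before fix:', resolveRegionsBefore(sampleCall, sampleStackRegion),
  'assumeRole region enabled?', assumeRoleRegionOk(sampleCall, sampleStackRegion, sampleEnabledRegions, false));
console.log('after fix: ', resolveRegionsAfter(sampleCall, sampleStackRegion),
  'assumeRole region enabled?', assumeRoleRegionOk(sampleCall, sampleStackRegion, sampleEnabledRegions, true));
```

With the sample inputs, the pre-fix model routes AssumeRole to the opt-in stack region, which the role's account never enabled, while the post-fix model routes it to the `region` passed on the call; passing any region enabled in the role-owning account therefore resolves the failure, as the description states.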

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Aug 29, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team August 29, 2023 00:30
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 29, 2023
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@rix0rrr rix0rrr added the pr/do-not-merge This PR should not be merged at this time. label Aug 29, 2023
Contributor

@rix0rrr rix0rrr left a comment


Conditionally approved!

@cgarvis cgarvis added p1 and removed p2 labels Aug 29, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 29, 2023 21:53

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions github-actions bot added p2 and removed p1 labels Aug 29, 2023
@github-actions github-actions bot added p1 and removed p2 labels Aug 30, 2023
@scanlonp scanlonp changed the title fix(AwsCustomResource): region parameter in AwsSdkCall does not change region of sts assumeRole call fix(custom-resources): cross-environment call fails in opt-in region Aug 30, 2023
@scanlonp
Contributor Author

Moving my personal checklist to comments.

TODO:

  • Specify accounts for the integ test to provide coverage for cross account and opt-in / non-opt-in region relationship

  • reference cross account integ test

  • Add unit tests to verify the configuration of the sts assumeRole call covered by integ test

Future work, not needed to merge

@udaypant udaypant added the sdk-v3-upgrade Tag issues that are associated to SDK V3 upgrade. Not limited to CR usage of SDK only. label Aug 31, 2023
@scanlonp scanlonp removed the pr/do-not-merge This PR should not be merged at this time. label Aug 31, 2023
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: e7d146a
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Contributor

mergify bot commented Aug 31, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 3701aa7 into aws:main Aug 31, 2023
12 checks passed
mikewrighton pushed a commit that referenced this pull request Sep 14, 2023