-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Service Catalog ProductStack Asset Support #458
Comments
As one of the voices of the community, I would like to say that many teams working with |
Hi @wanjacki! Thanks for submitting this! The goal of the RFC process is to describe the feature, with code samples, in user-facing language. (Effectively, what would go into the README) Follow that up with design decisions that will come from looking at the code. For example:
Finally: what are negative side effects? What are the things we are locked into for the future once we decide to do this? |
@wanjacki I've added myself as the API bar raiser. You can reach out on Slack and we can setup the kick off meeting. |
The other argument we get is what if the multiple product stack share a bucket. Thus the conclusion we came up with is that an asset belongs to the Product Stack not to the Portfolio, thus the buckets that contain the asset also belongs to the Product Stack. As a workaround, we allow users to pass their own Bucket so they can have one bucket for multiple Product Stacks, so that they can use a single bucket for all Product Stacks they know will go in a specific Portfolio.
Finally: what are negative side effects? What are the things we are locked into for the future once we decide to do this? I guess the biggest thing is that we are locked into supporting assets in Product Stack. There is no really clean way to support this feature as we have resorted to S3Deployment to accomplish this, which itself may seem a bit hacky but every other solution is either just not possible or would not provide a good user experience. In the future if there is a better solution, we might still have to support this feature to ensure backwards compatibility. I don't know if this will set a precident for other teams with similiar use cases, but this is a highly requested feature for our customers and our team will be taking on the responsibility of maintaining this feature. I don't see any other major risk, but feel free to clarify if you spot any. |
Takeaways from our meeting.
|
@corymhall @rix0rrr I opted not to give too much guidance on permissions and how user can setup everything as it is all standard Service Catalog setup and there is already documentation on this from Service Catalog. Admins currently already need to setup permissions for the resources they provision, so I think documentation saying they need to add read permissions to our asset bucket as well is sufficient. How they want to setup the permissions (blanket or restricted) should be responsibility of the Admin. |
Please add at least one working example to the README (permissions wise), and refer users to the existing documentation for more details. |
@wanjacki just to reiterate, this is what we need at a minimum to accept this into the CDK.
You also have the option of creating your own construct (we can create a repo for you on cdklabs) if you do not want to follow the CDK contributing process. Let us know! |
@rix0rrr @corymhall
I thought we already discussed this, this is not one of the points of our takeaway from our meeting as shown in the notes above. Despite that I attempted to use the underlying I already spent a good amount of time on this requirement, so I don't want to waste anymore time. If you are insistent on this, then lets setup a meeting and discuss what we can do and what are the solutions as I am out of options. If its not possible to push this through without this, then lets discuss the alternatives . A lot of customers are asking for this feature, and if this is blocking it , then there isn't much more I can do on my own on my side in regards to this requirement.
Thank you! |
I guess I forgot to include it in the notes, definitely remember discussing it and insisting on that as a requirement.
It 100% is our responsibility to test that it is provisionable with assets. We may not need to test that a standard product can be provisioned since that functionality exists inside Service Catalog. Assets is something managed completely outside of service catalog. You may have setup access within Service Catalog correctly and your product could fail to provision because of an S3 access denied error message. For example, are you 100% sure (I am not) that the permissions that you added to the README are the only permissions that are needed to deploy? And is that the best we can do with permissions (read from all S3 buckets)? I know we talked about looking into ways of scoping this down more. It might not be possible to completely automate the integration test, and that is completely fine. We have several integration tests that require following manual steps. |
@corymhall
For using assets specifically, they just need to provide access to the S3Bucket where assets are stored (that they provided).
|
Unless I am misunderstanding how the
I guess to put it a different way, how do you know that the bucket policy that you are adding actually grants access? That's not something the user is deciding. If the bucket policy was not correct, we would receive a bug report which we would need to fix. |
@corymhall This is how a user would use ProductStack
User define their own resource just like they will also have to define their own assets. If they don't define any assets, then there's no additional infrastructure. Users also define the Bucket to be used for assets, if they don't define this then there is no additional infrastructure.
Not sure if i understand, but in the README I provided this policy, this is just a generic S3 Policy that allows GetObject on any resource, this is all they need to the best of my knowledge. I can test it more thoroughly. Any Role with this policy should be able to retrieve the asset from the bucket. The bucket allowing an account to read the asset is automatically granted when we share the portfolio.
|
This seems doable, would I just need to add instructions to tell them to deploy the integration stack. |
@corymhall |
@corymhall @rix0rrr |
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog. More details can be found here: #20690. Closes #20690 RFC: aws/aws-cdk-rfcs#458 ---- ### All Submissions: * [X ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [X] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* ---- Co-authored-by: Theron Mansilla[[imanolympic](https://github.com/imanolympic)]
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog. More details can be found here: aws#20690. Closes aws#20690 RFC: aws/aws-cdk-rfcs#458 ---- ### All Submissions: * [X ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [X] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* ---- Co-authored-by: Theron Mansilla[[imanolympic](https://github.com/imanolympic)]
Currently Assets are not supported in Product Stacks. Service Catalog has an unique use case where assets need to be shared cross account and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog. More details can be found here: aws#20690. Closes aws#20690 RFC: aws/aws-cdk-rfcs#458 ---- ### All Submissions: * [X ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [X] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [X ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* ---- Co-authored-by: Theron Mansilla[[imanolympic](https://github.com/imanolympic)]
Description
The feature is an improvement to the existing ProductStack construct to add support for the use of Asset files.
Use Case
I'm always frustrated as a Service Catalog administrator when I try to add a Lambda function to my ProductStack in CDK because I want to reference my Lambda code from an asset file, and CDK throws an error when I attempt to synthesize this. This limitation means that I'm unable to make use of ProductStack when I want to create a Service Catalog product consisting of Lambas that run large amounts of code. This is an example of a product which I would like to deploy to Service Catalog and share with end users across AWS accounts:
When
cdk synth
is called, it will throw:Service Catalog Product Stacks cannot use Assets
##Proposed Solution
Currently, CDK vends an asset bucket during bootstrap-time to the customer's AWS account. This bucket can be used successfully for enabling file asset support in ProductStack with CFN outputs from the parent stack for both the S3 bucket name and object key. The major issue with this approach is that when sharing a Service Catalog portfolio across accounts, a product that makes use of file assets cannot be provisioned since the parent stack with the aforementioned outputs does not exist in the end-user account.
To solve this, we could implement the usage of a bespoke S3 Bucket to contain asset files from assets used in a Service Catalog ProductStack. A bespoke bucket for this use case allows us to control the naming of the bucket as well as its permissions. Controlling the bucket name is important, especially at synth-time, since this will be referenced by resources that use assets, such as a Lambda function which references Python code stored in an asset file in the S3 bucket. Controlling permissions on a bucket which contains assets is important within the framework of Service Catalog since the administrator of a Service Catalog portfolio shares this portfolio across AWS accounts with end users who make use of products which reference asset files.
In order to implement this solution, we make use of S3 Deployments. S3 Deployments will essentially copy the assets from the bootstrap asset bucket to our own S3 Bucket enabling us to control the naming and permissions on the bucket.
Users can start using assets in their ProductStack without doing anything in which case a ProductStackAssetBucket (extends S3 Bucket) will be automatically generated for them for each ProductStack and named based on their accountId and region. Their assets will then be copied over to this bucket using S3 Deployment. The limitation here is that each ProductStack will generate its own Bucket.
Alternatively, we understand that creating a Bucket for each ProductStack may not be the ideal user experience but due to limitations we are unable to create them on a Portfolio level. As a workaround, we also allow users to define their own ProductStackAssetBucket and pass this property to their ProductStack. This will allow users to define a single bucket and use it for multiple ProductStacks. The only requirement is that user must define a bucketName for their bucket. This is required as we need the bucketName to be written to the template generated by the ProductStack.
Finally, when the user adds their ProductStack to a Product, the Product will become aware of the asset bucket(s). When they
associate their Product to a Portfolio, the Portfolio will also become aware of the asset bucket(s). When they share their Portfolio with an end user account, the asset bucket(s) will grant read permissions to the end user account, so they will be able to access these assets when they provision their Product.
Draft PR:
A draft PR has already been made of this implementation here. They recommended me to go through the RFC process.
aws/aws-cdk#22143
Updated PR:
aws/aws-cdk#22857
Roles
Workflow
status/proposed
)status/review
)api-approved
applied to pull request)status/final-comments-period
)status/approved
)status/planning
)status/implementing
)status/done
)The text was updated successfully, but these errors were encountered: