(servicecatalog): Service Catalog does not support assets out of the box! #20361

Closed
padaszewski opened this issue May 16, 2022 · 7 comments
Labels: @aws-cdk/aws-servicecatalog (Related to AWS Service Catalog), bug (This issue is a bug.)

@padaszewski

Describe the bug

The docs state:

Creating a product from a stack
You can create a Service Catalog CloudFormationProduct entirely defined with CDK code using a service catalog ProductStack.
A separate child stack for your product is created and you can add resources like you would for any other CDK stack,
such as an S3 Bucket, IAM roles, and EC2 instances. This stack is passed in as a product version to your product.

But unfortunately this is not the case. Each resource that creates S3 assets, e.g. complex bundled lambdas, cannot be created in the desired customer (target) account.
This applies to the game changer method fromProductStack() and also (found today) to the fromAsset() method.

Expected Behavior

fromProductStack(): The behaviour of ProductStack containing assets in the target account is the same as of Stack in the development account.
fromAsset() : The product containing assets is successfully deployed in the target account

Current Behavior

fromProductStack(): Not even synthable, because the ProductStackSynthesizer throws the following error: Service Catalog Product Stacks cannot use Assets
fromAsset(): Before we create the product we presynth the App with the following stack synthesizer:

synthesizer: new DefaultStackSynthesizer({
  generateBootstrapVersionRule: false,
}),

and put the result into the fromAsset() method. This leads to actually generating the product, but if we try to launch the product we got the error that the cdk-bootstrap-bucket in the target account does not exist (which is correct, we do not want to bootstrap the account, just launch the CFN product) and the asset, obviously, cannot be created. So this leads to an error during the launch.

Reproduction Steps

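Let's consider the following simple stack:

import { RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib'
import { Bucket, IBucket } from 'aws-cdk-lib/aws-s3'
import { Construct } from 'constructs'

export class SimpleStack extends Stack {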
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props)

    const simpleBucket: IBucket = new Bucket(this, 'my-simple-bucket', {
      autoDeleteObjects: true,
      removalPolicy: RemovalPolicy.DESTROY,
    })
  }
}

This construct creates the custom resource lambda for auto deleting objects, so it fits perfectly as a small example.
Now the actual portfolio stacks:
fromAsset():

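import * as fs from 'fs'
import * as path from 'path'
import * as cdk from 'aws-cdk-lib'
import { DefaultStackSynthesizer, Stack, StackProps } from 'aws-cdk-lib'
import * as servicecatalog from 'aws-cdk-lib/aws-servicecatalog'
import { Construct } from 'constructs'

export class PortfolioStack extends Stack {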
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props)

    const portfolio = new servicecatalog.Portfolio(this, 'my-portfolio', {
      displayName: 'somename',
      description: 'somedesc',
      providerName: 'someprovidername',
    })

    portfolio.shareWithAccount('SOME_ACCOUNT_ID_TO_SHARE_THE_PORTFOLIO_WITH')

    PortfolioStack.getTemplate()

    const product = new servicecatalog.CloudFormationProduct(this, 'Product', {
      productName: 'someProductName',
      owner: 'someProductOwner',
      productVersions: [
        {
          productVersionName: 'someProductVersionName',
          description: 'someProductDesc',
          cloudFormationTemplate: servicecatalog.CloudFormationTemplate.fromAsset(
            path.join(__dirname, 'templates', 'mySimpleStack.template.json'),
          ),
        },
      ],
    })

    portfolio.addProduct(product)
  }

  private static getTemplate() {
    const app = new cdk.App({
      stackTraces: false,
      treeMetadata: false,
      //context
    })

    const applicationStack = new SimpleStack(
      app,
      'mySimpleStack',
      {
        env: {
          account: 'ENV_ACCOUNT_ID',
          region: 'ENV_REGION',
        },
        synthesizer: new DefaultStackSynthesizer({
          generateBootstrapVersionRule: false,
        }),
      },
    )

    const synth = app.synth()
    const template = synth.getStackArtifact(applicationStack.artifactId).template
    const templateDir = path.join(__dirname, 'templates')
    console.log(templateDir)

    if (!fs.existsSync(templateDir)) {
      fs.mkdirSync(templateDir)
    }
    const templatePath = `${templateDir}/mySimpleStack.template.json`
    console.log(templatePath)
    fs.writeFileSync(templatePath, JSON.stringify(template, null, 2))
  }
}

fromProductStack():
Just simply exchange the product creation method and ignore getTemplate()

 cloudFormationTemplate: CloudFormationTemplate.fromProductStack(
            new ProductStack(new SimpleStack(), 'mySimpleProductStack'),
          )

Possible Solution

Currently the only solution we got is to have one application which contains the assets in the specified S3 buckets, provide read permissions for the target account and then create the assets like:

lambda.Code.fromBucket(bucket, key[, objectVersion])

But as You can see this is kind of ironic.
If You have any better solution please share it here.
fromProductStack() is a very big game changer for using the Service Catalog with CDK so we want to encourage You to provide a clean solution for this.

Additional Information/Context

No response

CDK CLI Version

2.23.0 (build 50444aa)

Framework Version

No response

Node.js Version

v16.15.0

OS

Windows

Language

Typescript

Language Version

TypeScript (4.6.4)

Other information

No response
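
A check that catches the fromAsset() launch failure described in this report before the product version is published, as an added example that is not part of the original issue or of the CDK code base: it walks a synthesized template and reports every value that names a CDK bootstrap asset bucket. The bucket naming pattern `cdk-<qualifier>-assets-<account>-<region>`, the function names and the sample template are assumptions made for illustration.

```typescript
// Added example. Assumption: bootstrap asset buckets use the default
// naming scheme cdk-<qualifier>-assets-<account>-<region>.
const BOOTSTRAP_ASSET_BUCKET = /cdk-[a-z0-9]+-assets-/;

// path: JSON path of the offending value; value: the string found there.
type AssetReference = { path: string; value: string };

// Walk every value in the template and collect strings that point at a
// bootstrap asset bucket (plain strings and Fn::Sub bodies alike).
function findBootstrapAssetRefs(
  node: unknown, path: string = '$', found: AssetReference[] = []
): AssetReference[] {
  if (typeof node === 'string') {
    if (BOOTSTRAP_ASSET_BUCKET.test(node)) found.push({ path, value: node });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findBootstrapAssetRefs(item, `${path}[${i}]`, found));
  } else if (node !== null && typeof node === 'object') {
    const obj = node as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      findBootstrapAssetRefs(obj[key], `${path}.${key}`, found);
    }
  }
  return found;
}

// A template can be launched in a non-bootstrapped account only if it
// references no bootstrap asset bucket.
function isLaunchableWithoutBootstrap(template: unknown): boolean {
  return findBootstrapAssetRefs(template).length === 0;
}

// Constructed sample: trimmed shape of a template synthesized with
// DefaultStackSynthesizer for a bucket with autoDeleteObjects enabled.
const sampleTemplate = {
  Resources: {
    MySimpleBucket: { Type: 'AWS::S3::Bucket' },
    AutoDeleteHandler: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Code: {
          S3Bucket: { 'Fn::Sub': 'cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}' },
          S3Key: 'CONSTRUCTED_ASSET_HASH.zip',
        },
      },
    },
  },
};

for (const ref of findBootstrapAssetRefs(sampleTemplate)) {
  console.log(`${ref.path} -> ${ref.value}`);
}
```

Running this on the file written by getTemplate() before handing it to fromAsset() turns the launch-time error in the target account into a build-time finding in the publishing account.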

@padaszewski padaszewski added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 16, 2022
@github-actions github-actions bot added the @aws-cdk/assets Related to the @aws-cdk/assets package label May 16, 2022
@kaizencc kaizencc added @aws-cdk/aws-servicecatalog Related to AWS Service Catalog and removed @aws-cdk/assets Related to the @aws-cdk/assets package labels May 16, 2022
@kaizencc kaizencc changed the title (aws-cdk-lib/aws-servicecatalog): Service Catalog does not support assets out of the box! (servicecatalog): Service Catalog does not support assets out of the box! May 16, 2022
@wanjacki
Contributor

@padaszewski
We are aware of this issue and are currently working on a feature to improve ProductStack in order to fix this.

@wanjacki
Contributor

wanjacki commented May 16, 2022

In regards to fromAsset(), you mention the error you got was that the cdk-bootstrap-bucket in the target account does not exist.
Have you already called cdk bootstrap?
In order for the asset to be deployed to S3, this command needs to be called to create the bucket where the asset will be stored.
Take a look at the following docs for more information:
https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html
https://github.com/aws/aws-cdk/blob/master/design/cdk-bootstrap.md

@padaszewski
Author

@wanjacki
That's cool, do You have any orientation date when this feature might be released?

According to fromAsset() we do not want to bootstrap the target account. Deploying the CFN Product should work without bootstrapping in target. The devops guys in the target account should have only to import the portfolio and launch the product. We do not have the power to tell them to bootstrap the account according to our needs.

@wanjacki
Contributor

wanjacki commented May 16, 2022

@padaszewski
We do not have any orientation date at the moment, however we are prioritizing this feature and are actively working on it. I can provide an update when we do have a date available.

In regards to fromAsset(), if I am understanding correctly, are you referring to deploying an asset file using fromAsset() that also contains another nested Asset? This nested asset is available to the admin account but not to the end user account when the portfolio is shared with them? (We are aware of a similar issue that exists with fromProductStack if you were allowed to deploy assets from them)

Edit: Okay, I think I understand: you are trying to use fromAsset() to bypass the error restrictions on deploying assets on fromProductStack. This leads to the asset not existing in the target account. That should not work since the assets are not being deployed at all in this case.

@kaizencc kaizencc assigned wanjacki and unassigned otaviomacedo May 16, 2022
@padaszewski
Author

@wanjacki
Sure, please keep me up to date with this, because this would enormously simplify our release process.

According to fromAsset() we tried exactly what You wrote in the edit section. I thought it might fail, but I had to check it out as I didn't find a good solution on how to work with the combination assets + cdk + service catalog.

@peterwoodworth peterwoodworth removed the needs-triage This issue or PR still needs to be triaged. label Jun 10, 2022
@peterwoodworth
Contributor

I'm going to close this as a duplicate of the feature request #20690. Thanks for the discussion all! I'd appreciate it if we could keep this all in the FR thread 🙂
