feat: new synthesizer separates assets out per CDK application #24430
Conversation
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
bucketName: this.stagingBucketName,
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
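Review bot: autoDeleteObjects: true combined with RemovalPolicy.DESTROY means deleting this staging stack deletes every asset ever published to the bucket, and autoDeleteObjects also adds a Lambda-backed custom resource that holds permission to delete objects in the bucket. The doc comment for the staging bucket should state that it is disposable together with the app, and a lifecycle rule (as asked below) would let stale asset versions expire without waiting for the stack to be deleted.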
TODO: lifecycle rules?
/**
 * The app-scoped, environment-keyed bucket created in this staging stack.
 */
readonly stagingBucket?: s3.Bucket;

/**
 * The app-scoped, environment-keyed repositories created in this staging stack.
 * A repository is created per image asset family.
 */
readonly stagingRepos: Record<string, ecr.Repository>;
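Review bot: stagingBucket is declared optional while stagingRepos is required. If the bucket is only created once a file asset is added, the doc comment should say so, because callers reading the interface will otherwise not expect undefined; if it is always created, drop the question mark so the two properties are consistent.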
These don't need to be exposed on the interface, right?
 * Staging Stack Properties
 */
export interface StagingStackProps extends StackProps {
  /**
I would expect an application name parameter here as well
 *
 * @default - a well-known name unique to this app/env.
 */
readonly fileAssetPublishingRoleName?: string;
Is this one that's going to be created or reused? Maybe call it existingFileAssetPublishingRoleName?
/**
 * Default asset publishing role name for file (S3) assets.
 */
private static readonly DEFAULT_FILE_ASSET_PUBLISHING_ROLE_NAME = 'cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}';
This name is going to conflict with the default bootstrapped roles :).
I think we pick a prefix that contains the app name and base the rest off of it. And come to think of it, ${AccountId} only needs to be in the bucket name, not in any of the role names.
 * Returns the well-known name of the file publishing role
 */
private getCreateFilePublishingRole() {
  this.node.tryFindChild(this.fileAssetPublishingRoleName) as iam.Role ?? new iam.Role(this, this.fileAssetPublishingRoleName, {
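Review bot: getCreateFilePublishingRole never returns the role it finds or creates; the `this.node.tryFindChild(...) as iam.Role ?? new iam.Role(...)` expression is evaluated and its value discarded, so every caller receives undefined. Put `return` in front of the expression. The `as iam.Role` cast also hides the fact that tryFindChild returns any construct registered under that ID; an instanceof check (or a dedicated private field holding the created role) would be safer than a blind cast.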
The construct ID doesn't have to be its actual name. It could just be a symbolic identifier like "FileRole". Think of it as a variable name.
private getCreateFilePublishingRole() {
  this.node.tryFindChild(this.fileAssetPublishingRoleName) as iam.Role ?? new iam.Role(this, this.fileAssetPublishingRoleName, {
    roleName: DefaultStagingStack.DEFAULT_FILE_ASSET_PUBLISHING_ROLE_NAME,
    assumedBy: new iam.ServicePrincipal('sts.amazonaws.com'), // TODO actually create correct role
Check the current assume role policies. I think the correct assumer here will be:
- The Deploy Role if the user chooses a Deploy Role (should be a parameter to the stack synthesizer)
- The current account root if not
Perhaps this needs to be configurable?
partition: this.partition ?? Aws.PARTITION,
account: this.account ?? Aws.ACCOUNT_ID,
region: this.region ?? Aws.REGION,
You need special placeholders instead of tokens, to pass to the asset manifest. I think it's the literal string ${AWS::Region}, etc.
Some final nitpicks on the README and naming, sorry :P and then let's ship it!
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
AWS CodeBuild CI Report (powered by github-codebuild-logs, available on the AWS Serverless Application Repository)
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Bump schema version to accompany #24430
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Howdy! Probably not the best place to ask, but will there be a version of this where you can still share Buckets, but the rest is independent? At least two of our accounts are already close to bucket limit and it's not hard to hit depending on your usage.
This PR introduces a new synthesizer inside the module app-staging-synthesizer-alpha. This new synthesizer produces staging resources alongside the CDK application and assets will be stored there. It removes the need for running cdk bootstrap before deploying a CDK app in a new account/region. Under the new synthesizer, assets between different CDK applications will be separated, which means they can be cleaned up and lifecycle controlled independently.
To get started, add the following to your CDK application:
The new format of staging resources will look something like this:
This feature is heavily experimental and the API may break in the future. It does not work with CDK Pipelines yet.
Depends on #25536.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license