From 2308d7da5a754b671bb36b30bcc71452331715ff Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Thu, 25 Jul 2019 20:15:02 +0300 Subject: [PATCH 01/17] rfc: continuous delivery for cdk apps Request for comments on the spec for CI/CD support for CDK apps. --- design/continuous-delivery.md | 329 ++++++++++++++++++++++++++++++++++ 1 file changed, 329 insertions(+) create mode 100644 design/continuous-delivery.md diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md new file mode 100644 index 0000000000000..83b5c8d0aac93 --- /dev/null +++ b/design/continuous-delivery.md @@ -0,0 +1,329 @@ +# Continuous Delivery for CDK Apps + +This is a specification for continuous delivery support for CDK apps. It +describes the requirements, proposed APIs and developer workflow. + +**_Goal_: full CI/CD for CDK apps at any complexity.** + +The desired developer experience is that teams will be able to “git push” a +change into their CDK app repo and have this change automatically picked up, +built, tested and deployed according to a deployment flow they define. + +Any changes in resources, assets *or stacks* in their apps will automatically be +added. To that end, the deployment pipeline itself will also be continuously +delivered and updated throughout the same workflow. No manual deployments to +production (incl. the pipeline) will be required. + +The only caveat is that **new environments** (account/region) will need to be +bootstrapped in advance in order to establish trust with the central pipeline +environment and set-up resources needed for deployment such as the assets S3 +bucket. + +Prototype: https://github.com/eladb/cdkcd-test + +## Requirements + +This list describes only the minimal set of requirements from this feature. +After we release these building blocks, we will look into vending higher-level +"one liner" APIs that will make it very easy to get started. + +1. **Assets**: Support apps that include all supported kinds of assets (S3 + files, ECR images) +2. **Multiple-environments**: Support apps that have stacks that target multiple + environments (accounts/regions) +3. **Orchestration**: Allow developers to express complex deployment + orchestration based on the capabilities of CodePipeline +4. **User defined build + synth environment**: the runtime environment in which + the code is built and the CDK app is synthesized should be fully customizable + by the user +5. **Controlled deployment environment**: for security reasons, the runtime + environment in which deployment is executed will be fully controlled and will + not allow running user code or user-defined image + +_Non-requirements/assumptions:_ + +1. Bundling assets (creating Lambda zip files, building docker images) and + publishing them (upload to S3, push to ECR) is currently coupled with the + deployment of each stack that uses them. This means, for example, that if a + docker image is used in 3 stacks, it will be built 3 times, and this could + lead to different images (for example, “apt get install” can install a + different version of a dependency each time). We are assuming that this is + good enough for the first version of this feature. +2. We assume that **cdk.context.json** is committed into the repo. Any + context-fetching will be done manually by users and committed to the + repository. +3. There’s a one-to-one mapping between an app and a pipeline. We are not + optimizing the experience for multiple apps per pipeline (although + technically it should be possible to do it, but it’s not a use case we are + focused on). +4. We are not optimizing this experience to support any CD tool (e.g. Jenkins) + but we should provide guidance on how to use “cdk synth” and “cdk deploy” so + that users will be able to implement CI/CD through their tools. +5. Dependency management, repository and project structure are out of scope: we + don’t want to be opinionated about how users should structure their projects. + They should be able to use the tools they are familiar with and are available + to their teams to structure and modularize their applications. + +## Approach + +At a high-level, we will model the deployment process of a CDK app as follows: +**source** => **build** => **pipeline => deploy:** + +1. In the *source* stage the code is pulled from a source repository (e.g. + CodeCommit, GitHub or S3), like any other app. +2. In the *build* stage, the application is compiled (if required) **and + synthesized** to a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md). + The only artifact of the build stage is the cloud assembly directory. +3. In the *pipeline* stage, we update the deployment pipeline itself. For + example, if stacks were added to the app, we need the pipeline to include + additional deployment actions for those stacks. In this stage we basically + deploy a CDK stack that is part of the app and contains the CodePipeline + resource itself. +4. In the *deploy* stage(s), stacks are deployed to the various environments + through some orchestration process (e.g. deploy first to this region, run + these canaries, wait for errors, continue to the next stage, etc). + +NOTES: + +* We assume a single source repository that masters the CDK app itself. This + repo can be structured in any way users wish, and may include multiple modules + or just a single one. If users choose to organize their project into modules + and master different modules in other repositories, eventually the build + artifacts from these builds should be available when the app is synthesized. +* The only requirement from the build step is the it will have an output + artifact that is a cloud assembly directory which is obtained through “cdk + synth” (defaults to “cdk.out”). Other than that, users can fully control their + build environment. +* The deployment phase can include any number of stack deployment actions. Each + deployment action is responsible deploy a single stack, along with any assets + it references. + +## Stack Deployment Action + +Given the approach above, the *source* and *build* stages are completely +standard. The only requirement is that the build stage will have the cloud +assembly as its output artifact. + +Cloud assemblies include CloudFormation templates and the *source* (i.e. +Dockerfile, lambda sources, etc) for all assets needed for this application. +Cloud assemblies are self-contained and can later be consumed by `cdk deploy` to +bundle and publish assets and deploy stacks to AWS environments. + +Therefore, the basic building block we need in order to enable continuous +delivery for CDK apps is a **Stack Deployment Action** which deploys a single +CDK stack from a cloud assembly to an AWS environment. + +Such an action can be implemented as a CodeBuild project+action, which accepts a +cloud assembly as a single input artifact, runs inside the standard CodeBuild +node.js base image and executes the “deploy” CDK CLI command: + +``` +npx cdk@${FRAMEWORK_VERSION} deploy \ + --app . \ + --exclusively ${STACK_NAME} \ + --require-approval=never +``` + +In order to support deploying stacks to multiple environments (account/regions) +the build project will assume a **well-known IAM role** which will be +pre-provisioned to each one of the destination environments. See the +[Bootstrapping](#bootstrapping) section below for details on how this role will +be pre-provisioned. + +The CodeBuild project resource itself will be provisioned in the *same* +environment as the pipeline, so it will have direct access to cloud assembly +artifact. + +> A potential alternative would have been to provision a dedicated CodeBuild +> project resource for each stack in each target environment and use +> CodePipeline’s replication system to copy the cloud assembly to the +> destination environment and execute the project remotely, with shared KMS +> keys, etc. This will dramatically complicate the bootstrapping process/setup +> and doesn’t seem to improve the security or reliability of this process. In +> fact a similar approach is taken by the stock CodePipeline CloudFormation +> actions. + +We can offer two levels of abstraction for the stack deployment action: one that +accepts a stack name and an environment and the other that just accepts a +`core.Stack` (and then, we can derive the stack name and the environment from +it): + +Low-level API: + +``` +actionName: string; +assembly: cp.Artifact; // build output +frameworkVersion?: string; // defaults to LATEST +stackName: string; // the name of the stack to deploy +env?: Environment; // defaults to pipeline account/region +``` + +Higher-level API: + +``` +actionName: string; +assembly: cp.Artifact; // build output +frameworkVersion?: string; // defaults to LATEST +stack: core.Stack; // the stack to deploy +``` + +NOTES: + +* The project must run in **privileged** mode in order to support docker + assets. +* The **--exclusively** flag will ensure that “cdk deploy” will only deploy the + specified stack (along with it’s assets). This means that if this stack + depends on other stacks, they must be explicitly deployed before it. +* The **--require-approval=never** flag will not require users to confirm any + posture changes. +* The role will be assumed with an external ID dedicated to the CDK to reduce + the chance for mistakes. + +## Bootstrapping + +Based on this model, in order to be able to deploy CDK stacks to an environment +we need two resources: + +1. **Assets bucket**, which is needed by the CLI in order to upload + CloudFormation templates and assets to S3. +2. **Deployment IAM role**, which is needed by the deployment action in order to + deploy to this account. The deployment role needs to trust the central + account assume-role permissions. + +To CDK CLI currently has a `bootstrap` command which provisions the assets +bucket described above. We will extend it to include a deployment role with an +option to specify a set of trusted AWS account IDs which will be permitted to +deploy to this environment: + +``` +$ cdk bootstrap aws://account/region --trust-account ACCOUNT_ID +WARNING: any principal from will have administrative access to the account . +Please confirm (Y/N): +``` + +An appropriate error should be displayed to the user if they try to deploy to a +non-bootstrapped environment. + +## Sample Walkthrough + +Given these two primitives (a **stack deployment CodePipeline action** and a +**bootstrap deployment IAM role**), we are able to support all requirements in +this doc. + +Lets walk through the following scenario: + +1. Repository hosted on GitHub. +2. Separate AWS account for the pipeline. +3. App includes a VPC stack and a service stack +4. Initially deploy into a single geography (account/region) +5. Extend to another geography + +### Initialize the pipeline + +1. Create an AWS account for the pipeline (we will refer to it as `ACNT-PIPE`) +2. Bootstrap the pipeline environments: + + cdk bootstrap aws://ACNT-PIPE/us-east-1 + +3. Create a new git repository for the app (e.g. on GitHub). +4. Initialize a new CDK app: `cdk init` +5. Define a **"pipeline"** stack ([example](https://github.com/eladb/cdkcd-test/blob/master/lib/pipeline.ts)) + which includes a source, build and self-updating pipeline stage. +6. Commit this code and push to GitHub +7. Execute `cdk deploy pipeline` to deploy this pipeline. +8. From this point forward, no need to use `cdk deploy` anymore. + +### North America deployment + +1. Create an AWS account for the service in North America (`ACNT-NA`) + +2. Bootstrap this account and trust the pipeline account: + + cdk bootstrap aws://ACNT-NA/us-west-2 --trust ACNT-PIPE + +3. Let’s say our service is organized into two stacks: `VpcStack` and + `ServiceStack`. + +4. Add the following code to the pipeline: + + ```ts + pipeline.addStage({ + stageName: 'deploy-VPC', + actions: [ + new DeployStackAction(this, `deploy-NA-VPC`, { + stack: new VpcStack(this, 'na-vpc', { env: NA_ENV }), + assembly: assembly + } + ] + }); + + pipeline.addStage({ + stageName: 'deploy-SVC', + actions: [ + new DeployStackAction(this, `deploy-NA-SVC`, { + stack: new ServiceStack(this, 'na-svc', { env: NA_ENV }), + assembly: assembly + } + ] + }); + ``` + +6. **UGLY**?: Obtain credentials for the new account and `cdk synth` or `cdk ls` + in order to update `cdk.context.json` with the AZ information from that + account/region. +7. Commit + push. That’s it, this will automatically be picked up by our + pipeline. First the pipeline itself will be updated and then the two new + stages will be added and the stacks deployed. + +### Adding Europe + +Now let's say we want to also deploy another geography for our app (in parallel +to the NA deployment, as an example). + +1. Create & bootstrap another account (`ACNT-EU`) (with `--trust ACNT-PIPE`). + +2. Update the pipeline stack to look like this: + +```ts +pipeline.addStage({ + stageName: 'deploy-VPC', + actions: [ + new DeployStackAction(this, `deploy-NA-VPC`, { + stack: new VpcStack(this, 'na-vpc', { env: NA_ENV }), + assembly: assembly + }, + new DeployStackAction(this, `deploy-EU-VPC`, { + stack: new VpcStack(this, 'eu-vpc', { env: EU_ENV }), + assembly: assembly + }, + ] +}); + +pipeline.addStage({ + stageName: 'deploy-SVC', + actions: [ + new DeployStackAction(this, `deploy-NA-SVC`, { + stack: new ServiceStack(this, 'na-svc', { env: NA_ENV }), + assembly: assembly + }, + new DeployStackAction(this, `deploy-EU-SVC`, { + stack: new ServiceStack(this, 'eu-svc', { env: EU_ENV }), + assembly: assembly + } + ] +}); +``` + +5. `cdk synth` to update `cdk.context.json` with the new AZ context. + +6. Commit + push + +## Open Issues + +- [ ] How to handle removal of stacks +- [ ] Define a workflow and a special verb for updating **cdk.context.json** + (currently, users need to simply run `cdk ls` or `cdk synth` from their dev + machine with credentials to access each environment. It’s not super nice. + + + From 8a6b82d34a5801f69488b8c2bc8130848bf18cfe Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Tue, 30 Jul 2019 16:45:13 +0300 Subject: [PATCH 02/17] Added some open issues based on feedback --- design/continuous-delivery.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 83b5c8d0aac93..8e1128e7b1aec 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -320,10 +320,13 @@ pipeline.addStage({ ## Open Issues +- [ ] __SECURITY ISSUE__: since the deployment action needs to run `docker build`, it requires both privileged mode on the machine _and_ can execute arbitrary user-code, so we are essentially losing our ability to really control the deployment environment. +- [ ] Users are concerned with costs of the deployment actions in their pipeline. CloudFormation actions are free. - [ ] How to handle removal of stacks - [ ] Define a workflow and a special verb for updating **cdk.context.json** (currently, users need to simply run `cdk ls` or `cdk synth` from their dev machine with credentials to access each environment. It’s not super nice. - +- [ ] Integration with AWS Organization +- [ ] Extensability model for `cdk boostrap` to allow teams to customize this behavior. From 104ea953c472331f327b7b3344bd471eb092fe43 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 18 Aug 2019 21:28:07 +0300 Subject: [PATCH 03/17] introduce cdk-package (initial) initial introduction of the concept of cdk-package still needs end to end updates. --- design/continuous-delivery.md | 59 ++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 8e1128e7b1aec..2e5666c554950 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -19,7 +19,8 @@ bootstrapped in advance in order to establish trust with the central pipeline environment and set-up resources needed for deployment such as the assets S3 bucket. -Prototype: https://github.com/eladb/cdkcd-test +- App Prototype: https://github.com/eladb/cdkcd-test +- Toolchain Prototype: https://github.com/eladb/cdk-toolchain-prototype ## Requirements @@ -27,8 +28,8 @@ This list describes only the minimal set of requirements from this feature. After we release these building blocks, we will look into vending higher-level "one liner" APIs that will make it very easy to get started. -1. **Assets**: Support apps that include all supported kinds of assets (S3 - files, ECR images) +1. **Assets**: Support apps that include all kinds of assets (S3 files, ECR + images) 2. **Multiple-environments**: Support apps that have stacks that target multiple environments (accounts/regions) 3. **Orchestration**: Allow developers to express complex deployment @@ -36,30 +37,33 @@ After we release these building blocks, we will look into vending higher-level 4. **User defined build + synth environment**: the runtime environment in which the code is built and the CDK app is synthesized should be fully customizable by the user -5. **Controlled deployment environment**: for security reasons, the runtime +5. **Controlled deployment runtime environment**: for security reasons, the runtime environment in which deployment is executed will be fully controlled and will not allow running user code or user-defined image +_Considerations:_ + +* Support for deployment across partitions and into air-gapped regions. +* Prefer to use stock CloudFormation pipeline actions to reduce costs, leverage + UI and allow restriction of the deployment role to the CloudFormation service + principal. +* Execution of `cdk synth` or `docker build` should not be done in a context + with administrative privileges + _Non-requirements/assumptions:_ -1. Bundling assets (creating Lambda zip files, building docker images) and - publishing them (upload to S3, push to ECR) is currently coupled with the - deployment of each stack that uses them. This means, for example, that if a - docker image is used in 3 stacks, it will be built 3 times, and this could - lead to different images (for example, “apt get install” can install a - different version of a dependency each time). We are assuming that this is - good enough for the first version of this feature. -2. We assume that **cdk.context.json** is committed into the repo. Any +1. We assume that **cdk.context.json** is committed into the repo. Any context-fetching will be done manually by users and committed to the repository. -3. There’s a one-to-one mapping between an app and a pipeline. We are not +2. There’s a one-to-one mapping between an app and a pipeline. We are not optimizing the experience for multiple apps per pipeline (although technically it should be possible to do it, but it’s not a use case we are focused on). -4. We are not optimizing this experience to support any CD tool (e.g. Jenkins) - but we should provide guidance on how to use “cdk synth” and “cdk deploy” so - that users will be able to implement CI/CD through their tools. -5. Dependency management, repository and project structure are out of scope: we +3. We are not optimizing this experience to support any CD tool (e.g. Jenkins) + but we should provide guidance on how to use `cdk synth`, `cdk package` and + `cdk deploy` so that users will be able to implement CI/CD through their + tools. +4. Dependency management, repository and project structure are out of scope: we don’t want to be opinionated about how users should structure their projects. They should be able to use the tools they are familiar with and are available to their teams to structure and modularize their applications. @@ -67,13 +71,21 @@ _Non-requirements/assumptions:_ ## Approach At a high-level, we will model the deployment process of a CDK app as follows: -**source** => **build** => **pipeline => deploy:** + +``` +source => build => package => pipeline => deploy +``` 1. In the *source* stage the code is pulled from a source repository (e.g. CodeCommit, GitHub or S3), like any other app. 2. In the *build* stage, the application is compiled (if required) **and synthesized** to a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md). The only artifact of the build stage is the cloud assembly directory. +2. In the *package* stage, we build and publish all assets needed by the + app to all target environments. The output of this stage is a set of + CloudFormation templates (one for each stack) with the asset parameters + resolved to their published location (by assigning default values to the + CloudFormation parameters). 3. In the *pipeline* stage, we update the deployment pipeline itself. For example, if stacks were added to the app, we need the pipeline to include additional deployment actions for those stacks. In this stage we basically @@ -98,8 +110,14 @@ NOTES: deployment action is responsible deploy a single stack, along with any assets it references. +## Packaging Action + +TODO, see prototype `cdk-package` + ## Stack Deployment Action +TODO: change this to use the stock CloudFormation action + Given the approach above, the *source* and *build* stages are completely standard. The only requirement is that the build stage will have the cloud assembly as its output artifact. @@ -181,6 +199,11 @@ NOTES: ## Bootstrapping + - TODO: update based on `cdk-boostrap` prototype: + - TODO: IAM role for publishing + - TODO: IAM role for manual deployment (through `cdk deploy` with permissions only for developers as needed). + - TODO: IAM role that allows only CFN to assume it and used for actual deployments + Based on this model, in order to be able to deploy CDK stacks to an environment we need two resources: From 58404ed223d8169fa80fc98ea20ad62135c9405b Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 22 Sep 2019 15:22:08 +0300 Subject: [PATCH 04/17] update based on latest thinking --- design/continuous-delivery.md | 749 ++++++++++++++++++++++------------ 1 file changed, 485 insertions(+), 264 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 2e5666c554950..c9a2e90b5cbd6 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -1,355 +1,576 @@ # Continuous Delivery for CDK Apps -This is a specification for continuous delivery support for CDK apps. It -describes the requirements, proposed APIs and developer workflow. +This is a specification for the continuous delivery support feature for CDK apps. It describes the requirements, proposed APIs and developer workflow. -**_Goal_: full CI/CD for CDK apps at any complexity.** +**_Goal_: Full CI/CD for CDK apps at any complexity.** -The desired developer experience is that teams will be able to “git push” a -change into their CDK app repo and have this change automatically picked up, -built, tested and deployed according to a deployment flow they define. +The desired developer experience is that teams will be able to "git push" a change into their CDK app repo and have this change automatically picked up, built, tested and deployed according to a deployment flow they define. -Any changes in resources, assets *or stacks* in their apps will automatically be -added. To that end, the deployment pipeline itself will also be continuously -delivered and updated throughout the same workflow. No manual deployments to -production (incl. the pipeline) will be required. +Any changes in resources, assets *or stacks* in their apps will automatically be added. To that end, the deployment pipeline itself will also be continuously delivered and updated throughout the same workflow. No manual deployments to production (incl. the pipeline) will be required. -The only caveat is that **new environments** (account/region) will need to be -bootstrapped in advance in order to establish trust with the central pipeline -environment and set-up resources needed for deployment such as the assets S3 -bucket. +The only caveat is that **new environments** (account/region) will need to be bootstrapped in advance in order to establish trust with the central pipeline environment and set-up resources needed for deployment such as the assets S3 bucket. -- App Prototype: https://github.com/eladb/cdkcd-test -- Toolchain Prototype: https://github.com/eladb/cdk-toolchain-prototype +- [Requirements](#requirements) +- [Approach](#approach) +- [Build](#build) +- [Synthesis](#synthesis) +- [Bootstrapping](#bootstrapping) +- [Mutation](#mutation) +- [Publishing](#publishing) +- [Deployment](#deployment) +- [Walkthrough](#walkthrough) + - [Bootstrapping](#bootstrapping-1) + - [Source](#source) + - [Synthesis](#synthesis-1) + - [Mutation](#mutation-1) + - [Publishing](#publishing-1) + - [Deployment](#deployment-1) ## Requirements -This list describes only the minimal set of requirements from this feature. -After we release these building blocks, we will look into vending higher-level -"one liner" APIs that will make it very easy to get started. - -1. **Assets**: Support apps that include all kinds of assets (S3 files, ECR - images) -2. **Multiple-environments**: Support apps that have stacks that target multiple - environments (accounts/regions) -3. **Orchestration**: Allow developers to express complex deployment - orchestration based on the capabilities of CodePipeline -4. **User defined build + synth environment**: the runtime environment in which - the code is built and the CDK app is synthesized should be fully customizable - by the user -5. **Controlled deployment runtime environment**: for security reasons, the runtime - environment in which deployment is executed will be fully controlled and will - not allow running user code or user-defined image +This list describes only the minimal set of requirements from this feature. After we release these building blocks, we will look into vending higher-level "one liner" APIs that will make it very easy to get started. + +1. **Deployment system**: the design should focus on building blocks that can be easily integrated into various deployment systems. This spec +1. **Assets**: Support apps that include all supported assets (S3 files, ECR images) +1. **Multi-environment**: Support apps that have stacks that target multiple environments (accounts/regions) +1. **Orchestration**: Allow developers to express complex deployment orchestration based on the capabilities of CodePipeline +1. **User-defined build+synth runtime**: the runtime environment in which the code is built and the CDK app is synthesized should be fully customizable by the user +1. **Restricted deployment runtime**: for security reasons, the runtime environment in which deployment is executed will be fully controlled and will not allow running user code or user-defined image +1. **Bootstrapping**: It should be possible to update bootstrapping resources automatically if possible and least discover that the bootstrap environment is not up-to-date. +1. **Custom replication**: In order to support isolated and air-gapped regions, as well as deployment across partitions, the solution should support customizing how and where assets are published and replicated to. _Considerations:_ -* Support for deployment across partitions and into air-gapped regions. -* Prefer to use stock CloudFormation pipeline actions to reduce costs, leverage - UI and allow restriction of the deployment role to the CloudFormation service - principal. -* Execution of `cdk synth` or `docker build` should not be done in a context - with administrative privileges +* Prefer to use standard CloudFormation pipeline actions to reduce costs, leverage UI and allow restriction of the deployment role to the CloudFormation service principal. +* Execution of `cdk synth` or `docker build` should not be done in a context with administrative privileges to avoid injection of malicious code into a privileged environment. _Non-requirements/assumptions:_ -1. We assume that **cdk.context.json** is committed into the repo. Any - context-fetching will be done manually by users and committed to the - repository. -2. There’s a one-to-one mapping between an app and a pipeline. We are not - optimizing the experience for multiple apps per pipeline (although - technically it should be possible to do it, but it’s not a use case we are - focused on). -3. We are not optimizing this experience to support any CD tool (e.g. Jenkins) - but we should provide guidance on how to use `cdk synth`, `cdk package` and - `cdk deploy` so that users will be able to implement CI/CD through their - tools. -4. Dependency management, repository and project structure are out of scope: we - don’t want to be opinionated about how users should structure their projects. - They should be able to use the tools they are familiar with and are available - to their teams to structure and modularize their applications. +* We assume that **cdk.context.json** is committed into the repo. Any context-fetching will be done manually by users and committed to the repository. +* There’s a one-to-one mapping between an app and a pipeline. We are not optimizing the experience for multiple apps per pipeline (although technically it should be possible to do it, but it’s not a use case we are focused on). +* Dependency management, repository and project structure are out of scope: we don’t want to be opinionated about how users should structure their projects. They should be able to use the tools they are familiar with and are available to their teams to structure and modularize their applications. +* Assets will not be supported in environment-agnostic stacks. [#4131](https://github.com/aws/aws-cdk/pull/4131) proposes that `cdk deploy` will default `env` to the current account/region, which means that the CLI use case will no longer treat stacks as environment-agnostic. ## Approach At a high-level, we will model the deployment process of a CDK app as follows: ``` -source => build => package => pipeline => deploy +bootstrap => source => build => synthesis => mutate => publish => deploy ``` -1. In the *source* stage the code is pulled from a source repository (e.g. - CodeCommit, GitHub or S3), like any other app. -2. In the *build* stage, the application is compiled (if required) **and - synthesized** to a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md). - The only artifact of the build stage is the cloud assembly directory. -2. In the *package* stage, we build and publish all assets needed by the - app to all target environments. The output of this stage is a set of - CloudFormation templates (one for each stack) with the asset parameters - resolved to their published location (by assigning default values to the - CloudFormation parameters). -3. In the *pipeline* stage, we update the deployment pipeline itself. For - example, if stacks were added to the app, we need the pipeline to include - additional deployment actions for those stacks. In this stage we basically - deploy a CDK stack that is part of the app and contains the CodePipeline - resource itself. -4. In the *deploy* stage(s), stacks are deployed to the various environments - through some orchestration process (e.g. deploy first to this region, run - these canaries, wait for errors, continue to the next stage, etc). - -NOTES: +1. **bootstrap**: manually pre-provision resources required to deploy CDK apps into this environment (such as an S3 bucket, ECR repository and various IAM roles that trust the central deployment account). +2. **source**: the code is pulled from a source repository (e.g. CodeCommit, GitHub or S3), like any other app. +3. **build**: compiles the CDK app code into an executable program (user-defined). +4. **synthesis**: invokes the compiled executable to produce a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md) from the app. It includes a CloudFormation template for each stack and asset sources (docker images, s3 files, etc) that must be prepared and published to the asset store in each environment that consumes them. +5. **mutate**: update stack(s) required by the pipeline. This includes pipeline resources and other auxiliary resources such as regional replication buckets. These stacks are limited to 50KiB and are not allowed to use assets, so they can be deployed without bootstrapping resources. +6. **publish**: prepare and publish all assets to asset stores (S3 bucket, ECR repository) so they can be consumed. +7. **deploy**: stage(s), stacks are deployed to the various environments through some orchestration process (e.g. deploy first to this region, run these canaries, wait for errors, continue to the next stage, etc). -* We assume a single source repository that masters the CDK app itself. This - repo can be structured in any way users wish, and may include multiple modules - or just a single one. If users choose to organize their project into modules - and master different modules in other repositories, eventually the build - artifacts from these builds should be available when the app is synthesized. -* The only requirement from the build step is the it will have an output - artifact that is a cloud assembly directory which is obtained through “cdk - synth” (defaults to “cdk.out”). Other than that, users can fully control their - build environment. -* The deployment phase can include any number of stack deployment actions. Each - deployment action is responsible deploy a single stack, along with any assets - it references. +NOTE: The deployment phase can include any number of stack deployment actions. Each deployment action is responsible deploy a single stack, along with any assets it references. -## Packaging Action +This following sections describes the design of each component in the toolchain. -TODO, see prototype `cdk-package` +## Build -## Stack Deployment Action +In this stage we compile the CDK app to an executable program through a user-defined build system. -TODO: change this to use the stock CloudFormation action +We assume a single source repository which masters the CDK app itself. This repo can be structured in any way users wish, and may include multiple modules or just a single one. If users choose to organize their project into modules and master different modules in other repositories, eventually the build artifacts from these builds should be available when the app is synthesized. -Given the approach above, the *source* and *build* stages are completely -standard. The only requirement is that the build stage will have the cloud -assembly as its output artifact. +The only requirement from the build step is the it will have an output artifact that is a cloud-assembly directory which is obtained through `cdk synth` (defaults to `./cdk.out`). Other than that, users can fully control their build environment. -Cloud assemblies include CloudFormation templates and the *source* (i.e. -Dockerfile, lambda sources, etc) for all assets needed for this application. -Cloud assemblies are self-contained and can later be consumed by `cdk deploy` to -bundle and publish assets and deploy stacks to AWS environments. +## Synthesis -Therefore, the basic building block we need in order to enable continuous -delivery for CDK apps is a **Stack Deployment Action** which deploys a single -CDK stack from a cloud assembly to an AWS environment. +The CDK synthesizes a CloudFormation template for each stack defined in the CDK app. -Such an action can be implemented as a CodeBuild project+action, which accepts a -cloud assembly as a single input artifact, runs inside the standard CodeBuild -node.js base image and executes the “deploy” CDK CLI command: +When stacks are defined, users can specify the target environment (account and region) into which the stack should be deployed: -``` -npx cdk@${FRAMEWORK_VERSION} deploy \ - --app . \ - --exclusively ${STACK_NAME} \ - --require-approval=never +```ts +new Stack(this, 'my-stack', { env: { account: '123456789012', region: 'us-east-1' } }); ``` -In order to support deploying stacks to multiple environments (account/regions) -the build project will assume a **well-known IAM role** which will be -pre-provisioned to each one of the destination environments. See the -[Bootstrapping](#bootstrapping) section below for details on how this role will -be pre-provisioned. +**Deployment Across Environments** -The CodeBuild project resource itself will be provisioned in the *same* -environment as the pipeline, so it will have direct access to cloud assembly -artifact. +In order to support deploying stacks from a centralized (pipeline/development) environment to other environments, the bootstrap stack includes a set of named IAM roles which trust the central account for publishing and deployment. -> A potential alternative would have been to provision a dedicated CodeBuild -> project resource for each stack in each target environment and use -> CodePipeline’s replication system to copy the cloud assembly to the -> destination environment and execute the project remotely, with shared KMS -> keys, etc. This will dramatically complicate the bootstrapping process/setup -> and doesn’t seem to improve the security or reliability of this process. In -> fact a similar approach is taken by the stock CodePipeline CloudFormation -> actions. +In order to encourage separation of concerns and allow customizability, we will add role information to the assembly manifest. -We can offer two levels of abstraction for the stack deployment action: one that -accepts a stack name and an environment and the other that just accepts a -`core.Stack` (and then, we can derive the stack name and the environment from -it): +For each stack, we will encode additional two IAM roles: -Low-level API: +1. Administrator CloudFormation IAM role which can only be assumed by the CloudFormation service principal +1. Deployment IAM role which can be assumed by any principal from the central account and has permissions to "pass role" on the administrator role. -``` -actionName: string; -assembly: cp.Artifact; // build output -frameworkVersion?: string; // defaults to LATEST -stackName: string; // the name of the stack to deploy -env?: Environment; // defaults to pipeline account/region -``` +This is the recommended setup for cross-account CloudFormation deployments. -Higher-level API: +**Assets** -``` -actionName: string; -assembly: cp.Artifact; // build output -frameworkVersion?: string; // defaults to LATEST -stack: core.Stack; // the stack to deploy +Users can reference "assets" within their CDK app. Assets represent artifacts produced from local files and used by the app at runtime. The CDK currently supports file assets served from Amazon S3 and docker image assets served from Amazon ECR. + +For example, this is a definition of an AWS Lambda function that uses the code from the `my-handler` directory: + +```ts +new lambda.Function(this, 'MyFunction', { + handler: 'index.handler', + runtime: lambda.Runtime.NODEJS_10, + code: lambda.Code.fromAsset('./my-handler') +}); ``` -NOTES: +In order for this to work, this is what needs to happen: + +1. A zip archive needs to be created from the contents of `my-handler`. +2. The file needs to be uploaded to an S3 bucket in the stack’s environment. +3. The `Code` property in the synthesized `AWS::Lambda::Function` resource should point to the S3 URL that will contains this zip file when the stack is deployed. + +A similar set of requirements exist for a Docker image built from a local `Dockerfile`, pushed to an ECR repository in the target environment and referenced in the `Image` property of the `AWS::ECS::TaskDefinition` resource. + +**Asset Identity** + +Assets will be identified throughout the system using a sha256 hash calculated from their source. This is the contents of the asset source directory, Dockerfile or specific file. Using a consistent source hash allows the various tools in the system to avoid duplicated work such as building docker images or transferring large amount of information. + +> **NOTE:** docker builds are technically not deterministic, but this scheme will cause them to be. If the source (Dockerfile or accompanying files) didn’t change, the source hash will stay the same and the asset will not be rebuild/updated. Operationally this is actually a good thing as it will protect against out-of-band updates (we only want commits to cause production updates), but users may rely on this non-deterministic behavior and we need to communicate/enforce somehow. + +**Asset Stores** + +The S3 bucket and ECR repository that are used to serve asset artifacts in each target environment are called the "**asset store**". They will be provisioned and populated **before** stacks which use assets can be deployed to this environment. The process of provisioning deployment resources in an AWS environment is called "**bootstrapping**". It provisions the asset store and various IAM roles with permissions to publish assets and to deploy CloudFormation stacks to the environment. + +In order to minimize the amount of configuration required throughout the deployment pipeline, we decided to double-down on the CDK design tenet that favors early (synthesis-time) binding. In the current implementation, if a CDK stack used asset, CloudFormation parameters are added to templates so that the asset locations were late-bound and resolved by the CLI only after the asset has been published. This approach has two problems: + +1. It resulted in the proliferation of asset parameters (currently 2-3 parameters per asset). +2. It requires the deployment tool to "wire" the asset parameters to the stack during deployment. + +The main issue is #2. Different deployment tools have different ways to configure how parameters are passed to CloudFormation stacks, which makes it difficult to find a general purpose way to convey this information to the deployment stage. Additionally, the publishing and consumption locations must be customizable since different deployment systems may have different ways to publish and replicate assets across environments (for example, a deployment system which needs to be able to deploy to air-gapped regions and requires that all assets are published to a centralized store and then copied to target environments through air gaps). + +The solution is to resolve asset locations **during synthesis** and use naming conventions for bootstrapping resources. This means that asset locations will be concrete values and we can also encode all publishing information to the assembly manifest. It will also allow customizing all publishing behavior from within the CDK app, without the need to supply additional plugin capabilities. + +We will synthesize a file called `assets.json`, which will include preparation and publishing instructions for each asset. + +For file assets: + +* Source file or directory (relative to cloud assembly) +* Packaging format (zip/file) +* Destinations: + * Bucket name + * Object key + * Publishing Role ARN to assume + +For image assets: + +* Source directory (relative to cloud assembly): where Dockerfile resides +* Docker build arguments (optional) +* Dockerfile name (optional) +* Destinations: + * ECR repository name + * Image name + * Publishing Role ARN to assume + +**Customizability** + +Asset consumption and publishing locations should be fully customizable. To that end, the `core.Stack` base class will expose an API that will be used by the asset framework to resolve consumption locations and synthesize `assets.json`. This will allow users to provide their own implementation based on their specific needs. -* The project must run in **privileged** mode in order to support docker - assets. -* The **--exclusively** flag will ensure that “cdk deploy” will only deploy the - specified stack (along with it’s assets). This means that if this stack - depends on other stacks, they must be explicitly deployed before it. -* The **--require-approval=never** flag will not require users to confirm any - posture changes. -* The role will be assumed with an external ID dedicated to the CDK to reduce - the chance for mistakes. +**Asset Source Staging** + +During synthesis, the CDK app will _copy the sources_ of all assets from their original location on disk into the cloud assembly output directory. This allows the cloud assembly to be self-contained and is important for the CI/CD use cases (both internal and external) where the cloud assembly is the only artifact needed after build is complete. + +**Asset Providers** + +Users should be able to vend custom asset providers to allow customizing how assets are being referenced or prepared. + +For example, a company might have an internal system that manages software artifacts. They can internally vend custom implementations for the `lambda.Code` and `ecs.ContainerImage` classes which will allow users to reference these artifacts and synthesize placeholders into the cloud assembly, which will later be resolved during the publishing stage and identified through a user-defined unique identifier. + +**Environment-agnostic Stacks** + +When a stack is defined, users can specify `env` (account and/or region). + +If `account` and/or `region` use the pseudo references `Aws.ACCOUNT_ID` and `Aws.REGION`, respectively, the stack is called "environment-agnostic". Certain features in the CDK, like VPC lookups for example, are not supported for environment-agnostic stacks since the specific account/region is required during synthesis. + +The proposal described in [PR#4131](https://github.com/aws/aws-cdk/pull/4131) suggests that environment-agnostics stacks cannot be deployed using the CDK. However, it also proposes that the default behavior for `env` will be to use ("inherit") the CLI configured environment when a stack is deployed through `cdk deploy`. + +This means that the only way to produce environment-agnostic templates will be to explicitly indicate it when a stack is defined. + +Since the specific account and region are required when resolving asset consumption and publishing locations, the current plan is for the default asset store implementation to **fail if assets are used from environment-agnostic stacks**. Again, bear in mind that the current behavior (where the default is environment-agnostic stacks) is going to be changed. ## Bootstrapping - - TODO: update based on `cdk-boostrap` prototype: - - TODO: IAM role for publishing - - TODO: IAM role for manual deployment (through `cdk deploy` with permissions only for developers as needed). - - TODO: IAM role that allows only CFN to assume it and used for actual deployments +The CDK already has a dedicated tool for bootstrapping environments called **`cdk bootstrap`**. An environment is bootstrapped once, and from that point, it is possible to deploy CDK apps into this environment. + +Environment bootstrapping doesn't have to be performed by the development team, and does not require deep knowledge of the application structure, besides the set of accounts and regions into which the app needs to be deployed. + +The current implementation only provisions an S3 bucket, but in order to be able to continuously deploy CDK stacks that use asses, we will need the following resources: + +For publishing: + +* **S3 Bucket**: for file asset and CloudFormation templates +* **ECR Repository**: for docker image assets +* **Publishing Role**: IAM role trusted by the deployment account, and allows publishing to the S3 bucket and the ECR repository. + +For deployment: + +* **CloudFormation Role**: IAM role which allows the CloudFormation service principal to deploy stacks into the environment (this role usually has administrative privileges). +* **Deployment Role**: IAM role which allows anyone from the deployment account to create, update and describe CloudFormation change sets and s"pass" the CloudFormation role (`iam:PassRole`). -Based on this model, in order to be able to deploy CDK stacks to an environment -we need two resources: +To accommodate these requirements we will make the following changes to how `cdk bootstrap` works: -1. **Assets bucket**, which is needed by the CLI in order to upload - CloudFormation templates and assets to S3. -2. **Deployment IAM role**, which is needed by the deployment action in order to - deploy to this account. The deployment role needs to trust the central - account assume-role permissions. +1. Extend the bootstrap stack to include these resources. +2. Use explicit convention-based physical names for all resources. +3. Allow specifying a list of *trusted accounts* from which the CloudFormation service principal can deploy to this account. +4. Allow specifying a list of accounts from which principals can deploy to this account from the CLI. +5. Allow specifying the managed policy to use for the deployment role (mostly it will be the administrator managed policy). +6. Allow specifying an optional qualifier for the physical names of all resources to address bucket hijacking concerns and allow multiple bootstraps to the same environment for whatever reason. -To CDK CLI currently has a `bootstrap` command which provisions the assets -bucket described above. We will extend it to include a deployment role with an -option to specify a set of trusted AWS account IDs which will be permitted to -deploy to this environment: +**Resource Names** + +We need to be able to synthesize asset locations into the templates for consumption and publishing. We also need to be able to assume a role in order to be able to publish to the environment. + +This means that we cannot rely on CloudFormation physical name generation since it requires accessing the account in order to resolve these names. + +We will employ a naming convention which encodes `account`, `region` and an optional `qualifier` (such as `cdk-account-region[-qualifier]-xxxx`). This is because not all AWS resource names are environment-local: IAM roles are account-wide and S3 buckets are global. + +It is important that we do not rely on hashing or parsing account and region in order to be able to support environment-agnostic stacks (in which case "account" resolves to `{ "Ref": "AWS::AccountId" }`, etc. + +In order to address the risk of S3 bucket hijacking, we need to be ale to support an optional `qualifier` postfix. This means that we need to allow users to specify this qualifier when they define the Stack's `env`. Perhaps we need to encode this into `aws://account/region[/qualifier]` + +> **Alternative considered**: one way to implement environment-specific name-spacing would have been to export the bootstrapping resources through a CloudFormation Export and then reference them using Fn::ImportValue. This would have worked for templates, but means that we would need a way to resolve import values during publishing as well (and as a result also Fn::Join, etc). + +**User Interface** + +This is the proposed API for `cdk-bootstrap`: ``` -$ cdk bootstrap aws://account/region --trust-account ACCOUNT_ID +$ cdk bootstrap --profile XXX [--yes] aws://account/region --trust-account ACCOUNT_ID WARNING: any principal from will have administrative access to the account . Please confirm (Y/N): ``` -An appropriate error should be displayed to the user if they try to deploy to a -non-bootstrapped environment. +We should consider allowing users to specify a profile map that will allow bootstrapping multiple environments at the same time, but this can easily be achieved through a shell script: + +```bash +#!/bin/sh +cdk bootstrap --yes --profile prod-us aws://111111111111/us-east-1 --trust-account $PIPELINE_ACCOUNT +cdk bootstrap --yes --profile prod-eu aws://222222222222/eu-west-2 --trust-account $PIPELINE_ACCOUNT +``` + +## Mutation + +Deployment of complex cloud application often involves a business-specific process which includes rolling out the app throughout multiple deployment phases and environments. This means that there is strong coupling between the structure of the application and the structure of its deployment pipeline. To enable users to represent this relationship naturally in their code, the CDK should support defining the app's deployment infrastructure as part of the CDK app. + +Therefore, we recommend that all resources needed for the deployment pipeline are defined as part of the CDK app itself in one or more stacks. After synthesis, the cloud assembly will include a set of CloudFormation templates for the pipeline stack(s). + +We can't begin to deploy an app before we provision and update the required the deployment resources based on the structure of the app. This is the purpose of the "**mutation**" stage. + +The initial creation of the pipeline will be performed manually using `cdk deploy pipeline-main` (where `pipeline-main` is name of the main pipeline stack), but from that point forward, any changes to the pipeline will be done by pushing a commit into the repo, and letting the pipeline pick it up. + +For example, if we use CodePipeline for deploying an app to multiple environments,the deployment infrastructure will consist of a central pipeline stack, which contains the pipeline itself, it's artifacts bucket and other related resources such as CodeBuild projects. It will also require a stack in each region that includes a CodePipeline regional replication bucket (and key). + +In CodePipeline, we will implement this stage using a CodeBuild action which runs `cdk deploy "pipeline-*"`. This will deploy all stacks that begin with the `pipeline-` prefix. These stacks can be deployed to any bootstrapped environment since `cdk deploy` can assume the deployment role. + + +## Publishing + +**cdk-publish** is responsible for _preparing_ and _publishing_ application assets to "**asset stores**" in AWS environments so they can be consumed by stacks deployed to these environments. + +```shell +cdk-publish cdk.out [ASSET-ID,ASSET-ID,...] +``` + +The input is the *cloud assembly* (`cdk.out`), which includes an asset manifest `assets.json`: -## Sample Walkthrough +The manifest is synthesized by the app and, for each asset (identified by their source hash) includes the `source` information (within the cloud assembly) and as set of `destinations` with a list of locations into which the asset should be published. The idea is that this manifest is all the information the publish needs. -Given these two primitives (a **stack deployment CodePipeline action** and a -**bootstrap deployment IAM role**), we are able to support all requirements in -this doc. +A list of asset IDs (source hashes) can also be included in order to only publish a subset of the assets. This can be used to implement concurrent publishing of assets (e.g. through CodePipeline). -Lets walk through the following scenario: +Then, for each asset, cdk-publish will perform the following operation: -1. Repository hosted on GitHub. -2. Separate AWS account for the pipeline. -3. App includes a VPC stack and a service stack -4. Initially deploy into a single geography (account/region) -5. Extend to another geography +1. Assume the **publishing IAM role** in the target environment. +2. Check if the asset is already published to this location. Assets are identified by their source hash. If it is, skip. +3. If the asset doesn’t exists locally (e.g. docker image already exists, zip file already exists in local cache), prepare (docker build, zip directory). +4. Publish the asset to the target location. -### Initialize the pipeline +In order for the publish to be able to execute `docker build`, this command must be executed in an environment that has docker available (in CodeBuild this means the project must be "privileged"). -1. Create an AWS account for the pipeline (we will refer to it as `ACNT-PIPE`) -2. Bootstrap the pipeline environments: +**Templates as Assets** - cdk bootstrap aws://ACNT-PIPE/us-east-1 +Some deployment systems (e.g. the CDK CLI) require that CloudFormation templates will be uploaded an S3 location before they can be deployed (this is done automatically in CodePipeline). Due to S3 eventual consistency, these files must be immutable, so we need to upload a new template file every time the template changes. -3. Create a new git repository for the app (e.g. on GitHub). -4. Initialize a new CDK app: `cdk init` -5. Define a **"pipeline"** stack ([example](https://github.com/eladb/cdkcd-test/blob/master/lib/pipeline.ts)) - which includes a source, build and self-updating pipeline stage. -6. Commit this code and push to GitHub -7. Execute `cdk deploy pipeline` to deploy this pipeline. -8. From this point forward, no need to use `cdk deploy` anymore. +To that end, we will treat all CloudFormation templates in the assembly like any other asset. They will be identified by their source hash (the hash of the template) and uploaded to the asset store in the environment in which they are expected to be deployed, like any other file asset. -### North America deployment +## Deployment -1. Create an AWS account for the service in North America (`ACNT-NA`) +At this point, all assets are published to asset stores in their target environments, so we can simply use standard CloudFormation deployment tools to deploy templates from the cloud assembly. Any references to assets were already resolved during synthesis. -2. Bootstrap this account and trust the pipeline account: +To deploy a stack to an environment, the deployment will need to: - cdk bootstrap aws://ACNT-NA/us-west-2 --trust ACNT-PIPE +1. Assume the **Deployment IAM Role** from the target environment. +2. Create a CloudFormation change-set for the stack. +3. Execute the change-set by requesting CloudFormation to assume the administrative **CloudFormation IAM +Role**. + +## Walkthrough + +In this section we will walk through the process of deploying a complex CDK app and how each one of the components in the toolchain is used within the workflow. + +### Bootstrapping + +We go to our ops team and ask them to prepare three AWS accounts for our application: + +1. `111111111DEP`: Deployment account +2. `2222222222US`: US account +3. `3333333333EU`: EU account + +The ops team will also bootstrap our environments: + +```shell +$ cdk bootstrap aws://111111111DEP/us-west-2 +$ cdk bootstrap aws://2222222222US/us-east-1 --trust-account 111111111DEP +$ cdk bootstrap aws://3333333333EU/eu-west-2 --trust-account 111111111DEP +``` -3. Let’s say our service is organized into two stacks: `VpcStack` and - `ServiceStack`. +> NOTE: each bootstrap command will be executed with the appropriate AWS credentials configured. -4. Add the following code to the pipeline: +The bootstrapping process will create the following resources: + +* 111111111DEP/us-west-2: + * `aws-cdk-files-111111111DEP-us-west-2`: S3 bucket + * `aws-cdk-images-111111111DEP-us-west-2`: ECR repository + * `aws-cdk-publish-111111111DEP-us-west-2`: IAM role for publishing (assumable by 111111111DEP), permissions to read/write from the S3/ECR + * `aws-cdk-deploy-111111111DEP-us-west-2`: IAM role for deployment (assumable by 111111111DEP), with pass-role to the CloudFormation role + * `aws-cdk-admin-111111111DEP-us-west-2`: IAM role for CloudFormation (assumable by the CloudFormation service principal) +* 2222222222US/us-east-1: + * `aws-cdk-files-2222222222EU-us-east-1`: S3 bucket + * `aws-cdk-images-2222222222EU-us-east-1`: ECR repository + * `aws-cdk-publish-2222222222EU-us-east-1`: IAM role for publishing (assumable by 111111111DEP), permissions to read/write from the S3/ECR + * `aws-cdk-deploy-2222222222EU-us-east-1`: IAM role for deployment (assumable by 111111111DEP), with pass-role to the CloudFormation role + * `aws-cdk-admin-2222222222EU-us-east-1`: IAM role for CloudFormation (assumable by the CloudFormation service principal) +* 3333333333EU/eu-west-2: + * `aws-cdk-files-3333333333EU-eu-west-2`: S3 bucket + * `aws-cdk-images-3333333333EU-eu-west-2`: ECR repository + * `aws-cdk-publish-3333333333EU-eu-west-2`: IAM role for publishing (assumable by 111111111DEP), permissions to read/write from the S3/ECR + * `aws-cdk-deploy-3333333333EU-eu-west-2`: IAM role for deployment (assumable by 111111111DEP), with pass-role to the CloudFormation role + * `aws-cdk-admin-3333333333EU-eu-west-2`: IAM role for CloudFormation (assumable by the CloudFormation service principal) + +Notice that all bootstrapping resources have conventional physical names so asset locations can be resolved during synthesis without needing to access the accounts. + +### Source + +This section describes the sample app we will use for our walkthrough in order to demonstrate how the various pieces work together. + +Our app needs to be deployed to two geographies: US (in us-east-1) and EU (in eu-west-2). + +In each geography, we will split our app into two stacks: one that includes the VPC resources (`vpc-us` and `vpc-eu`) and the other that includes the service resources (`service-us` and `service-eu`). This is just an example of course, apps should be able to define any layout they desire. + +The service stack will use two assets: one docker image created from a Dockerfile in our project and one zip file created from a directory. + +Deployment resources (pipeline, buckets, etc) will be defined in a separate set of stacks (`pipeline-main`, `pipeline-us-east-1` and `pipeline-eu-west-2`). The pipeline has the following stages: + +1. Source: monitors a git repository and kicks off the pipeline. +2. Build: a CodeBuild action which compiles the app and invokes `cdk synth`. The output artifact is `cdk.out`. +3. Mutate: a CodeBuild action which runs `cdk deploy pipeline-*` to update all pipeline stacks +4. Publish: includes a CodeBuild action for each asset (2 in our case) which runs `cdk-publish ASSET_ID` +5. VPC Deployment Stage: includes two cross-environment CloudFormation deployment actions for deploying the VPC stack to US and EU +6. Service Deployment Stage: includes two cross-environment CloudFormation deployment actions for deploying the service stack to US and EU + +NOTES: + +* The "Build" stage is defined by the user and expected to always have `cdk.out` as the output artifact (by convention). +* The "Mutate" and "Publish" stage will be provided as ready-made building blocks +* The order and structure of the "Deployment" stages are just an example. Users may choose the orchestration they need. +* The AWS CodePipeline module in the CDK will automatically define all auxiliary stacks required for the pipeline based on the actual structure (`pipeline-REGION`). + +### Synthesis + +After the app is compiled, `cdk synth` will produce a `cdk.out` directory (cloud assembly) which includes the following files: + +1. `manifest.json` +2. `assets.json` +3. `pipeline-main.template.json`: the pipeline itself and auxiliary resources +4. `pipeline-us-east-1.template.json`: pipeline replication resources needed for US deployment +5. `pipeline-eu-west-2.template.json`: pipeline replication resources needed for EU deployment +6. `vpc-us.template.json`: VPC stack for the US deployment +7. `vpc-eu.template.json`: VPC stack for the EU deployment +8. `service-us.template.json`: service stack for the US deployment +9. `service-eu.template.json`: service stack for the EU deployment + +The `manifest.json` file will include an entry for each stack defined above (like today), but each stack will also include the IAM roles to assume if you wish to deploy this stack: + +```json +{ + "version": "0.36.0", + "artifacts": { + "vpc-us": { + "type": "aws:cloudformation:stack", + "environment": "aws://2222222222US/us-east-1", + "properties": { + "templateFile": "vpc-us.template.json", + "deployRoleArn": "aws-cdk-deploy-2222222222EU-us-east-1", + "adminRoleArn": "aws-cdk-admin-2222222222EU-us-east-1" + } + }, + "service-us": { + "type": "aws:cloudformation:stack", + "environment": "aws://2222222222US/us-east-1", + "properties": { + "templateFile": "service-us.template.json", + "deployRoleArn": "aws-cdk-deploy-2222222222EU-us-east-1", + "adminRoleArn": "aws-cdk-admin-2222222222EU-us-east-1" + } + }, + "vpc-eu": { + "type": "aws:cloudformation:stack", + "environment": "aws://3333333333EU/eu-west-2", + "properties": { + "templateFile": "vpc-eu.template.json", + "deployRoleArn": "aws-cdk-deploy-3333333333EU-eu-west-2", + "adminRoleArn": "aws-cdk-admin-3333333333EU-eu-west-2" + } + }, + "service-eu": { + "type": "aws:cloudformation:stack", + "environment": "aws://3333333333EU/eu-west-2", + "properties": { + "templateFile": "service-eu.template.json", + "deployRoleArn": "aws-cdk-deploy-3333333333EU-eu-west-2", + "adminRoleArn": "aws-cdk-admin-3333333333EU-eu-west-2" + } + }, + "pipeline-main": { + "type": "aws:cloudformation:stack", + "environment": "aws://111111111DEP/us-west-2", + "properties": { + "templateFile": "pipeline-main.template.json", + "deployRoleArn": "aws-cdk-deploy-111111111DEP-us-west-2", + "adminRoleArn": "aws-cdk-admin-111111111DEP-us-west-2" + } + }, + "pipeline-us-east-1": { + "type": "aws:cloudformation:stack", + "environment": "aws://111111111DEP/us-east-1", + "properties": { + "templateFile": "pipeline-main.template.json", + "deployRoleArn": "aws-cdk-deploy-111111111DEP-us-east-1", + "adminRoleArn": "aws-cdk-admin-111111111DEP-us-east-1" + } + }, + "pipeline-eu-west-2": { + "type": "aws:cloudformation:stack", + "environment": "aws://111111111DEP/eu-west-2", + "properties": { + "templateFile": "pipeline-main.template.json", + "deployRoleArn": "aws-cdk-deploy-111111111DEP-eu-west-2", + "adminRoleArn": "aws-cdk-admin-111111111DEP-eu-west-2" + } + } + } +} +``` - ```ts - pipeline.addStage({ - stageName: 'deploy-VPC', - actions: [ - new DeployStackAction(this, `deploy-NA-VPC`, { - stack: new VpcStack(this, 'na-vpc', { env: NA_ENV }), - assembly: assembly +The `assets.json` file will look like this: + +```json +{ + "version": "assets-1.0", + "images": { + "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a": { + "source": { + "packaging": "docker", + "sourceHash": "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a", + "sourcePath": "my-image", + "dockerfile": "CustomDockerFile" + }, + "destinations": [ + { + "repositoryName": "aws-cdk-images-2222222222US-us-east-1", + "imageName": "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a", + "assumeRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-publish-2222222222US-us-east-1" + }, + { + "repositoryName": "aws-cdk-images-3333333333EU-eu-west-2", + "imageName": "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a", + "assumeRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2" } ] - }); - - pipeline.addStage({ - stageName: 'deploy-SVC', - actions: [ - new DeployStackAction(this, `deploy-NA-SVC`, { - stack: new ServiceStack(this, 'na-svc', { env: NA_ENV }), - assembly: assembly + } + }, + "files": { + "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57": { + "source": { + "packaging": "zip", + "sourceHash": "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57", + "sourcePath": "asset.a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57" + }, + "destinations": [ + { + "bucketName": "aws-cdk-files-2222222222US-us-east-1", + "objectKey": "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57", + "assumeRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-publish-2222222222US-us-east-1" + }, + { + "bucketName": "aws-cdk-files-3333333333EU-us-west-2", + "objectKey": "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57", + "assumeRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2" } ] - }); - ``` + } + } +} +``` -6. **UGLY**?: Obtain credentials for the new account and `cdk synth` or `cdk ls` - in order to update `cdk.context.json` with the AZ information from that - account/region. -7. Commit + push. That’s it, this will automatically be picked up by our - pipeline. First the pipeline itself will be updated and then the two new - stages will be added and the stacks deployed. +It lists the two assets (one file asset and one image asset) and, for each, it lists the publishing locations which include repository, key and publishing IAM role to assume. -### Adding Europe +### Mutation -Now let's say we want to also deploy another geography for our app (in parallel -to the NA deployment, as an example). +The first stage in our pipeline is the mutation stage. This stage will include a single CodeBuild action that will simply execute: -1. Create & bootstrap another account (`ACNT-EU`) (with `--trust ACNT-PIPE`). +```console +$ cdk deploy pipeline-* +``` -2. Update the pipeline stack to look like this: +This will update all the stacks with names that begin with "pipeline-". Namely, it includes the pipeline stack itself, and the auxiliary stacks that include the pipeline's regional replication buckets. Since we are using `cdk deploy` here, we can technically deploy any stack to any environment in this stage because `cdk deploy` can assume the deployment role in any of the environments which trust the deployment account. -```ts -pipeline.addStage({ - stageName: 'deploy-VPC', - actions: [ - new DeployStackAction(this, `deploy-NA-VPC`, { - stack: new VpcStack(this, 'na-vpc', { env: NA_ENV }), - assembly: assembly - }, - new DeployStackAction(this, `deploy-EU-VPC`, { - stack: new VpcStack(this, 'eu-vpc', { env: EU_ENV }), - assembly: assembly - }, - ] -}); +Notice that this stage happens **before** the publish stage. This is because the structure of the publish stage is dependent on which assets the app uses (we synthesize an action per asset for maximal parallelism), so we want to make sure the pipeline will be updated before publishing. -pipeline.addStage({ - stageName: 'deploy-SVC', - actions: [ - new DeployStackAction(this, `deploy-NA-SVC`, { - stack: new ServiceStack(this, 'na-svc', { env: NA_ENV }), - assembly: assembly - }, - new DeployStackAction(this, `deploy-EU-SVC`, { - stack: new ServiceStack(this, 'eu-svc', { env: EU_ENV }), - assembly: assembly - } - ] -}); +> NOTE: if there is a constraint that does not allow the pipeline to be updated before publishing, it simply means that we have to publish all assets from a single action (`cdk-publish *`). + +In our example, there are 3 pipeline stacks: + +1. `pipeline-main`: contains the pipeline resource, the main artifacts bucket and other related resources +2. `pipeline-us-east-1`: contains the pipeline replication bucket and key for us-east-1 +3. `pipeline-eu-west-2`: contains the pipeline replication bucket and key for eu-west-2 + +Once we deploy these stacks, our pipeline will be ready to deploy the rest of our app. + +### Publishing + +The next stage in the process is the publishing stage. + +In our example, this stage will consist of two CodeBuild actions that will run the following commands concurrently. These command will prepare & upload the asset to all the environments. It will consult `assets.json` to determine the exact location into which to publish each asset and which cross-account role to assume. + +The first action will run this command: + +```shell +cdk-publish cdk.out d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a ``` -5. `cdk synth` to update `cdk.context.json` with the new AZ context. +This will build the docker image from `cdk.out/my-image` using `CustomDockerFile` as a dockerfile. Then, it will assume the roles in the destinations specified in `assets.json` and push the image to the specified ECR locations. + +The second action will run this command: + +```shell +cdk-publish cdk.out a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 +``` + +This will create a zip archive from the files under `asset.a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57`, and then will assume the roles and upload the file to the destination S3 locations. + +### Deployment + +Once publishing is complete, we can commence deployment. Deployment can happen at any desired order and use the standard CloudFormation deployment actions. + +Each action will be responsible to deploy a single stack to a specific environment. The input artifact will be the cloud assembly, and the template file name will be the template -6. Commit + push +In our example, we decided to first deploy the VPC stack to all geographies and then deploy the service stack, so we will have two deployment stages, each one with two CloudFormation deployment actions. -## Open Issues +All actions will use `cdk.out` as their input artifact, with the specified template name, account, region, deploy and CloudFormation IAM roles. -- [ ] __SECURITY ISSUE__: since the deployment action needs to run `docker build`, it requires both privileged mode on the machine _and_ can execute arbitrary user-code, so we are essentially losing our ability to really control the deployment environment. -- [ ] Users are concerned with costs of the deployment actions in their pipeline. CloudFormation actions are free. -- [ ] How to handle removal of stacks -- [ ] Define a workflow and a special verb for updating **cdk.context.json** - (currently, users need to simply run `cdk ls` or `cdk synth` from their dev - machine with credentials to access each environment. It’s not super nice. -- [ ] Integration with AWS Organization -- [ ] Extensability model for `cdk boostrap` to allow teams to customize this behavior. +CodePipeline will use the regional replication buckets to transfer cdk.out to the destination regions and then assume the deployment role that will invoke the CloudFormation API, passing it the CloudFormation role. +That's it basically. From 223985900b89c867bcffda81b524e9edc505d5f5 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Thu, 26 Sep 2019 11:27:15 +0300 Subject: [PATCH 05/17] cdk-assets Initial spec for cdk-assets --- design/cdk-assets.md | 244 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 244 insertions(+) create mode 100644 design/cdk-assets.md diff --git a/design/cdk-assets.md b/design/cdk-assets.md new file mode 100644 index 0000000000000..4069c74dbedac --- /dev/null +++ b/design/cdk-assets.md @@ -0,0 +1,244 @@ +# cdk-assets + +`cdk-assets` is a tool in the AWS CDK toolchain responsible to package and publish assets as part of the deployment process of CDK applications. + +This document specifies the requirements for this tool derived from the [continuous delivery design document](design/continuous-delivery.md). + +## Asset Manifest + +The main input to `cdk-assets` is a JSON file called `assets.json` which includes a manifest of assets. + +The manifest lists all assets and for each asset it describes the asset **source** (with instructions on how to package the asset if needed) and a list of **destinations**, which are locations into which this asset needs to be published. + +The main components of the assets manifest are: + +* **Types:** there are currently two supported types: files and docker images. Files are uploaded to an Amazon S3 bucket and docker images are pushed to an Amazon ECR repository. + +* **Identifiers:** assets are identified throughout the system via a unique identifier (the key in the `files` and `images` map). This identifier is based on the sha256 of the source (the contents of the file or directory) and will change only if the source changes. It can be used for local caching and optimization purposes. For example, a zip of a directory can be stored in a local cache by this identifier to avoid duplicate work. + +* **Sources:** the `source` information for each asset defines the file or directory (relative to the directory of `assets.json`), and additional **packaging** instructions, such as whether to create a zip file from a directory (for file assets) or which options to pass to `docker build`. + +* **Destinations:** describe where the asset should be published. At a minimum, for file assets, it includes the S3 bucket and object key and for docker images it includes the repository and image names. A destination may also indicate that an IAM role must be assumed in order to support cross environment publishing. + + > Destinations are intentionally denormalized in order to keep the logic of where assets are published at the application or framework level and not in this tool. For example, consider a deployment system which requires that all assets are always published to the same location, and then replicated through some other means to their actual consumption point. Alternatively, a user may have unique security requirements that will require certain assets to be stored in dedicated locations (e.g. with a specific key) and others in a different location, even if they all go to the same environment. Therefore, this tool should not take any assumptions on where assets should be published besides the exact instructions in this file. + +Here is the complete manifest file schema in typescript: + +```ts +interface AssetManifest { + readonly version: 'assets-1.0'; + readonly files?: { [id: string]: FileAsset }; + readonly images?: { [id: string]: ImageAsset }; +} + +interface FileAsset { + readonly source: FileAssetSource; + readonly destinations: FileAssetDestination[]; +} + +interface ImageAsset { + readonly source: ImageAssetSource; + readonly destinations: ImageAssetDestination[]; +} + +interface FileAssetSource { + readonly file: string; // file or directory name, relative to basedir + readonly packaging?: FileAssetPackaging; // packaging (default "FILE") +} + +enum FileAssetPackaging { + FILE = 'file', // just upload "file" as-is + ZIP_DIRECTORY = 'zip' // zip the directory and then upload +} + +interface FileAssetDestination { + readonly assumeRoleArn?: string; // iam role to assume + readonly assumeRoleExternalId?: string; // external id to pass to assume-role + readonly bucketName: string; + readonly objectKey: string; +} + +interface ImageAssetSource { + readonly directory: string; // docker build context directory + readonly dockerBuildArgs?: { [arg: string]: string }; // optional args to "docker build" + readonly dockerBuildTarget?: string; // docker build --target to use + readonly dockerFile?: string; // custom name for Dockerfile +} + +interface ImageAssetDestination { + readonly assumeRoleArn: string; // iam role to assume + readonly assumeRoleExternalId?: string; // external id to pass to assume-role + readonly repositoryName: string; // ECR repository name + readonly imageName: string; // image tag to use +} +``` + +Example of `assets.json` with two assets: a docker image and a file asset. Both assets are published to two destinations (S3/ECR). + +```json +{ + "version": "assets-1.0", + "images": { + "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a": { + "source": { + "packaging": "docker", + "directory": "my-image", + "dockerFile": "CustomDockerFile", + "dockerBuildArgs": { "label": "prod" }, + "dockerBuildTarget": "my-target" + }, + "destinations": [ + { + "repositoryName": "aws-cdk-images-2222222222US-us-east-1", + "imageName": "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a", + "assumeRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-publish-2222222222US-us-east-1" + }, + { + "repositoryName": "aws-cdk-images-3333333333EU-eu-west-2", + "imageName": "d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a", + "assumeRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2" + } + ] + } + }, + "files": { + "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57": { + "source": { + "packaging": "zip", + "file": "myzipdirectory" + }, + "destinations": [ + { + "bucketName": "aws-cdk-files-2222222222US-us-east-1", + "objectKey": "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57.zip" + }, + { + "bucketName": "aws-cdk-files-3333333333EU-us-west-2", + "objectKey": "a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57.zip", + "assumeRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2" + } + ] + } + } +} +``` + +## API + +`cdk-assets` is designed as a stand-alone command line program and a library, so it can be integrated into other tools such as the CDK CLI or executed individually as a step in a CI/CD pipeline. + +### `publish` + +```shell +cdk-assets publish DIR [ASSET-ID,ASSET-ID...] +``` + +Packages and publishes assets to all destinations. + +* `DIR` is the directory from where to read `assets.json`, and which is used as the base directory for all file/directory references. +* `ASSET-ID,...`: additional arguments represent asset identifiers to publish (default is to publish all assets). This can be used to implement concurrent publishing of assets (e.g. through CodePipeline). + +The `publish` command will do the following: + +For each asset and for each destination (pseudo code): + +``` +for each asset in manifest: + for each destination: + assume destination iam role (if defined) + if asset already published to destination: continue + if asset requires packaging and not cached locally (by id): + package asset (docker build/zip directory) + cache asset locally (to avoid duplicate builds) + publish to destination (upload/push) +``` + +Example (`cdk.out/assets.json` as above): + +```shell +$ cdk-assets publish cdk.out +asset d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +assume arn:aws:iam::2222222222US:role/aws-cdk-publish-2222222222US-us-east-1 +notfound aws-cdk-images-2222222222US-us-east-1:d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +nocache d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +package docker build --target=my-target --label=prod -f CustomDockerFile ./myimage +push aws-cdk-images-2222222222US-us-east-1:d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +assume arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2 +found aws-cdk-images-3333333333EU-eu-west-2:d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +done d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +-------------------------------------------------------------------------- +asset a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 +found s3://aws-cdk-files-2222222222US-us-east-1/a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57.zip +assume arn:aws:iam::3333333333EU:role/aws-cdk-publish-3333333333EU-eu-west-2 +notfound s3://aws-cdk-files-3333333333EU-us-west-2/a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57.zip +cached zip ./myzipdirectory +upload s3://aws-cdk-files-3333333333EU-us-west-2/a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57.zip +done a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 +-------------------------------------------------------------------------- +``` + +The log above describes the following: + +The first asset to process is the docker image with id `d31ca1a...`. We first assume the role is the 2222US environment and check if the image exists in this ECR repository. Since it doesn't exist (`notfound`), we check if it exists in the local cache under the tag `d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a`. It doesn't so we build the docker image (`package`) and then push it. Then we assume the role from the 33333EU environment and find that the image is already in that ECR repository, so we just finish. + +The second asset is the file asset with id `a0bae...`. The first environment doesn't specify a role, so we just check if the file exists in the S3 bucket. It is, so we move to the next destination. We assume the role and check if the asset is in the s3 location. It is not (`notfound`), so we need to package and upload it. Before we package we check if it's cached locally and find that it is (`cached`), so no need to zip again, just `upload`. + +### `ls` + +```shell +cdk-assets ls DIR +``` + +Prints a list of asset identifiers and their type. + +Example: + +```shell +$ cdk-assets ls cdk.out +d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a image +a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 file +``` + +### Programmatic API + +The tool should expose a programmatic (library) API, so it can be integrated with other tools such as the AWS CLI and IDEs. The library should be jsii-compliant and released to all languages supported by the AWS CDK. + +Since the publishing process is highly asynchronous, the API should include the ability to subscribe to progress events in order to allow implementation of a rich user interface. + +Proposed API: + +```ts +class Assets { + constructor(dir: string); + readonly manifest: AssetManifest; + + // starts publishing a single asset + publish(assetid: string, progress?: Progress): Progress; +} + +interface ProgressEvent { + readonly assetid: string; + readonly progress: number; // percentage + readonly type: string; + readonly info: string; +} + +class Progress { + onStart(assetid: string): void; + onEvent(evt: ProgressEvent): void; + onComplete(assetid: string): void; +} + +class Publish { + abort(): void; + readonly events: ProgressEvent[]; + readonly progress: number; // percentage + readonly complete: boolean; +} +``` + +## Non-Functional Requirements + +* **test coverage**: codebase must have full unit test coverage and a set of integration tests that can be executed within a pipeline environment. +* **minimal dependencies**: the tool should take the minimum amount of 3rd party dependencies in order to reduce attack surface and to simplify bundling for jsii. +* **jsii**: the API must be jsii-complient, so it can be used programmatically from all supported languages. This means that all non-jsii dependencies must be bundled into the module. From 0d8a55543a1fc3a06db58f91ef3106fcb226d688 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Thu, 26 Sep 2019 11:29:47 +0300 Subject: [PATCH 06/17] rename cdk-publish to cdk-assets --- design/continuous-delivery.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index c9a2e90b5cbd6..9a90caa958c68 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -62,9 +62,9 @@ bootstrap => source => build => synthesis => mutate => publish => deploy 1. **bootstrap**: manually pre-provision resources required to deploy CDK apps into this environment (such as an S3 bucket, ECR repository and various IAM roles that trust the central deployment account). 2. **source**: the code is pulled from a source repository (e.g. CodeCommit, GitHub or S3), like any other app. 3. **build**: compiles the CDK app code into an executable program (user-defined). -4. **synthesis**: invokes the compiled executable to produce a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md) from the app. It includes a CloudFormation template for each stack and asset sources (docker images, s3 files, etc) that must be prepared and published to the asset store in each environment that consumes them. +4. **synthesis**: invokes the compiled executable to produce a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md) from the app. It includes a CloudFormation template for each stack and asset sources (docker images, s3 files, etc) that must be packaged and published to the asset store in each environment that consumes them. 5. **mutate**: update stack(s) required by the pipeline. This includes pipeline resources and other auxiliary resources such as regional replication buckets. These stacks are limited to 50KiB and are not allowed to use assets, so they can be deployed without bootstrapping resources. -6. **publish**: prepare and publish all assets to asset stores (S3 bucket, ECR repository) so they can be consumed. +6. **publish**: package and publish all assets to asset stores (S3 bucket, ECR repository) so they can be consumed. 7. **deploy**: stage(s), stacks are deployed to the various environments through some orchestration process (e.g. deploy first to this region, run these canaries, wait for errors, continue to the next stage, etc). NOTE: The deployment phase can include any number of stack deployment actions. Each deployment action is responsible deploy a single stack, along with any assets it references. @@ -174,7 +174,7 @@ During synthesis, the CDK app will _copy the sources_ of all assets from their o **Asset Providers** -Users should be able to vend custom asset providers to allow customizing how assets are being referenced or prepared. +Users should be able to vend custom asset providers to allow customizing how assets are being referenced or packaged. For example, a company might have an internal system that manages software artifacts. They can internally vend custom implementations for the `lambda.Code` and `ecs.ContainerImage` classes which will allow users to reference these artifacts and synthesize placeholders into the cloud assembly, which will later be resolved during the publishing stage and identified through a user-defined unique identifier. @@ -267,10 +267,10 @@ In CodePipeline, we will implement this stage using a CodeBuild action which run ## Publishing -**cdk-publish** is responsible for _preparing_ and _publishing_ application assets to "**asset stores**" in AWS environments so they can be consumed by stacks deployed to these environments. +The [**cdk-assets**](design/cdk-assets.md) tool is responsible for _packaging_ and _publishing_ application assets to "**asset stores**" in AWS environments so they can be consumed by stacks deployed to these environments. ```shell -cdk-publish cdk.out [ASSET-ID,ASSET-ID,...] +cdk-assets publish cdk.out [ASSET-ID,ASSET-ID,...] ``` The input is the *cloud assembly* (`cdk.out`), which includes an asset manifest `assets.json`: @@ -279,11 +279,11 @@ The manifest is synthesized by the app and, for each asset (identified by their A list of asset IDs (source hashes) can also be included in order to only publish a subset of the assets. This can be used to implement concurrent publishing of assets (e.g. through CodePipeline). -Then, for each asset, cdk-publish will perform the following operation: +Then, for each asset, cdk-assets will perform the following operation: 1. Assume the **publishing IAM role** in the target environment. 2. Check if the asset is already published to this location. Assets are identified by their source hash. If it is, skip. -3. If the asset doesn’t exists locally (e.g. docker image already exists, zip file already exists in local cache), prepare (docker build, zip directory). +3. If the asset doesn’t exists locally (e.g. docker image already exists, zip file already exists in local cache), package (docker build, zip directory). 4. Publish the asset to the target location. In order for the publish to be able to execute `docker build`, this command must be executed in an environment that has docker available (in CodeBuild this means the project must be "privileged"). @@ -528,7 +528,7 @@ This will update all the stacks with names that begin with "pipeline-". Namely, Notice that this stage happens **before** the publish stage. This is because the structure of the publish stage is dependent on which assets the app uses (we synthesize an action per asset for maximal parallelism), so we want to make sure the pipeline will be updated before publishing. -> NOTE: if there is a constraint that does not allow the pipeline to be updated before publishing, it simply means that we have to publish all assets from a single action (`cdk-publish *`). +> NOTE: if there is a constraint that does not allow the pipeline to be updated before publishing, it simply means that we have to publish all assets from a single action (`cdk-assets publish cdk.out`). In our example, there are 3 pipeline stacks: @@ -542,12 +542,12 @@ Once we deploy these stacks, our pipeline will be ready to deploy the rest of ou The next stage in the process is the publishing stage. -In our example, this stage will consist of two CodeBuild actions that will run the following commands concurrently. These command will prepare & upload the asset to all the environments. It will consult `assets.json` to determine the exact location into which to publish each asset and which cross-account role to assume. +In our example, this stage will consist of two CodeBuild actions that will run the following commands concurrently. These command will package & upload the asset to all the environments. It will consult `assets.json` to determine the exact location into which to publish each asset and which cross-account role to assume. The first action will run this command: ```shell -cdk-publish cdk.out d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a +cdk-assets publish cdk.out d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a ``` This will build the docker image from `cdk.out/my-image` using `CustomDockerFile` as a dockerfile. Then, it will assume the roles in the destinations specified in `assets.json` and push the image to the specified ECR locations. @@ -555,7 +555,7 @@ This will build the docker image from `cdk.out/my-image` using `CustomDockerFile The second action will run this command: ```shell -cdk-publish cdk.out a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 +cdk-assets publish cdk.out a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 ``` This will create a zip archive from the files under `asset.a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57`, and then will assume the roles and upload the file to the destination S3 locations. From f514f41e5eb0a2820adcdcfac22bc32f0acb21fc Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Thu, 26 Sep 2019 11:30:57 +0300 Subject: [PATCH 07/17] fix link to continuous delivery --- design/cdk-assets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/design/cdk-assets.md b/design/cdk-assets.md index 4069c74dbedac..545e7b60ea2d6 100644 --- a/design/cdk-assets.md +++ b/design/cdk-assets.md @@ -2,7 +2,7 @@ `cdk-assets` is a tool in the AWS CDK toolchain responsible to package and publish assets as part of the deployment process of CDK applications. -This document specifies the requirements for this tool derived from the [continuous delivery design document](design/continuous-delivery.md). +This document specifies the requirements for this tool derived from the [continuous delivery design document](./continuous-delivery.md). ## Asset Manifest From f2d640a80f71914f142b07eb7b627320593d7e7c Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Thu, 26 Sep 2019 11:32:18 +0300 Subject: [PATCH 08/17] fix link to cdk-assets spec --- design/continuous-delivery.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 9a90caa958c68..dbfe15f7a80fd 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -267,7 +267,9 @@ In CodePipeline, we will implement this stage using a CodeBuild action which run ## Publishing -The [**cdk-assets**](design/cdk-assets.md) tool is responsible for _packaging_ and _publishing_ application assets to "**asset stores**" in AWS environments so they can be consumed by stacks deployed to these environments. +The [`cdk-assets`](./cdk-assets.md) tool is responsible for _packaging_ and _publishing_ application assets to "**asset stores**" in AWS environments so they can be consumed by stacks deployed to these environments. + +See the [cdk-assets specification](./cdk-assets.md) for additional details. ```shell cdk-assets publish cdk.out [ASSET-ID,ASSET-ID,...] From bb53fa7b833feb59a73ea83e74152d016febc96a Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Wed, 2 Oct 2019 23:29:49 +0300 Subject: [PATCH 09/17] updated based on some CR comments --- design/cdk-assets.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/design/cdk-assets.md b/design/cdk-assets.md index 545e7b60ea2d6..e1611d01d6e87 100644 --- a/design/cdk-assets.md +++ b/design/cdk-assets.md @@ -54,6 +54,7 @@ enum FileAssetPackaging { interface FileAssetDestination { readonly assumeRoleArn?: string; // iam role to assume readonly assumeRoleExternalId?: string; // external id to pass to assume-role + readonly region: string; readonly bucketName: string; readonly objectKey: string; } @@ -66,6 +67,7 @@ interface ImageAssetSource { } interface ImageAssetDestination { + readonly region: string; readonly assumeRoleArn: string; // iam role to assume readonly assumeRoleExternalId?: string; // external id to pass to assume-role readonly repositoryName: string; // ECR repository name @@ -199,6 +201,8 @@ d31ca1aef8d1b68217852e7aea70b1e857d107b47637d5160f9f9a1b24882d2a image a0bae29e7b47044a66819606c65d26a92b1e844f4b3124a5539efc0167a09e57 file ``` +This information is purely based on the contents of `assets.json`. + ### Programmatic API The tool should expose a programmatic (library) API, so it can be integrated with other tools such as the AWS CLI and IDEs. The library should be jsii-compliant and released to all languages supported by the AWS CDK. @@ -213,7 +217,7 @@ class Assets { readonly manifest: AssetManifest; // starts publishing a single asset - publish(assetid: string, progress?: Progress): Progress; + publish(assetid: string, progress?: Progress): Publish; } interface ProgressEvent { From 641311796e98178ed497b35e266fa152aad39752 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Wed, 30 Oct 2019 22:12:32 +0200 Subject: [PATCH 10/17] initial take on backwards/forward compatibility plan --- design/continuous-delivery.md | 57 +++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index dbfe15f7a80fd..851e552a94648 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -25,6 +25,7 @@ The only caveat is that **new environments** (account/region) will need to be bo - [Mutation](#mutation-1) - [Publishing](#publishing-1) - [Deployment](#deployment-1) +- [Compatibility Plan](#compatibility-plan) ## Requirements @@ -576,3 +577,59 @@ CodePipeline will use the regional replication buckets to transfer cdk.out to th That's it basically. +# Compatibility Plan + +This section describes how we plan to implement this new model, while still supporting old CLIs, apps written with old frameworks and old bootstrap environments. + +This design requires disruptive changes to the following components: + +- **Bootstrap Stack**: the contents of the environment's bootstrap stack has changed. It now includes additional resources like an ECR repository and IAM role, and also uses conventional physical names. +- **Assets (Framework)**: currently each asset synthesizes a set of CloudFormation parameter that is then assigned by the CLI during deployment, and assets are described as metadata in the cloud assembly manifest. This design stipulates that assets will always be published to well-known locations (based on the bootstrap stack conventions) and described in the `assets.json` manifest which is consumed by `cdk-assets`. +- **Publishing (CLI)**: currently the CLI conflates both asset publishing and deployment into a single step. This design stipulates that `cdk-assets` manages all asset publishing and the CLI is only responsible for deployment. +- **AdoptedRepository**: The new asset mechanism does not require Docker image assets to be backed by `AdoptedRepository` since the ECR repository in the new bootstrap stack will allow anyone to read from it. +- **Deployment Roles**: In the new mode, the cloud assembly manifest also includes IAM roles for deployment. These only exist in the new model, and should cause the CLI to assume these roles during depoyment. + +## Goal + +Existing applications should continue to seamlessly work in any combination of CLI/framework without any forced modification when suppot for these new capabilities is introduced. + +Obvsiouly, if users wish to leverage the new CDK continuous delivery capabilities, they will have to upgrade all three components (bootstrap stack, framework, CLI). It's important that their experience will be guided (i.e. they will be promoted exactly what they need to do and not simply get cryptic error messages). + +## Approach + +The main implication is that both CLI and framework should continue to support the "legacy mode" which controls all relevant behavior: asset synthesis (including `AdoptedRepository`), deployment roles and any other aspect described in this design. + +The following table describes the desired behavior for each combination of CLI version, framework version and whether this is an existing app or a new app (the result of `cdk init` from a new CLI): + +| # | | CLI | Framework | Bootstrap | App | Mode | Comments +|----|------|------|-----------|-----------|-----|------|---------------------- +| 0 | 0000 | OLD | OLD | OLD | OLD | 1.0 | No change +| 1 | 0001 | OLD | OLD | OLD | NEW | 1.0 | App created with old CLI +| 2 | 0010 | OLD | OLD | NEW | OLD | 1.0 | "Run `cdk bootstrap`" +| 3 | 0011 | OLD | OLD | NEW | NEW | 1.0 | new bootstrap stack is not detectable +| 4 | 0100 | OLD | NEW | OLD | OLD | 1.0 | Framework auto-detects old CLI +| 5 | 0101 | OLD | NEW | OLD | NEW | ERR | "please upgrade your CLI and bootstrap" +| 6 | 0110 | OLD | NEW | NEW | OLD | 1.0 | "Run `cdk bootstrap`" +| 7 | 0111 | OLD | NEW | NEW | NEW | ERR | "please upgrade your CLI" +| 8 | 1000 | NEW | OLD | OLD | OLD | 1.0 | CLI auto-detects old framework +| 9 | 1001 | NEW | OLD | OLD | NEW | 1.0 | CLI auto-detects old framework +| 10 | 1010 | NEW | OLD | NEW | OLD | 1.0 | can this work?? +| 11 | 1011 | NEW | OLD | NEW | NEW | 1.0 | Old framework doesn't respect feature flag +| 12 | 1100 | NEW | NEW | OLD | OLD | 1.0 | Can opt-in to 2.0 +| 13 | 1101 | NEW | NEW | OLD | NEW | 2.0 | "Run `cdk bootstrap`" +| 14 | 1110 | NEW | NEW | NEW | OLD | | can this work?? +| 15 | 1111 | NEW | NEW | NEW | NEW | 2.0 | Final state + +## Requirements + +The CLI must auto-detect the assembly format version of the synthesized app based on heuristics `assets.json` or asset metadata in manifest (perhaps we will just bump the assembly manifest version number). Based on this version it will execute either the legacy (1.0) code path or the new code path. If the old code path is required, the old bootstrap behavior will be expected. If the bootstrap stack + +The framework will use the CLI version information passed in through environment variable to detect an old CLI. + +A new feature flag `cloud-assembly-version` will be used to determine the cloud assembly format version the framework operates in. This flag will front all relevant code paths. + +In order to enable case #6 (new CLI + framework with old app), the default for `cloud-assembly-version` will be `1.0` (legacy). This means old apps that upgrade both CLI and framework to new version will continue to function without any change. If old apps wishes to use the new behavior, they will have to explicitly specify `cloud-assembly-version` in their `cdk.json` (or code). + +However, we still want new CDK apps created using `cdk init` to use the new behavior (case #9). To that end, when `cdk init` will be executed from a new CLI, the `cdk.json` it will generate will pass in `cloud-assembly-version: 2.0`. This basically means that new apps will automatically be opted-in to this new behavior. + +If old CLI is used and the app is configured to use 2.0 (#3), an error will be raised (we could technically fall back to 1.0 but there is probably no sufficient value). From d445ea5311d4c020064fc0d9d2935c23ee965d35 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Wed, 8 Jan 2020 16:16:31 +0200 Subject: [PATCH 11/17] add a note about docker layer caching --- design/continuous-delivery.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 851e552a94648..de1e4378bdf15 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -291,6 +291,8 @@ Then, for each asset, cdk-assets will perform the following operation: In order for the publish to be able to execute `docker build`, this command must be executed in an environment that has docker available (in CodeBuild this means the project must be "privileged"). +[Caching of docker layers](https://docs.aws.amazon.com/codebuild/latest/userguide/build-caching.html#caching-local) is supported by CodeBuild and therefore `--ci` feature we have today in the CDK which pulls the `latest` tag of images before docker builds is not required. Furthermore, since images will now be identified only by their source hash (and not by their construct node ID) means that it will be impossible to pull a "latest" version. + **Templates as Assets** Some deployment systems (e.g. the CDK CLI) require that CloudFormation templates will be uploaded an S3 location before they can be deployed (this is done automatically in CodePipeline). Due to S3 eventual consistency, these files must be immutable, so we need to upload a new template file every time the template changes. From 96dd32b39d4cf3a26f713076a57b38e17ded5c82 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Wed, 8 Jan 2020 16:18:37 +0200 Subject: [PATCH 12/17] add local docker layer cache --- design/cdk-assets.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/design/cdk-assets.md b/design/cdk-assets.md index e1611d01d6e87..84703da3b8b5d 100644 --- a/design/cdk-assets.md +++ b/design/cdk-assets.md @@ -155,6 +155,8 @@ for each asset in manifest: publish to destination (upload/push) ``` +> When we execute this tool in a CodeBuild project, we should enable [local caching](https://docs.aws.amazon.com/codebuild/latest/userguide/build-caching.html#caching-local) of docker images as an optimization. + Example (`cdk.out/assets.json` as above): ```shell From 55a4d859c22e22616de690d75a007f425ae6c1a9 Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 12 Jan 2020 13:27:18 +0200 Subject: [PATCH 13/17] additional self-mutation details and alternative considered for bootstrapping pipeline resources --- design/continuous-delivery.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index de1e4378bdf15..cc964d9006d07 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -25,7 +25,9 @@ The only caveat is that **new environments** (account/region) will need to be bo - [Mutation](#mutation-1) - [Publishing](#publishing-1) - [Deployment](#deployment-1) -- [Compatibility Plan](#compatibility-plan) +- [Goal](#goal) +- [Approach](#approach-1) +- [Requirements](#requirements-1) ## Requirements @@ -261,10 +263,14 @@ We can't begin to deploy an app before we provision and update the required the The initial creation of the pipeline will be performed manually using `cdk deploy pipeline-main` (where `pipeline-main` is name of the main pipeline stack), but from that point forward, any changes to the pipeline will be done by pushing a commit into the repo, and letting the pipeline pick it up. -For example, if we use CodePipeline for deploying an app to multiple environments,the deployment infrastructure will consist of a central pipeline stack, which contains the pipeline itself, it's artifacts bucket and other related resources such as CodeBuild projects. It will also require a stack in each region that includes a CodePipeline regional replication bucket (and key). +For example, if we use CodePipeline for deploying an app to multiple environments, the deployment infrastructure requires a central pipeline stack, which contains the pipeline itself, it's artifacts bucket and other related resources such as CodeBuild projects. It will also require a stack in each region that includes a CodePipeline regional replication bucket (and key). See [cross-region support](https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-create-cross-region.html) in the CodePipeline User Guide. -In CodePipeline, we will implement this stage using a CodeBuild action which runs `cdk deploy "pipeline-*"`. This will deploy all stacks that begin with the `pipeline-` prefix. These stacks can be deployed to any bootstrapped environment since `cdk deploy` can assume the deployment role. +In CodePipeline, we will implement self-mutation using a pre-configured CodeBuild action which runs `cdk deploy "pipeline-*"`. This will deploy all stacks that begin with the `pipeline-` prefix. These stacks can be deployed to any bootstrapped environment since `cdk deploy` can assume the deployment role. +To mitigate the security risk, `cdk deploy pipeline-*` should run against a synthesized cloud assembly (from the build step) and not against the executable app, and should also prohibit the use of docker assets. These are the two elements where user code is executed and must not be done in an environment with administrative privileges. The mutation CodeBuild action will not be customizable to ensure that users don't accidentally allow it to execute arbitrary code. + +> ALTERNATIVE CONSIDERED: We initially considered leveraging the bootstrapping process in order to provision cross-regional replication resources for CodePipeline but: (a) this is very specific to CodePipeline and not relevant to other deployment systems (e.g. Travis, GitHub Actions); and (b) it will require the bootstrapping process to span more than a single environment. In order to allow users to use "account stamping" tools like Stack Sets or Landing Zone, we decided that the bootstrapping process will be as simple as possible (== a single cloudformation template). +> The trade-off is that for the CodePipeline resources, we will use "cdk deploy pipeline-*", and so we can encode all this within the CDK. In fact cross account/region is actually already supported in the CDK and will automatically define all these stacks and region for you, so it should already "Just Work". ## Publishing From 491a1ecb746529ffc621d91ec510ad2fdcf3b3ef Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 12 Jan 2020 13:44:54 +0200 Subject: [PATCH 14/17] added a "bootstrapping at scale" section --- design/continuous-delivery.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index cc964d9006d07..046941f71fc7b 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -221,6 +221,17 @@ To accommodate these requirements we will make the following changes to how `cdk 5. Allow specifying the managed policy to use for the deployment role (mostly it will be the administrator managed policy). 6. Allow specifying an optional qualifier for the physical names of all resources to address bucket hijacking concerns and allow multiple bootstraps to the same environment for whatever reason. +**Bootstrapping at Scale** + +Since organizations may have to bootstrap thousands of accounts, we need to make sure we allow users to leverage "account stamping" tools such as [AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) and [AWS Control Tower](https://aws.amazon.com/controltower/). All of these tools are based on automatically and reliably deploying a single AWS CloudFormation template to multiple accounts across an organization. + +To make sure users can use these tools for bootstrapping, we will take the following requirements: + +- Bootstrapping "logic" MUST be expressible through an AWS CloudFormation template. +- Bootstrapping MUST be self-contained within an environment (account+region). We can't rely on the bootstrapping process to work across accounts or regions. +- Bootstrapping template size cannot exceed 50KiB so it can be deployed through the `TemplateBody` option of the CloudFormation `CreateStack` API (and not require an S3 bucket). +- Bootstrapping templates cannot rely on any other asset such as files on S3 or docker images. + **Resource Names** We need to be able to synthesize asset locations into the templates for consumption and publishing. We also need to be able to assume a role in order to be able to publish to the environment. @@ -311,10 +322,9 @@ At this point, all assets are published to asset stores in their target environm To deploy a stack to an environment, the deployment will need to: -1. Assume the **Deployment IAM Role** from the target environment. +1. Assume the **Deployment IAM Role** from the target environment. The deployment IAM role is encoded inside the cloud assembly. By default the name of the role is rendered by `core.Stack` based on the conventions of the bootstrapping template, but users are able to override this behavior if their environments used custom bootstrapping. 2. Create a CloudFormation change-set for the stack. -3. Execute the change-set by requesting CloudFormation to assume the administrative **CloudFormation IAM -Role**. +3. Execute the change-set by requesting CloudFormation to assume the administrative **CloudFormation IAM Role** (again, role is encoded in the cloud assembly). ## Walkthrough From 044f8601ad2e13a4175590775093faa12564c0ec Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 12 Jan 2020 15:13:26 +0200 Subject: [PATCH 15/17] clarifications based on code review comments --- design/cdk-assets.md | 4 ++ design/continuous-delivery.md | 125 +++++++++++++++++++--------------- 2 files changed, 75 insertions(+), 54 deletions(-) diff --git a/design/cdk-assets.md b/design/cdk-assets.md index 84703da3b8b5d..d46b32830b963 100644 --- a/design/cdk-assets.md +++ b/design/cdk-assets.md @@ -4,6 +4,10 @@ This document specifies the requirements for this tool derived from the [continuous delivery design document](./continuous-delivery.md). +## Assumptions + +* Similarly to any resource defined through code and managed through CloudFormation, we are not attempting to protect assets from manual tampering by users. + ## Asset Manifest The main input to `cdk-assets` is a JSON file called `assets.json` which includes a manifest of assets. diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 046941f71fc7b..6f69108177575 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -12,8 +12,7 @@ The only caveat is that **new environments** (account/region) will need to be bo - [Requirements](#requirements) - [Approach](#approach) -- [Build](#build) -- [Synthesis](#synthesis) +- [Build + Synthesis](#build--synthesis) - [Bootstrapping](#bootstrapping) - [Mutation](#mutation) - [Publishing](#publishing) @@ -21,25 +20,27 @@ The only caveat is that **new environments** (account/region) will need to be bo - [Walkthrough](#walkthrough) - [Bootstrapping](#bootstrapping-1) - [Source](#source) - - [Synthesis](#synthesis-1) + - [Synthesis](#synthesis) + - [Pipeline Initialization](#pipeline-initialization) - [Mutation](#mutation-1) - [Publishing](#publishing-1) - [Deployment](#deployment-1) -- [Goal](#goal) -- [Approach](#approach-1) -- [Requirements](#requirements-1) +- [Compatibility Plan](#compatibility-plan) + - [Goal](#goal) + - [Approach](#approach-1) + - [Requirements](#requirements-1) ## Requirements This list describes only the minimal set of requirements from this feature. After we release these building blocks, we will look into vending higher-level "one liner" APIs that will make it very easy to get started. -1. **Deployment system**: the design should focus on building blocks that can be easily integrated into various deployment systems. This spec +1. **Deployment system**: the design should focus on building blocks that can be easily integrated into various deployment systems. This spec describes the integration with the CDK CLI and AWS CodePipelines, but it should be applicable to any deployment system. 1. **Assets**: Support apps that include all supported assets (S3 files, ECR images) 1. **Multi-environment**: Support apps that have stacks that target multiple environments (accounts/regions) 1. **Orchestration**: Allow developers to express complex deployment orchestration based on the capabilities of CodePipeline 1. **User-defined build+synth runtime**: the runtime environment in which the code is built and the CDK app is synthesized should be fully customizable by the user -1. **Restricted deployment runtime**: for security reasons, the runtime environment in which deployment is executed will be fully controlled and will not allow running user code or user-defined image -1. **Bootstrapping**: It should be possible to update bootstrapping resources automatically if possible and least discover that the bootstrap environment is not up-to-date. +1. **Restricted deployment runtime**: for security reasons, the runtime environment in which deployment is executed will not allow running user code or user-defined image +1. **Bootstrapping**: it should be possible to leverage existing AWS account stamping tools like AWS CloudFormation StackSets and AWS Control Tower in order to manage bootstrapping at scale. 1. **Custom replication**: In order to support isolated and air-gapped regions, as well as deployment across partitions, the solution should support customizing how and where assets are published and replicated to. _Considerations:_ @@ -56,43 +57,43 @@ _Non-requirements/assumptions:_ ## Approach +The general approach is that deployment of a CDK app is governed by a central system (e.g. an AWS CodePipeline, a Jenkins system or any other deployment tool). This central deployment system runs within credentials from a central deployment account, which then assumes roles within all other accounts that can then deploy resources to them. This deployment account is referred to as the **tools account** in the [CodePipeline Cross Account Reference Architecture](https://github.com/awslabs/aws-refarch-cross-account-pipeline). + At a high-level, we will model the deployment process of a CDK app as follows: ``` bootstrap => source => build => synthesis => mutate => publish => deploy ``` -1. **bootstrap**: manually pre-provision resources required to deploy CDK apps into this environment (such as an S3 bucket, ECR repository and various IAM roles that trust the central deployment account). + +1. **bootstrap**: provision resources required to deploy CDK apps into all environments in advance (such as an S3 bucket, ECR repository and various IAM roles that trust the central deployment account). 2. **source**: the code is pulled from a source repository (e.g. CodeCommit, GitHub or S3), like any other app. -3. **build**: compiles the CDK app code into an executable program (user-defined). -4. **synthesis**: invokes the compiled executable to produce a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md) from the app. It includes a CloudFormation template for each stack and asset sources (docker images, s3 files, etc) that must be packaged and published to the asset store in each environment that consumes them. -5. **mutate**: update stack(s) required by the pipeline. This includes pipeline resources and other auxiliary resources such as regional replication buckets. These stacks are limited to 50KiB and are not allowed to use assets, so they can be deployed without bootstrapping resources. -6. **publish**: package and publish all assets to asset stores (S3 bucket, ECR repository) so they can be consumed. -7. **deploy**: stage(s), stacks are deployed to the various environments through some orchestration process (e.g. deploy first to this region, run these canaries, wait for errors, continue to the next stage, etc). +3. **build + synthesis**: compiles the CDK app code into an executable program (user-defined) and invokes the compiled executable through `cdk synth` to produce a [cloud assembly](https://github.com/aws/aws-cdk/blob/master/design/cloud-assembly.md) from the app. The cloud assembly includes a CloudFormation template for each stack and asset sources (docker images, s3 files, etc) that must be packaged and published to the asset store in each environment that consumes them. +4. **mutate**: update stack(s) required by the pipeline. This includes pipeline resources and other auxiliary resources such as regional replication buckets. These stacks are limited to 50KiB and are not allowed to use assets, so they can be deployed without bootstrapping resources. +5. **publish**: package and publish all assets to asset stores (S3 bucket, ECR repository) so they can be consumed. +6. **deploy**: stage(s), stacks are deployed to the various environments through some orchestration process (e.g. deploy first to this region, run these canaries, wait for errors, continue to the next stage, etc). NOTE: The deployment phase can include any number of stack deployment actions. Each deployment action is responsible deploy a single stack, along with any assets it references. This following sections describes the design of each component in the toolchain. -## Build +## Build + Synthesis -In this stage we compile the CDK app to an executable program through a user-defined build system. +In this stage we compile the CDK app to an executable program through a user-defined build system and synthesize a cloud assembly from it. We assume a single source repository which masters the CDK app itself. This repo can be structured in any way users wish, and may include multiple modules or just a single one. If users choose to organize their project into modules and master different modules in other repositories, eventually the build artifacts from these builds should be available when the app is synthesized. The only requirement from the build step is the it will have an output artifact that is a cloud-assembly directory which is obtained through `cdk synth` (defaults to `./cdk.out`). Other than that, users can fully control their build environment. -## Synthesis +The implication is that users will have to manually configure their build step to invoke `cdk synth` when the app is ready (e.g. code has been compiled). -The CDK synthesizes a CloudFormation template for each stack defined in the CDK app. - -When stacks are defined, users can specify the target environment (account and region) into which the stack should be deployed: +The CDK synthesizes a CloudFormation template for each stack defined in the CDK app. When stacks are defined, users can specify the target environment (account and region) into which the stack should be deployed: ```ts new Stack(this, 'my-stack', { env: { account: '123456789012', region: 'us-east-1' } }); ``` -**Deployment Across Environments** +**Multiple Environments** In order to support deploying stacks from a centralized (pipeline/development) environment to other environments, the bootstrap stack includes a set of named IAM roles which trust the central account for publishing and deployment. @@ -100,8 +101,10 @@ In order to encourage separation of concerns and allow customizability, we will For each stack, we will encode additional two IAM roles: -1. Administrator CloudFormation IAM role which can only be assumed by the CloudFormation service principal -1. Deployment IAM role which can be assumed by any principal from the central account and has permissions to "pass role" on the administrator role. +1. Administrator CloudFormation IAM role which can only be assumed by the CloudFormation service principal (also known as the "action role" in CodePipeline terminology) +2. Deployment IAM role which can be assumed by any principal from the central account and has permissions to "pass role" on the administrator role (also known as the "CFN role" in CodePipeline terminology). + +> The publisher role which is also provisioned during bootstrapping is encoded in the `assets.json` file *per-asset* to allow for maximum customizability. This is the recommended setup for cross-account CloudFormation deployments. @@ -146,7 +149,9 @@ The main issue is #2. Different deployment tools have different ways to configur The solution is to resolve asset locations **during synthesis** and use naming conventions for bootstrapping resources. This means that asset locations will be concrete values and we can also encode all publishing information to the assembly manifest. It will also allow customizing all publishing behavior from within the CDK app, without the need to supply additional plugin capabilities. -We will synthesize a file called `assets.json`, which will include preparation and publishing instructions for each asset. +We will synthesize a file called `assets.json`, which will include preparation and publishing instructions for each asset. + +By default, S3 assets will be stored in a single S3 bucket where the object key will be based on the asset's source hash. Docker assets will be stored in a single ECR repository where the image tag will be based on the asset source hash (hash of the contents of the Dockerfile directory). For file assets: @@ -199,12 +204,12 @@ The CDK already has a dedicated tool for bootstrapping environments called **`cd Environment bootstrapping doesn't have to be performed by the development team, and does not require deep knowledge of the application structure, besides the set of accounts and regions into which the app needs to be deployed. -The current implementation only provisions an S3 bucket, but in order to be able to continuously deploy CDK stacks that use asses, we will need the following resources: +The current implementation only provisions an S3 bucket, but in order to be able to continuously deploy CDK stacks that use asses, we will need the following resources __in each AWS environment (account + region)__: For publishing: -* **S3 Bucket**: for file asset and CloudFormation templates -* **ECR Repository**: for docker image assets +* **S3 Bucket (+ KMS resources)**: for file asset and CloudFormation template (a single bucket will contain all files keyed by their source hash) +* **ECR Repository**: for all docker image assets (a single repo will contain all images tagged by their source hash). * **Publishing Role**: IAM role trusted by the deployment account, and allows publishing to the S3 bucket and the ECR repository. For deployment: @@ -240,7 +245,7 @@ This means that we cannot rely on CloudFormation physical name generation since We will employ a naming convention which encodes `account`, `region` and an optional `qualifier` (such as `cdk-account-region[-qualifier]-xxxx`). This is because not all AWS resource names are environment-local: IAM roles are account-wide and S3 buckets are global. -It is important that we do not rely on hashing or parsing account and region in order to be able to support environment-agnostic stacks (in which case "account" resolves to `{ "Ref": "AWS::AccountId" }`, etc. +It is important that we do not rely on hashing or parsing account and region in order to be able to support account stamping tools like CloudFormation StackSets and Control Tower (in which case "account" resolves to `{ "Ref": "AWS::AccountId" }`, etc. In order to address the risk of S3 bucket hijacking, we need to be ale to support an optional `qualifier` postfix. This means that we need to allow users to specify this qualifier when they define the Stack's `env`. Perhaps we need to encode this into `aws://account/region[/qualifier]` @@ -272,7 +277,7 @@ Therefore, we recommend that all resources needed for the deployment pipeline ar We can't begin to deploy an app before we provision and update the required the deployment resources based on the structure of the app. This is the purpose of the "**mutation**" stage. -The initial creation of the pipeline will be performed manually using `cdk deploy pipeline-main` (where `pipeline-main` is name of the main pipeline stack), but from that point forward, any changes to the pipeline will be done by pushing a commit into the repo, and letting the pipeline pick it up. +The initial creation of the pipeline will be performed manually using `cdk deploy pipeline-main` (where `pipeline-main` is name of the main pipeline stack for example), but from that point forward, any changes to the pipeline will be done by pushing a commit into the repo, and letting the pipeline pick it up. For example, if we use CodePipeline for deploying an app to multiple environments, the deployment infrastructure requires a central pipeline stack, which contains the pipeline itself, it's artifacts bucket and other related resources such as CodeBuild projects. It will also require a stack in each region that includes a CodePipeline regional replication bucket (and key). See [cross-region support](https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-create-cross-region.html) in the CodePipeline User Guide. @@ -280,8 +285,8 @@ In CodePipeline, we will implement self-mutation using a pre-configured CodeBuil To mitigate the security risk, `cdk deploy pipeline-*` should run against a synthesized cloud assembly (from the build step) and not against the executable app, and should also prohibit the use of docker assets. These are the two elements where user code is executed and must not be done in an environment with administrative privileges. The mutation CodeBuild action will not be customizable to ensure that users don't accidentally allow it to execute arbitrary code. -> ALTERNATIVE CONSIDERED: We initially considered leveraging the bootstrapping process in order to provision cross-regional replication resources for CodePipeline but: (a) this is very specific to CodePipeline and not relevant to other deployment systems (e.g. Travis, GitHub Actions); and (b) it will require the bootstrapping process to span more than a single environment. In order to allow users to use "account stamping" tools like Stack Sets or Landing Zone, we decided that the bootstrapping process will be as simple as possible (== a single cloudformation template). -> The trade-off is that for the CodePipeline resources, we will use "cdk deploy pipeline-*", and so we can encode all this within the CDK. In fact cross account/region is actually already supported in the CDK and will automatically define all these stacks and region for you, so it should already "Just Work". +> Alternative Considered: We initially considered leveraging the bootstrapping process in order to provision cross-regional replication resources for CodePipeline but: (a) this is very specific to CodePipeline and not relevant to other deployment systems (e.g. Travis, GitHub Actions); and (b) it will require the bootstrapping process to span more than a single environment. In order to allow users to use "account stamping" tools like Stack Sets or Landing Zone, we decided that the bootstrapping process will be as simple as possible (== a single CloudFormation template). +> The trade-off is that for the CodePipeline resources, we will use `cdk deploy pipeline-*`, and so we can encode all this within the CDK. In fact cross account/region is actually already supported in the CDK and will automatically define all these stacks and region for you, so it should already "Just Work". ## Publishing @@ -312,7 +317,7 @@ In order for the publish to be able to execute `docker build`, this command must **Templates as Assets** -Some deployment systems (e.g. the CDK CLI) require that CloudFormation templates will be uploaded an S3 location before they can be deployed (this is done automatically in CodePipeline). Due to S3 eventual consistency, these files must be immutable, so we need to upload a new template file every time the template changes. +Some deployment systems (e.g. the CDK CLI and other systems we explored) require that CloudFormation templates will be uploaded an S3 location before they can be deployed (this is done automatically in CodePipeline). Due to S3 eventual consistency, these files must be immutable, so we need to upload a new template file every time the template changes. To that end, we will treat all CloudFormation templates in the assembly like any other asset. They will be identified by their source hash (the hash of the template) and uploaded to the asset store in the environment in which they are expected to be deployed, like any other file asset. @@ -326,6 +331,8 @@ To deploy a stack to an environment, the deployment will need to: 2. Create a CloudFormation change-set for the stack. 3. Execute the change-set by requesting CloudFormation to assume the administrative **CloudFormation IAM Role** (again, role is encoded in the cloud assembly). +> This step intentionally uses the most standard CloudFormation deployment actions. This means that users will be able to implement custom flows that leverages these building blocks in any way they need. For example, they can incorporate a manual approval step between changeset creation and execution. + ## Walkthrough In this section we will walk through the process of deploying a complex CDK app and how each one of the components in the toolchain is used within the workflow. @@ -422,8 +429,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://2222222222US/us-east-1", "properties": { "templateFile": "vpc-us.template.json", - "deployRoleArn": "aws-cdk-deploy-2222222222EU-us-east-1", - "adminRoleArn": "aws-cdk-admin-2222222222EU-us-east-1" + "deployRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-deploy-2222222222EU-us-east-1", + "adminRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-admin-2222222222EU-us-east-1" } }, "service-us": { @@ -431,8 +438,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://2222222222US/us-east-1", "properties": { "templateFile": "service-us.template.json", - "deployRoleArn": "aws-cdk-deploy-2222222222EU-us-east-1", - "adminRoleArn": "aws-cdk-admin-2222222222EU-us-east-1" + "deployRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-deploy-2222222222EU-us-east-1", + "adminRoleArn": "arn:aws:iam::2222222222US:role/aws-cdk-admin-2222222222EU-us-east-1" } }, "vpc-eu": { @@ -440,8 +447,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://3333333333EU/eu-west-2", "properties": { "templateFile": "vpc-eu.template.json", - "deployRoleArn": "aws-cdk-deploy-3333333333EU-eu-west-2", - "adminRoleArn": "aws-cdk-admin-3333333333EU-eu-west-2" + "deployRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-deploy-3333333333EU-eu-west-2", + "adminRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-admin-3333333333EU-eu-west-2" } }, "service-eu": { @@ -449,8 +456,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://3333333333EU/eu-west-2", "properties": { "templateFile": "service-eu.template.json", - "deployRoleArn": "aws-cdk-deploy-3333333333EU-eu-west-2", - "adminRoleArn": "aws-cdk-admin-3333333333EU-eu-west-2" + "deployRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-deploy-3333333333EU-eu-west-2", + "adminRoleArn": "arn:aws:iam::3333333333EU:role/aws-cdk-admin-3333333333EU-eu-west-2" } }, "pipeline-main": { @@ -458,8 +465,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://111111111DEP/us-west-2", "properties": { "templateFile": "pipeline-main.template.json", - "deployRoleArn": "aws-cdk-deploy-111111111DEP-us-west-2", - "adminRoleArn": "aws-cdk-admin-111111111DEP-us-west-2" + "deployRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-deploy-111111111DEP-us-west-2", + "adminRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-admin-111111111DEP-us-west-2" } }, "pipeline-us-east-1": { @@ -467,8 +474,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://111111111DEP/us-east-1", "properties": { "templateFile": "pipeline-main.template.json", - "deployRoleArn": "aws-cdk-deploy-111111111DEP-us-east-1", - "adminRoleArn": "aws-cdk-admin-111111111DEP-us-east-1" + "deployRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-deploy-111111111DEP-us-east-1", + "adminRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-admin-111111111DEP-us-east-1" } }, "pipeline-eu-west-2": { @@ -476,8 +483,8 @@ The `manifest.json` file will include an entry for each stack defined above (lik "environment": "aws://111111111DEP/eu-west-2", "properties": { "templateFile": "pipeline-main.template.json", - "deployRoleArn": "aws-cdk-deploy-111111111DEP-eu-west-2", - "adminRoleArn": "aws-cdk-admin-111111111DEP-eu-west-2" + "deployRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-deploy-111111111DEP-eu-west-2", + "adminRoleArn": "arn:aws:iam::111111111DEP:role/aws-cdk-admin-111111111DEP-eu-west-2" } } } @@ -537,16 +544,24 @@ The `assets.json` file will look like this: It lists the two assets (one file asset and one image asset) and, for each, it lists the publishing locations which include repository, key and publishing IAM role to assume. -### Mutation +### Pipeline Initialization -The first stage in our pipeline is the mutation stage. This stage will include a single CodeBuild action that will simply execute: +At this point we have a bunch of bootstrapped environments and a local `cdk.out` directory. In order to deploy our self-mutating CI/CD pipeline for the app, we need to perform a single, one-off, manual operation: ```console -$ cdk deploy pipeline-* +$ cdk deploy "pipeline-*" ``` +Running this manually will deploy our pipeline which monitors our source control. From now on, any chances to our pipeline will be done by pushing commits into our source repository and not through the CDK CLI. + +### Mutation + +The first stage in our pipeline is the mutation stage. This stage will include a single CodeBuild action that will simply execute: `cdk deploy pipeline-*`. + This will update all the stacks with names that begin with "pipeline-". Namely, it includes the pipeline stack itself, and the auxiliary stacks that include the pipeline's regional replication buckets. Since we are using `cdk deploy` here, we can technically deploy any stack to any environment in this stage because `cdk deploy` can assume the deployment role in any of the environments which trust the deployment account. +> In the [CodePipeline Cross Account Reference Architecture](https://github.com/awslabs/aws-refarch-cross-account-pipeline) the "deployment account" is known as the "tools account". + Notice that this stage happens **before** the publish stage. This is because the structure of the publish stage is dependent on which assets the app uses (we synthesize an action per asset for maximal parallelism), so we want to make sure the pipeline will be updated before publishing. > NOTE: if there is a constraint that does not allow the pipeline to be updated before publishing, it simply means that we have to publish all assets from a single action (`cdk-assets publish cdk.out`). @@ -565,6 +580,8 @@ The next stage in the process is the publishing stage. In our example, this stage will consist of two CodeBuild actions that will run the following commands concurrently. These command will package & upload the asset to all the environments. It will consult `assets.json` to determine the exact location into which to publish each asset and which cross-account role to assume. +> The CodePipeline stage that includes all the asset publishing actions will be automatically generated based on the application structure. This means that any new assets added to the app will automatically appear in this pipeline stage as new CodeBuild actions. + The first action will run this command: ```shell @@ -595,7 +612,7 @@ CodePipeline will use the regional replication buckets to transfer cdk.out to th That's it basically. -# Compatibility Plan +## Compatibility Plan This section describes how we plan to implement this new model, while still supporting old CLIs, apps written with old frameworks and old bootstrap environments. @@ -607,13 +624,13 @@ This design requires disruptive changes to the following components: - **AdoptedRepository**: The new asset mechanism does not require Docker image assets to be backed by `AdoptedRepository` since the ECR repository in the new bootstrap stack will allow anyone to read from it. - **Deployment Roles**: In the new mode, the cloud assembly manifest also includes IAM roles for deployment. These only exist in the new model, and should cause the CLI to assume these roles during depoyment. -## Goal +### Goal Existing applications should continue to seamlessly work in any combination of CLI/framework without any forced modification when suppot for these new capabilities is introduced. Obvsiouly, if users wish to leverage the new CDK continuous delivery capabilities, they will have to upgrade all three components (bootstrap stack, framework, CLI). It's important that their experience will be guided (i.e. they will be promoted exactly what they need to do and not simply get cryptic error messages). -## Approach +### Approach The main implication is that both CLI and framework should continue to support the "legacy mode" which controls all relevant behavior: asset synthesis (including `AdoptedRepository`), deployment roles and any other aspect described in this design. @@ -638,7 +655,7 @@ The following table describes the desired behavior for each combination of CLI v | 14 | 1110 | NEW | NEW | NEW | OLD | | can this work?? | 15 | 1111 | NEW | NEW | NEW | NEW | 2.0 | Final state -## Requirements +### Requirements The CLI must auto-detect the assembly format version of the synthesized app based on heuristics `assets.json` or asset metadata in manifest (perhaps we will just bump the assembly manifest version number). Based on this version it will execute either the legacy (1.0) code path or the new code path. If the old code path is required, the old bootstrap behavior will be expected. If the bootstrap stack From 06be68d3fcd7fbef648497180d096fc96de9a4fd Mon Sep 17 00:00:00 2001 From: Elad Ben-Israel Date: Sun, 12 Jan 2020 16:34:30 +0200 Subject: [PATCH 16/17] remove two types of trusted accounts --- design/continuous-delivery.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 6f69108177575..7ef421128733c 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -221,10 +221,9 @@ To accommodate these requirements we will make the following changes to how `cdk 1. Extend the bootstrap stack to include these resources. 2. Use explicit convention-based physical names for all resources. -3. Allow specifying a list of *trusted accounts* from which the CloudFormation service principal can deploy to this account. -4. Allow specifying a list of accounts from which principals can deploy to this account from the CLI. -5. Allow specifying the managed policy to use for the deployment role (mostly it will be the administrator managed policy). -6. Allow specifying an optional qualifier for the physical names of all resources to address bucket hijacking concerns and allow multiple bootstraps to the same environment for whatever reason. +3. Allow specifying a list of *trusted accounts* that can deploy to this account. +4. Allow specifying the managed policy to use for the deployment role (mostly it will be the administrator managed policy). +5. Allow specifying an optional qualifier for the physical names of all resources to address bucket hijacking concerns and allow multiple bootstraps to the same environment for whatever reason. **Bootstrapping at Scale** @@ -247,7 +246,7 @@ We will employ a naming convention which encodes `account`, `region` and an opti It is important that we do not rely on hashing or parsing account and region in order to be able to support account stamping tools like CloudFormation StackSets and Control Tower (in which case "account" resolves to `{ "Ref": "AWS::AccountId" }`, etc. -In order to address the risk of S3 bucket hijacking, we need to be ale to support an optional `qualifier` postfix. This means that we need to allow users to specify this qualifier when they define the Stack's `env`. Perhaps we need to encode this into `aws://account/region[/qualifier]` +In order to address the risk of S3 bucket hijacking, we need to be able to support an optional `qualifier` postfix. This means that we need to allow users to specify this qualifier when they define the Stack's `env`. Perhaps we need to encode this into `aws://account/region[/qualifier]` > **Alternative considered**: one way to implement environment-specific name-spacing would have been to export the bootstrapping resources through a CloudFormation Export and then reference them using Fn::ImportValue. This would have worked for templates, but means that we would need a way to resolve import values during publishing as well (and as a result also Fn::Join, etc). From 28bcde80d20bb69b84922799accbb94063b027d9 Mon Sep 17 00:00:00 2001 From: scavasoft <52650009+scavasoft@users.noreply.github.com> Date: Tue, 21 Jan 2020 11:34:48 +0200 Subject: [PATCH 17/17] Update continuous-delivery.md (#5886) --- design/continuous-delivery.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/design/continuous-delivery.md b/design/continuous-delivery.md index 7ef421128733c..26d5cd355eb51 100644 --- a/design/continuous-delivery.md +++ b/design/continuous-delivery.md @@ -215,7 +215,7 @@ For publishing: For deployment: * **CloudFormation Role**: IAM role which allows the CloudFormation service principal to deploy stacks into the environment (this role usually has administrative privileges). -* **Deployment Role**: IAM role which allows anyone from the deployment account to create, update and describe CloudFormation change sets and s"pass" the CloudFormation role (`iam:PassRole`). +* **Deployment Role**: IAM role which allows anyone from the deployment account to create, update and describe CloudFormation change sets and "pass" the CloudFormation role (`iam:PassRole`). To accommodate these requirements we will make the following changes to how `cdk bootstrap` works: