Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

❗NOTICE: Cross-account deployments are failing in v2.163.0 with error 'Need to perform AWS calls for account' #31845

Closed
cgatt opened this issue Oct 22, 2024 · 17 comments · Fixed by #31846
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort management/tracking Issues that track a subject or multiple issues p0 package/tools Related to AWS CDK Tools or CLI

Comments

@cgatt
Copy link

cgatt commented Oct 22, 2024

Please add your +1 👍 to let us know you have encountered this


Status: RESOLVED

Overview:

Release v2.163.0 introduced an issues with cross-account deployments. The AWS CDK fails with the error Need to perform AWS calls for account XXXXX, but the current credentials are for YYYYY. The root cause is a new check for the bootstrap version added in v2.163.0. The check needs to make an API call to AWS CloudFormation to describe the bootstrap stack. This API call was using incorrect credentials.

Complete Error Message:

Need to perform AWS calls for account XXXXXXXXXXXX, but the current credentials are for YYYYYYYYYYYY

Workaround:

Downgrade the AWS CDK CLI to version 2.162.1

Solution:

Upgrade the AWS CDK CLI to version 2.163.1

Related Issues:

n/a


Original issue:

Describe the bug

Release v2.163.0 causes deployments using cross account role assumption to fail with the error Need to perform *** calls for account XXXXX, but the current credentials are for YYYYY. This is presumably caused by #31623.
Based on comments on this PR (as it has no description or linked issue) this was done to address a vulnerability when the assets bucket for an account is not longer in the target account, but this failure is occurring when the assets bucket is still in the target account with no change.
These deployments and buckets are in the ap-southeast-2 region.

Regression Issue

Confirmed Regression

Last Known Working CDK Version

2.162.1

Expected Behavior

Cross account deployments should succeed unless the asset bucket is no longer in the target account.

Current Behavior

Cross account deployments fail with the error Need to perform *** calls for account XXXXX, but the current credentials are for YYYYY
cdk diff succeeds as expected, and cloudtrail shows role assumption is successful.
Debug log excerpt just before the failure:

[04:15:56] datadog-lambda-apm-test-dev: check: Check s3://cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2/2819175352ad1ce0dae768e83fc328fb70fb5f10b4a8ff0ccbcb791f02b0716d.zip
[04:15:56] [*** s3 200 0.06s 0 retries] listObjectsV2({
  Bucket: 'cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2',
  Prefix: 'fdfffca2098cb4f12a1dd3f0f2f98b4606063436cdfc311da0589251fa61cbe0.json',
  MaxKeys: 1
})
[04:15:56] [*** s3 200 0.074s 0 retries] listObjectsV2({
  Bucket: 'cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2',
  Prefix: '7fbaff7dbc84f82c58c19512abc1c6e165bebea0038d20da2d2ee153808fee70.zip',
  MaxKeys: 1
})
[04:15:56] datadog-lambda-apm-test-dev: found: Found s3://cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2/7fbaff7dbc84f82c58c19512abc1c6e165bebea0038d20da2d2ee153808fee70.zip
[04:15:56] [*** s3 200 0.06s 0 retries] listObjectsV2({
  Bucket: 'cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2',
  Prefix: '2819175352ad1ce0dae768e83fc328fb70fb5f10b4a8ff0ccbcb791f02b0716d.zip',
  MaxKeys: 1
})
[04:15:56] datadog-lambda-apm-test-dev: found: Found s3://cdk-hnb659fds-assets-XXXXXXXXXXXX-ap-southeast-2/2819175352ad1ce0dae768e83fc328fb70fb5f10b4a8ff0ccbcb791f02b0716d.zip
[04:15:56] 3 total assets, 1 still need to be published
[04:15:56] [trace] SdkProvider#resolveEnvironment()
[04:15:56] [trace] SdkProvider#baseCredentialsPartition()
[04:15:56] [trace]   SdkProvider#resolveEnvironment()
[04:15:56] [trace]   SdkProvider#obtainBaseCredentials()
[04:15:56] [trace]     SdkProvider#defaultAccount()
[04:15:56] [trace]     SdkProvider#defaultCredentials()
[04:15:56] [trace]   SDK#currentAccount()
[04:15:56] [trace]     SDK#forceCredentialRetrieval()
[04:15:56] Retrieved account ID YYYYYYYYYYYY from disk cache
[04:15:56] [trace] SDK#ssm()
[04:15:56] [trace]   SDK#wrapServiceErrorHandling()
[04:15:56] [*** ssm 200 0.062s 0 retries] getParameter({ Name: '/cdk-bootstrap/hnb659fds/version' })
datadog-lambda-apm-test-dev: start: Building fdfffca2098cb4f12a1dd3f0f2f98b4606063436cdfc311da0589251fa61cbe0:XXXXXXXXXXXX-ap-southeast-2
datadog-lambda-apm-test-dev: success: Built fdfffca2098cb4f12a1dd3f0f2f98b4606063436cdfc311da0589251fa61cbe0:XXXXXXXXXXXX-ap-southeast-2
[04:15:56] [trace] SdkProvider#resolveEnvironment()
[04:15:56] [trace] SdkProvider#baseCredentialsPartition()
[04:15:56] [trace]   SdkProvider#resolveEnvironment()
[04:15:56] [trace]   SdkProvider#obtainBaseCredentials()
[04:15:56] [trace]     SdkProvider#defaultAccount()
[04:15:56] [trace]     SdkProvider#defaultCredentials()
[04:15:56] [trace]   SDK#currentAccount()
[04:15:56] [trace]     SDK#forceCredentialRetrieval()
[04:15:56] Retrieved account ID YYYYYYYYYYYY from disk cache
[04:15:56] [trace] SdkProvider#forEnvironment()
[04:15:56] [trace]   SdkProvider#resolveEnvironment()
[04:15:56] [trace]   SdkProvider#obtainBaseCredentials()
[04:15:56] [trace]     SdkProvider#defaultAccount()
[04:15:56] [trace]     SdkProvider#defaultCredentials()
[04:15:56] Notices refreshed
Need to perform *** calls for account XXXXXXXXXXXX, but the current credentials are for YYYYYYYYYYYY
[04:15:56] Error: Need to perform *** calls for account XXXXXXXXXXXX, but the current credentials are for YYYYYYYYYYYY
    at SdkProvider.forEnvironment (/home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:195:60)
    at Deployments.cachedSdkForEnvironment (/home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/api/deployments.ts:918:17)
    at Deployments.allowCrossAccountAssetPublishingForEnv (/home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/api/deployments.ts:863:20)
    at Deployments.publishSingleAsset (/home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/api/deployments.ts:855:62)
    at Object.publishAsset (/home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/cdk-toolkit.ts:254:7)
    at /home/runner/.npm/_npx/39b4457c6eead837/node_modules/aws-cdk/lib/util/work-graph.ts:111:11

Reproduction Steps

  1. Create a role in account A
  2. Bootstrap account B with account A (or the role in account A) as the trusted principle
  3. Assume role in account A
  4. Run npx cdk deploy on a stack with account B as the env.account property. May need to also set region to ap-southeast-2, I have not been able to test this in us-east-1 yet.

Possible Solution

Roll back #31623 until full integration testing can be performed.

Additional Information/Context

This change has caused all deployments from our CICD to fail, as they make use of cross account role assumption and use the latest CDK V2 CLI unless otherwise specified (due to caret version matching to avoid breaking changes). I would like to request that this change be rolled back until it can be thoroughly integration tested. If this is not possible, the new expected requirements for cross account CDK deployments need to be clearly documented.

CDK CLI Version

2.163.0

Framework Version

No response

Node.js Version

v20.13.1

OS

Debian Linux

Language

TypeScript

Language Version

TypeScript (5.6.3)

Other information

No response

@cgatt cgatt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 22, 2024
@github-actions github-actions bot added package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member labels Oct 22, 2024
@yassine-ops
Copy link

yassine-ops commented Oct 22, 2024

We are facing the same issue after upgrading to release v2.163.0, we are encountering errors during deployments involving cross-account role assumptions:

Need to perform *** calls for account XXXXX, but the current credentials are for YYYYY.

Downgrading to v2.162.0 resolves the issue for now.

@cgatt
Copy link
Author

cgatt commented Oct 22, 2024

Apologies in advance that I have not tested this as thoroughly as I normally would before raising an issue, but my ability to spin up completely fresh AWS accounts is limited in the org environment. If the reproduction steps as I've written them do work (i.e. dont reproduce the issue) I have the following additional variables that I've observed in our environment:

  • Bootstrap stack name is different in account A vs account B
  • Bootstrap stack version is v20
  • Bootstrack trust principal is a role, rather than account

I will attempt to do further testing if I can get some clean accounts approved, but I'm hoping that you guys have better options in the "clean test accounts" field than I do.

@manumaki
Copy link

Having same problem here.

@kevin-journey
Copy link

Same issue here. Downgrading to cdk@2.162.1 resolves it for now.

@cgatt
Copy link
Author

cgatt commented Oct 22, 2024

After further investigation, I can confirm this was caused by #31623, specifically this line:
https://github.com/aws/aws-cdk/pull/31623/files#diff-1c33e80dabddc5697544f07e314339fa3abe37c68183cb882ce5127b76f7deeeR863

const sdk = (await this.cachedSdkForEnvironment(env, Mode.ForReading)).sdk;

All other uses of cachedSdkForEnvironment in this file also specify the assume role details:

const stackSdk = await this.cachedSdkForEnvironment(resolvedEnvironment, Mode.ForReading, {
  assumeRoleArn: arns.lookupRoleArn,
  assumeRoleExternalId: stack.lookupRole?.assumeRoleExternalId,
  assumeRoleAdditionalOptions: stack.lookupRole?.assumeRoleAdditionalOptions,
});

In a cross-account deployment allowCrossAccountAssetPublishingForEnv is now requesting SDK credentials for an env that doesnt match the base credentials, but not providing an assume role ARN. This hits the exception handling here throwing the exception seen in the logs.

@niklaskallander
Copy link

We're having the same issue. Can confirm downgrading to cdk@2.162.1 works as suggested by @kevin-journey (Thanks!).

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@mrgrain mrgrain reopened this Oct 22, 2024
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 22, 2024
@mrgrain
Copy link
Contributor

mrgrain commented Oct 22, 2024

Release with fix is in progress.

@khushail khushail added p0 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 22, 2024
@mrgrain mrgrain changed the title CLI: Cross account deployments are broken as of v2.163.0 CLI: Cross account deployments are broken in v2.163.0 Oct 22, 2024
@mrgrain mrgrain changed the title CLI: Cross account deployments are broken in v2.163.0 CLI: Cross-account deployments are failing in v2.163.0 with error 'Need to perform AWS calls for account' Oct 22, 2024
@mrgrain mrgrain added the management/tracking Issues that track a subject or multiple issues label Oct 22, 2024
@mrgrain mrgrain pinned this issue Oct 22, 2024
@mrgrain mrgrain changed the title CLI: Cross-account deployments are failing in v2.163.0 with error 'Need to perform AWS calls for account' ❗NOTICE: Cross-account deployments are failing in v2.163.0 with error 'Need to perform AWS calls for account' Oct 22, 2024
@mrgrain
Copy link
Contributor

mrgrain commented Oct 22, 2024

v2.163.1 was released with a fix.

Can you please confirm if this resolves the issue for you?

@scottrmercer
Copy link

Same issue here that started with 2.163.0, except downgrading did not resolve anything (I tried going back to several different versions) - even after re-bootstrapoping both accounts. It broke deploys from githubactions as well as codepipeline. I've had a ticket open with AWS support for 4 days with absolutely no progress. The weirest part is that if I open up permissions on the deployment account, it will deploy the metadata to the correct target account, while all of the application assets get created in the deployment/pipeline account.

Fortunately, we can still deploy from local machines using a profile for the target account to bypass the assumerole step, otherwise this would be a very big problem.

@mrgrain
Copy link
Contributor

mrgrain commented Oct 26, 2024

Same issue here that started with 2.163.0, except downgrading did not resolve anything (I tried going back to several different versions) - even after re-bootstrapoping both accounts. It broke deploys from githubactions as well as codepipeline.

Hi @scottrmercer sorry you are having issues. Can you please provides some more details on the error you're hitting and the setup you're using? A full dump of the error output will do. What version did you upgrade from? What's the last known working version for you?

While I'm sure you are experiencing issues, this particular change was only introduced in v2.163.0. If reverting back to older versions does not resolve this for you, we are probably looking at a (slighty) different situation. Unfortunately the possible causes for this error message are quite varied and many of them are intentional.

@scottrmercer
Copy link

scottrmercer commented Oct 27, 2024

Of course! Thanks for the reply. Here is an abbreviated version of the log:

// AAAAAAAAAAA = deploment pipeline account
// BBBBBBBBBBB = target account

// When launching env:  {"account":"BBBBBBBBBBB","region":"us-west-2"}


// it assumes the correct role in BBBBBBBBBBB exactly once, then all subsequent assume role calls are against the AAAAAAAAAAA account

[21:48:51] Retrieved account ID 180239838014 from disk cache
[21:48:51] [trace]                 SdkProvider#forEnvironment()
[21:48:51] [trace]                   SdkProvider#resolveEnvironment()
[21:48:51] [trace]                   SdkProvider#obtainBaseCredentials()
[21:48:51] [trace]                     SdkProvider#defaultAccount()
[21:48:51] [trace]                     SdkProvider#defaultCredentials()
[21:48:51] [trace]                   SdkProvider#withAssumedRole()
[21:48:51] Assuming role 'arn:aws:iam::BBBBBBBBBBB:role/cdk-hnb659fds-deploy-role-BBBBBBBBBBB-us-west-2'.

// The deploy fails because the required permissions are not configured in the deploy account, since that is not our target

21:48:52] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: check: Check s3://cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2/e7d43f88a752fbb345e314be7c94924f7ec773f779fc8822c74fdd4fa71a7988.zip
[21:48:52] Assuming role failed: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::AAAAAAAAAAA:role/cdk-hnb659fds-file-publishing-role-AAAAAAAAAAA-us-west-2
[21:48:52] Could not assume role in target account using current credentials User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::AAAAAAAAAAA:role/cdk-hnb659fds-file-publishing-role-AAAAAAAAAAA-us-west-2 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
[21:48:52] current credentials could not be used to assume 'arn:aws:iam::AAAAAAAAAAA:role/cdk-hnb659fds-file-publishing-role-AAAAAAAAAAA-us-west-2', but are for the right account. Proceeding anyway.
[21:48:52] [trace] SDK#s3()
[21:48:52] [trace]   SDK#wrapServiceErrorHandling()
[21:48:52] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: check: Check s3://cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2/e8f803f71c760c26ea6e93c13029e9df0daa9000fe9c0ce7ff67e8af9b0be5a4.json
[21:48:52] [trace] SDK#makeDetailedException()
[21:48:52] Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2","Prefix":"bfff475abaadbe8543c8b90da0a4e6a0e59418f5e2e6faa867f0eaf93710d92e.zip","MaxKeys":1}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action (code=AccessDenied)
[21:48:52] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: debug: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action
[21:48:52] [trace] SDK#makeDetailedException()
[21:48:52] Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2","Prefix":"e7d43f88a752fbb345e314be7c94924f7ec773f779fc8822c74fdd4fa71a7988.zip","MaxKeys":1}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action (code=AccessDenied)
[21:48:52] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: debug: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action
[21:48:52] [trace] SDK#makeDetailedException()
[21:48:52] Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2","Prefix":"de51aa2658be27a8a82b34fb97810f073ca10764a9ade0840a9efb204489c530.zip","MaxKeys":1}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action (code=AccessDenied)
[21:48:52] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: debug: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action
[21:48:53] [trace] SDK#makeDetailedException()
[21:48:53] Call failed: listObjectsV2({"Bucket":"cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2","Prefix":"e8f803f71c760c26ea6e93c13029e9df0daa9000fe9c0ce7ff67e8af9b0be5a4.json","MaxKeys":1}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action (code=AccessDenied)
[21:48:53] exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: debug: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::cdk-hnb659fds-assets-AAAAAAAAAAA-us-west-2" because no identity-based policy allows the s3:ListBucket action
[21:48:53] 5 total assets, 5 still need to be published
[21:48:53] [trace] SdkProvider#resolveEnvironment()
[21:48:53] [trace]   SdkProvider#defaultAccount()
[21:48:53] [trace] SdkProvider#baseCredentialsPartition()
[21:48:53] [trace]   SdkProvider#resolveEnvironment()
[21:48:53] [trace]   SdkProvider#obtainBaseCredentials()
[21:48:53] [trace]     SdkProvider#defaultAccount()
[21:48:53] [trace]     SdkProvider#defaultCredentials()
[21:48:53] [trace]   SDK#currentAccount()
[21:48:53] [trace]     SDK#forceCredentialRetrieval()
[21:48:53] Retrieved account ID AAAAAAAAAAA from disk cache
[21:48:53] [trace] SDK#ssm()
[21:48:53] [trace]   SDK#wrapServiceErrorHandling()
[21:48:53] [trace] SDK#makeDetailedException()
[21:48:53] Call failed: getParameter({"Name":"/cdk-bootstrap/hnb659fds/version"}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:AAAAAAAAAAA:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action (code=AccessDeniedException)
[21:48:53] [trace] SDK#cloudFormation()
[21:48:53] [trace]   SDK#wrapServiceErrorHandling()
[21:48:53] Waiting for stack CDKToolkit to finish creating or updating...
[21:48:53] [trace] SDK#makeDetailedException()
[21:48:53] Call failed: describeStacks({"StackName":"CDKToolkit"}) => User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-west-2:AAAAAAAAAAA:stack/CDKToolkit/5a42d3d0-3833-11ed-8a26-06f20dc37c49 because no identity-based policy allows the cloudformation:DescribeStacks action (code=AccessDenied)
[21:48:53] Notices refreshed
exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: This CDK deployment requires bootstrap stack version '6', but during the confirmation via SSM parameter /cdk-bootstrap/hnb659fds/version the following error occurred: AccessDeniedException: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:AAAAAAAAAAA:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
[21:48:53] Error: exampleservicesandboxexampleserviceExampleWebapisandbox1115F3F1: This CDK deployment requires bootstrap stack version '6', but during the confirmation via SSM parameter /cdk-bootstrap/hnb659fds/version the following error occurred: AccessDeniedException: User: arn:aws:iam::AAAAAAAAAAA:user/github-actions-cdk-deployment is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:AAAAAAAAAAA:parameter/cdk-bootstrap/hnb659fds/version because no identity-based policy allows the ssm:GetParameter action
    at Deployments.validateBootstrapStackVersion (/home/runner/work/example-service/example-service/cdk/node_modules/aws-cdk/lib/api/deployments.ts:898:13)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Deployments.buildSingleAsset (/home/runner/work/example-service/example-service/cdk/node_modules/aws-cdk/lib/api/deployments.ts:837:7)
    at Object.buildAsset (/home/runner/work/example-service/example-service/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:254:7)
    at /home/runner/work/example-service/example-service/cdk/node_modules/aws-cdk/lib/util/work-graph.ts:108:11
Error: Process completed with exit code 1.

My CDK project is very vanilla:

bin/cdk.ts:

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { CdkStack } from '../lib/cdk-stack';
import * as path from "path";
import {Config} from "@company/cdk-base-constructs";

const app = new cdk.App();

const environment = process.env.ENV || 'sandbox';

const config = new Config(path.join(__dirname, "../config.yml"));
const environmentConfig = config.getEnvironment(environment);

console.log('Deploying environment: ${environmentConfig.get('ENVIRONMENT')} -  ${JSON.stringify(environmentConfig.get("env"))}');

new CdkStack(app, 'example-service-' + environmentConfig.get('ENVIRONMENT'), {
    env: {account: "BBBBBBBBBBB", region: "us-west-2"},
    config: environmentConfig
});


------------------------------

lib/cdk-stack.js

import * as cdk from 'aws-cdk-lib';
import {Construct} from 'constructs';
import {StackProps} from "aws-cdk-lib";

import {Config} from "@everwise/cdk-base-constructs";
import {ExampleWebServiceApiStack} from "./example-web-service-api";

interface CdkStackProps extends StackProps {
    env: any;
    config: Config;
}

export class CdkStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props: CdkStackProps) {
        super(scope, id, props);
        console.log('Building ExampleWebServiceApiStack env: ${JSON.stringify(props.config)}');
        new ExampleWebServiceApiStack(this, 'example-service-example-web-api-${props.config.get("ENVIRONMENT")}', {
            env: props.env,
            config: props.config,
        })

    }
}

lib/example-web-service-api.ts:

import {ApplicationSecrets, Config} from "@everwise/cdk-base-constructs";
import * as cdk from "aws-cdk-lib";
import {PolicyStatement} from "aws-cdk-lib/aws-iam";
import * as lambda from "aws-cdk-lib/aws-lambda";
import {Construct} from "constructs";
import * as path from "path";
import * as bedrock from "aws-cdk-lib/aws-bedrock";

export interface ExampleWebServiceStackProps extends cdk.StackProps {
    env: any;
    config: Config;
}

export class ExampleWebServiceApiStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props: ExampleWebServiceStackProps) {
        super(scope, id);

        console.log('Building ExampleWebServiceApiStack env: ${JSON.stringify(props.env)}');

        cdk.Tags.of(this).add("Service", "example-api");
        cdk.Tags.of(this).add("Owner", "Falcon");

        // convert the above to a list of strings
        const piiEntities = [
            "ADDRESS",
            "AGE",
            "AWS_ACCESS_KEY",
            "AWS_SECRET_KEY",
            "CA_HEALTH_NUMBER",
            "CA_SOCIAL_INSURANCE_NUMBER",
            "CREDIT_DEBIT_CARD_CVV",
            "CREDIT_DEBIT_CARD_EXPIRY",
            "CREDIT_DEBIT_CARD_NUMBER",
            "DRIVER_ID",
            "EMAIL",
            "INTERNATIONAL_BANK_ACCOUNT_NUMBER",
            "IP_ADDRESS",
            "LICENSE_PLATE",
            "MAC_ADDRESS",
            "NAME",
            "PASSWORD",
            "PHONE",
            "PIN",
            "SWIFT_CODE",
            "UK_NATIONAL_HEALTH_SERVICE_NUMBER",
            "UK_NATIONAL_INSURANCE_NUMBER",
            "UK_UNIQUE_TAXPAYER_REFERENCE_NUMBER",
            "URL",
            "USERNAME",
            "US_BANK_ACCOUNT_NUMBER",
            "US_BANK_ROUTING_NUMBER",
            "US_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER",
            "US_PASSPORT_NUMBER",
            "US_SOCIAL_SECURITY_NUMBER",
            "VEHICLE_IDENTIFICATION_NUMBER",
        ];

        const cfnGuardrail = new bedrock.CfnGuardrail(
            this,
            'ExampleWebServiceGuardrail-${props.config.get("ENVIRONMENT")}',
            {
                blockedInputMessaging: "blockedInputMessaging",
                blockedOutputsMessaging: "blockedOutputsMessaging",
                name: 'ExampleWebServiceGuardrail-${props.config.get("ENVIRONMENT")}',
                contextualGroundingPolicyConfig: {
                    filtersConfig: [
                        {
                            threshold: 0.7,
                            type: "GROUNDING",
                        },
                        {
                            threshold: 0.7,
                            type: "RELEVANCE",
                        },
                    ],
                },
                description: "PII filtering for API",
                sensitiveInformationPolicyConfig: {
                    piiEntitiesConfig: piiEntities.map((entity) => ({
                        action: "ANONYMIZE",
                        type: entity,
                    })),
                },
            }
        );

        const cfnGuardrailVersion = new bedrock.CfnGuardrailVersion(
            this,
            'ExampleWebServiceGuardrailVersion-${props.config.get("ENVIRONMENT")}',
            {
                guardrailIdentifier: cfnGuardrail.attrGuardrailId,
                description: "PII filtering - versioned",
            }
        );

        const apiSecrets = new ApplicationSecrets(
            this,
            'ExampleWebServiceApiSecrets-${props.config.get("ENVIRONMENT")}',
            {}
        );
        const apiWebhook = new lambda.Function(
            this,
            'ExampleWebServiceApiWebhook-${props.config.get("ENVIRONMENT")}',
            {
                runtime: lambda.Runtime.PYTHON_3_12,
                handler: "handler.handler",
                timeout: cdk.Duration.minutes(15),
                memorySize: 2048,
                environment: {
                    GUARDRAIL_ID: cfnGuardrail.attrGuardrailId,
                    GUARDRAIL_VERSION: cfnGuardrailVersion.attrVersion,
                    LOG_LEVEL: props.config.get("logLevel"),
                },
                code: lambda.Code.fromAsset(
                    path.join(__dirname, "../../src/lambdas/example-web-service"),
                    {
                        bundling: {
                            image: lambda.Runtime.PYTHON_3_12.bundlingImage,
                            command: [
                                "bash",
                                "-xc",
                                [
                                    "pip install -r requirements.txt -t /asset-output",
                                    "cp -a . /asset-output",
                                    "rm -rf /asset-output/{.vscode,requirements-dev.txt,run.py,README.md}",
                                ].join("&&"),
                            ],
                        },
                    }
                ),
            }
        );

        apiSecrets.wrapLambda(apiWebhook);

        apiWebhook.addToRolePolicy(
            new PolicyStatement({
                actions: ["bedrock:InvokeModel"],
                resources: ["*"],
            })
        );

        apiWebhook.addToRolePolicy(
            new PolicyStatement({
                actions: ["bedrock:ApplyGuardrail"],
                resources: [cfnGuardrail.attrGuardrailArn],
            })
        );

        const fnUrl = new lambda.FunctionUrl(
            this,
            "ExampleWebServiceApiWebhookUrl",
            {
                function: apiWebhook,
                authType: lambda.FunctionUrlAuthType.NONE,
                cors: {
                    allowedOrigins: ["*"],
                    allowedHeaders: [
                        "authorization",
                        "x-request-id",
                        "content-type",
                        "x-app-agent",
                    ],
                    allowCredentials: false,
                },
            }
        );

        new cdk.CfnOutput(this, "ExampleWebServiceApiWebhookUrlOutput", {
            value: fnUrl.url,
            exportName: 'ExampleWebServiceApiWebhookUrlOutput${props.config.get(
                "ENVIRONMENT"
            )}',
            description: "",
        });
    }
}```

@mrgrain
Copy link
Contributor

mrgrain commented Oct 28, 2024

Thanks @scottrmercer that's very helpful. One more thing: What version of the bootstrap template are you on? Could you manually check this please. Are you using custom bootstrapping at all?

@rix0rrr
Copy link
Contributor

rix0rrr commented Oct 28, 2024

I can't reproduce this on my machine. I'm seeing some irregularity in the code of your app (or at least, it doesn't look like this is what you intended):

export class ExampleWebServiceApiStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props: ExampleWebServiceStackProps) {
        super(scope, id);
//	               ^^^^^^ missing passing 'props' to super()

Even having said that, that shouldn't cause a failure, just deploy to the wrong environment.

EDIT: it will cause a failure if it's not possible to deploy to environment AAAAAAAAAA at all because it hasn't been bootstrapped; assuming the AAAA-deploy-role will fail, but it will proceed anyway with the current credentials because they are for the right account, and then fail because presumably your GitHub role doesn't have a lot of permissions.

@scottrmercer
Copy link

@rix0rrr - that was the issue, excellent catch.
@mrgrain - I appreciate your time.
Many thanks to you both, this is a big relief!

@cgatt
Copy link
Author

cgatt commented Oct 29, 2024

v2.163.1 was released with a fix.

Can you please confirm if this resolves the issue for you?

I can confirm that 2.163.1 resolved the issue for us, thanks for the quick turnaround.

@mrgrain mrgrain removed the potential-regression Marking this issue as a potential regression to be checked by team member label Nov 17, 2024
@mrgrain mrgrain unpinned this issue Nov 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue is a bug. effort/small Small work item – less than a day of effort management/tracking Issues that track a subject or multiple issues p0 package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants