but when I try to do the same thing in codebuild, I get errors like, Cannot find module '@aws-cdk/cloud-assembly-schema'
so I added this particular module to npm dev dependencies
> mw-auth@0.9.6 cdk /codebuild/output/src982291460/src
> cdk "synth" "-o" "dist"
Cannot find module 'constructs'
Require stack:
- /codebuild/output/src982291460/src/node_modules/@aws-cdk/core/lib/annotations.js
- /codebuild/output/src982291460/src/node_modules/@aws-cdk/core/lib/tag-aspect.js
- /codebuild/output/src982291460/src/node_modules/@aws-cdk/core/lib/index.js
- /codebuild/output/src982291460/src/bin/mw-auth-cdk.ts
Question regarding cdk bootstrap with the modern bootstrap template: if I bootstrap with --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess, are there any benefits to limiting the user that will be executing cdk deploy to only be able to assume the CDK roles? Or does it not matter since the user can deploy anything via CloudFormation?
in other words, which is more secure
npx cdk synth runs fine locally in my project and generates the cdk.out folder. In AWS CodePipeline I don't get much error detail to go on. Just:
[Container] 2021/03/20 15:35:27 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2021/03/20 15:35:27 Phase context status code: Message:
[Container] 2021/03/20 15:35:27 Expanding base directory path: cdk.out
[Container] 2021/03/20 15:35:27 Assembling file list
[Container] 2021/03/20 15:35:27 Expanding cdk.out
[Container] 2021/03/20 15:35:27 Skipping invalid file path cdk.out
[Container] 2021/03/20 15:35:27 Phase complete: UPLOAD_ARTIFACTS State: FAILED
[Container] 2021/03/20 15:35:27 Phase context status code: CLIENT_ERROR Message: no matching base directory path found for cdk.out
Hi, I'm having some trouble passing an output variable from a buildAction to pipeline.addApplicationStage as there's no way to define parameters set during deploy time.
const imageTag = buildAction.variable('imageTag');
const stage = pipeline.addApplicationStage(new ApiDeployStagingStage(this, 'Deploy', {
  env: { account: 'acc', region: 'region' },
  vars: {
    imageTag, // How do I pass this variable?
  }
}));
How should I go about passing the imageTag from earlier action into addApplicationStage?
I've got an EC2 instance whose security group allows all outbound. But it cannot connect to my RDS instance unless I set:
database.connections.allow_from(
    instance, aws_ec2.Port.tcp(5432), description="Allow RDS to accept incoming connections from EC2."
)
Because I need the database to allow incoming connections. But doing this gives me this warning:
[Warning at /stack-devel/Ec2SecurityGroup] Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
I'd rather the warning go away than ignore it. Is there some more proper way to tell RDS to allow incoming connections from the EC2 instance?
Hi - looking for some help breaking out of a paradox around information passing between stack and stages.
Goal: A project where I use a mutating CDK pipeline to build a web architecture. Once the architecture is built I want to deploy the react code to the www bucket.
Structure
1) have a standard CDK Pipeline (including a source artifact for the whole project)
2) It creates some infrastructure including a bucket (as a stage)
3) once the bucket is created I run a CodeBuild project to compile some source (react) and deploy it to the bucket
Have tried 4-5 different methods but am having difficulties structuring this so I don't violate passing any information out of a stage.
I am not allowed to pass the (source) Artifact from the Stack holding the CDKPipeline to the Stage which creates the bucket
I am not allowed to pass the Bucket created by the Stage out of the stage for use with a CodeBuild project
Was thinking of duplicating the entire CodePipeline within the stage but don't think that is going to work either
Any pointers much appreciated.
Anyone else see these kinds of type errors with Python:
Argument of type "ServicePrincipal" cannot be assigned to parameter "assumed_by" of type "IPrincipal" in function "__init__"
"__jsii_proxy_class__" is an incompatible type
Type "() -> Type[_PrincipalBaseProxy]" cannot be assigned to type "() -> Type[_IPrincipalProxy]"
Function return type "Type[_PrincipalBaseProxy]" is incompatible with type "Type[_IPrincipalProxy]"
Type "Type[_PrincipalBaseProxy]" cannot be assigned to type "Type[_IPrincipalProxy]"
"Type[_PrincipalBaseProxy]" is incompatible with "Type[_IPrincipalProxy]"
Type "Type[_PrincipalBaseProxy]" cannot be assigned to type "Type[_IPrincipalProxy]"
"__jsii_proxy_class__" is an incompatible type
Type "() -> Type[_PrincipalBaseProxy]" cannot be assigned to type "() -> Type[_IGrantableProxy]" error reportGeneralTypeIssues nil 46 72)
The stack runs fine, but it's hard to tell real errors when I have these littered all over my stack class.
Does anyone use Lambda aliases successfully? :D
I'm facing huge issues with it, e.g. A version for this Lambda function exists. Modify the function to create a new version.
I also added the description like mentioned here: aws/aws-cdk#5334 to make sure every time a new version is generated.
That change probably caused another issue on my SQS: An event source mapping with SQS arn and function already exists.
The mapping (SQS -> Lambda Alias Trigger) looks like this: lambdaAlias.addEventSource(SqsEventSource(alarmInput))
@austinbv_twitter Didn't know you were using CDK dude, me too! I'm gonna want to chat with you about how you're setting up your nested stacks.
I think I've gone a bit stack-crazy and have run into very annoying cross-stack dependency issues. E.g. when I added a security group to an LB in my AppPlatformStack (Fargate cluster + RabbitMQ), I have an application stack that then adds itself as a listener rule to the ALB in the AppPlatformStack, and hell ensued when I tried to give the ALB an explicit security group.
I have a Cfn.Role in which the property name assumedRolePolicyDocument has a FederatedPrincipal that allows requests to be made by only a specific static URL. This URL (OIDC-provided URL) is static and therefore this assumedRolePolicy will not change. But logical decision(s) aside, is there a way I can directly inject a JSON object in a key value?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS::AccountId}:oidc-provider/${ClusterOIDCURL}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${ClusterOIDCURL}:sub": "system:serviceaccount:test-namespace:test-service-account"
        }
      }
    }
  ]
}
const role = new iam.CfnRole(this, "some-role", {
  assumeRolePolicyDocument: "", // TODO: inject here
  managedPolicyArns: [policy.managedPolicyArn.toString()],
});
CfnInclude is promising but wanted to know if there is a way to use the JSON object directly for just a property.
Also, is there a place where I can find some literature about how these props and defined const are serialized and deserialized?