(core): crossRegionReference only works for first destination region #24464

Closed
jsamuel1 opened this issue Mar 5, 2023 · 6 comments · Fixed by #25190
Labels
@aws-cdk/core Related to core CDK functionality bug This issue is a bug. effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

jsamuel1 commented Mar 5, 2023

Describe the bug

When referencing a value from a source stack in two destination regions, only the first region is granted permissions on the CrossRegionExportWriterCustomResourceProvider/Role, resulting in a stack deployment failure with insufficient permissions on ssm:ListTagsForResource in the second destination region.

Expected Behavior

Expected behaviour is for the IAM role to include each of the destination regions required.

Current Behavior

IAM Statement Changes:
Resource: "arn:aws:ssm:ap-southeast-1:082966487824::parameter/cdk/exports/*"
Effect: Allow
Action: ssm:DeleteParameters, ssm:GetParameters,ssm:ListTagsForResource,ssm:PutParameter
Principal: AWS:${Custom::CrossRegionExportWriterCustomResourceProvider/Role}

Error
8:48:55 am | CREATE_FAILED | Custom::CrossRegionExportWriter | ExportsWriterapsou...t2235C849A8E92266D
Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: User: arn:aws:sts::082966487824:assumed-role/sourceStack-CustomCrossRegionExportWriterCustomRes-1L7WV0YX11H2H/sourceStack-CustomCrossRegionExportWriterCustomRes-XU6vlSVHMoXz is not authorized to perform: ssm:ListTagsForResource on resource: arn:aws:ssm:ap-southeast-2:082966487824:parameter/cdk/exports/Region2Stack/sourceStackuseast1RefhostedZone861779BD20ED3C2C because no identity-based policy allows the ssm:ListTagsForResource action

Reproduction Steps

Sample Repo Code:

import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { Stack } from 'aws-cdk-lib';

const app = new cdk.App();

// Producing stack in us-east-1 that owns the hosted zone being referenced.
const sourceStack = new Stack(app, 'sourceStack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'us-east-1' } });
const hostedZone = new cdk.aws_route53.HostedZone(sourceStack, 'hostedZone', { zoneName: 'test.local' });

// First consuming region: referencing hostedZone here creates a cross-region export and the ExportsWriter custom resource.
const destRegion1Stack = new Stack(app, 'Region1Stack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'ap-southeast-1' }, crossRegionReferences: true });
new cdk.aws_route53.TxtRecord(destRegion1Stack, 'FirstARecord', { zone: hostedZone, recordName: 'ap-southeast-1', values: ['ap-southeast-1'] });

// Second consuming region: the same export must be written to ap-southeast-2, but the writer role is only granted ap-southeast-1.
const destRegion2Stack = new Stack(app, 'Region2Stack', { env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: 'ap-southeast-2' }, crossRegionReferences: true });
new cdk.aws_route53.TxtRecord(destRegion2Stack, 'SecondARecord', { zone: hostedZone, recordName: 'ap-southeast-2', values: ['ap-southeast-2'] });

Possible Solution

the IAM role should include permissions to all required regions.

Additional Information/Context

No response

CDK CLI Version

2.67.0 (build b6f7f39)

Framework Version

No response

Node.js Version

v18.13.0

OS

MacOs/Linux/Agnostic

Language

Typescript

Language Version

Typescript (v10.9.1)

Other information

No response
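The failure above is a pure IAM coverage gap: the export writer's role lists the /cdk/exports/ parameter ARN for the first consuming region only, so the writer's SSM calls in the second region hit an explicit "no identity-based policy allows" denial. The following TypeScript is an added example, not CDK's own code or the reporter's: it models the writer role's policy as a plain IAM policy document, builds the pre-fix shape (first region only) and the post-fix shape (every consuming region, which is what the fix merged later in this thread does), and runs a simplified allow/deny evaluation to report which consuming regions are left uncovered. The account id, stack name and export name are constructed sample values; the actions are the four listed in the "IAM Statement Changes" output.

```typescript
// Added example, not CDK's own code. Models the export writer's IAM grant
// as a plain policy document and checks it covers every consuming region.
// Account id, stack and export names below are constructed sample values.

interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

// The actions shown in the bug report's "IAM Statement Changes" output.
const EXPORT_WRITER_ACTIONS: string[] = [
  'ssm:DeleteParameters',
  'ssm:GetParameters',
  'ssm:ListTagsForResource',
  'ssm:PutParameter',
];

// Wildcard ARN for the /cdk/exports/ parameter namespace in one region.
function exportsParameterArn(account: string, region: string, partition = 'aws'): string {
  return `arn:${partition}:ssm:${region}:${account}:parameter/cdk/exports/*`;
}

// Build the writer role's policy for a set of consuming regions.
// Passing only the first region reproduces the pre-fix shape; passing all
// of them is the shape the fix produces.
function exportWriterPolicy(account: string, regions: string[], partition = 'aws'): PolicyDocument {
  const resources = Array.from(new Set(regions)).map(r => exportsParameterArn(account, r, partition));
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: [...EXPORT_WRITER_ACTIONS], Resource: resources }],
  };
}

// IAM-style wildcard: '*' matches any run of characters, '?' one character.
// Action names are case-insensitive in IAM; resource ARNs are matched as-is.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

// Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
// matching Allow grants. (No conditions, principals or resource policies.)
function isAllowed(doc: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const s of doc.Statement) {
    const actionHit = s.Action.some(a => wildcardMatch(a, action, true));
    const resourceHit = s.Resource.some(r => wildcardMatch(r, resource, false));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Regions in which the writer could NOT perform every action on a parameter
// under /cdk/exports/. A non-empty result is exactly the failure in this issue.
function uncoveredRegions(doc: PolicyDocument, account: string, regions: string[], partition = 'aws'): string[] {
  return regions.filter(region => {
    // Shape of the parameter the writer actually touches (sample stack/export names).
    const parameter = `arn:${partition}:ssm:${region}:${account}:parameter/cdk/exports/Region2Stack/sampleExport`;
    return !EXPORT_WRITER_ACTIONS.every(a => isAllowed(doc, a, parameter));
  });
}

const SAMPLE_ACCOUNT = '123456789012';                       // constructed
const CONSUMING_REGIONS = ['ap-southeast-1', 'ap-southeast-2'];

// Pre-fix: only the first consuming region is in the policy.
const buggyPolicy = exportWriterPolicy(SAMPLE_ACCOUNT, CONSUMING_REGIONS.slice(0, 1));
// Post-fix: every consuming region is in the policy.
const fixedPolicy = exportWriterPolicy(SAMPLE_ACCOUNT, CONSUMING_REGIONS);

console.log('pre-fix uncovered regions:', uncoveredRegions(buggyPolicy, SAMPLE_ACCOUNT, CONSUMING_REGIONS));
console.log('post-fix uncovered regions:', uncoveredRegions(fixedPolicy, SAMPLE_ACCOUNT, CONSUMING_REGIONS));
```

The same uncoveredRegions check is a useful pre-deploy assertion in your own CDK app: read the synthesized writer role's policy out of the producing stack's template and require the result to be empty before cdk deploy, so a missing region shows up in CI rather than as a CREATE_FAILED on the custom resource. The evaluator is deliberately minimal (no Condition keys, no permission boundaries, no SCPs), so a pass here means the identity policy covers the region, not that every other guardrail does.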

@jsamuel1 jsamuel1 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 5, 2023
@github-actions github-actions bot added the @aws-cdk/core Related to core CDK functionality label Mar 5, 2023

pahud commented Mar 6, 2023

According to the description in #22008

Currently this will create a single ExportsWriter per region, but we could potentially update this to just use a single ExportsWriter which can write exports to a list of regions.

I believe writing exports to multiple consuming regions is not supported yet. I can reproduce this in my account and am making it a p1 feature request for now.

@pahud pahud added p1 feature-request A feature should be added or improved. effort/medium Medium work item – several days of effort needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 6, 2023
@pahud pahud self-assigned this Mar 6, 2023
@pahud pahud removed the needs-reproduction This issue needs reproduction. label Mar 6, 2023
@pahud pahud removed their assignment Mar 6, 2023
@mrpackethead

I am also finding permission errors with the CrossRegionWriter.

If I update the attributes of a stack, and redeploy, I get this error.

❌ Deployment failed: Error: Stack Deployments Failed: Error: The stack named BuildCoreNetwork-CrowdstrikeEndpoints failed to deploy: UPDATE_ROLLBACK_FAILED (The following resource(s) failed to update: [ExportsWriterapsoutheast2235C849A8E92266D]. ): Received response status [FAILED] from custom resource. Message returned: Error: Exports cannot be updated: 

    at throwIfAnyInUse (/var/task/index.js:4:10)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async handler (/var/task/index.js:3:54)
    at async Runtime.handler (/var/task/__entrypoint__.js:1:932) (RequestId: cfbddadf-d1b6-40a9-bb18-a92eddbc9c3e), Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: User: arn:aws:sts::108967544837:assumed-role/BuildCoreNetwork-Crowdstr-CustomCrossRegionExportW-7A0BHK7VO7QU/BuildCoreNetwork-Crowdstr-CustomCrossRegionExportW-kG0ITAeZRmZA is not authorized to perform: ssm:DeleteParameters on resource: arn:aws:ssm:ap-southeast-2:1xxxxxxxxxxx7:* because no identity-based policy allows the ssm:DeleteParameters action
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18) (RequestId: e9de1172-5ff5-4c63-b46a-9407d574a4b1)
    at deployStacks (/home/ec2-user/.nvm/versions/node/v16.15.1/lib/node_modules/aws-cdk/lib/index.js:330:130488)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async CdkToolkit.deploy (/home/ec2-user/.nvm/versions/node/v16.15.1/lib/node_modules/aws-cdk/lib/index.js:330:146712)
    at async exec4 (/home/ec2-user/.nvm/versions/node/v16.15.1/lib/node_modules/aws-cdk/lib/index.js:385:51296)

At present the only way I've been able to resolve this is to manually delete the SSM parameters, delete the stack and redeploy. Fortunately this was not a production stack so I had the ability to do that...

@joshmurrayeu

As per the original issue, is there any workaround to manually add/create another CrossRegionExportWriter for the region that isn't authorised? I'm currently trying to get an application across three regions (eu-west-1, eu-west-2 and eu-north-1) and get a similar issue:

{crossRegionExportWriterRoleArn} is not authorized to perform: ssm:ListTagsForResource on resource: {ssmParameterArn}

@nomike

nomike commented Mar 16, 2023

I'm affected by this as well.

@LikeFury

Is there an update on this issue? Any way we can float this to the top?

@corymhall corymhall self-assigned this Apr 18, 2023
@mergify mergify bot closed this as completed in #25190 Apr 21, 2023
mergify bot pushed a commit that referenced this issue Apr 21, 2023
…ple regions (#25190)

The cross region export writer was only being given permissions to the first region it would export to. Fixing this by adding each consuming region to the IAM policy.

fixes #24464


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*