Skip to content

fix: ensure the admin role stabilizes for self-managed stacksets #678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
martinjlowm wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: ensure the admin role stabilizes for self-managed stacksets #678

martinjlowm wants to merge 2 commits into from

Conversation

@martinjlowm
Copy link

@martinjlowm martinjlowm commented Dec 22, 2024
edited by kaizencc
Loading

Looks like #439 tackles the same problem, however, I think DependsOn is sufficient and is typically what is used in aws-cdk-lib, e.g. https://github.com/aws/aws-cdk/blob/0546ec24c5fa60cae41c6561d7178de7a403a713/packages/%40aws-cdk/aws-kinesisanalytics-flink-alpha/lib/application.ts#L1030

For anyone looking for a workaround with the current release, you can add the dependency like so:

if (selfManagedStackSet.role) {
  selfManagedStackSet.node.addDependency(selfManagedStackSet.role);
}

fixes #438, supersedes #439

kaizencc
kaizencc requested changes Dec 24, 2024
View reviewed changes
Copy link
Contributor

@kaizencc kaizencc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @martinjlowm I agree that this is the correct way to approach the issue. Can you add a unit test to be safe? I can't accept this without some sort of testing change. If you really cannot, I will add this to my list of things to do but that may incur a delay :)

The unit test can be super simple kind of like this:

https://github.com/aws/aws-cdk/blob/d48d77aa1adbddf27c94e279ee756bdc2c2d18cf/packages/%40aws-cdk/app-staging-synthesizer-alpha/test/app-staging-synthesizer.test.ts#L111-L123

@kaizencc kaizencc mentioned this pull request Dec 24, 2024
Closed
@tabrezm
Copy link

tabrezm commented Dec 24, 2024

AFAIK, it's not typical for a CDK resource to modify an existing role by adding a policy, which is what the current code does. That's why this proposed fix made it conditional on whether the role is new or existing.

auto-merge was automatically disabled January 26, 2025 20:40

Head branch was pushed to by a user without write access

@martinjlowm
Copy link
Author

martinjlowm commented Jan 26, 2025

@kaizencc - a month later and here we go. I hope checking DependsOn will suffice ✌️

@martinjlowm martinjlowm requested a review from kaizencc January 26, 2025 20:56
@alexpkarlsson
Copy link

alexpkarlsson commented May 22, 2025

Any updates on this?

AFAIK, it's not typical for a CDK resource to modify an existing role by adding a policy, which is what the current code does. That's why this proposed fix made it conditional on whether the role is new or existing.

Also in relation to this it would be great if it was also possible to conditionally skip adding a policy to the role if it's a pre-created one.

This is due to us preferably wanting to use a predefined role that is used to multiple StackSets which will potentially run into hitting the limit of 10 attached policies.

Not sure what the best way to handle this would be but could imagine just having an optional flag sent into DeploymentType.selfManaged()

Such as

DeploymentType.selfManaged({
  adminRole: role,
  executionRoleName: 'FooBar',
  attachRolePolicy: false,
})

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaizencc kaizencc Awaiting requested review from kaizencc

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Race condition when using self managed deployment type

4 participants

@martinjlowm @tabrezm @alexpkarlsson @kaizencc