aws-cdk: (codepipeline): Cannot deploy multiple copies of the same Pipeline with `crossAccountKeys: true`

What is the problem?

Hi,

In our context we need to have multiple pipelines per pull request; each pull request deploys its own set of stacks in the same region and account.

We use a namespace partition key we name ‘env name’: this partition key is then used as a suffix for all resources we create. This allows us to have multiple isolated environments and provides a lot of flexibility.

Reproduction Steps

A basic pipeline is created:

    def _create_domain_pipeline(self):
        domain_pipeline = pipelines.CodePipeline(
            self,
            'Pipeline',
            pipeline_name=f'Quickstart-Pipeline-{self._env_name}',
            self_mutation=True,
            synth=self._create_codestar_synth_step(),
            cross_account_keys=True,
            reuse_cross_region_support_stacks=False,
        )

If the cross_account_keys prop is true, then a KMS alias is created in the synthesized pipeline template:

    "PipelineArtifactsBucketEncryptionKeyAlias94A07392": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/codepipeline-quickstartpipelineb94f72c0",
        "TargetKeyId": {
          "Fn::GetAtt": [
            "PipelineArtifactsBucketEncryptionKeyF5BF0670",
            "Arn"
          ]
        }
      },

What did you expect to happen?

I would like to create multiple pipeline stacks with different names, like when the option cross_account_keys is False.

Please note that this was possible with CDK 1.134.0 version.

What actually happened?

If I try to create multiple envs with different env names such as PR-1 and PR-10, it fails when the option cross_account_keys is True because the same KMS alias is shared between all the environments.

When I synthesized the same CDK app multiple times, I got one stack template per env name, which is good:

    assembly-Quickstart-Pipeline-HelloWorld-PR-3
    assembly-Quickstart-Pipeline-HelloWorld-PR-45

But I have only one template, Quickstart-Pipeline.template.json, and this template contains the same AliasName for the KMS key, so it fails because, for instance, I already deployed the PR-3 pipeline and the KMS alias is already there when I try to deploy PR-45.

CDK CLI Version

2.10.0

Framework Version

2.10.0

Node.js Version

v16.13.0

OS

Mac Monterey

Language

Python

Language Version

3.8

Other information

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 23 (12 by maintainers)
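
A pre-deploy check for the alias collision reported in this issue, as an added example that is not part of the original thread or of the CDK: it compares the literal `AliasName` of every `AWS::KMS::Alias` across synthesized templates. The sample templates, the directory labels, the PR-7 and PR-8 entries and the function names are constructed, and the check assumes every template targets the same account and region.

```python
import json
from collections import defaultdict
from pathlib import Path

ALIAS = "alias/codepipeline-quickstartpipelineb94f72c0"  # value quoted in the issue
NAME = "Quickstart-Pipeline.template.json"


def _template(alias_name):
    """Constructed minimal template with one KMS alias, shaped like the issue's."""
    return {"Resources": {"PipelineArtifactsBucketEncryptionKeyAlias94A07392": {
        "Type": "AWS::KMS::Alias",
        "Properties": {"AliasName": alias_name, "TargetKeyId": {"Fn::GetAtt": [
            "PipelineArtifactsBucketEncryptionKeyF5BF0670", "Arn"]}}}}}


# Constructed sample: one synth output per env name. PR-7 and PR-8 are
# hypothetical variants (env-specific literal alias, alias built from intrinsics).
SAMPLE = {
    f"PR-3/{NAME}": _template(ALIAS),
    f"PR-45/{NAME}": _template(ALIAS),
    f"PR-7/{NAME}": _template("alias/codepipeline-example-pr-7"),
    f"PR-8/{NAME}": _template({"Fn::Join": ["", ["alias/", {"Ref": "EnvName"}]]}),
}


def load_templates(root):
    """Parse every *.template.json below a directory of saved synth outputs."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): json.loads(p.read_text())
            for p in sorted(root.rglob("*.template.json"))}


def find_alias_collisions(templates):
    """Return (collisions, unresolved): alias names declared more than once,
    and aliases whose name cannot be compared statically."""
    owners, unresolved = defaultdict(list), []
    for label, template in templates.items():
        for logical_id, res in template.get("Resources", {}).items():
            if res.get("Type") != "AWS::KMS::Alias":
                continue
            name = res.get("Properties", {}).get("AliasName")
            if isinstance(name, str):
                owners[name].append((label, logical_id))
            else:  # built from intrinsics, only known at deploy time
                unresolved.append((label, logical_id))
    return {n: o for n, o in owners.items() if len(o) > 1}, unresolved


if __name__ == "__main__":
    for name, where in find_alias_collisions(SAMPLE)[0].items():
        print(f"{name} declared by: {', '.join(label for label, _ in where)}")
```

Run against saved synth outputs with `find_alias_collisions(load_templates(path))`; entries in `unresolved` need a manual look because their alias name is only fixed at deploy time.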

Most upvoted comments

thanks for the tips @skinny85

AFAIR you can iterate over stack nodes and locate the KMS key in question. Once you do that you can make this name change. I think findAll is the one that you should look at. Not sure if you need to use an aspect here as well (maybe so).

I would tend to avoid patching CDK behaviour at runtime before I understand what the intent of the CDK is: is it expected to not support a basic use case to save KMS key costs? Is it something else I don’t understand?

Especially if the patch relies on CDK template generation implementation details for which there is no API contract. I don’t want to base our entire CDK CI/CD strategy on such a workaround.