hupe1980 / cdk-multi-profile-plugin Goto Github PK

It's easy to include the #/ ending on the sso url (i.e. https://MYORG.awsapps.com/start#/) when configuring sso in aws, and it's not clear from any error message what's wrong (you'll get "Current cached SSO login is expired or invalid"). Perhaps we could allow for this difference?

Is it possible to add the arn of a CloudFormation service role? It would be nice not to have to explicitly specify this for each account.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

When working in a team currently every team member has to sync their local AWD profile names or the profile configuration has to be edited before running CDK.

A better approach could be some kind of precedence resolver.

My suggestion for precedence would be:

1. Use ~/.cdkmultiprofileplung.json
2. Use project local package.jsonfor mapping

To not break back backward compatibility first the profile is looked up in ~/.cdkmultiprofileplung.json. If no mapped account is found then the local package.json will be used for looking up a mapping.

As a result, there can be a team configuration in package.json and it can be overridden locally by every team member.

Currently I'm working this issue at https://github.com/vondeetzen/cdk-multi-profile-plugin

The plugin apparently does no longer work with CDK 1.51.0 onwards.

cdk.json:

{
  "app": "npx ts-node bin/infra.ts",
  "context": {
    "@aws-cdk/core:enableStackNameDuplicates": true,
    "aws-cdk:enableDiffNoFail": true,
    "@aws-cdk/core:newStyleStackSynthesis": true
  },
  "plugin": ["cdk-multi-profile-plugin"]
}

cdkmultiprofileplugin.json

{
  "awsProfiles": {
    "1111111111": "1111111111_AWSAdministratorAccess",
    "2222222222": "2222222222_AWSAdministratorAccess",
    "3333333333": "3333333333_AWSAdministratorAccess",
    "4444444444": "4444444444_AWSAdministratorAccess"
  }
}

Running yarn cdk deploy PipelineStack fails with the message:

$ cdk deploy PipelineStack


 🚀  Using profile 1111111111_AWSAdministratorAccess for account 1111111111 in mode ForReading


Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): The security token included in the request is invalid
error Command failed with exit code 1.

Specifying --profile manually works without any issues

yarn cdk deploy PipelineStack --profile 1111111111_AWSAdministratorAccess

Credentials fail when attempting to create a VPC

Step by step:

1. Create and add a network stack (se below) to your AWS CDK app:

   import { Construct, Stack, StackProps } from '@aws-cdk/core';
   import { SubnetType, Vpc } from '@aws-cdk/aws-ec2';
   
   export class NetworkStack extends Stack {
     public readonly vpc: Vpc;
   
     constructor(scope: Construct, id: string, props?: StackProps) {
       super(scope, id, props);
   
       this.vpc = new Vpc(this, 'VPC', {
         subnetConfiguration: [{
           name: 'Isolated',
           cidrMask: 24,
           subnetType: SubnetType.ISOLATED,
         }]
       });
     }
   }

2. Build and deploy:

   $ npm run build
   $ npx cdk synth

Expected result
The AWS CDK should deploy the app and create a new VPC

Actual result

[Error at network-stack] Need to perform AWS calls for account 112233445566, but no credentials found. Tried: default credentials.

package.json excerpt:

{
  "name": "my-app-with-vpc",
  "private": true,
  "bin": {
    "cdk": "bin/cdk.js"
  },
  "scripts": {
    "build": "tsc",
  },
  "devDependencies": {
    "@aws-cdk/aws-ec2": "^1.23.0",
    "@aws-cdk/core": "^1.23.0",
    "cdk-multi-profile-plugin": "^1.1.2",
    "ts-node": "^8.1.0",
    "typescript": "~3.7.2"
  }
}

cdkmultiprofileplugin.json excerpt:

{
  "awsProfiles": {
    "112233445566": "dev-mfa"
  }
}

Where dev-mfa is the AWS CLI profile that is configured (in ~/.aws/config) to access the AWS development account if MFA is provided.

Comment
This setup works when deploying stacks with other resources, such as Lambda functions, S3 buckets, DynamoDB tables, etc.

After starting a new project from scratch (using cdk init) and then adding the cdl-multi-profile-plugin), the npx cdk deploy command fails:

Unable to load cdk-multi-profile-plugin: Error: Cannot find module 'aws-sdk'
Require stack:
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/ini-file-credential-provider-source.js
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/multi-profile-plugin.js
- /Users/user/Projects/cdk-test/node_modules/cdk-multi-profile-plugin/lib/index.js
- /Users/user/Projects/cdk-test/node_modules/aws-cdk/lib/plugin.js
[capped]

Adding the aws-sdk as a dependency to the test project solves the problem, but since it is required by the cdk-multi-profile-plugin it could be added as a dependency to the plugin as well.

cdk-multi-profile-plugin version: 1.1.3

When running cdk synth I get the error:

Unable to resolve plugin cdk-multi-profile-plugin: Error: Cannot find module 'cdk-multi-profile-plugin'
Require stack:
- /Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.js
- /Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:982:15)
    at Function.resolve (internal/modules/cjs/helpers.js:83:19)
    at tryResolve (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:150:24)
    at loadPlugins (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:140:26)
    at initCommandLine (/Users/username/.nvm/versions/node/v12.16.1/lib/node_modules/aws-cdk/bin/cdk.ts:158:3)
Unable to resolve plug-in: cdk-multi-profile-plugin

I followed the documentation of this plugin.

I'm using version 1.27 of aws-cdk. Not sure if the error is related to this plugin or aws-cdk.

After updating the AWS CDK to version 1.30.0 (or 1.29.0), it is no longer possible to deploy stacks with assets if the AWS CLI profile has been configured with MFA authentication.

Consider the following files:

bin/test.ts

#!/usr/bin/env node
import * as cdk from '@aws-cdk/core';
import { LambdaIntegration, RestApi } from '@aws-cdk/aws-apigateway';
import { Function, InlineCode, Runtime } from '@aws-cdk/aws-lambda';
import { RetentionDays } from '@aws-cdk/aws-logs';

class TestStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const lambda = new Function(this, 'Lambda', {
      runtime: Runtime.NODEJS_12_X,
      code: new InlineCode('exports.handler = function(event, ctx, cb) { return cb(null, "hi"); }'),
      handler: 'index.handler',
      logRetention: RetentionDays.ONE_DAY,
    });

    const restApi = new RestApi(this, 'RestApi');
    restApi.root.addMethod('GET', new LambdaIntegration(lambda), {
    });
  }
}

const app = new cdk.App();
new TestStack(app, 'TestStack', {
  env: {
    account: '111222333444',
    region: 'eu-west-1',
  },
});

cdk.json

{
  "app": "npx ts-node bin/test.ts",
  "plugin": ["cdk-multi-profile-plugin"]
}

cdkmultiprofileplugin.json

{
  "awsProfiles": {
    "111222333444": "mfa-profile"
  }
}

package.json

{
  "name": "test",
  "version": "0.1.0",
  "bin": {
    "test": "bin/test.js"
  },
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk"
  },
  "devDependencies": {
    "@aws-cdk/aws-apigateway": "^1.30.0",
    "@aws-cdk/aws-lambda": "^1.30.0",
    "@aws-cdk/core": "1.30.0",
    "@types/jest": "^24.0.22",
    "@types/node": "10.17.5",
    "aws-cdk": "1.30.0",
    "cdk-multi-profile-plugin": "^1.1.2",
    "jest": "^24.9.0",
    "ts-jest": "^24.1.0",
    "ts-node": "^8.1.0",
    "typescript": "~3.7.2"
  }
}

Using CDK version 1.28.0 (or lower) it was possible to deploy this stack. However, after the upgrade it fails:

$  npm run build && npx cdk deploy
> [email protected] build /Users/mattias/Projects/Bombardier/test
> tsc

 🚀  Using profile mfa-profile for account 111222333444 in mode ForReading

? MFA token for arn:aws:iam::111222333444:mfa/some-user: 492769
Do you wish to deploy these changes (y/n)? y
TestStack: deploying...

 🚀  Using profile mfa-profile for account 111222333444 in mode ForWriting
[0%] start: Publishing [random string]:current
[100%] fail: AWS credentials are required to upload assets. Please configure environment variables or ~/.aws/credentials.

 ❌  TestStack failed: Error: Failed to publish one or more assets. See the error messages above for more information.
    at Object.publishAssets (/Users/test/node_modules/aws-cdk/lib/util/asset-publishing.ts:18:11)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at Object.deployStack (/Users/test/node_modules/aws-cdk/lib/api/deploy-stack.ts:132:3)
    at CdkToolkit.deploy (/Users/test/node_modules/aws-cdk/lib/cdk-toolkit.ts:152:24)
    at main (/Users/test/node_modules/aws-cdk/bin/cdk.ts:229:16)
    at initCommandLine (/Users/test/node_modules/aws-cdk/bin/cdk.ts:172:9)
Failed to publish one or more assets. See the error messages above for more information.

Hi,

I can remember that I was using this plugin a year ago already. While it wasn't possible to specify the account-Id/Name relation it was possible to use cross account references. Now with CDK version 1.46.0 I'm getting this error. I guess this is something that CDK introduced in the meantime. For me this is the only reason the use this plugin. Since you are more into CDK code I guess: Do you have an idea how to get around this?

Thanks for that awesome plugin!

Unfortunately it doesn't seem to work anymore with recent versions of CDK v2 RC (at least 2.0.0-rc.20).
It seems like some exports aren't available anymore.
After changing some imports the plugin works again.

Error:

Unable to load cdk-multi-profile-plugin: Error: Cannot find module 'aws-cdk'
Require stack:
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/ini-file-credential-provider-source.js
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/multi-profile-plugin.js
- /PATHTOREPO/node_modules/cdk-multi-profile-plugin/lib/index.js
- /PATHTOREPO/node_modules/aws-cdk/lib/plugin.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/credential-plugins.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.js
- /PATHTOREPO/node_modules/aws-cdk/lib/api/aws-auth/index.js
- /PATHTOREPO/node_modules/aws-cdk/bin/cdk.js
- /PATHTOREPO/node_modules/aws-cdk/bin/cdk
    at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
    at Function.Module._load (node:internal/modules/cjs/loader:778:27)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:94:18)
    at Object.<anonymous> (/PATHTOREPO/node_modules/cdk-multi-profile-plugin/src/ini-file-credential-provider-source.ts:4:1)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
Unable to load plug-in: cdk-multi-profile-plugin

Working Fix:

// /cdk-multi-profile-plugin/ini-file-credential-provider-source.ts:4
import { CredentialProviderSource, Mode } from "aws-cdk/lib/api/aws-auth/credentials";

// /cdk-multi-profile-plugin/multi-profile-plugin
import { Plugin, PluginHost } from "aws-cdk/lib/plugin";

Are you aware of that? I didn't dig too deep into the CDKv2 Source and not sure if there are any official API Changes for Plugins. If it's fine for you to import the exports directly from the specific files I can create a PR. But an official API would be more solid.