fix(codedeploy): cross-region referenced groups use wrong config (#23986)

DeploymentGroups grant IAM permissions to their DeploymentConfigs, by their ARN.

When using a predefined DeploymentConfig (like `ECS_ALL_AT_ONCE`) however, we used to use `Aws.ACCOUNT_ID, Aws.REGION` to build the ARN for the DeploymentConfig. This would be incorrect if the DeploymentGroup is referenced in a different region (by using `DeploymentGroup.fromDeploymentGroupArn()`): the `Aws.REGION` token would resolve to the region of the *referencing Stack*, instead of the region of the *referenced DeploymentGroup*.

Make all predefined DeploymentConfigs implement a hidden interface that allows the DeploymentGroup to specialize the Config to its own account and region. This behavior is not relevant for user-created deployment configs: those will still be region-bound, so customers won't need access to this interface.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

.gitallowed

@@ -14,7 +14,11 @@ account: '012345678913'
 
 # Account patterns used in the CHANGELOG
 account: '123456789012'
+
+111111111111
+222222222222
 123456789012
+333333333333
 
 # The account ID's of public facing ECR images for App Mesh Envoy
 # https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html

packages/@aws-cdk/aws-codedeploy/lib/ecs/deployment-group.ts

@@ -222,7 +222,7 @@ export class EcsDeploymentGroup extends DeploymentGroupBase implements IEcsDeplo
     this.alarms = props.alarms || [];
 
     this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AWSCodeDeployRoleForECS'));
-    this.deploymentConfig = props.deploymentConfig || EcsDeploymentConfig.ALL_AT_ONCE;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || EcsDeploymentConfig.ALL_AT_ONCE);
 
     if (cdk.Resource.isOwnedResource(props.service)) {
       const cfnSvc = (props.service as ecs.BaseService).node.defaultChild as ecs.CfnService;
@@ -358,6 +358,6 @@ class ImportedEcsDeploymentGroup extends ImportedDeploymentGroupBase implements
     });
 
     this.application = props.application;
-    this.deploymentConfig = props.deploymentConfig || EcsDeploymentConfig.ALL_AT_ONCE;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || EcsDeploymentConfig.ALL_AT_ONCE);
   }
 }

packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts

@@ -162,7 +162,7 @@ export class LambdaDeploymentGroup extends DeploymentGroupBase implements ILambd
     this.alarms = props.alarms || [];
 
     this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRoleForLambdaLimited'));
-    this.deploymentConfig = props.deploymentConfig || LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES);
 
     const resource = new CfnDeploymentGroup(this, 'Resource', {
       applicationName: this.application.applicationName,
@@ -290,6 +290,6 @@ class ImportedLambdaDeploymentGroup extends ImportedDeploymentGroupBase implemen
     });
 
     this.application = props.application;
-    this.deploymentConfig = props.deploymentConfig || LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES);
   }
 }

packages/@aws-cdk/aws-codedeploy/lib/private/base-deployment-group.ts

@@ -1,7 +1,9 @@
 import * as iam from '@aws-cdk/aws-iam';
 import { Resource, IResource, ArnFormat, Arn, Aws } from '@aws-cdk/core';
 import { Construct } from 'constructs';
+import { IBaseDeploymentConfig } from '../base-deployment-config';
 import { CfnDeploymentGroup } from '../codedeploy.generated';
+import { isPredefinedDeploymentConfig } from './predefined-deployment-config';
 import { validateName } from './utils';
 
 /**
@@ -52,6 +54,15 @@ export class ImportedDeploymentGroupBase extends Resource {
     this.deploymentGroupName = deploymentGroupName;
     this.deploymentGroupArn = deploymentGroupArn;
   }
+
+  /**
+   * Bind DeploymentGroupConfig to the current group, if supported
+   *
+   * @internal
+   */
+  protected _bindDeploymentConfig(config: IBaseDeploymentConfig) {
+    return isPredefinedDeploymentConfig(config) ? config.bindEnvironment(this) : config;
+  }
 }
 
 export interface DeploymentGroupBaseProps {
@@ -114,6 +125,15 @@ export class DeploymentGroupBase extends Resource {
     this.node.addValidation({ validate: () => validateName('Deployment group', this.physicalName) });
   }
 
+  /**
+   * Bind DeploymentGroupConfig to the current group, if supported
+   *
+   * @internal
+   */
+  protected _bindDeploymentConfig(config: IBaseDeploymentConfig) {
+    return isPredefinedDeploymentConfig(config) ? config.bindEnvironment(this) : config;
+  }
+
   /**
    * Set name and ARN properties.
    *
@@ -135,4 +155,4 @@ export class DeploymentGroupBase extends Resource {
       arnFormat: ArnFormat.COLON_RESOURCE_NAME,
     });
   }
-}
+}

packages/@aws-cdk/aws-codedeploy/lib/private/predefined-deployment-config.ts

@@ -0,0 +1,31 @@
+import { IResource } from '@aws-cdk/core';
+import { IBaseDeploymentConfig } from '../base-deployment-config';
+
+/**
+ * A reference to a DeploymentConfig that is managed by AWS
+ *
+ * Since these DeploymentConfigs are present in every region, and we might use
+ * them in conjunction with cross-region DeploymentGroups, we need to specialize
+ * the account and region to the DeploymentGroup before using.
+ *
+ * A DeploymentGroup must call `bindEnvironment()` first if it detects this type,
+ * before reading the DeploymentConfig ARN.
+ *
+ * This type is fully hidden, which means that the constant objects provided by
+ * CDK will have magical behavior that customers can't reimplement themselves.
+ * Not ideal, but our DeploymentConfig type inheritance is already overly
+ * complicated and to do it properly with the nominal typing we are emplying
+ * will require adding 4 more empty or nearly empty interfaces, which seems a
+ * bit silly for a need that's not necessarily clearly needed by customers.
+ * We can always move to exposing later.
+ */
+export interface IPredefinedDeploymentConfig {
+  /**
+   * Bind the predefined deployment config to the environment of the given resource
+   */
+  bindEnvironment(deploymentGroup: IResource): IBaseDeploymentConfig;
+}
+
+export function isPredefinedDeploymentConfig(x: unknown): x is IPredefinedDeploymentConfig {
+  return typeof x === 'object' && !!x && !!(x as any).bindEnvironment;
+}

packages/@aws-cdk/aws-codedeploy/lib/private/utils.ts

@@ -1,8 +1,9 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
-import { Token, Stack, ArnFormat, Arn, Fn, Aws } from '@aws-cdk/core';
+import { Token, Stack, ArnFormat, Arn, Fn, Aws, IResource } from '@aws-cdk/core';
 import { IBaseDeploymentConfig } from '../base-deployment-config';
 import { CfnDeploymentGroup } from '../codedeploy.generated';
 import { AutoRollbackConfig } from '../rollback-config';
+import { IPredefinedDeploymentConfig } from './predefined-deployment-config';
 
 export function arnForApplication(stack: Stack, applicationName: string): string {
   return stack.formatArn({
@@ -18,11 +19,11 @@ export function nameFromDeploymentGroupArn(deploymentGroupArn: string): string {
   return Fn.select(1, Fn.split('/', components.resourceName ?? ''));
 }
 
-export function arnForDeploymentConfig(name: string): string {
+export function arnForDeploymentConfig(name: string, resource?: IResource): string {
   return Arn.format({
     partition: Aws.PARTITION,
-    account: Aws.ACCOUNT_ID,
-    region: Aws.REGION,
+    account: resource?.env.account ?? Aws.ACCOUNT_ID,
+    region: resource?.env.region ?? Aws.REGION,
     service: 'codedeploy',
     resource: 'deploymentconfig',
     resourceName: name,
@@ -41,10 +42,14 @@ CfnDeploymentGroup.AlarmConfigurationProperty | undefined {
     };
 }
 
-export function deploymentConfig(name: string): IBaseDeploymentConfig {
+export function deploymentConfig(name: string): IBaseDeploymentConfig & IPredefinedDeploymentConfig {
   return {
     deploymentConfigName: name,
     deploymentConfigArn: arnForDeploymentConfig(name),
+    bindEnvironment: (resource) => ({
+      deploymentConfigName: name,
+      deploymentConfigArn: arnForDeploymentConfig(name, resource),
+    }),
   };
 }
 

packages/@aws-cdk/aws-codedeploy/lib/server/deployment-group.ts

@@ -68,7 +68,7 @@ class ImportedServerDeploymentGroup extends ImportedDeploymentGroupBase implemen
     });
 
     this.application = props.application;
-    this.deploymentConfig = props.deploymentConfig || ServerDeploymentConfig.ONE_AT_A_TIME;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || ServerDeploymentConfig.ONE_AT_A_TIME);
   }
 }
 
@@ -255,7 +255,7 @@ export class ServerDeploymentGroup extends DeploymentGroupBase implements IServe
     this.application = props.application || new ServerApplication(this, 'Application', {
       applicationName: props.deploymentGroupName === cdk.PhysicalName.GENERATE_IF_NEEDED ? cdk.PhysicalName.GENERATE_IF_NEEDED : undefined,
     });
-    this.deploymentConfig = props.deploymentConfig || ServerDeploymentConfig.ONE_AT_A_TIME;
+    this.deploymentConfig = this._bindDeploymentConfig(props.deploymentConfig || ServerDeploymentConfig.ONE_AT_A_TIME);
 
     this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRole'));
     this._autoScalingGroups = props.autoScalingGroups || [];

packages/@aws-cdk/aws-codedeploy/test/ecs/deployment-group.test.ts

@@ -5,7 +5,7 @@ import * as ecs from '@aws-cdk/aws-ecs';
 import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
-import { Duration } from '@aws-cdk/core';
+import { Duration, Stack } from '@aws-cdk/core';
 import * as codedeploy from '../../lib';
 
 const mockCluster = 'my-cluster';
@@ -45,7 +45,7 @@ describe('CodeDeploy ECS DeploymentGroup', () => {
         deploymentGroupName: 'EcsDeploymentGroup',
       });
 
-      expect(importedGroup.deploymentConfig).toEqual(codedeploy.EcsDeploymentConfig.ALL_AT_ONCE);
+      expect(importedGroup.deploymentConfig.deploymentConfigName).toEqual('CodeDeployDefault.ECSAllAtOnce');
     });
   });
 
@@ -849,25 +849,34 @@ describe('CodeDeploy ECS DeploymentGroup', () => {
     });
   });
 
-  test('deploymentGroup from Arn knows its account and region', () => {
-    // GIVEN
-    const stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+  describe('deploymentGroup from ARN in different account and region', () => {
+    let stack: Stack;
+    let application: codedeploy.IEcsApplication;
+    let group: codedeploy.IEcsDeploymentGroup;
 
-    // WHEN
-    const application = codedeploy.EcsApplication.fromEcsApplicationArn(stack, 'Application', 'arn:aws:codedeploy:theregion-1:222222222222:application:MyApplication');
-    const group = codedeploy.EcsDeploymentGroup.fromEcsDeploymentGroupAttributes(stack, 'Group', {
-      application,
-      deploymentGroupName: 'DeploymentGroup',
+    const account = '222222222222';
+    const region = 'theregion-1';
+
+    beforeEach(() => {
+      stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+
+      application = codedeploy.EcsApplication.fromEcsApplicationArn(stack, 'Application', `arn:aws:codedeploy:${region}:${account}:application:MyApplication`);
+      group = codedeploy.EcsDeploymentGroup.fromEcsDeploymentGroupAttributes(stack, 'Group', {
+        application,
+        deploymentGroupName: 'DeploymentGroup',
+      });
     });
 
-    // THEN
-    expect(application.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
-    expect(group.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
+    test('knows its account and region', () => {
+      // THEN
+      expect(application.env).toEqual(expect.objectContaining({ account, region }));
+      expect(group.env).toEqual(expect.objectContaining({ account, region }));
+    });
+
+    test('references the predefined DeploymentGroupConfig in the right region', () => {
+      expect(group.deploymentConfig.deploymentConfigArn).toEqual(expect.stringContaining(
+        `:codedeploy:${region}:${account}:deploymentconfig:CodeDeployDefault.ECSAllAtOnce`,
+      ));
+    });
   });
 });

packages/@aws-cdk/aws-codedeploy/test/lambda/deployment-group.test.ts

@@ -3,6 +3,7 @@ import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as iam from '@aws-cdk/aws-iam';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as cdk from '@aws-cdk/core';
+import { Stack } from '@aws-cdk/core';
 import * as codedeploy from '../../lib';
 import { TrafficRouting } from '../../lib';
 
@@ -616,26 +617,35 @@ describe('CodeDeploy Lambda DeploymentGroup', () => {
     });
   });
 
-  test('deploymentGroup from Arn knows its account and region', () => {
-    // GIVEN
-    const stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+  describe('deploymentGroup from ARN in different account and region', () => {
+    let stack: Stack;
+    let application: codedeploy.ILambdaApplication;
+    let group: codedeploy.ILambdaDeploymentGroup;
 
-    // WHEN
-    const application = codedeploy.LambdaApplication.fromLambdaApplicationArn(stack, 'Application', 'arn:aws:codedeploy:theregion-1:222222222222:application:MyApplication');
-    const group = codedeploy.LambdaDeploymentGroup.fromLambdaDeploymentGroupAttributes(stack, 'Group', {
-      application,
-      deploymentGroupName: 'DeploymentGroup',
-    });
-
-    // THEN
-    expect(application.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
-    expect(group.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
+    const account = '222222222222';
+    const region = 'theregion-1';
+
+    beforeEach(() => {
+      stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+
+      application = codedeploy.LambdaApplication.fromLambdaApplicationArn(stack, 'Application', `arn:aws:codedeploy:${region}:${account}:application:MyApplication`);
+      group = codedeploy.LambdaDeploymentGroup.fromLambdaDeploymentGroupAttributes(stack, 'Group', {
+        application,
+        deploymentGroupName: 'DeploymentGroup',
+      });
+    });
+
+    test('knows its account and region', () => {
+      // THEN
+      expect(application.env).toEqual(expect.objectContaining({ account, region }));
+      expect(group.env).toEqual(expect.objectContaining({ account, region }));
+    });
+
+    test('references the predefined DeploymentGroupConfig in the right region', () => {
+      expect(group.deploymentConfig.deploymentConfigArn).toEqual(expect.stringContaining(
+        `:codedeploy:${region}:${account}:deploymentconfig:CodeDeployDefault.LambdaCanary10Percent5Minutes`,
+      ));
+    });
   });
 });
 
@@ -649,7 +659,7 @@ describe('imported with fromLambdaDeploymentGroupAttributes', () => {
       deploymentGroupName: 'LambdaDeploymentGroup',
     });
 
-    expect(importedGroup.deploymentConfig).toEqual(codedeploy.LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES);
+    expect(importedGroup.deploymentConfig.deploymentConfigName).toEqual('CodeDeployDefault.LambdaCanary10Percent5Minutes');
   });
 });
 

packages/@aws-cdk/aws-codedeploy/test/server/deployment-group.test.ts

@@ -494,25 +494,34 @@ describe('CodeDeploy Server Deployment Group', () => {
     expect(() => app.synth()).toThrow('Deployment group name: "my name" can only contain letters (a-z, A-Z), numbers (0-9), periods (.), underscores (_), + (plus signs), = (equals signs), , (commas), @ (at signs), - (minus signs).');
   });
 
-  test('deploymentGroup from Arn knows its account and region', () => {
-    // GIVEN
-    const stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+  describe('deploymentGroup from ARN in different account and region', () => {
+    let stack: cdk.Stack;
+    let application: codedeploy.IServerApplication;
+    let group: codedeploy.IServerDeploymentGroup;
 
-    // WHEN
-    const application = codedeploy.ServerApplication.fromServerApplicationArn(stack, 'Application', 'arn:aws:codedeploy:theregion-1:222222222222:application:MyApplication');
-    const group = codedeploy.ServerDeploymentGroup.fromServerDeploymentGroupAttributes(stack, 'Group', {
-      application,
-      deploymentGroupName: 'DeploymentGroup',
-    });
-
-    // THEN
-    expect(application.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
-    expect(group.env).toEqual(expect.objectContaining({
-      account: '222222222222',
-      region: 'theregion-1',
-    }));
+    const account = '222222222222';
+    const region = 'theregion-1';
+
+    beforeEach(() => {
+      stack = new cdk.Stack(undefined, 'Stack', { env: { account: '111111111111', region: 'blabla-1' } });
+
+      application = codedeploy.ServerApplication.fromServerApplicationArn(stack, 'Application', `arn:aws:codedeploy:${region}:${account}:application:MyApplication`);
+      group = codedeploy.ServerDeploymentGroup.fromServerDeploymentGroupAttributes(stack, 'Group', {
+        application,
+        deploymentGroupName: 'DeploymentGroup',
+      });
+    });
+
+    test('knows its account and region', () => {
+      // THEN
+      expect(application.env).toEqual(expect.objectContaining({ account, region }));
+      expect(group.env).toEqual(expect.objectContaining({ account, region }));
+    });
+
+    test('references the predefined DeploymentGroupConfig in the right region', () => {
+      expect(group.deploymentConfig.deploymentConfigArn).toEqual(expect.stringContaining(
+        `:codedeploy:${region}:${account}:deploymentconfig:CodeDeployDefault.OneAtATime`,
+      ));
+    });
   });
 });