
feat(servicecatalog): Add Product Stack Asset Support

Open wanjacki opened this issue 3 years ago • 5 comments

Currently Assets are not supported in Product Stacks. Service Catalog has a unique use case where assets need to be shared cross-account, and sharing the entire CDK asset bucket is not ideal. Users can either create their own ProductStackAssetBucket or have one automatically generated for them based on their account Id and region. By using S3 Deployments we are able to copy the assets to that bucket and share it when a portfolio is shared in Service Catalog.

More details can be found here: #20690

All Submissions:

Adding new Unconventional Dependencies:

  • [ ] This PR adds new unconventional dependencies following the process described here

New Features

  • [x] Have you added the new feature to an integration test?
    • [x] Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license


Co-authored-by: Theron Mansilla[imanolympic]

wanjacki avatar Sep 20 '22 14:09 wanjacki

Hi, thanks for the great job. I was comparing the new API with our implementation and I didn't find any way to incorporate our own ProductStackAssetBucket into the ProductStackHistory construct. Do you plan to provide this option?

padaszewski avatar Sep 21 '22 10:09 padaszewski

@padaszewski That should automatically be supported, i.e. if you want to specify your own bucket:

    const productStackHistory = new ProductStackHistory(this, 'ProductStackHistory', {
      // the asset bucket is a property of the ProductStack, not of the history construct
      productStack: new HelloServerlessProduct(this, 'HelloServerlessProduct', {
        assetBucket: myBucket,
      }),
      currentVersionName: 'v1',
      currentVersionLocked: true,
    });

wanjacki avatar Sep 21 '22 14:09 wanjacki

@wanjacki Ah right, this is a property of the ProductStack. After a quick read of the README I was convinced that the bucket is passed like this servicecatalog.CloudFormationTemplate.fromProductStack(productStack, bucket). My bad, sorry.

padaszewski avatar Sep 21 '22 14:09 padaszewski

I have a couple of big concerns with this PR.

1. We need an integration test that tests creating a product with assets _and_ provisioning a
   product with assets.

2. I'm not sure about how you are currently handling the asset buckets. Each individual product will
   get its own asset bucket? What about having a single bucket that the user needs to create
   themselves? A bucket per product seems like it will lead to more work on the consumer side (if
   you want to provision product ABC then add a policy to your role with access to bucket ABC).

1. We can't provision a product directly in CDK, and there has been no precedent for having to provision a product in any of the other integration tests.

2. Yes, we are limited to one asset bucket per Product Stack if we are generating it for the user. It is not trivial to implement it on a portfolio level, and the assets themselves are tied to Products, not Portfolios. As a workaround we allow users to create their own asset bucket; this asset bucket can be used for multiple Product Stacks and bypasses this restriction. We grant users that the admin shares their portfolio/product with permissions to read the Bucket. Any further policy that might be needed would have to be set up and managed by the Admin (Hub) for the Shared Accounts (Spoke) anyways.

wanjacki avatar Sep 29 '22 15:09 wanjacki
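As an added illustration (not code from this PR or from aws-cdk) of the hub-side grant described in the reply above, here is a bucket policy on a user-created asset bucket that lets one spoke account list and read the product assets and nothing else, with TLS enforced; `<SPOKE_ACCOUNT_ID>` and `<PRODUCT_STACK_ASSET_BUCKET>` are placeholders to be filled in per deployment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SpokeAccountListAssets",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<SPOKE_ACCOUNT_ID>:root" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<PRODUCT_STACK_ASSET_BUCKET>"
    },
    {
      "Sid": "SpokeAccountReadAssets",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<SPOKE_ACCOUNT_ID>:root" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<PRODUCT_STACK_ASSET_BUCKET>/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<PRODUCT_STACK_ASSET_BUCKET>",
        "arn:aws:s3:::<PRODUCT_STACK_ASSET_BUCKET>/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Granting to the account `:root` principal delegates the decision of which roles may read the assets to the spoke account's own IAM policies, which is where the per-bucket policy work raised in the review lands when a separate bucket is generated per product.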

@wanjacki I would recommend going through the RFC process for this feature. There are a lot of design considerations that we are not yet agreed on. The biggest thing for me is that we have to consider the entire experience (publishing & consuming).

corymhall avatar Sep 30 '22 13:09 corymhall

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 0b84503d8215b82d3431a5bde0e3b6b93e705641
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

aws-cdk-automation avatar Sep 30 '22 17:09 aws-cdk-automation

@wanjacki I would recommend going through the RFC process for this feature. There are a lot of design considerations that we are not yet agreed on. The biggest thing for me is that we have to consider the entire experience (publishing & consuming).

+1 on this comment. I'm going to convert this into a draft until we have an approved RFC for this.

TheRealAmazonKendra avatar Oct 02 '22 05:10 TheRealAmazonKendra

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

aws-cdk-automation avatar Oct 24 '22 00:10 aws-cdk-automation

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

aws-cdk-automation avatar Oct 31 '22 18:10 aws-cdk-automation