aws-cdk-github-actions icon indicating copy to clipboard operation
aws-cdk-github-actions copied to clipboard

Published 20 hours ago verified publisher icon youyo

Require approval: never is broken

Open stilren opened this issue 3 years ago • 8 comments

Hello and thanks for this action.

I am deploying a project with two stacks (probably not relevant) and I am getting the following

This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

and

 "--require-approval" is enabled and stack includes security-sensitive updates, but terminal (TTY) is not attached so we are unable to get a confirmation from the user

Here is the action:

    - name: Deploy backend
      uses: youyo/aws-cdk-github-actions@v1
      with:
        working_dir: "./backend" 
        cdk_subcommand: 'deploy'
        cdk_stack: '*'
        actions_comment: false
        args: '--require-approval never --outputs-file ../swedishclient/src/devoutputs.json'
      env:
        AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
        AWS_DEFAULT_REGION: 'eu-west-1'

stilren avatar Jul 30 '20 14:07 stilren

I think we need to use a interactive session by passing the "-it" flag in the docker run command but I am not in a position to test this atm.

stilren avatar Jul 30 '20 14:07 stilren

I face the same issue, too.

RicoToothless avatar Aug 05 '20 01:08 RicoToothless

Same for us.

bastiankoetsier avatar Aug 21 '20 10:08 bastiankoetsier

Anyone found a workaround? Like this it's not possible to deploy from GH actions...

tmaximini avatar Sep 10 '20 16:09 tmaximini

workaround: change this:

cdk_subcommand: "deploy"
args: "--require-approval never"

to this: cdk_subcommand: "deploy --require-approval never"

this works because the subcommand parameter is not quoted in the entrypoint script so the shell will split it on spaces.

i think it indicates that the problem lies with passing in the "*" parameters to the script rather than with require-approval itself.

cmsd2 avatar Sep 10 '20 19:09 cmsd2

This can also be solved by setting the flag in your cdk.json file, for example: { "app": "python3 app.py", "requireApproval": "never", "context": {...} }

g-farrow avatar Sep 16 '20 13:09 g-farrow

workaround: change this:

cdk_subcommand: "deploy"
args: "--require-approval never"

to this: cdk_subcommand: "deploy --require-approval never"

this works because the subcommand parameter is not quoted in the entrypoint script so the shell will split it on spaces.

i think it indicates that the problem lies with passing in the "*" parameters to the script rather than with require-approval itself.

This works for me. Thanks!

davitcito avatar Aug 05 '22 23:08 davitcito

Having the same issue with:

yes | cdk deploy
   --app "npx ts-node bin/stack.ts"
   --required-approval never
   --profile profile
   --context account=account
   --context region=region
  • It doesn't help specifying the app in cdk.json (plus, I have multiple apps so they need to be specified in the cmd)
  • It helps adding to cdk.json: "requireApproval": "never", but in the future I might not want this key enabled for all the apps...

diogobaltazar avatar Feb 28 '23 16:02 diogobaltazar