aws-cdk-github-actions
Require approval: never is broken
Hello and thanks for this action.
I am deploying a project with two stacks (probably not relevant) and I am getting the following
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:
and
"--require-approval" is enabled and stack includes security-sensitive updates, but terminal (TTY) is not attached so we are unable to get a confirmation from the user
Here is the action:
- name: Deploy backend
  uses: youyo/aws-cdk-github-actions@v1
  with:
    working_dir: "./backend"
    cdk_subcommand: 'deploy'
    cdk_stack: '*'
    actions_comment: false
    args: '--require-approval never --outputs-file ../swedishclient/src/devoutputs.json'
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
    AWS_DEFAULT_REGION: 'eu-west-1'
I think we need to use an interactive session by passing the "-it" flag in the docker run command but I am not in a position to test this atm.
I face the same issue, too.
Same for us.
Anyone found a workaround? Like this it's not possible to deploy from GH actions...
workaround: change this:
cdk_subcommand: "deploy"
args: "--require-approval never"
to this:
cdk_subcommand: "deploy --require-approval never"
This works because the subcommand parameter is not quoted in the entrypoint script, so the shell will split it on spaces.
I think it indicates that the problem lies with passing in the "*" parameters to the script rather than with require-approval itself.
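Added example, not part of the original thread and not the action's own entrypoint script: a shell sketch of the behaviour the workaround comment describes, where an unquoted variable is word-split on spaces and an unquoted `*` is glob-expanded against the working directory. `SUBCOMMAND`, `STACK` and the helper functions are hypothetical names, and the file names are constructed sample data.

```shell
#!/bin/sh
# Added illustration; NOT the action's entrypoint script.
# SUBCOMMAND and STACK are hypothetical stand-ins for the action inputs.

# Print how many separate arguments the callee actually receives.
count_args() { echo "$#"; }

# Print each argument on its own line, as a wrapped CLI would see it.
show_args() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

SUBCOMMAND='deploy --require-approval never'
STACK='*'

# Unquoted: the shell word-splits on spaces, so the CLI sees three arguments.
unquoted_subcommand_count() { count_args $SUBCOMMAND; }

# Quoted: the whole string arrives as ONE argument.
quoted_subcommand_count() { count_args "$SUBCOMMAND"; }

# Unquoted '*' is a glob: in a non-empty directory it becomes the file names.
unquoted_stack_args() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    touch app.py cdk.json          # constructed sample working directory
    show_args $STACK
    cd / && rm -rf "$dir"
)

# Quoted '*' reaches the CLI literally.
quoted_stack_args() { show_args "$STACK"; }

echo "unquoted subcommand -> $(unquoted_subcommand_count) argument(s)"
echo "quoted subcommand   -> $(quoted_subcommand_count) argument(s)"
echo "unquoted stack      -> $(unquoted_stack_args | tr '\n' ' ')"
echo "quoted stack        -> $(quoted_stack_args)"
```

In a wrapper script, quoting each expansion (or passing inputs as separate arguments) keeps both the flags and the stack selector exactly as the workflow author wrote them.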
This can also be solved by setting the flag in your cdk.json file, for example:
{
  "app": "python3 app.py",
  "requireApproval": "never",
  "context": {...}
}
workaround: change this:
cdk_subcommand: "deploy"
args: "--require-approval never"
to this:
cdk_subcommand: "deploy --require-approval never"
This works because the subcommand parameter is not quoted in the entrypoint script, so the shell will split it on spaces.
I think it indicates that the problem lies with passing in the "*" parameters to the script rather than with require-approval itself.
This works for me. Thanks!
Having the same issue with:
yes | cdk deploy \
  --app "npx ts-node bin/stack.ts" \
  --required-approval never \
  --profile profile \
  --context account=account \
  --context region=region
- It doesn't help specifying the app in cdk.json (plus, I have multiple apps so they need to be specified in the cmd)
- It helps adding to cdk.json: "requireApproval": "never", but in the future I might not want this key enabled for all the apps...