cli: automatic cross account integration tests #32085

iliapolo · 2024-11-11T09:55:22Z

Describe the feature

When running integration tests, invoke the CLI with credentials to a different account than the target account.

Use Case

A fairly common setup for deploying CDK apps is providing the CLI with credentials to a role in centralized account (Account S) to perform the deployments to a target account (Account T).

This differs from the "standard" scenario where the CLI is executed with credentials to the target account. To make this setup work, the customer needs to setup trust relationships between both accounts, creating one variation of a cross-account auth setup.

In such a case, the CLI needs to take special care when invoking any AWS APIs because it must make sure its doing so with the appropriate assumed role. Running tests with this setup will automatically catch bugs that fail to do so.

For example: #31845

Proposed Solution

We already control CLI invocation inside our tests via the TestFixture (FLW: its probably ok to assume all tests use it). This means our fixture can assume a role in Account S, and invoke the CLI with its credentials, leaving Account T as is.

aws-cdk/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts

Lines 525 to 540 in 33872f3

    
           public async cdk(args: string[], options: CdkCliOptions = {}) { 
        
             const verbose = options.verbose ?? true; 
        
             await this.packages.makeCliAvailable(); 
        
             return this.shell(['cdk', ...(verbose ? ['-v'] : []), ...args], { 
        
               ...options, 
        
               modEnv: { 
        
                 AWS_REGION: this.aws.region, 
        
                 AWS_DEFAULT_REGION: this.aws.region, 
        
                 STACK_NAME_PREFIX: this.stackNamePrefix, 
        
                 PACKAGE_LAYOUT_VERSION: this.packages.majorVersion(), 
        
                 ...options.modEnv, 
        
               }, 
        
             }); 
        
           }

The only thing left to unpack here is where will the fixture get 2 accounts from? Currently, our framework only provides different regions in the same account.

aws-cdk/packages/@aws-cdk-testing/cli-integ/lib/with-aws.ts

Line 38 in 33872f3

_regionPool = ResourcePool.withResources('aws_regions', REGIONS);

So, we need to first implement the test environment allocation service to make this work.

Other Information

Some peripheral considerations:

We need to provide a way for tests to opt out of this behavior (there may be good reasons for it).
Do we add this as a permutation of the test? or instead?

Acknowledgements

I may be able to implement this feature request
This feature might incur a breaking change

CDK version used

ALL

Environment details (OS name and version, etc.)

ALL

The text was updated successfully, but these errors were encountered:

iliapolo added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 11, 2024

github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Nov 11, 2024

iliapolo mentioned this issue Nov 11, 2024

Tracking: CLI testing posture improvements #31929

Open

8 tasks

iliapolo self-assigned this Nov 11, 2024

pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cli: automatic cross account integration tests #32085

cli: automatic cross account integration tests #32085

iliapolo commented Nov 11, 2024

cli: automatic cross account integration tests #32085

cli: automatic cross account integration tests #32085

Comments

iliapolo commented Nov 11, 2024

Describe the feature

Use Case

Proposed Solution

Other Information

Acknowledgements

CDK version used

Environment details (OS name and version, etc.)