Aws-cdk: cdk bootstrap in multi-tenant accounts

Created on 20 Dec 2018 · 7 comments · Source: aws/aws-cdk

Hi,

I am eager to implement CDK on a few new projects, but in the company I work for we use a system of multi-tenant accounts where one account is shared by many teams and units, and we divide the cost of resources using tags and names.

The command cdk bootstrap creates a CloudFormation stack with an S3 bucket, whose name can be configured, but it also exports two Outputs ( BucketName and BucketDomainName ), and CloudFormation Stack Outputs must be unique in the same account.

I saw that when the Outputs are read it actually lists all the Outputs and gets the ones with the same name. I think that if the Outputs were prefixed with the stack name the conflict could be avoided and it would work in the same way.

I would like to find a solution to this problem to start using CDK, and I am up for sending a PR with changes to support this case.

Thanks

bug packagtools

All 7 comments

After checking the code, it looks like the Exports are not being used. The bootstrap code uses describeStacks to get the whole stack and gets the outputs from there. They are not actually being used from other CloudFormation templates.

@ManRueda there should be only a single "toolkit stack" in each account/region. This means that teams should not need to "cdk bootstrap" on their own. Would that work for your use case or do you have any security/isolation concerns with this model?

That will not work on our configuration, because different teams can work in the same account but with different roles. Many, many teams share the same account in the same region, but we use roles that only allow us to access and use resources that are prefixed or have tags that our team uses. This is not only for security/isolation reasons but also for billing purposes. Because we all share the same account and each team has to be accountable for their resources, each "team id" is used for billing.

In this scenario with only one "toolkit stack" there is not a clear owner of the resource, because it can be used by many teams, and it is also difficult to bill because all teams that use it will have assets in that S3 bucket.

Okay, got it. So basically if we remove the exports from the toolkit stack, you will be able to use --toolkit-stack-name to specify a different toolkit stack name for each team, and they won't conflict. Is that correct?

I checked the code and it looks like yes, that should do it.
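The constraint the thread turns on, as an added example that is not part of the issue or of the aws-cdk code: CloudFormation Export names are unique per account/region, so two per-team toolkit stacks whose templates both export BucketName collide, while the CLI's own lookup (DescribeStacks on a named stack, then its Outputs) needs no Export at all. The template and DescribeStacks shapes below are constructed samples; the stack names, bucket names and the helper names are assumptions.

```python
from collections import defaultdict

# Constructed toolkit templates: one per team, each deployed with its own
# --toolkit-stack-name. Only the Outputs section matters here, and both
# still carry the Export blocks the thread proposes to remove.
def toolkit_template(bucket_logical_id="StagingBucket"):
    return {"Outputs": {
        "BucketName": {"Value": {"Ref": bucket_logical_id},
                       "Export": {"Name": "BucketName"}},
        "BucketDomainName": {"Value": {"Fn::GetAtt": [bucket_logical_id, "DomainName"]},
                             "Export": {"Name": "BucketDomainName"}}}}

TEAM_TEMPLATES = {"CDKToolkit-teamA": toolkit_template(),
                  "CDKToolkit-teamB": toolkit_template()}

def export_conflicts(templates_by_stack):
    """Export names are unique per account/region: return each name that
    more than one template in the set tries to export, with the stack names."""
    owners = defaultdict(list)
    for stack_name, tpl in templates_by_stack.items():
        for out in tpl.get("Outputs", {}).values():
            name = out.get("Export", {}).get("Name")
            if name:
                owners[name].append(stack_name)
    return {name: stacks for name, stacks in owners.items() if len(stacks) > 1}

def strip_exports(template):
    """Proposed fix: keep the Outputs (DescribeStacks still returns them)
    but drop the Export blocks so per-team stacks cannot collide."""
    outputs = {k: {f: v for f, v in out.items() if f != "Export"}
               for k, out in template.get("Outputs", {}).items()}
    return {**template, "Outputs": outputs}

def bucket_from_describe_stacks(describe_response, toolkit_stack_name):
    """What the CLI does instead of Fn::ImportValue: find the named stack in
    a DescribeStacks response and read BucketName from its Outputs list."""
    for stack in describe_response.get("Stacks", []):
        if stack.get("StackName") == toolkit_stack_name:
            values = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
            return values.get("BucketName")
    return None

# Constructed DescribeStacks response for the two deployed, export-free stacks.
SAMPLE_DESCRIBE = {"Stacks": [
    {"StackName": "CDKToolkit-teamA",
     "Outputs": [{"OutputKey": "BucketName", "OutputValue": "teama-cdk-assets"}]},
    {"StackName": "CDKToolkit-teamB",
     "Outputs": [{"OutputKey": "BucketName", "OutputValue": "teamb-cdk-assets"}]}]}
```

Running export_conflicts over the per-team templates before bootstrapping is a cheap pre-deployment check; once the Export blocks are stripped, each team's stack resolves its own bucket by stack name, which keeps the tag- and prefix-scoped roles and cost attribution described above intact.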

👍
