Aws-cdk: CDK does not handle `CN` partition deployment properly

Created on 30 Sep 2019 · 4 Comments · Source: aws/aws-cdk


cdk bootstrap does create the initial resource bucket properly, but cdk deploy fails with

โŒ cdkExampleStack failed: ValidationError: S3 error: The specified key does not exist.
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
S3 error: The specified key does not exist.
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

Observed Behaviour

cdk deploy returns target domain as s3.amazonaws.com after packaging which is not a valid domain for aws-cn partition and instead should be s3-cn-north-1.amazonaws.com.cn.

Reproduction Steps


Use typescript init demo from CDK Workshop, and try deploying it to AWS China.

Error Log

Solla:aws-cdk-example rushi$ cdk deploy --profile caromelChina -v
CDK toolkit version: 1.9.0 (build 30f158a)
Command line arguments: { _: [ 'deploy' ],
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  verbose: true,
  v: true,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  staging: true,
  ci: false,
  profile: 'caromelChina',
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  '$0': 'cdk' }
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
cdk.json: {
  "app": "npx ts-node ./bootstrap.ts"
}
merged settings: { versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node ./bootstrap.ts',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true }
Setting "CDK_DEFAULT_REGION" environment variable to cn-north-1
Resolving default credentials
Retrieved account ID 882089736419 from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to 882089736419
context: { 'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true }
outdir: cdk.out
env: { CDK_DEFAULT_REGION: 'cn-north-1',
  CDK_DEFAULT_ACCOUNT: '882089736419',
  CDK_CONTEXT_JSON:
   '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out' }
Reading existing template for stack cdkExampleStack.
Using default AWS SDK credentials for account 882089736419
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬────────────────────────────────┬────────┬────────────────┬─────────────────────────────────┬───────────┐
│   │ Resource                       │ Effect │ Action         │ Principal                       │ Condition │
├───┼────────────────────────────────┼────────┼────────────────┼─────────────────────────────────┼───────────┤
│ + │ ${testCdkFunction/ServiceRole. │ Allow  │ sts:AssumeRole │ Service:lambda.amazonaws.com    │           │
│   │ Arn}                           │        │                │                                 │           │
└───┴────────────────────────────────┴────────┴────────────────┴─────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬────────────────────────────────┬───────────────────────────────────────────────────────────────────────┐
│   │ Resource                       │ Managed Policy ARN                                                    │
├───┼────────────────────────────────┼───────────────────────────────────────────────────────────────────────┤
│ + │ ${testCdkFunction/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExec │
│   │                                │ utionRole                                                             │
└───┴────────────────────────────────┴───────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See http://bit.ly/cdk-2EhF7Np)

Do you wish to deploy these changes (y/n)? y
cdkExampleStack: deploying...
Waiting for stack CDKToolkit to finish creating or updating...
Preparing asset cdkExampleStacktestCdkFunctionCodeA4B88D41: {"path":"asset.96cef630369ed2c12eec4eb4a7dceb2aed3cf2c040b84f477823f85488e535ca","id":"cdkExampleStacktestCdkFunctionCodeA4B88D41","packaging":"zip","sourceHash":"96cef630369ed2c12eec4eb4a7dceb2aed3cf2c040b84f477823f85488e535ca","s3BucketParameter":"testCdkFunctionCodeS3BucketEBF1EEBC","s3KeyParameter":"testCdkFunctionCodeS3VersionKeyA1DCA546","artifactHashParameter":"testCdkFunctionCodeArtifactHashDF47BEE8"}
Preparing zip asset from directory: cdk.out/asset.96cef630369ed2c12eec4eb4a7dceb2aed3cf2c040b84f477823f85488e535ca
zip archive: /var/folders/d4/jf5hcfcd6rb2wfjkbjf3nwq80000gt/T/cdk-assetsqM00z4/archive.zip
Preparing file asset: /var/folders/d4/jf5hcfcd6rb2wfjkbjf3nwq80000gt/T/cdk-assetsqM00z4/archive.zip
Using default AWS SDK credentials for account 882089736419
s3://cdktoolkit-stagingbucket-1kq47y2hhsq9h/assets/cdkExampleStacktestCdkFunctionCodeA4B88D41/32e434ebe0d2a42cca135ae48430750d6107e22dabbfe469295754584209ee32.zip: checking if already exists
s3://cdktoolkit-stagingbucket-1kq47y2hhsq9h/assets/cdkExampleStacktestCdkFunctionCodeA4B88D41/32e434ebe0d2a42cca135ae48430750d6107e22dabbfe469295754584209ee32.zip: found (skipping upload)
S3 url for asset.96cef630369ed2c12eec4eb4a7dceb2aed3cf2c040b84f477823f85488e535ca: s3://cdktoolkit-stagingbucket-1kq47y2hhsq9h/assets/cdkExampleStacktestCdkFunctionCodeA4B88D41/32e434ebe0d2a42cca135ae48430750d6107e22dabbfe469295754584209ee32.zip
Up-to-date: asset.96cef630369ed2c12eec4eb4a7dceb2aed3cf2c040b84f477823f85488e535ca (zip)
s3://cdktoolkit-stagingbucket-1kq47y2hhsq9h/cdk/cdkExampleStack/d84e5b2a8f346dc77bb203f64848d2694f3ecd0035cef1fe996e532874a94223.yml: checking if already exists
s3://cdktoolkit-stagingbucket-1kq47y2hhsq9h/cdk/cdkExampleStack/d84e5b2a8f346dc77bb203f64848d2694f3ecd0035cef1fe996e532874a94223.yml: found (skipping upload)
Stored template in S3 at: https://cdktoolkit-stagingbucket-1kq47y2hhsq9h.s3.amazonaws.com/cdk/cdkExampleStack/d84e5b2a8f346dc77bb203f64848d2694f3ecd0035cef1fe996e532874a94223.yml
Attempting to create ChangeSet CDK-934d7046-96a5-42a5-9ad7-1181f62782d3 to create stack cdkExampleStack
cdkExampleStack: creating CloudFormation changeset...

 โŒ  cdkExampleStack failed: ValidationError: S3 error: The specified key does not exist.
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
S3 error: The specified key does not exist.
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
ValidationError: S3 error: The specified key does not exist.
For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
    at Request.extractError (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/Users/rushi/.nvm/versions/node/v10.15.3/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Environment

  • CLI Version: 1.9.0 (build 30f158a)
  • Framework Version:
  • OS: macOS
  • Language: TypeScript

Other

An interesting thing to note here is that cdk can successfully upload artifacts to the S3 bucket but fails to deploy the changeset.

This is :bug: Bug Report

Labels: bug, package/tools

All 4 comments

Okay, I have confirmed this as a bug. Someone will update this issue when there is progress.

related to #1469

fixed in #4427

Something to note here, I think it might help someone else.

So I had the CDKToolkit stack created in my account with cdk 1.2.12; at that time cdk was using bucketDomainName as the target URL to get the template, which was changed to use bucketRegionalDomainName to fix the above bug.

Even after upgrading to cdk 1.2.14, cdk was still getting bucketDomainName as a target template url, because I had my CDKToolkit created with 1.2.12.

To actually get it to work, I ended up removing the earlier CDKToolkit stack, which was created with 1.2.12, and bootstrapping a new one with 1.2.14, and everything works like a charm. 🎉

@shivlaks not sure if this is how it was supposed to be or cdk deploy should be getting latest deployment template url.
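
The host mismatch reported in this issue, and the stale bootstrap output described in the last comment, both show up in the `Stored template in S3 at:` line of `cdk deploy -v`. The following is an added example, not part of the thread and not aws-cdk code: it extracts that URL and checks its host against the target region's partition. The function names and the three-entry partition table are assumptions made for illustration, and the sample log's object key is a constructed placeholder.

```javascript
// Added example (not aws-cdk code). Covers only these three partitions (assumption).
const PARTITIONS = [
  { name: 'aws-cn', regionPrefix: 'cn-', dnsSuffix: 'amazonaws.com.cn' },
  { name: 'aws-us-gov', regionPrefix: 'us-gov-', dnsSuffix: 'amazonaws.com' },
  { name: 'aws', regionPrefix: '', dnsSuffix: 'amazonaws.com' }, // fallback, must stay last
];

function partitionFor(region) {
  return PARTITIONS.find((p) => region.startsWith(p.regionPrefix));
}

// Host form that the S3 bucket attribute RegionalDomainName resolves to.
function regionalBucketHost(bucket, region) {
  return `${bucket}.s3.${region}.${partitionFor(region).dnsSuffix}`;
}

// Pull the URL out of the "Stored template in S3 at:" line of `cdk deploy -v` output.
function templateUrlFromLog(logText) {
  const m = logText.match(/^Stored template in S3 at: (\S+)$/m);
  return m ? m[1] : null;
}

// Report how a template URL's host disagrees with the deployment region's partition.
function checkTemplateUrl(templateUrl, region) {
  const host = new URL(templateUrl).hostname.toLowerCase();
  const { name, dnsSuffix } = partitionFor(region);
  const problems = [];
  if (!host.endsWith(`.${dnsSuffix}`)) {
    problems.push(`host is outside partition ${name}, expected *.${dnsSuffix}`);
  }
  // Accept both s3.<region> and the older s3-<region> spelling.
  const m = host.match(/\.s3[.-]([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$/);
  if (!m) problems.push('host names no region (global bucketDomainName form)');
  else if (m[1] !== region) problems.push(`host region ${m[1]} differs from ${region}`);
  return { host, ok: problems.length === 0, problems };
}

// Constructed sample: log line shape and bucket host from the issue, object key shortened.
const SAMPLE_LOG = [
  'Up-to-date: asset.example (zip)',
  'Stored template in S3 at: https://cdktoolkit-stagingbucket-1kq47y2hhsq9h.s3.amazonaws.com/cdk/cdkExampleStack/template.yml',
  'cdkExampleStack: creating CloudFormation changeset...',
].join('\n');

const report = checkTemplateUrl(templateUrlFromLog(SAMPLE_LOG), 'cn-north-1');
console.log(report.ok ? 'OK' : `MISMATCH ${report.host}: ${report.problems.join('; ')}`);
console.log('expected host:', regionalBucketHost('cdktoolkit-stagingbucket-1kq47y2hhsq9h', 'cn-north-1'));
```

A mismatch that persists after upgrading the CLI points at the bootstrap stack rather than the CLI, which is the situation the last comment describes.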
