Is `cdk bootstrap` safe to run on a production AWS system?

Time:08-06

I have inherited a small AWS project, and the infra is built in CDK. I am relatively new to CDK.

I have a Bitbucket pipeline that deploys to our preprod environment fine. Since it feels reliable, I am now productionising it.

I detailed on a prior question that there is no context in the project for the production VPCs and subnets. I have been advised there that I can get AWS to generate the context file; I have not had much luck with that, so for now I have hand-generated it.

For safety I have made the deployment command a no-execute one:

cdk deploy --stage=$STAGE --region=eu-west-1 --no-execute --require-approval never

In production I get this error with the prod creds:

current credentials could not be used to assume 'arn:aws:iam::$CDK_DEFAULT_ACCOUNT:role/cdk-xxxxxxxx-lookup-role-$CDK_DEFAULT_ACCOUNT-eu-west-1', but are for the right account. Proceeding anyway. Bundling asset VoucherSupportStack/VoucherImporterFunction/Code/Stage...

I then get:

❌ VoucherSupportStack failed: Error: VoucherSupportStack: SSM parameter /cdk-bootstrap/xxxxxxxx/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)

I am minded to run cdk bootstrap in a production pipeline, on a once-off basis, as I think this is all it needs. We have very little CDK knowledge amongst my team, so I am a bit stuck on obtaining the appropriate reassurances - is this safe to run on a production AWS account?

As I understand it, it will just create a harmless "stack" that does nothing (unless we start using cdk deploy ...).

CodePudding user response:

Yes, you need to bootstrap every environment (account/region) that you deploy to, including your production environment(s).

It is definitely safe to do - it's what CDK expects.

You can scope the execution role down if you need (the default policy is AdministratorAccess).

Although your pipeline shouldn't ideally be performing lookups during synth - the recommended way is to run cdk synth once with your production credentials, which will perform the lookups and populate the cdk.context.json file. You would then commit this file to VCS and your pipeline will use these cached values instead of performing the lookups every time.
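Putting the two recommendations together, as an added example that is not code from the question or either answer: a one-off bootstrap that replaces the default AdministratorAccess execution policy with a scoped one, and a pipeline guard that refuses to proceed until the lookups are cached in cdk.context.json. The account id and the policy ARN are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answers. The account id and
# the customer-managed policy ARN below are placeholders; replace them.
set -eu

PROD_ACCOUNT="${PROD_ACCOUNT:-123456789012}"   # placeholder prod account id
REGION="${REGION:-eu-west-1}"
# Assumed customer-managed policy that replaces the default AdministratorAccess
# on the CloudFormation execution role created by bootstrap.
EXEC_POLICY="arn:aws:iam::${PROD_ACCOUNT}:policy/CdkDeployScoped"

# One-off bootstrap command. --cloudformation-execution-policies is a real cdk
# flag: the policy it names is attached to the deploy role CloudFormation
# assumes, so deployments run with that policy instead of AdministratorAccess.
bootstrap_cmd() {
  printf 'cdk bootstrap aws://%s/%s --cloudformation-execution-policies %s' \
    "$PROD_ACCOUNT" "$REGION" "$EXEC_POLICY"
}

# True when cdk.context.json already holds a cached lookup (vpc-provider,
# ssm, ...) for the prod account and region, so synth will not need the
# lookup role that the pipeline could not assume.
context_cached() {
  file="${1:-cdk.context.json}"
  [ -f "$file" ] \
    && grep -q "account=${PROD_ACCOUNT}" "$file" \
    && grep -q "region=${REGION}" "$file"
}

# Pipeline guard: run this before 'cdk deploy'. It fails the build rather
# than letting synth perform live lookups with production credentials.
guard_deploy() {
  if context_cached "${1:-cdk.context.json}"; then
    echo "cached context present; pipeline synth/deploy will not do lookups"
    return 0
  fi
  echo "no cached context for ${PROD_ACCOUNT}/${REGION}:" \
       "run 'cdk synth' once locally with prod credentials and commit cdk.context.json" >&2
  return 1
}
```

Run `bootstrap_cmd` once by hand with production credentials, then call `guard_deploy` as the first step of the production pipeline.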

CodePudding user response:

Generally yes, but here is some extension to @gshpychka's answer:
You don't have to bootstrap your production environment if you are deploying your application with AWS Service Catalog.
The setup in our project looks like the following:

  • Resources account - for pipelines, secrets, ...
  • Development account - bootstrapped, the dev pipeline deploys directly to this account
  • Integration Account and Production Account - not bootstrapped, we are provisioning the releases and the release candidates through the AWS Service Catalog.

Service Catalog provides the cool functionality to provision and also update the applications in a friendly way. There are stable CDK L2 constructs for building your product stacks.

Of course, this approach has its advantages and disadvantages. I would recommend using it if you want to have full control over when you want to deploy or update your application. It is also worth using this approach if you are developing an application that will be installed on a client account.
