bug(cicd): CICD script does not check if target regions are deployable

Question

bug(cicd): CICD script does not check if target regions are deployable

flochaz opened this issue 2 years ago · comments

Context

In SDLC-Organization we auto bootstrap accounts with the right trust of CICD account on specified regions
(https://github.com/aws-samples/aws-bootstrap-kit-examples/blob/main/source/1-SDLC-organization/cdk.json#L11) .
In Service / App CDK side we automatically create stages based on the account tags created in the previous steps (https://github.com/aws-samples/aws-bootstrap-kit-examples/blob/main/source/3-landing-page-cicd/cdk/lib/cicd-stack.ts#L89) but we don't check if the target region is deployable .

Issue

If pipeline deployed in CICD account is deployed in a region not listed in "pipeline_deployable_regions", assets steps will fail with credentials error : Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1.

Proposed fix

Option 1: find a way to figure out if target is bootstrapped properly and throw if not

Option 2:

Store pipeline_deployable_regions somewhere (tag or ssm) in aws-bootstrap-kit construct (same way we do for stages : https://github.com/awslabs/aws-bootstrap-kit/blob/74aa16188776eb695358cf40e7519387650b72dc/source/aws-bootstrap-kit/lib/account.ts#L103)
Force deployed regions from this ...