bug(cicd): CICD script does not check if target regions are deployable
flochaz opened this issue · comments
Context
In SDLC-Organization we auto-bootstrap accounts with the right trust of the CICD account on specified regions (https://github.com/aws-samples/aws-bootstrap-kit-examples/blob/main/source/1-SDLC-organization/cdk.json#L11).
On the Service / App CDK side we automatically create stages based on the account tags created in the previous steps (https://github.com/aws-samples/aws-bootstrap-kit-examples/blob/main/source/3-landing-page-cicd/cdk/lib/cicd-stack.ts#L89), but we don't check if the target region is deployable.
Issue
If the pipeline deployed in the CICD account is deployed in a region not listed in "pipeline_deployable_regions", the assets steps will fail with a credentials error: `Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1`.
Proposed fix
Option 1: find a way to figure out if target is bootstrapped properly and throw if not
Option 2:
- Store pipeline_deployable_regions somewhere (tag or ssm) in aws-bootstrap-kit construct (same way we do for stages : https://github.com/awslabs/aws-bootstrap-kit/blob/74aa16188776eb695358cf40e7519387650b72dc/source/aws-bootstrap-kit/lib/account.ts#L103)
- Force deployed regions from this ...
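One way to fail fast at synth time instead of at the assets step, as an added example that is not code from aws-bootstrap-kit or the examples repository. It assumes `pipeline_deployable_regions` is a list of region names in the CDK context; `StageTarget`, `findUndeployable` and `assertDeployable` are hypothetical names, and the sample accounts are constructed.

```typescript
// Hypothetical shape of a stage derived from account tags.
interface StageTarget { name: string; accountId: string; region: string; }

const REGION_RE = /^[a-z]{2}(-[a-z]+)+-\d$/;

// Read and normalize the bootstrapped regions from the CDK context
// (assumed to be a string array, as in the SDLC-organization cdk.json).
function readDeployableRegions(context: Record<string, unknown>): string[] {
  const raw = context["pipeline_deployable_regions"];
  if (!Array.isArray(raw) || raw.length === 0) {
    throw new Error('context key "pipeline_deployable_regions" is missing or empty');
  }
  return raw.map((r: unknown) => {
    const region = String(r).trim().toLowerCase();
    if (!REGION_RE.test(region)) throw new Error(`not a region name: ${String(r)}`);
    return region;
  });
}

// Return one message per region that was never bootstrapped with CICD trust.
function findUndeployable(pipelineRegion: string, stages: StageTarget[],
                          context: Record<string, unknown>): string[] {
  const allowed = new Set(readDeployableRegions(context));
  const problems: string[] = [];
  if (!allowed.has(pipelineRegion)) {
    problems.push(`pipeline region ${pipelineRegion} is not deployable`);
  }
  for (const s of stages) {
    if (!allowed.has(s.region)) {
      problems.push(`stage ${s.name} (${s.accountId}) targets ${s.region}`);
    }
  }
  return problems;
}

// Call before creating pipeline stages so synth stops with a clear message.
function assertDeployable(pipelineRegion: string, stages: StageTarget[],
                          context: Record<string, unknown>): void {
  const problems = findUndeployable(pipelineRegion, stages, context);
  if (problems.length > 0) {
    throw new Error(`Regions not in pipeline_deployable_regions: ${problems.join("; ")}`);
  }
}

// Constructed sample input.
const SAMPLE_CONTEXT = { pipeline_deployable_regions: ["eu-west-1", "US-EAST-1 "] };
const SAMPLE_STAGES: StageTarget[] = [
  { name: "staging", accountId: "111111111111", region: "eu-west-1" },
  { name: "prod", accountId: "222222222222", region: "ap-southeast-2" },
];
const SAMPLE_PROBLEMS = findUndeployable("us-east-1", SAMPLE_STAGES, SAMPLE_CONTEXT);
```

This only compares against the declared list; it does not verify that the target account was actually bootstrapped, which is what Option 1 asks for.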