feat(cfn): implement env controller #1508
Conversation
Manual Tests
|
efekarakus
added
the
do-not-merge
iamhopaul123
force-pushed
the
env-upgrade/env-controller
branch
from
3066f93 to
d9edc87
Compare
| Value: | ||
| Fn::ImportValue: | ||
| !Sub "${AppName}-${EnvName}-PublicLoadBalancerDNS" {{if .Variables}}{{range $name, $value := .Variables}} | ||
| Value: !GetAtt EnvControllerAction.PublicLoadBalancerDNSName{{if .Variables}}{{range $name, $value := .Variables}} |
There was a problem hiding this comment.
I think this will break backend services since the Lambda is not included there!
Mmm this is interesting 🤔
I feel like what we need is a way of telling if an environment variable should exist because the feature is enabled. For example:
{{- if has .RequiredFeatures "ALBWorkloads" }}
- Name: COPILOT_LB_DNS
Value: !GetAtt EnvControllerAction.PublicLoadBalancerDNSName
{{- end }}There was a problem hiding this comment.
or maybe only display it when it is an LB service?
There was a problem hiding this comment.
yea, we could do that for now. But in the future the LB Web Service pattern will support NLB.
So instead of having http maybe users will specify only udp or tcp and that should still give them a service that is internet-facing. In that scenario we should not create this environment variable.
But yes let's do your suggestion for now! If it's a LBWebService, let's add the environment variable and remove it from the other types that don't force the resource creation.
| @@ -168,6 +167,31 @@ Resources: | |||
| Action: | |||
| - elasticloadbalancing:DescribeRules | |||
| Resource: "*" | |||
| - PolicyName: "EnvControllerStackUpdate" | |||
There was a problem hiding this comment.
Hmmm we are increasing the permission scope here! Which would require a security review.
I'm trying to understand how come this prototype worked: efekarakus@66a2c27 without these permission changes. I feel like my prototype shouldn't have worked :O strange!
There was a problem hiding this comment.
How do you perform those actions without permission 🤔 And looks like the prototype doesn't pass CFN execution role to update the stack, which should fail when updating the environment stack...
There was a problem hiding this comment.
ok instead of increasing the scope of the other Lambda, let's create a new role:
EnvControllerLambdaRole which has the permissions that you've listed.
Can we try being specific on the resources? For example:
- the stack
Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppName}-${EnvName}/*'- the role
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${AppName}-${EnvName}-CFNExecutionRole'There was a problem hiding this comment.
Agree on creating a new role otherwise the other lambda scope might be expanded as well. However, I don't get why we want to be specific on the resources? I feel they are about the same since the only stack with both copilot app and env tags are in format of those two. But one benefit for using tags is it is agnostic about the arn format, whereas we are very unlikely to change our copilot tags. What do you think?
There was a problem hiding this comment.
I guess we also need to move the role for auto scaling out right? i'll do that in the next PR
There was a problem hiding this comment.
The slight difference is that if we use only tags, then the role can also update other service stacks in the environment. Whereas specifying the ARN limits it strictly to the environment stack and not to the services.
There was a problem hiding this comment.
ah got it good point!
| try { | ||
| switch (event.RequestType) { | ||
| case "Create": | ||
| responseData = await controlEnv( |
There was a problem hiding this comment.
can we increase it to the max 15 mins plz? 🙏
I could see env upgrades taking a while just in case, and we should handle the previous comment above as well
| } catch (err) { | ||
| if ( | ||
| !err.message.match( | ||
| /^Stack.*is in UPDATE_IN_PROGRESS state and can not be updated/ |
There was a problem hiding this comment.
Yeah, I don't think they can change it either. OK as long as you validated that this is indeed the error message, I'm fine with it.
| Value: | ||
| Fn::ImportValue: | ||
| !Sub "${AppName}-${EnvName}-PublicLoadBalancerDNS" {{if .Variables}}{{range $name, $value := .Variables}} | ||
| Value: !GetAtt EnvControllerAction.PublicLoadBalancerDNSName{{if .Variables}}{{range $name, $value := .Variables}} |
There was a problem hiding this comment.
yea, we could do that for now. But in the future the LB Web Service pattern will support NLB.
So instead of having http maybe users will specify only udp or tcp and that should still give them a service that is internet-facing. In that scenario we should not create this environment variable.
But yes let's do your suggestion for now! If it's a LBWebService, let's add the environment variable and remove it from the other types that don't force the resource creation.
| @@ -168,6 +167,31 @@ Resources: | |||
| Action: | |||
| - elasticloadbalancing:DescribeRules | |||
| Resource: "*" | |||
| - PolicyName: "EnvControllerStackUpdate" | |||
There was a problem hiding this comment.
ok instead of increasing the scope of the other Lambda, let's create a new role:
EnvControllerLambdaRole which has the permissions that you've listed.
Can we try being specific on the resources? For example:
- the stack
Resource: !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppName}-${EnvName}/*'- the role
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${AppName}-${EnvName}-CFNExecutionRole'
iamhopaul123
force-pushed
the
env-upgrade/env-controller
branch
from
ea73c34 to
a135bd1
Compare
just one more request related to the env variable
iamhopaul123
force-pushed
the
env-upgrade/env-controller
branch
from
81455a5 to
07320c7
Compare
iamhopaul123
removed
the
do-not-merge
iamhopaul123
force-pushed
the
env-upgrade/env-controller
branch
from
07320c7 to
59a58f7
Compare
<!-- Provide summary of changes --> Address this [comment](#1508 (comment)) left in #1508. Add retry to EnvController when we call `cfn.waitFor()`, so that it won't immediately error out when the request gets throttled. <!-- Issue number, if available. E.g. "Fixes #31", "Addresses #42, 77" --> By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
<!-- Provide summary of changes --> Implement env controller for env upgrade, allowing `svc deploy` to update env stack to create/delete optional resources (e.g., ALB). Note that this feature is only available starting from env version v1.0.0. <!-- Issue number, if available. E.g. "Fixes aws#31", "Addresses aws#42, 77" --> By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
<!-- Provide summary of changes --> Address this [comment](aws#1508 (comment)) left in aws#1508. Add retry to EnvController when we call `cfn.waitFor()`, so that it won't immediately error out when the request gets throttled. <!-- Issue number, if available. E.g. "Fixes aws#31", "Addresses aws#42, 77" --> By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Implement env controller for env upgrade, allowing
svc deployto update env stack to create/delete optional resources (e.g., ALB).Note that this feature is only available starting from env version v1.0.0.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.