feat: Bootstrap CDK during Account Activation (#272)

* Bootstrap CDK during Account Activation

Removes the prerequisite of ensuring CDK is bootstrapped for app deployments.

* Add separate bootstrap stack for AGC

Fully encapsulates the bootstrap process by managing an internal Bootstrap stack coupled to the account lifecycle.
This ensures other non-agc CDK applications running cannot interfere with or be interfered by AGC bootstrapping.

Author: ghawk1ns

extras/agc-minimal-permissions/cdk.json

@@ -1,6 +1,7 @@
 {
   "app": "npx ts-node --prefer-ts-exts bin/permissions.ts",
   "context": {
+    "@aws-cdk/core:bootstrapQualifier": "agc",
     "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
     "@aws-cdk/core:enableStackNameDuplicates": "true",
     "aws-cdk:enableDiffNoFail": "true",

extras/agc-minimal-permissions/lib/permissions-stack.ts

@@ -26,7 +26,6 @@ export class AgcPermissionsStack extends cdk.Stack {
       ...perms.s3Destroy(),
       ...perms.s3Read(),
       ...perms.s3Write(),
-      ...perms.s3CDK(),
       ...perms.dynamodbCreate(),
       ...perms.dynamodbRead(),
       ...perms.dynamodbWrite(),
@@ -46,7 +45,6 @@ export class AgcPermissionsStack extends cdk.Stack {
       ...perms.ec2(),
       ...perms.s3Read(),
       ...perms.s3Write(),
-      ...perms.s3CDK(),
       ...perms.dynamodbRead(),
       ...perms.dynamodbWrite(),
       ...perms.ssmRead(),

extras/agc-minimal-permissions/lib/policy-statements.ts

@@ -183,6 +183,7 @@ export class AgcPermissions {
             actions: actions(svc,
                 "GetBucketPolicy",
                 "GetBucketTagging",
+                "GetBucketLocation",
                 "GetEncryptionConfiguration",
                 "ListBucket",
                 "GetObject",
@@ -211,23 +212,6 @@ export class AgcPermissions {
           })]
     }
 
-    s3CDK() : PolicyStatement[] {
-        const svc = "s3";
-        return [new PolicyStatement({
-            effect: Effect.ALLOW,
-            actions: actions(svc,
-                "ListBucket",
-                "GetObject",
-                "GetBucketLocation",
-                "PutObject",
-                "DeleteObject",
-            ),
-            resources: [
-              this.arn({service: svc, region: "", account: "", resource: "cdktoolkit-*"}),
-            ],
-        })]
-    }
-
     dynamodbCreate() : PolicyStatement[] {
         const svc = "dynamodb";
         return [new PolicyStatement({
@@ -446,7 +430,7 @@ export class AgcPermissions {
                 "UntagResource",
             ),
             resources: [
-                this.arn({service: "cloudformation", region: "*", resource: "stack", resourceName: "CDKToolkit*"}),
+                this.arn({service: "cloudformation", region: "*", resource: "stack", resourceName: "Agc-CDKToolkit*"}),
             ]
         })
     }

packages/cdk/apps/context/cdk.json

@@ -1,3 +1,6 @@
 {
-  "app": "npx -p typescript -p ts-node ts-node --prefer-ts-exts app.ts"
+  "app": "npx -p typescript -p ts-node ts-node --prefer-ts-exts app.ts",
+  "context": {
+    "@aws-cdk/core:bootstrapQualifier": "agc"
+  }
 }

packages/cdk/apps/core/cdk.json

@@ -1,3 +1,6 @@
 {
-  "app": "npx -p typescript -p ts-node ts-node --prefer-ts-exts app.ts"
+  "app": "npx -p typescript -p ts-node ts-node --prefer-ts-exts app.ts",
+  "context": {
+    "@aws-cdk/core:bootstrapQualifier": "agc"
+  }
 }

packages/cli/internal/pkg/aws/cdk/bootstrap.go

@@ -0,0 +1,22 @@
+package cdk
+
+import (
+	"fmt"
+
+	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/awsresources"
+	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/clierror/actionableerror"
+	"github.com/aws/amazon-genomics-cli/internal/pkg/constants"
+)
+
+func (client Client) Bootstrap(appDir string, context []string, executionName string) (ProgressStream, error) {
+	cmdArgs := []string{
+		"bootstrap",
+		"--toolkit-stack-name", awsresources.RenderBootstrapStackName(),
+		"--qualifier", constants.AppTagValue,
+		"--tags", fmt.Sprintf("%s=%s", constants.AppTagKey, constants.AppTagValue),
+		"--profile", client.profile,
+	}
+	cmdArgs = appendContextArguments(cmdArgs, context)
+	progressStream, err := executeCdkCommand(appDir, cmdArgs, executionName)
+	return progressStream, actionableerror.FindSuggestionForError(err, actionableerror.AwsErrorMessageToSuggestedActionMap)
+}

packages/cli/internal/pkg/aws/cdk/deploy_app.go

@@ -3,6 +3,7 @@ package cdk
 import (
 	"os"
 
+	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/awsresources"
 	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/clierror/actionableerror"
 )
 
@@ -15,6 +16,7 @@ func (client Client) DeployApp(appDir string, context []string, executionName st
 		"--all",
 		"--profile", client.profile,
 		"--require-approval", "never",
+		"--toolkit-stack-name", awsresources.RenderBootstrapStackName(),
 		"--output", tmpDir,
 	}
 	cmdArgs = appendContextArguments(cmdArgs, context)

packages/cli/internal/pkg/aws/cdk/destroy_app.go

@@ -1,6 +1,7 @@
 package cdk
 
 import (
+	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/awsresources"
 	"github.com/aws/amazon-genomics-cli/internal/pkg/cli/clierror/actionableerror"
 )
 
@@ -10,6 +11,7 @@ func (client Client) DestroyApp(appDir string, context []string, executionName s
 		"destroy",
 		"--all",
 		"--force",
+		"--toolkit-stack-name", awsresources.RenderBootstrapStackName(),
 		"--profile", client.profile,
 		"--output", tmpDir,
 	}

packages/cli/internal/pkg/aws/cdk/new_client.go

@@ -1,6 +1,7 @@
 package cdk
 
 type Interface interface {
+	Bootstrap(appDir string, context []string, executionName string) (ProgressStream, error)
 	ClearContext(appDir string) error
 	DeployApp(appDir string, context []string, executionName string) (ProgressStream, error)
 	DestroyApp(appDir string, context []string, executionName string) (ProgressStream, error)

packages/cli/internal/pkg/cli/account_activate.go

@@ -30,6 +30,7 @@ A new VPC will be created if not specified.`
 	cdkCoreDir   = ".agc/cdk/apps/core"
 	bucketPrefix = "agc"
 	activateKey  = "activate"
+	bootstrapKey = "bootstrap"
 )
 
 type accountActivateVars struct {
@@ -81,7 +82,18 @@ func (o *accountActivateOpts) Execute() error {
 		environmentVars = append(environmentVars, fmt.Sprintf("VPC_ID=%s", o.vpcId))
 	}
 
-	return o.deployCoreInfrastructure(environmentVars)
+	homeDir, err := osutils.DetermineHomeDir()
+	if err != nil {
+		return err
+	}
+
+	cdkAppPath := filepath.Join(homeDir, cdkCoreDir)
+	err = o.cdkBootstrap(cdkAppPath, environmentVars)
+	if err != nil {
+		return err
+	}
+
+	return o.deployCoreInfrastructure(cdkAppPath, environmentVars)
 }
 
 func (o accountActivateOpts) generateDefaultBucket() (string, error) {
@@ -92,17 +104,23 @@ func (o accountActivateOpts) generateDefaultBucket() (string, error) {
 	return generateBucketName(account, o.region), nil
 }
 
-func (o accountActivateOpts) deployCoreInfrastructure(environmentVars []string) error {
-	homeDir, err := osutils.DetermineHomeDir()
+func (o accountActivateOpts) cdkBootstrap(cdkAppPath string, environmentVars []string) error {
+	progressStream, err := o.cdkClient.Bootstrap(cdkAppPath, environmentVars, bootstrapKey)
 	if err != nil {
 		return err
 	}
+	return displayProgress(progressStream, "Bootstrapping CDK...")
+}
 
-	cdkAppPath := filepath.Join(homeDir, cdkCoreDir)
+func (o accountActivateOpts) deployCoreInfrastructure(cdkAppPath string, environmentVars []string) error {
 	progressStream, err := o.cdkClient.DeployApp(cdkAppPath, environmentVars, activateKey)
 	if err != nil {
 		return err
 	}
+	return displayProgress(progressStream, "Activating account...")
+}
+
+func displayProgress(progressStream cdk.ProgressStream, displayMsg string) error {
 	if logging.Verbose {
 		var lastEvent cdk.ProgressEvent
 		for event := range progressStream {
@@ -115,7 +133,7 @@ func (o accountActivateOpts) deployCoreInfrastructure(environmentVars []string)
 			lastEvent = event
 		}
 	} else {
-		return progressStream.DisplayProgress("Activating account...")
+		return progressStream.DisplayProgress(displayMsg)
 	}
 	return nil
 }

packages/cli/internal/pkg/cli/account_activate_test.go

@@ -70,14 +70,13 @@ func TestAccountActivateOpts_Execute(t *testing.T) {
 				defer close(mocks.progressStream)
 				mocks.stsMock.EXPECT().GetAccount().Return(testAccountId, nil)
 				mocks.s3Mock.EXPECT().BucketExists("agc-test-account-id-test-account-region").Return(false, nil)
-				mocks.cdkMock.EXPECT().DeployApp(
-					gomock.Any(),
-					[]string{
-						fmt.Sprintf("AGC_BUCKET_NAME=agc-%s-%s", testAccountId, testAccountRegion),
-						fmt.Sprintf("CREATE_AGC_BUCKET=%t", true),
-						fmt.Sprintf("AGC_VERSION=%s", version.Version),
-					},
-					"activate").Return(mocks.progressStream, nil)
+				vars := []string{
+					fmt.Sprintf("AGC_BUCKET_NAME=agc-%s-%s", testAccountId, testAccountRegion),
+					fmt.Sprintf("CREATE_AGC_BUCKET=%t", true),
+					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+				}
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(mocks.progressStream, nil)
+				mocks.cdkMock.EXPECT().DeployApp(gomock.Any(), vars, "activate").Return(mocks.progressStream, nil)
 				return mocks
 			},
 			vpcId: "",
@@ -98,14 +97,13 @@ func TestAccountActivateOpts_Execute(t *testing.T) {
 				mocks := createMocks(t)
 				defer close(mocks.progressStream)
 				mocks.s3Mock.EXPECT().BucketExists(testAccountBucketName).Return(false, nil)
-				mocks.cdkMock.EXPECT().DeployApp(
-					gomock.Any(),
-					[]string{
-						fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
-						fmt.Sprintf("CREATE_AGC_BUCKET=%t", true),
-						fmt.Sprintf("AGC_VERSION=%s", version.Version),
-					},
-					"activate").Return(mocks.progressStream, nil)
+				vars := []string{
+					fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
+					fmt.Sprintf("CREATE_AGC_BUCKET=%t", true),
+					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+				}
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(mocks.progressStream, nil)
+				mocks.cdkMock.EXPECT().DeployApp(gomock.Any(), vars, "activate").Return(mocks.progressStream, nil)
 				return mocks
 			},
 		},
@@ -116,14 +114,13 @@ func TestAccountActivateOpts_Execute(t *testing.T) {
 				mocks := createMocks(t)
 				defer close(mocks.progressStream)
 				mocks.s3Mock.EXPECT().BucketExists(testAccountBucketName).Return(true, nil)
-				mocks.cdkMock.EXPECT().DeployApp(
-					gomock.Any(),
-					[]string{
-						fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
-						fmt.Sprintf("CREATE_AGC_BUCKET=%t", false),
-						fmt.Sprintf("AGC_VERSION=%s", version.Version),
-					},
-					"activate").Return(mocks.progressStream, nil)
+				vars := []string{
+					fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
+					fmt.Sprintf("CREATE_AGC_BUCKET=%t", false),
+					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+				}
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(mocks.progressStream, nil)
+				mocks.cdkMock.EXPECT().DeployApp(gomock.Any(), vars, "activate").Return(mocks.progressStream, nil)
 				return mocks
 			},
 		},
@@ -134,15 +131,14 @@ func TestAccountActivateOpts_Execute(t *testing.T) {
 				mocks := createMocks(t)
 				defer close(mocks.progressStream)
 				mocks.s3Mock.EXPECT().BucketExists(testAccountBucketName).Return(false, nil)
-				baseVars := []string{
+				vars := []string{
 					fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
 					fmt.Sprintf("CREATE_AGC_BUCKET=%t", true),
 					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+					fmt.Sprintf("VPC_ID=%s", testAccountVpcId),
 				}
-				mocks.cdkMock.EXPECT().DeployApp(
-					gomock.Any(),
-					append(baseVars, fmt.Sprintf("VPC_ID=%s", testAccountVpcId)),
-					"activate").Return(mocks.progressStream, nil)
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(mocks.progressStream, nil)
+				mocks.cdkMock.EXPECT().DeployApp(gomock.Any(), vars, "activate").Return(mocks.progressStream, nil)
 				return mocks
 			},
 		},
@@ -160,19 +156,36 @@ func TestAccountActivateOpts_Execute(t *testing.T) {
 			vpcId:      "",
 			setupMocks: func(t *testing.T) mockClients {
 				mocks := createMocks(t)
+				defer close(mocks.progressStream)
 				mocks.s3Mock.EXPECT().BucketExists(testAccountBucketName).Return(true, nil)
+				vars := []string{
+					fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
+					fmt.Sprintf("CREATE_AGC_BUCKET=%t", false),
+					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+				}
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(mocks.progressStream, nil)
 				mocks.cdkMock.EXPECT().DeployApp(
-					gomock.Any(),
-					[]string{
-						fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
-						fmt.Sprintf("CREATE_AGC_BUCKET=%t", false),
-						fmt.Sprintf("AGC_VERSION=%s", version.Version),
-					},
-					"activate").Return(nil, fmt.Errorf("some deploy error"))
+					gomock.Any(), vars, "activate").Return(nil, fmt.Errorf("some deploy error"))
 				return mocks
 			},
 			expectedErr: fmt.Errorf("some deploy error"),
 		},
+		"bootstrap error": {
+			bucketName: testAccountBucketName,
+			vpcId:      "",
+			setupMocks: func(t *testing.T) mockClients {
+				mocks := createMocks(t)
+				vars := []string{
+					fmt.Sprintf("AGC_BUCKET_NAME=%s", testAccountBucketName),
+					fmt.Sprintf("CREATE_AGC_BUCKET=%t", false),
+					fmt.Sprintf("AGC_VERSION=%s", version.Version),
+				}
+				mocks.s3Mock.EXPECT().BucketExists(testAccountBucketName).Return(true, nil)
+				mocks.cdkMock.EXPECT().Bootstrap(gomock.Any(), vars, "bootstrap").Return(nil, fmt.Errorf("some bootstrap error"))
+				return mocks
+			},
+			expectedErr: fmt.Errorf("some bootstrap error"),
+		},
 	}
 
 	for name, tc := range testCases {