From ae710d5637f83aef4a906ae3ada8aeff94f2fe4e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bence=20Horn=C3=A1k?= Date: Mon, 11 Dec 2023 22:52:57 +0100 Subject: [PATCH 1/2] fix: KMS access denied errors when downloading the static env file (#5514) ## Bug description Since Copilot 1.32.0 cross account deployments are broken for all services (except static website) due to lacking permissions on the task execution role to perform the `kms:Decrypt` operation on the required key. ## Background Since #5329 the artifacts are encrypted with a [Kms Key](https://github.com/bencehornak/copilot-cli/blob/1146bf995d687bfff615a5c7d35266fb8bcb0b56/internal/pkg/template/templates/app/cf.yml#L17-L63), which belongs to the App stack. Due to the wrong configuration of the `ExecutionRole` resource, if one deploys the workload to a different account than where the app stack is located, the download of the env file fails due to the lacking `kms:Decrypt` permission on the corresponding key. https://github.com/bencehornak/copilot-cli/blob/67db7a2d4f94c69c836586f714341e587b1b8220/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml#L39-L43 Note that this policy grants access to all keys in the _workload's_ account (which is not a great practice either, see #4628), which is wrong, considering that the key is located in the app's account. ## Fix The policy was changed to the following: ``` - Effect: 'Allow' Action: - 'kms:Decrypt' Resource: - !Ref ArtifactKeyARN ``` where `ArtifactKeyARN` is the ARN of the Kms Key. ## TODO - [x] There are many failing test cases, because the generated YAML changes. Is there a way to efficiently fix all of these test cases? - [x] Would it make sense to add a test case, which prevents this bug in the future? If yes, how? -> changed some test cases to test if the KMS key ARN gets passed to the stacks ## Conclusion Fixes partially: #4628. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License. 
--- internal/pkg/cli/deploy/backend.go | 1 + internal/pkg/cli/deploy/job.go | 1 + internal/pkg/cli/deploy/lbws.go | 1 + internal/pkg/cli/deploy/rdws.go | 1 + internal/pkg/cli/deploy/static_site.go | 1 + internal/pkg/cli/deploy/worker.go | 1 + internal/pkg/deploy/cloudformation/stack/backend_svc.go | 2 ++ .../cloudformation/stack/backend_svc_integration_test.go | 1 + .../pkg/deploy/cloudformation/stack/backend_svc_test.go | 4 ++++ .../stack/lb_grpc_web_service_integration_test.go | 1 + .../stack/lb_network_web_service_integration_test.go | 1 + .../stack/lb_web_service_integration_test.go | 1 + internal/pkg/deploy/cloudformation/stack/lb_web_svc.go | 2 ++ .../pkg/deploy/cloudformation/stack/lb_web_svc_test.go | 5 +++++ internal/pkg/deploy/cloudformation/stack/rd_web_svc.go | 2 ++ .../pkg/deploy/cloudformation/stack/scheduled_job.go | 2 ++ .../stack/scheduled_job_integration_test.go | 1 + .../deploy/cloudformation/stack/scheduled_job_test.go | 5 +++++ internal/pkg/deploy/cloudformation/stack/static_site.go | 6 ++++++ .../cloudformation/stack/static_site_integration_test.go | 1 + .../pkg/deploy/cloudformation/stack/static_site_test.go | 9 ++++++++- .../stack/testdata/stacklocal/cf.params.json | 1 + .../workloads/backend/http-autoscaling-params.json | 1 + .../workloads/backend/http-autoscaling-template.yml | 5 ++++- .../workloads/backend/http-full-config-params.json | 1 + .../workloads/backend/http-full-config-template.yml | 5 ++++- .../workloads/backend/http-only-path-params.json | 1 + .../workloads/backend/http-only-path-template.yml | 5 ++++- .../workloads/backend/https-path-alias-params.json | 1 + .../workloads/backend/https-path-alias-template.yml | 5 ++++- .../backend/simple-params-without-port-config.json | 1 + .../stack/testdata/workloads/backend/simple-params.json | 1 + .../backend/simple-template-without-port-config.yml | 5 ++++- .../stack/testdata/workloads/backend/simple-template.yml | 5 ++++- .../stack/testdata/workloads/job-test.params.json | 1 + 
.../stack/testdata/workloads/job-test.stack.yml | 5 ++++- .../stack/testdata/workloads/rdws-prod.stack.yml | 3 +++ .../stack/testdata/workloads/rdws-test.stack.yml | 5 ++++- .../testdata/workloads/static-site-test.params.json | 1 + .../stack/testdata/workloads/static-site-test.stack.yml | 7 ++++--- .../stack/testdata/workloads/static-site.params.json | 1 + .../stack/testdata/workloads/static-site.stack.yml | 7 ++++--- .../stack/testdata/workloads/svc-grpc-test.params.json | 1 + .../stack/testdata/workloads/svc-grpc-test.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-dev.params.json | 1 + .../stack/testdata/workloads/svc-nlb-dev.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-prod.params.json | 1 + .../stack/testdata/workloads/svc-nlb-prod.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-nlb-test.params.json | 1 + .../stack/testdata/workloads/svc-nlb-test.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-prod.params.json | 1 + .../stack/testdata/workloads/svc-prod.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-staging.params.json | 1 + .../stack/testdata/workloads/svc-staging.stack.yml | 5 ++++- .../stack/testdata/workloads/svc-test.params.json | 1 + .../stack/testdata/workloads/svc-test.stack.yml | 5 ++++- .../testdata/workloads/windows-svc-test.params.json | 1 + .../stack/testdata/workloads/windows-svc-test.stack.yml | 5 ++++- .../stack/testdata/workloads/worker-test.params.json | 1 + .../stack/testdata/workloads/worker-test.stack.yml | 5 ++++- .../stack/windows_lb_web_service_integration_test.go | 1 + .../stack/worker_service_integration_test.go | 1 + internal/pkg/deploy/cloudformation/stack/worker_svc.go | 2 ++ .../pkg/deploy/cloudformation/stack/worker_svc_test.go | 4 ++++ internal/pkg/deploy/cloudformation/stack/workload.go | 6 ++++++ .../templates/workloads/jobs/scheduled-job/cf.yml | 3 +++ .../templates/workloads/partials/cf/executionrole.yml | 2 +- .../templates/workloads/partials/cf/instancerole.yml | 2 +- 
.../template/templates/workloads/services/backend/cf.yml | 3 +++ .../template/templates/workloads/services/lb-web/cf.yml | 3 +++ .../template/templates/workloads/services/rd-web/cf.yml | 3 +++ .../templates/workloads/services/static-site/cf.yml | 7 ++++--- .../template/templates/workloads/services/worker/cf.yml | 3 +++ 73 files changed, 181 insertions(+), 29 deletions(-) diff --git a/internal/pkg/cli/deploy/backend.go b/internal/pkg/cli/deploy/backend.go index 8df9d749504..459363c03a7 100644 --- a/internal/pkg/cli/deploy/backend.go +++ b/internal/pkg/cli/deploy/backend.go @@ -106,6 +106,7 @@ func (d *backendSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( Manifest: d.backendMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/cli/deploy/job.go b/internal/pkg/cli/deploy/job.go index 671ffdecf09..b27e64819a0 100644 --- a/internal/pkg/cli/deploy/job.go +++ b/internal/pkg/cli/deploy/job.go @@ -109,6 +109,7 @@ func (d *jobDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*jobSta Manifest: d.jobMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/cli/deploy/lbws.go b/internal/pkg/cli/deploy/lbws.go index 904abaaee6d..0814aa52c12 100644 --- a/internal/pkg/cli/deploy/lbws.go +++ b/internal/pkg/cli/deploy/lbws.go @@ -169,6 +169,7 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s Manifest: d.lbMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, RootUserARN: in.RootUserARN, Addons: d.addons, diff --git a/internal/pkg/cli/deploy/rdws.go b/internal/pkg/cli/deploy/rdws.go index c13ef5581e3..afbdc9c11a8 100644 --- a/internal/pkg/cli/deploy/rdws.go +++ b/internal/pkg/cli/deploy/rdws.go 
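Review bot: `ArtifactKey: d.resources.KMSKeyARN` in the backend.go hunk (and the identical lines in job.go and lbws.go on this line) forwards the value without checking that it is non-empty, and the templates in this same patch use it verbatim as an IAM `Resource` (`- !Ref ArtifactKeyARN`), a position where CloudFormation rejects an empty string when the stack is created or updated. A workload deployed against an app whose resources carry no artifact key would therefore fail late with a policy-validation error instead of a readable CLI message; whether `d.resources` is validated somewhere earlier is not visible here. Consider a guard at the top of `stackConfiguration`, e.g. `if d.resources.KMSKeyARN == "" { return nil, errors.New("app resources have no artifact KMS key ARN; upgrade the app stack before deploying") }`, mirrored in the rdws, static_site and worker deployers that receive the same one-line change. `stackConfiguration` begins and ends outside the hunk.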
@@ -153,6 +153,7 @@ func (d *rdwsDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*rdwsS Manifest: d.rdwsMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/cli/deploy/static_site.go b/internal/pkg/cli/deploy/static_site.go index 92426cabbab..794825e23e3 100644 --- a/internal/pkg/cli/deploy/static_site.go +++ b/internal/pkg/cli/deploy/static_site.go @@ -177,6 +177,7 @@ func (d *staticSiteDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( Manifest: d.staticSiteMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, RootUserARN: in.RootUserARN, Addons: d.addons, diff --git a/internal/pkg/cli/deploy/worker.go b/internal/pkg/cli/deploy/worker.go index faeef576a55..72a1721e666 100644 --- a/internal/pkg/cli/deploy/worker.go +++ b/internal/pkg/cli/deploy/worker.go @@ -186,6 +186,7 @@ func (d *workerSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (* Manifest: d.wsMft, RawManifest: d.rawMft, ArtifactBucketName: d.resources.S3Bucket, + ArtifactKey: d.resources.KMSKeyARN, RuntimeConfig: *rc, Addons: d.addons, }) diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc.go b/internal/pkg/deploy/cloudformation/stack/backend_svc.go index 61e37c55efc..175350e37d3 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc.go @@ -34,6 +34,7 @@ type BackendServiceConfig struct { EnvManifest *manifest.Environment Manifest *manifest.BackendService ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer 
@@ -55,6 +56,7 @@ func NewBackendService(conf BackendServiceConfig) (*BackendService, error) { app: conf.App.Name, permBound: conf.App.PermissionsBoundary, artifactBucketName: conf.ArtifactBucketName, + artifactKey: conf.ArtifactKey, rc: conf.RuntimeConfig, image: conf.Manifest.ImageConfig.Image, rawManifest: conf.RawManifest, diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go b/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go index 86055313494..7967e09e455 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc_integration_test.go @@ -98,6 +98,7 @@ func TestBackendService_TemplateAndParamsGeneration(t *testing.T) { }, EnvManifest: envConfig, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", Manifest: mft.(*manifest.BackendService), RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: fmt.Sprintf("%s.%s.local", envName, appName), diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go b/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go index d1e77c199b1..27a5ab25927 100644 --- a/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/backend_svc_test.go @@ -680,6 +680,10 @@ func TestBackendService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, { ParameterKey: aws.String(WorkloadTargetContainerParamKey), ParameterValue: aws.String("frontend"), diff --git a/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go index d57166869da..bd14b078577 100644 
--- a/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_grpc_web_service_integration_test.go @@ -86,6 +86,7 @@ func TestGrpcLoadBalancedWebService_Template(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go index 86f9dee91d7..724362da0d3 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go @@ -106,6 +106,7 @@ func TestNetworkLoadBalancedWebService_Template(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go index 98dfe46aeeb..5853afcbcc9 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_service_integration_test.go 
@@ -132,6 +132,7 @@ func TestLoadBalancedWebService_TemplateInteg(t *testing.T) { EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: svcDiscoveryEndpointName, AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go index 4d4c63193c9..e906deabde8 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go @@ -59,6 +59,7 @@ type LoadBalancedWebServiceConfig struct { RuntimeConfig RuntimeConfig RootUserARN string ArtifactBucketName string + ArtifactKey string Addons NestedStackConfigurer AppHostedZoneID string } @@ -101,6 +102,7 @@ func NewLoadBalancedWebService(conf LoadBalancedWebServiceConfig, app: conf.App.Name, permBound: conf.App.PermissionsBoundary, artifactBucketName: conf.ArtifactBucketName, + artifactKey: conf.ArtifactKey, rc: conf.RuntimeConfig, image: conf.Manifest.ImageConfig.Image, rawManifest: conf.RawManifest, diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go index 7f7da14378e..3679ecb1e95 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go @@ -552,6 +552,10 @@ func TestLoadBalancedWebService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, } testCases := map[string]struct { httpsEnabled bool 
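Review bot: In the lb_web_svc.go hunk the new field is named `ArtifactKey` although it carries an ARN: the neighbouring field in the same struct is `RootUserARN`, the value fed into it by the deployer is `d.resources.KMSKeyARN`, and the CloudFormation parameter it ends up in is `ArtifactKeyARN`, so one value now has three names and a caller could plausibly pass a key ID or alias where the template needs an ARN. Since the field is new in this patch, naming it `ArtifactKeyARN` (with the unexported `artifactKeyARN`) costs nothing, and `LoadBalancedWebServiceConfig` is exported so the field deserves a doc comment either way, e.g. `// ArtifactKeyARN is the ARN of the app-level KMS key that encrypts deployment artifacts such as the env file; the task execution role is granted kms:Decrypt on it.` Both the struct and `NewLoadBalancedWebService` extend beyond the hunk.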
@@ -966,6 +970,7 @@ func TestLoadBalancedWebService_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "", "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c", "ContainerPort": "80", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go index a6f3f55a9b7..53d9f3a2a20 100644 --- a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go @@ -55,6 +55,7 @@ type RequestDrivenWebServiceConfig struct { Manifest *manifest.RequestDrivenWebService RawManifest string ArtifactBucketName string + ArtifactKey string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer } @@ -75,6 +76,7 @@ func NewRequestDrivenWebService(cfg RequestDrivenWebServiceConfig) (*RequestDriv app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job.go index 26ebd9b335c..f68ac97b1ef 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job.go @@ -92,6 +92,7 @@ type ScheduledJobConfig struct { Env string Manifest *manifest.ScheduledJob ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer @@ -113,6 +114,7 @@ func NewScheduledJob(cfg ScheduledJobConfig) (*ScheduledJob, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, 
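Review bot: `"ArtifactKeyARN": ""` in `TestLoadBalancedWebService_SerializedParameters` only proves that the parameter key is emitted, not that a configured key reaches the stack; a regression that dropped `artifactKey: conf.ArtifactKey` from the constructor would still pass because the config under test never sets `ArtifactKey`. The static-site tests in this patch set `ArtifactKey` to a sample ARN and assert that exact value, and doing the same here, i.e. setting `ArtifactKey` on the config and expecting `"ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"`, would make this test guard the pass-through the PR relies on. The same applies to the `""` expectation added to `TestLoadBalancedWebService_Parameters` just above. The test body continues outside the hunk.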
diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go index ecccb46de19..ee61dd7ba3c 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job_integration_test.go @@ -69,6 +69,7 @@ func TestScheduledJob_Template(t *testing.T) { Env: envName, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: "test.my-app.local", AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go index be36a178b8d..fc0bae78ffd 100644 --- a/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go +++ b/internal/pkg/deploy/cloudformation/stack/scheduled_job_test.go @@ -496,6 +496,10 @@ func TestScheduledJob_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, { ParameterKey: aws.String(ScheduledJobScheduleParamKey), ParameterValue: aws.String("cron(0 0 * * ? *)"), @@ -590,6 +594,7 @@ func TestScheduledJob_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "", "ContainerImage": "111111111111.dkr.ecr.us-west-2.amazonaws.com/phonetool/frontend:manual-bf3678c", "EnvFileARN": "", "EnvName": "test", diff --git a/internal/pkg/deploy/cloudformation/stack/static_site.go b/internal/pkg/deploy/cloudformation/stack/static_site.go index 6c2280bb224..40cd2511a27 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site.go 
@@ -37,6 +37,7 @@ type StaticSiteConfig struct { RuntimeConfig RuntimeConfig RootUserARN string ArtifactBucketName string + ArtifactKey string Addons NestedStackConfigurer AssetMappingURL string AppHostedZoneID string @@ -69,6 +70,7 @@ func NewStaticSite(cfg *StaticSiteConfig) (*StaticSite, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, rawManifest: cfg.RawManifest, parser: fs, @@ -167,6 +169,10 @@ func (s *StaticSite) Parameters() ([]*cloudformation.Parameter, error) { ParameterKey: aws.String(WorkloadAddonsTemplateURLParamKey), ParameterValue: aws.String(s.rc.AddonsTemplateURL), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(s.wkld.artifactKey), + }, }, nil } diff --git a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go index cd2706f339c..cb965e3861e 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go @@ -103,6 +103,7 @@ func TestStaticSiteService_TemplateAndParamsGeneration(t *testing.T) { Region: "us-west-2", }, ArtifactBucketName: "stackset-bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", AssetMappingURL: "s3://stackset-bucket/mappingfile", RootUserARN: "arn:aws:iam::123456789123:root", AppHostedZoneID: "Z00DEF", diff --git a/internal/pkg/deploy/cloudformation/stack/static_site_test.go b/internal/pkg/deploy/cloudformation/stack/static_site_test.go index b67e8f8bd2d..8fa6265d85f 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site_test.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site_test.go 
@@ -269,6 +269,10 @@ func TestStaticSite_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadAddonsTemplateURLParamKey), ParameterValue: aws.String("mockURL"), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"), + }, }, }, } @@ -291,7 +295,8 @@ func TestStaticSite_Parameters(t *testing.T) { Name: aws.String(testEnvName), }, }, - Manifest: testManifest, + Manifest: testManifest, + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", }) require.NoError(t, err) @@ -328,6 +333,7 @@ func TestStaticSite_SerializedParameters(t *testing.T) { "owner": "copilot", }, }, + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", }) params, err := c.SerializedParameters() require.NoError(t, err) @@ -335,6 +341,7 @@ func TestStaticSite_SerializedParameters(t *testing.T) { "Parameters": { "AddonsTemplateURL": "", "AppName": "phonetool", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "test", "WorkloadName": "frontend" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json index d092a66f1ba..5daccff785b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/stacklocal/cf.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "", "ContainerImage": "mockImageURL:latest", "ContainerPort": "5000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json index 8bf31af09cb..d924c14223f 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "http-autoscaling", "TargetPort": "8080", "RulePath": "http-autoscaling-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml index 3462caf5799..7fd26eba2bd 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-autoscaling-template.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -153,7 +156,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json index d8d06a99bc9..5d5d88d972b 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-params.json 
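Review bot: `ArtifactKeyARN` is declared with no `Default` and no `AllowedPattern`, yet the execution-role policy consumes it verbatim as `Resource: - !Ref ArtifactKeyARN`; the preceding env-file parameter defaults to `""` and the env-file grant that follows the new line is wrapped in a `!If`, so an empty or malformed `ArtifactKeyARN` is the one input that turns this statement into an invalid IAM policy and fails the whole stack with an opaque error. This file is a golden copy, so the fix belongs in the `executionrole.yml` partial listed in the diffstat: adding `AllowedPattern: '^arn:[^:]+:kms:[^:]+:[0-9]{12}:key/.+$'` to the parameter makes CloudFormation reject a bad value at parameter validation with a readable message. Note also that scoping the IAM side to the app's key is necessary but not sufficient for the cross-account case this PR targets; the key policy in the app stack must still allow the workload account's execution role, which is not shown in this patch.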
@@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvFileARNForfluentbit": "", "TargetContainer": "http-full-config", "TargetPort": "8081", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml index 17a2b2c2bf0..5aad68427ca 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-full-config-template.yml @@ -33,6 +33,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -188,7 +191,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json index 56ec85eff0a..5f3f64b6075 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-params.json 
@@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "http-only-path", "TargetPort": "8080", "RulePath": "http-only-path-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml index 4a8419b5a1d..212cd72614d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/http-only-path-template.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -153,7 +156,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json index a4dd3947157..a5da4ce5482 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-params.json 
@@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "80", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "https-path-alias", "TargetPort": "80", "RulePath": "https-path-alias-path", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml index 226f8d55589..768bc6b95f4 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/https-path-alias-template.yml @@ -29,6 +29,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -137,7 +140,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json index 7ae5bceaab2..193e4ab8564 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params-without-port-config.json 
@@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "-1", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "simple-backend", "TargetPort": "-1" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json index b323326f94d..4aff9fd94cb 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-params.json @@ -11,6 +11,7 @@ "LogRetention": "30", "ContainerPort": "8080", "EnvFileARN": "", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "TargetContainer": "simple-backend", "TargetPort": "8080" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml index 058aa9b0c62..050ed625703 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template-without-port-config.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -143,7 +146,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml index 3a5e0a544d5..4725ef12beb 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/backend/simple-template.yml @@ -29,6 +29,9 @@ Parameters: Description: "URL of the environment file." Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -146,7 +149,7 @@ Resources: Action: - "kms:Decrypt" Resource: - - !Sub "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*" + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json index 873a9d82462..bfa8723f9c3 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "alpine", "EnvFileARN": "", "EnvFileARNFornginx": "", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml index 7fbea528fe3..1f8c72375ad 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml 
@@ -31,6 +31,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' EnvFileARNFornginx: Description: 'URL of the environment file for the nginx sidecar.' Type: String @@ -283,7 +286,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml index 5e1a6ed2aa7..2b84e637823 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-prod.stack.yml @@ -40,6 +40,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml index adfc49dcbd7..afc31e355ca 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/rdws-test.stack.yml @@ -40,6 +40,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. 
@@ -125,7 +128,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - PolicyName: 'Publish2SNS' PolicyDocument: Version: '2012-10-17' diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json index 9f107ee1f44..f5a7e13d05a 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "test", "WorkloadName": "static" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml index 3445c5205d6..3a822c9a3c6 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site-test.stack.yml @@ -15,6 +15,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] @@ -286,9 +289,7 @@ Resources: - arn:aws:s3:::stackset-bucket/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::stackset-bucket" 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json index 9276eab4a18..cab0cc72033 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EnvName": "my-env", "WorkloadName": "static" }, diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml index bfaa26debdc..2f05401cedf 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml @@ -15,6 +15,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] @@ -292,9 +295,7 @@ Resources: - arn:aws:s3:::stackset-bucket/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::stackset-bucket" diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json index d2416d9429e..fdcfd38d1c3 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "50051", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml index 7bd4f2aec59..d72629ee460 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-grpc-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: @@ -151,7 +154,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json index 3e6cc384e65..1c8a1c4616d 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.params.json 
@@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml index 0664650c225..d869bd83709 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-dev.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' NLBAliases: Type: String Default: "" @@ -150,7 +153,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json index 09bfe66c09e..aea1666ad7e 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", 
diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml index 12349669848..93846de570f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' EnvFileARNFornginx: Description: 'URL of the environment file for the nginx sidecar.' Type: String @@ -208,7 +211,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json index 59c43adb725..d6ab0166b8c 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "true", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml index 0548fb3cf0e..23bfd98c1f2 100644 
--- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' NLBAliases: Type: String Default: "" @@ -145,7 +148,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json index 44a0e1d56e9..32ccf5eb4c2 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml index ee8b5829916..287e183479a 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml 
@@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LoggingEnvFileARN: Description: 'URL of the environment file for the logging sidecar.' Type: String @@ -309,7 +312,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json index 74ede637a1c..0f528e74f3f 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "123456789000.dkr.ecr.us-east-1.amazonaws.com/vault/e2e:cicdtest", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml index a5547f648f7..5bb7172eb61 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: 
@@ -153,7 +156,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json index 1ad135acb1d..5cdcaaaf330 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "4000", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml index 7ee2f7c9a41..0e646a28113 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: 
@@ -151,7 +154,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json index 7222f6607db..c63c12b5c11 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "", "ContainerPort": "80", "DNSDelegated": "false", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml index 40b7a16c9ab..93dea51c69e 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/windows-svc-test.stack.yml @@ -34,6 +34,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' TargetContainer: Type: String TargetPort: 
@@ -142,7 +145,7 @@ Resources: # If a bucket URL is specified, that means the template exists. Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If # Optional IAM permission required by ECS task def env file # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json index 752c4dd48eb..238d4bded46 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.params.json @@ -2,6 +2,7 @@ "Parameters": { "AddonsTemplateURL": "", "AppName": "my-app", + "ArtifactKeyARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ContainerImage": "amazon/ecs-example", "EnvFileARN": "", "EnvName": "test", diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml index 5c449beb4a1..93b4a61f9f9 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/worker-test.stack.yml @@ -130,6 +130,9 @@ Parameters: Description: 'URL of the environment file.' Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 @@ -251,7 +254,7 @@ Resources: Action: - 'kms:Decrypt' Resource: - - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - !Ref ArtifactKeyARN - !If - HasEnvFile - PolicyName: !Join ['', [!Ref AppName, '-', !Ref EnvName, '-', !Ref WorkloadName, GetEnvFilePolicy]] 
diff --git a/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go index 4b18af30301..20fa8ed3160 100644 --- a/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/windows_lb_web_service_integration_test.go @@ -71,6 +71,7 @@ func TestWindowsLoadBalancedWebService_Template(t *testing.T) { }, }, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", Manifest: v, RuntimeConfig: stack.RuntimeConfig{ AccountID: "123456789123", diff --git a/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go index 84c42fa623f..671f3d00f1e 100644 --- a/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/worker_service_integration_test.go @@ -69,6 +69,7 @@ func TestWorkerService_Template(t *testing.T) { Env: envName, Manifest: v, ArtifactBucketName: "bucket", + ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", RawManifest: string(manifestBytes), RuntimeConfig: stack.RuntimeConfig{ ServiceDiscoveryEndpoint: "test.my-app.local", diff --git a/internal/pkg/deploy/cloudformation/stack/worker_svc.go b/internal/pkg/deploy/cloudformation/stack/worker_svc.go index 52cc24c8fa5..2e05280fe62 100644 --- a/internal/pkg/deploy/cloudformation/stack/worker_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/worker_svc.go @@ -32,6 +32,7 @@ type WorkerServiceConfig struct { Env string Manifest *manifest.WorkerService ArtifactBucketName string + ArtifactKey string RawManifest string RuntimeConfig RuntimeConfig Addons NestedStackConfigurer 
@@ -53,6 +54,7 @@ func NewWorkerService(cfg WorkerServiceConfig) (*WorkerService, error) { app: cfg.App.Name, permBound: cfg.App.PermissionsBoundary, artifactBucketName: cfg.ArtifactBucketName, + artifactKey: cfg.ArtifactKey, rc: cfg.RuntimeConfig, image: cfg.Manifest.ImageConfig.Image, rawManifest: cfg.RawManifest, diff --git a/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go b/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go index d59863b3191..507900bfef1 100644 --- a/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/worker_svc_test.go @@ -325,5 +325,9 @@ func TestWorkerService_Parameters(t *testing.T) { ParameterKey: aws.String(WorkloadEnvFileARNParamKey), ParameterValue: aws.String(""), }, + { + ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey), + ParameterValue: aws.String(""), + }, }, params) } diff --git a/internal/pkg/deploy/cloudformation/stack/workload.go b/internal/pkg/deploy/cloudformation/stack/workload.go index d639fc98c4c..d49c9c221e0 100644 --- a/internal/pkg/deploy/cloudformation/stack/workload.go +++ b/internal/pkg/deploy/cloudformation/stack/workload.go @@ -37,6 +37,7 @@ const ( WorkloadTaskCountParamKey = "TaskCount" WorkloadLogRetentionParamKey = "LogRetention" WorkloadEnvFileARNParamKey = "EnvFileARN" + WorkloadArtifactKeyARNParamKey = "ArtifactKeyARN" WorkloadLoggingEnvFileARNParamKey = "LoggingEnvFileARN" FmtSidecarEnvFileARNParamKey = "EnvFileARNFor%s" @@ -152,6 +153,7 @@ type wkld struct { app string permBound string artifactBucketName string + artifactKey string rc RuntimeConfig image location rawManifest string 
@@ -374,6 +376,10 @@ func (w *ecsWkld) envFileParams() []*cloudformation.Parameter {
 ParameterKey: aws.String(WorkloadEnvFileARNParamKey),
 ParameterValue: aws.String(w.rc.EnvFileARNs[w.name]),
 },
+ {
+ ParameterKey: aws.String(WorkloadArtifactKeyARNParamKey),
+ ParameterValue: aws.String(w.wkld.artifactKey),
+ },
 }
 // Decide whether to inject a Log container env file. If there is log configuration
 // in the manifest, we should inject either an empty string or the configured env file arn,
diff --git a/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml b/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml
index 00837e73904..d5626edb72a 100644
--- a/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml
+++ b/internal/pkg/template/templates/workloads/jobs/scheduled-job/cf.yml
@@ -47,6 +47,9 @@ Parameters:
 Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.'
 Default: ""
 {{- end }}
+ ArtifactKeyARN:
+ Type: String
+ Description: 'KMS Key used for encrypting artifacts'
 Conditions:
 HasAddons: # If a bucket URL is specified, that means the template exists.
 !Not [!Equals [!Ref AddonsTemplateURL, ""]]
diff --git a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
index 88b7ef5b3c9..e0f25772c1a 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/executionrole.yml
@@ -40,7 +40,7 @@ ExecutionRole:
 Action:
 - 'kms:Decrypt'
 Resource:
- - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+ - !Ref ArtifactKeyARN
 # Optional IAM permission required by ECS task def env file
 # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html#taskdef-envfiles-iam
 # Example EnvFileARN: arn:aws:s3:::stackset-demo-infrastruc-pipelinebuiltartifactbuc-11dj7ctf52wyf/manual/1638391936/env
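Review bot: `w.wkld.artifactKey` is forwarded with no check, so a workload constructed with an empty `ArtifactKey` renders the `ArtifactKeyARN` parameter as "" — and `TestWorkerService_Parameters` in this same patch pins exactly that empty value — which, as far as I can tell, leaves the execution role's `kms:Decrypt` statement with an empty `Resource` that IAM rejects at stack create/update time, where the old wildcard ARN it replaces would have passed. The natural guard is in the constructors that already read the field, e.g. in `NewWorkerService`: `if cfg.ArtifactKey == "" { return nil, errors.New("artifact key ARN is required") }`, together with a test expectation that uses a real-looking key ARN rather than "". The new entry is also not an env-file parameter, so a why-comment above it, `// ArtifactKeyARN scopes the execution role's kms:Decrypt to the app's artifact key.`, would explain its presence in envFileParams. envFileParams starts and ends outside the hunk.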
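Review bot: Narrowing `kms:Decrypt` from every key in the workload account to `!Ref ArtifactKeyARN` is the right least-privilege change, but the `ArtifactKeyARN` parameter this hunk now depends on is declared (in the scheduled-job, backend, lb-web, rd-web, static-site and worker cf.yml templates) with no `Default`, no `MinLength` and no `AllowedPattern`, so a blank or malformed value is only caught when IAM evaluates the policy; `MinLength: 1` on the parameter would fail fast at parameter validation instead. The description also names the value a key when it is an ARN, so `Description: 'ARN of the KMS key used to encrypt artifacts'` would be more accurate. For consistency, the static-site policy in this patch constrains its decrypt grant with a `kms:EncryptionContext:aws:s3:arn` condition while this statement does not; whether the execution role can carry the same condition depends on how the env file is fetched, which is not visible here. The same `!Ref ArtifactKeyARN` replacement in instancerole.yml has the identical dependency on the parameter's validation.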
diff --git a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml
index 31f0f991f9d..8d6342822b5 100644
--- a/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml
+++ b/internal/pkg/template/templates/workloads/partials/cf/instancerole.yml
@@ -57,7 +57,7 @@ InstanceRole:
 Action:
 - 'kms:Decrypt'
 Resource:
- - !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
+ - !Ref ArtifactKeyARN
 {{- end }}
 {{- if .Publish }}
 {{- if .Publish.Topics }}
diff --git a/internal/pkg/template/templates/workloads/services/backend/cf.yml b/internal/pkg/template/templates/workloads/services/backend/cf.yml
index 5ec9c6ededf..c64f5bb3734 100644
--- a/internal/pkg/template/templates/workloads/services/backend/cf.yml
+++ b/internal/pkg/template/templates/workloads/services/backend/cf.yml
@@ -45,6 +45,9 @@ Parameters:
 Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.'
 Default: ""
 {{- end }}
+ ArtifactKeyARN:
+ Type: String
+ Description: 'KMS Key used for encrypting artifacts'
 LogRetention:
 Type: Number
 Default: 30
diff --git a/internal/pkg/template/templates/workloads/services/lb-web/cf.yml b/internal/pkg/template/templates/workloads/services/lb-web/cf.yml
index 369eea610b3..3580887582b 100644
--- a/internal/pkg/template/templates/workloads/services/lb-web/cf.yml
+++ b/internal/pkg/template/templates/workloads/services/lb-web/cf.yml
@@ -50,6 +50,9 @@ Parameters:
 Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.'
 Default: ""
 {{- end }}
+ ArtifactKeyARN:
+ Type: String
+ Description: 'KMS Key used for encrypting artifacts'
 TargetContainer:
 Type: String
 TargetPort:
diff --git a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml
index 6602f010ee8..ff8bbe3d2ff 100644
--- a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml
+++ b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml @@ -44,6 +44,9 @@ Parameters: Description: 'URL of the addons nested stack template within the S3 bucket.' Type: String Default: '' + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: # App Runner will not accept an AccessRole for ImageRepositoryTypes other than ECR. diff --git a/internal/pkg/template/templates/workloads/services/static-site/cf.yml b/internal/pkg/template/templates/workloads/services/static-site/cf.yml index 886624acc84..5458dd63b30 100644 --- a/internal/pkg/template/templates/workloads/services/static-site/cf.yml +++ b/internal/pkg/template/templates/workloads/services/static-site/cf.yml @@ -27,6 +27,9 @@ Parameters: Description: URL of the addons nested stack template within the S3 bucket. Type: String Default: "" + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' Conditions: HasAddons: !Not [!Equals [!Ref AddonsTemplateURL, ""]] @@ -329,9 +332,7 @@ Resources: - arn:aws:s3:::{{.AssetMappingFileBucket}}/local-assets/* - Effect: Allow Action: kms:Decrypt - Resource: - Fn::ImportValue: - !Sub "${AppName}-ArtifactKey" + Resource: !Ref ArtifactKeyARN Condition: StringEquals: kms:EncryptionContext:aws:s3:arn: "arn:aws:s3:::{{.AssetMappingFileBucket}}" diff --git a/internal/pkg/template/templates/workloads/services/worker/cf.yml b/internal/pkg/template/templates/workloads/services/worker/cf.yml index d09915ef55c..a9898300e5d 100644 --- a/internal/pkg/template/templates/workloads/services/worker/cf.yml +++ b/internal/pkg/template/templates/workloads/services/worker/cf.yml @@ -43,6 +43,9 @@ Parameters: Description: 'URL of the environment file for the {{$sidecar.Name}} sidecar.' Default: "" {{- end }} + ArtifactKeyARN: + Type: String + Description: 'KMS Key used for encrypting artifacts' LogRetention: Type: Number Default: 30 From 8de7d2b1e4ca83399d0652b43f13c82849d1d0b6 Mon Sep 17 00:00:00 2001 
From: Adithya Kolla <71282729+KollaAdithya@users.noreply.github.com> Date: Mon, 11 Dec 2023 14:38:07 -0800 Subject: [PATCH 2/2] fix: revert changes to custom resources of passing hostedzoneids (#5540) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sorry again for this mistake 🙇 I did not anticipate that it breaks the permissions required to create environment and services. Previously we added the logic to pass all the HostedZoneId as params in the custom resource in #5315.
 But this introduced a bug, as @Lou1415926 described in https://github.com/aws/copilot-cli/issues/5535#issuecomment-1846327824, so these changes are being reverted: they are not necessary, because `listHostedZonesByName` always lists all public hosted zones first, followed by the private hosted zones.
 And also I think these modifications for filtering of hosted zones are not required in custom resources
because `listHostedZonesByName` api call always lists all the public hosted zones first and at last it lists private hosted zones.
The logic we have in all the custom resources always works to fetch public hosted zone. 
 ```
 const data = await appRoute53Client.listHostedZonesByName({ DNSName: domainName, MaxItems: "1", }).promise();

 ``` --- .../lib/custom-domain-app-runner.js | 5 +- cf-custom-resources/lib/custom-domain.js | 33 ++-------- cf-custom-resources/lib/dns-cert-validator.js | 24 +------ cf-custom-resources/lib/dns-delegation.js | 24 +++---- .../lib/wkld-cert-validator.js | 14 +--- cf-custom-resources/lib/wkld-custom-domain.js | 14 +--- .../test/custom-domain-app-runner-test.js | 13 +++- .../test/custom-domain-test.js | 66 ------------------- internal/pkg/cli/deploy/env.go | 34 ++-------- internal/pkg/cli/deploy/env_test.go | 25 ++----- internal/pkg/cli/deploy/lbws.go | 8 --- internal/pkg/cli/deploy/mocks/mock_env.go | 38 ----------- internal/pkg/cli/deploy/rdws.go | 9 ++- internal/pkg/cli/deploy/static_site.go | 8 --- internal/pkg/cli/deploy/static_site_test.go | 14 ---- internal/pkg/cli/deploy/workload.go | 31 ++++----- internal/pkg/cli/deploy/workload_test.go | 40 +++++------ internal/pkg/deploy/app.go | 10 ++- .../pkg/deploy/cloudformation/stack/env.go | 1 - .../deploy/cloudformation/stack/env_test.go | 8 --- ...lb_network_web_service_integration_test.go | 5 +- .../deploy/cloudformation/stack/lb_web_svc.go | 10 +-- .../cloudformation/stack/lb_web_svc_test.go | 10 +-- .../deploy/cloudformation/stack/rd_web_svc.go | 1 - .../cloudformation/stack/static_site.go | 10 +-- .../stack/static_site_integration_test.go | 6 +- .../template-with-basic-manifest.yml | 2 - ...emplate-with-default-access-log-config.yml | 2 - .../template-with-defaultvpc-flowlogs.yml | 2 - .../template-with-importedvpc-flowlogs.yml | 2 - .../testdata/workloads/static-site.stack.yml | 4 -- .../testdata/workloads/svc-nlb-prod.stack.yml | 4 -- .../testdata/workloads/svc-nlb-test.stack.yml | 2 - .../cloudformation/stack/transformers.go | 10 --- internal/pkg/template/env.go | 7 -- .../environment/partials/custom-resources.yml | 17 +---- .../templates/workloads/partials/cf/nlb.yml | 8 --- .../workloads/services/rd-web/cf.yml | 3 - .../workloads/services/static-site/cf.yml | 8 --- internal/pkg/template/workload.go | 1 - 
40 files changed, 100 insertions(+), 433 deletions(-) diff --git a/cf-custom-resources/lib/custom-domain-app-runner.js b/cf-custom-resources/lib/custom-domain-app-runner.js index 613c6430116..bbe0533c261 100644 --- a/cf-custom-resources/lib/custom-domain-app-runner.js +++ b/cf-custom-resources/lib/custom-domain-app-runner.js @@ -95,10 +95,7 @@ exports.handler = async function (event, context) { }), }); appRunnerClient = new AWS.AppRunner(); - appHostedZoneID = props.RootHostedZoneId - if (!appHostedZoneID){ - appHostedZoneID = await domainHostedZoneID(appDNSName); - } + appHostedZoneID = await domainHostedZoneID(appDNSName); switch (event.RequestType) { case "Create": case "Update": diff --git a/cf-custom-resources/lib/custom-domain.js b/cf-custom-resources/lib/custom-domain.js index 56eb6cf37d7..23a2ef81ef2 100644 --- a/cf-custom-resources/lib/custom-domain.js +++ b/cf-custom-resources/lib/custom-domain.js @@ -98,10 +98,7 @@ const writeCustomDomainRecord = async function ( accessDNS, accessHostedZone, aliasTypes, - action, - rootHostedZoneId, - appHostedZoneId, - envHostedZoneId + action ) { const actions = []; for (const alias of aliases) { @@ -114,8 +111,7 @@ const writeCustomDomainRecord = async function ( accessDNS, accessHostedZone, aliasType.domain, - action, - envHostedZoneId + action )); break; case aliasTypes.AppDomainZone: @@ -125,8 +121,7 @@ const writeCustomDomainRecord = async function ( accessDNS, accessHostedZone, aliasType.domain, - action, - appHostedZoneId + action )); break; case aliasTypes.RootDomainZone: @@ -136,8 +131,7 @@ const writeCustomDomainRecord = async function ( accessDNS, accessHostedZone, aliasType.domain, - action, - rootHostedZoneId + action )); break; // We'll skip if it is the other alias type since it will be in another account's route53. 
@@ -153,10 +147,9 @@ const writeARecord = async function ( accessDNS, accessHostedZone, domain, - action, - hostedZoneID + action ) { - let hostedZoneId = hostedZoneID || hostedZoneCache.get(domain); + let hostedZoneId = hostedZoneCache.get(domain); if (!hostedZoneId) { const hostedZones = await route53 .listHostedZonesByName({ @@ -240,9 +233,6 @@ exports.handler = async function (event, context) { props.PublicAccessHostedZone, aliasTypes, changeRecordAction.Upsert, - props.RootHostedZoneId, - props.AppHostedZoneId, - props.EnvHostedZoneId ); break; case "Update": @@ -254,9 +244,6 @@ exports.handler = async function (event, context) { props.PublicAccessHostedZone, aliasTypes, changeRecordAction.Upsert, - props.RootHostedZoneId, - props.AppHostedZoneId, - props.EnvHostedZoneId ); // After upserting new aliases, delete unused ones. For example: previously we have ["foo.com", "bar.com"], // and now the aliases param is updated to just ["foo.com"] then we'll delete "bar.com". @@ -274,9 +261,6 @@ exports.handler = async function (event, context) { props.PublicAccessHostedZone, aliasTypes, changeRecordAction.Delete, - props.RootHostedZoneId, - props.AppHostedZoneId, - props.EnvHostedZoneId ); break; case "Delete": @@ -287,10 +271,7 @@ exports.handler = async function (event, context) { props.PublicAccessDNS, props.PublicAccessHostedZone, aliasTypes, - changeRecordAction.Delete, - props.RootHostedZoneId, - props.AppHostedZoneId, - props.EnvHostedZoneId + changeRecordAction.Delete ); break; default: diff --git a/cf-custom-resources/lib/dns-cert-validator.js b/cf-custom-resources/lib/dns-cert-validator.js index ac1994805cf..5c2d980fff9 100644 --- a/cf-custom-resources/lib/dns-cert-validator.js +++ b/cf-custom-resources/lib/dns-cert-validator.js @@ -212,8 +212,6 @@ const validateCertificate = async function( options, envRoute53, appRoute53, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId, certificateARN, acm 
@@ -223,8 +221,6 @@ const validateCertificate = async function( options, envRoute53, appRoute53, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId ); @@ -245,9 +241,7 @@ const updateHostedZoneRecords = async function ( options, envRoute53, appRoute53, - rootHostedZoneId, - appHostedZoneId, - envHostedZoneId, + envHostedZoneId ) { const promises = []; for (const option of options) { @@ -271,7 +265,6 @@ const updateHostedZoneRecords = async function ( record: option.ResourceRecord, action: action, domainName: domainType.domain, - hostedZoneId: appHostedZoneId, }) ); break; @@ -282,7 +275,6 @@ const updateHostedZoneRecords = async function ( record: option.ResourceRecord, action: action, domainName: domainType.domain, - hostedZoneId: rootHostedZoneId, }) ); break; @@ -301,8 +293,6 @@ const deleteHostedZoneRecords = async function ( envRoute53, appRoute53, acm, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId ) { let listCertificatesInput = {}; @@ -364,8 +354,6 @@ const deleteHostedZoneRecords = async function ( filteredRecordOption, envRoute53, appRoute53, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId ); } catch (e) { @@ -428,8 +416,6 @@ const deleteCertificate = async function ( arn, certDomain, region, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId, rootDnsRole ) { @@ -477,8 +463,6 @@ const deleteCertificate = async function ( envRoute53, appRoute53, acm, - rootHostedZoneId, - appHostedZoneId, envHostedZoneId ); 
@@ -642,7 +626,7 @@ exports.certificateRequestHandler = async function (event, context) { ); responseData.Arn = physicalResourceId = response.CertificateArn; // Set physicalResourceId as soon as we can. options = await waitForValidationOptionsToBeReady(response.CertificateArn, sansToUse, acm); - await validateCertificate(options, envRoute53, appRoute53, props.RootHostedZoneId, props.AppHostedZoneId, props.EnvHostedZoneId, response.CertificateArn, acm); + await validateCertificate(options, envRoute53, appRoute53, props.EnvHostedZoneId, response.CertificateArn, acm); break; case "Update": // Exit early if cert doesn't change. @@ -660,7 +644,7 @@ exports.certificateRequestHandler = async function (event, context) { ); responseData.Arn = physicalResourceId = response.CertificateArn; options = await waitForValidationOptionsToBeReady(response.CertificateArn, sansToUse, acm); - await validateCertificate(options, envRoute53, appRoute53, props.RootHostedZoneId, props.AppHostedZoneId, props.EnvHostedZoneId, response.CertificateArn, acm); + await validateCertificate(options, envRoute53, appRoute53, props.EnvHostedZoneId, response.CertificateArn, acm); break; case "Delete": // If the resource didn't create correctly, the physical resource ID won't be the @@ -670,8 +654,6 @@ exports.certificateRequestHandler = async function (event, context) { physicalResourceId, certDomain, props.Region, - props.RootHostedZoneId, - props.AppHostedZoneId, props.EnvHostedZoneId, props.RootDNSRole ); diff --git a/cf-custom-resources/lib/dns-delegation.js b/cf-custom-resources/lib/dns-delegation.js index 1bd7abf981c..5bbe12eca1b 100644 --- a/cf-custom-resources/lib/dns-delegation.js +++ b/cf-custom-resources/lib/dns-delegation.js @@ -90,8 +90,7 @@ const createSubdomainInRoot = async function ( domainName, subDomain, nameServers, - rootDnsRole, - hostedZoneId + rootDnsRole ) { const route53 = new aws.Route53({ credentials: new aws.ChainableTemporaryCredentials({ 
@@ -99,7 +98,7 @@ const createSubdomainInRoot = async function ( masterCredentials: new aws.EnvironmentCredentials("AWS"), }), }); - if (!hostedZoneId) { + const hostedZones = await route53 .listHostedZonesByName({ DNSName: domainName, @@ -116,8 +115,8 @@ const createSubdomainInRoot = async function ( // HostedZoneIDs are of the form /hostedzone/1234455, but the actual // ID is after the last slash. - hostedZoneId = domainHostedZone.Id.split("/").pop(); - } + const hostedZoneId = domainHostedZone.Id.split("/").pop(); + const changeBatch = await route53 .changeResourceRecordSets({ ChangeBatch: { @@ -159,8 +158,7 @@ const deleteSubdomainInRoot = async function ( requestId, domainName, subDomain, - rootDnsRole, - hostedZoneId + rootDnsRole ) { const route53 = new aws.Route53({ credentials: new aws.ChainableTemporaryCredentials({ @@ -168,7 +166,7 @@ const deleteSubdomainInRoot = async function ( masterCredentials: new aws.EnvironmentCredentials("AWS"), }), }); - if (!hostedZoneId) { + const hostedZones = await route53 .listHostedZonesByName({ DNSName: domainName, @@ -185,8 +183,8 @@ const deleteSubdomainInRoot = async function ( // HostedZoneIDs are of the form /hostedzone/1234455, but the actual // ID is after the last slash. - hostedZoneId = domainHostedZone.Id.split("/").pop(); - } + const hostedZoneId = domainHostedZone.Id.split("/").pop(); + // Find the recordsets for this subdomain, and then remove it // from the hosted zone. const recordSets = await route53 @@ -277,8 +275,7 @@ exports.domainDelegationHandler = async function (event, context) { props.DomainName, props.SubdomainName, props.NameServers, - props.RootDNSRole, - props.RootHostedZoneId + props.RootDNSRole ); break; case "Delete": @@ -286,8 +283,7 @@ exports.domainDelegationHandler = async function (event, context) { event.RequestId, props.DomainName, props.SubdomainName, - props.RootDNSRole, - props.RootHostedZoneId + props.RootDNSRole ); break; default: 
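Review bot: Removing the `if (!hostedZoneId) {` wrapper leaves an added empty line in both createSubdomainInRoot and deleteSubdomainInRoot (the `+` line where the block used to open and the one after `const hostedZoneId = domainHostedZone.Id.split("/").pop();`); they are leftovers of the revert and can be dropped. More importantly, the commit message explains that the lookup is correct only because `listHostedZonesByName` returns public hosted zones before private ones, but nothing at the call site records that, so the next change can silently break it again; a comment above the `route53.listHostedZonesByName({` call, `// listHostedZonesByName lists public hosted zones before private ones, so the first match for DNSName is the public zone we need.`, would carry the invariant into the code. Both functions start outside the hunk.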
diff --git a/cf-custom-resources/lib/wkld-cert-validator.js b/cf-custom-resources/lib/wkld-cert-validator.js index 138b5fa8e46..52f38dd802a 100644 --- a/cf-custom-resources/lib/wkld-cert-validator.js +++ b/cf-custom-resources/lib/wkld-cert-validator.js @@ -10,7 +10,7 @@ const ATTEMPTS_CERTIFICATE_VALIDATED = 19; const ATTEMPTS_CERTIFICATE_NOT_IN_USE = 12; const DELAY_CERTIFICATE_VALIDATED_IN_S = 30; -let rootHostedZoneID,appHostedZoneID,envHostedZoneID, appName, envName, serviceName, certificateDomain, domainTypes, rootDNSRole, domainName, isCloudFrontCert; +let envHostedZoneID, appName, envName, serviceName, certificateDomain, domainTypes, rootDNSRole, domainName, isCloudFrontCert; let defaultSleep = function (ms) { return new Promise((resolve) => setTimeout(resolve, ms)); }; @@ -168,8 +168,6 @@ exports.handler = async function (event, context) { const aliases = new Set(props.Aliases); // Initialize global variables. - rootHostedZoneID = props.RootHostedZoneId; - appHostedZoneID = props.AppHostedZoneId; envHostedZoneID = props.EnvHostedZoneId; envName = props.EnvName; appName = props.AppName; @@ -750,23 +748,17 @@ async function domainResources(alias) { }; } if (domainTypes.AppDomainZone.regex.test(alias)) { - if (!appHostedZoneID){ - appHostedZoneID = await hostedZoneID.app() - } return { domain: domainTypes.AppDomainZone.domain, route53Client: clients.app.route53(), - hostedZoneID: appHostedZoneID, + hostedZoneID: await hostedZoneID.app(), }; } if (domainTypes.RootDomainZone.regex.test(alias)) { - if (!rootHostedZoneID){ - rootHostedZoneID = await hostedZoneID.root() - } return { domain: domainTypes.RootDomainZone.domain, route53Client: clients.root.route53(), - hostedZoneID: rootHostedZoneID, + hostedZoneID: await hostedZoneID.root(), }; } throw new UnrecognizedDomainTypeError(`unrecognized domain type for ${alias}`); diff --git a/cf-custom-resources/lib/wkld-custom-domain.js b/cf-custom-resources/lib/wkld-custom-domain.js index 88d415906de..2b0736b7389 100644 
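Review bot: `hostedZoneID: await hostedZoneID.app()` and `await hostedZoneID.root()` now execute inside domainResources for every alias, whereas the removed globals resolved each zone once per invocation; unless `hostedZoneID.app()`/`root()` memoize internally (not visible here), a service with several aliases in the same zone makes one Route53 list call per alias, which is both slower and closer to API throttling. If they do not cache, a small local memo (e.g. a `Map` keyed by domain type, populated on first use) restores the previous single-lookup behaviour without reintroducing the removed resource properties. The same pattern is in the wkld-custom-domain.js hunk that follows. domainResources starts outside the hunk.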
--- a/cf-custom-resources/lib/wkld-custom-domain.js +++ b/cf-custom-resources/lib/wkld-custom-domain.js @@ -6,7 +6,7 @@ const ATTEMPTS_VALIDATION_OPTIONS_READY = 10; const ATTEMPTS_RECORD_SETS_CHANGE = 10; const DELAY_RECORD_SETS_CHANGE_IN_S = 30; -let rootHostedZoneID,appHostedZoneID,envHostedZoneID, appName, envName, serviceName, domainTypes, rootDNSRole, domainName; +let envHostedZoneID, appName, envName, serviceName, domainTypes, rootDNSRole, domainName; let defaultSleep = function (ms) { return new Promise((resolve) => setTimeout(resolve, ms)); }; @@ -157,8 +157,6 @@ exports.handler = async function (event, context) { const aliases = new Set(props.Aliases); // Initialize global variables. - rootHostedZoneID = props.RootHostedZoneId; - appHostedZoneID = props.AppHostedZoneId; envHostedZoneID = props.EnvHostedZoneId; envName = props.EnvName; appName = props.AppName; @@ -446,23 +444,17 @@ async function domainResources(alias) { }; } if (domainTypes.AppDomainZone.regex.test(alias)) { - if (!appHostedZoneID){ - appHostedZoneID = await hostedZoneID.app() - } return { domain: domainTypes.AppDomainZone.domain, route53Client: clients.app.route53(), - hostedZoneID: appHostedZoneID, + hostedZoneID: await hostedZoneID.app(), }; } if (domainTypes.RootDomainZone.regex.test(alias)) { - if (!rootHostedZoneID){ - rootHostedZoneID = await hostedZoneID.root() - } return { domain: domainTypes.RootDomainZone.domain, route53Client: clients.root.route53(), - hostedZoneID: rootHostedZoneID, + hostedZoneID: await hostedZoneID.root(), }; } throw new UnrecognizedDomainTypeError(`unrecognized domain type for ${alias}`); diff --git a/cf-custom-resources/test/custom-domain-app-runner-test.js b/cf-custom-resources/test/custom-domain-app-runner-test.js index 90f3a6875e7..783dfeb7ab1 100644 --- a/cf-custom-resources/test/custom-domain-app-runner-test.js +++ b/cf-custom-resources/test/custom-domain-app-runner-test.js 
@@ -13,8 +13,8 @@ const nock = require("nock"); let origLog = console.log; describe("Custom Domain for App Runner Service", () => { - const [mockServiceARN, mockCustomDomain, mockHostedZoneID, mockResponseURL, mockPhysicalResourceID, mockLogicalResourceID, mockTarget, mockAppDNSName,mockAppHostedZoneID] = - ["mockService", "mockDomain", "mockHostedZoneID", "https://mock.com/", "mockPhysicalResourceID", "mockLogicalResourceID", "mockTarget", "mockAppDNSName","Z00ABC" ]; + const [mockServiceARN, mockCustomDomain, mockHostedZoneID, mockResponseURL, mockPhysicalResourceID, mockLogicalResourceID, mockTarget, mockAppDNSName] = + ["mockService", "mockDomain", "mockHostedZoneID", "https://mock.com/", "mockPhysicalResourceID", "mockLogicalResourceID", "mockTarget", "mockAppDNSName", ]; beforeEach(() => { // Prevent logging. @@ -635,6 +635,13 @@ describe("Custom Domain for App Runner Service", () => { test("success", () => { const mockTarget = "mockTarget"; + const mockListHostedZonesByName = sinon.fake.resolves({ + HostedZones: [ + { + Id: "/hostedzone/mockHostedZoneID", + }, + ], + }); // Able to retrieve the hosted zone ID. const mockAssociateCustomDomain = sinon.fake.resolves({DNSTarget: mockTarget,}); const mockWaitFor = sinon.fake.resolves(); const mockDescribeCustomDomains = sinon.stub(); @@ -682,6 +689,7 @@ describe("Custom Domain for App Runner Service", () => { AWS.mock("Route53", "changeResourceRecordSets", mockChangeResourceRecordSets); AWS.mock("Route53", "waitFor", mockWaitFor); AWS.mock("AppRunner", "describeCustomDomains", mockDescribeCustomDomains); + AWS.mock("Route53", "listHostedZonesByName", mockListHostedZonesByName); const expectedResponse = nock(mockResponseURL) .put("/", (body) => { 
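Review bot: The rewritten array literal ends with `"mockAppDNSName", ];`, a stray trailing comma and space left over from removing `mockAppHostedZoneID`; `"mockAppDNSName"];` reads cleaner. In the new `mockListHostedZonesByName` fake the zone is spelled as the literal `Id: "/hostedzone/mockHostedZoneID"` even though the test already destructures a `mockHostedZoneID` constant with that value, so `Id: \`/hostedzone/${mockHostedZoneID}\`` would keep the fake tied to the constant the assertions use.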
@@ -697,7 +705,6 @@ describe("Custom Domain for App Runner Service", () => { ServiceARN: mockServiceARN, AppDNSRole: "", CustomDomain: mockCustomDomain, - RootHostedZoneId: mockAppHostedZoneID, }, PhysicalResourceId: mockPhysicalResourceID, LogicalResourceId: mockLogicalResourceID, diff --git a/cf-custom-resources/test/custom-domain-test.js b/cf-custom-resources/test/custom-domain-test.js index 5c1aa1af3f9..341e40a57eb 100644 --- a/cf-custom-resources/test/custom-domain-test.js +++ b/cf-custom-resources/test/custom-domain-test.js @@ -17,16 +17,12 @@ describe("DNS Validated Certificate Handler", () => { const testEnvName = "test"; const testDomainName = "example.com"; const testAliases = `{"frontend": ["v1.${testEnvName}.${testAppName}.${testDomainName}", "foobar.com"]}`; - const testAliases2 = `{"frontend": ["v2.${testEnvName}.${testAppName}.${testDomainName}", "foobar.com"]}`; const testUpdatedAliases = `{"frontend": ["v2.${testEnvName}.${testAppName}.${testDomainName}", "foobar.com"]}`; const testAccessDNS = "examp-publi-gsedbvf8t12c-852245110.us-west-1.elb.amazonaws.com."; const testLBHostedZone = "Z1H1FL5HABSF5"; const testHostedZoneId = "Z3P5QSUBK4POTI"; const testRootDNSRole = "mockRole"; - const mockRootHostedZoneId = "Z00ABC" - const mockAppHostedZoneID = "Z00DEF" - const mockEnvHostedZoneID = "Z00GHI" beforeEach(() => { handler.withDefaultResponseURL(ResponseURL); 
@@ -246,68 +242,6 @@ describe("DNS Validated Certificate Handler", () => { }); }); - test("Create success with out listhostedzones api call", () => { - const changeResourceRecordSetsFake = sinon.fake.resolves({ - ChangeInfo: { - Id: "bogus", - }, - }); - - AWS.mock( - "Route53", - "changeResourceRecordSets", - changeResourceRecordSetsFake - ); - - const request = nock(ResponseURL) - .put("/", (body) => { - return body.Status === "SUCCESS"; - }) - .reply(200); - return LambdaTester(handler.handler) - .event({ - RequestType: "Create", - ResourceProperties: { - AppName: testAppName, - EnvName: testEnvName, - DomainName: testDomainName, - Aliases: testAliases2, - Region: "us-east-1", - PublicAccessDNS: testAccessDNS, - PublicAccessHostedZone: testLBHostedZone, - AppDNSRole: testRootDNSRole, - RootHostedZoneId: mockRootHostedZoneId, - AppHostedZoneId:mockAppHostedZoneID, - EnvHostedZoneId: mockEnvHostedZoneID, - }, - }) - .expectResolve(() => { - sinon.assert.calledWith( - changeResourceRecordSetsFake, - sinon.match({ - ChangeBatch: { - Changes: [ - { - Action: "UPSERT", - ResourceRecordSet: { - Name: `v2.${testEnvName}.${testAppName}.${testDomainName}`, - Type: "A", - AliasTarget: { - HostedZoneId: testLBHostedZone, - DNSName: testAccessDNS, - EvaluateTargetHealth: true, - }, - }, - }, - ], - }, - HostedZoneId: mockEnvHostedZoneID, - }) - ); - expect(request.isDone()).toBe(true); - }); - }); - test("Update success", () => { const changeResourceRecordSetsFake = sinon.fake.resolves({ ChangeInfo: { diff --git a/internal/pkg/cli/deploy/env.go b/internal/pkg/cli/deploy/env.go index 5e9f5baf06d..d9239d81f68 100644 --- a/internal/pkg/cli/deploy/env.go +++ b/internal/pkg/cli/deploy/env.go 
@@ -20,7 +20,6 @@ import ( "github.com/aws/copilot-cli/internal/pkg/aws/ec2" "github.com/aws/copilot-cli/internal/pkg/aws/elbv2" "github.com/aws/copilot-cli/internal/pkg/aws/partitions" - "github.com/aws/copilot-cli/internal/pkg/aws/route53" awss3 "github.com/aws/copilot-cli/internal/pkg/aws/s3" "github.com/aws/copilot-cli/internal/pkg/aws/sessions" "github.com/aws/copilot-cli/internal/pkg/cli/deploy/patch" @@ -79,9 +78,6 @@ type stackDescriber interface { Resources() ([]*stack.Resource, error) } -type domainHostedZoneGetter interface { - PublicDomainHostedZoneID(domainName string) (string, error) -} type envDeployer struct { app *config.Application env *config.Environment @@ -100,7 +96,6 @@ type envDeployer struct { envDescriber envDescriber lbDescriber lbDescriber newServiceStackDescriber func(string) stackDescriber - domainHostedZoneGetter domainHostedZoneGetter // Dependencies for parsing addons. ws WorkspaceAddonsReaderPathGetter @@ -178,8 +173,7 @@ func NewEnvDeployer(in *NewEnvDeployerInput) (*envDeployer, error) { parseAddons: sync.OnceValues(func() (stackBuilder, error) { return addon.ParseFromEnv(in.Workspace) }), - ws: in.Workspace, - domainHostedZoneGetter: route53.New(defaultSession), + ws: in.Workspace, } return deployer, nil } @@ -404,21 +398,12 @@ func (d *envDeployer) buildStackInput(in *DeployEnvironmentInput) (*cfnstack.Env if err != nil { return nil, err } - var appHostedZoneID string - if d.app.Domain != "" { - appHostedZoneID, err = appDomainHostedZoneId(d.app.Name, d.app.Domain, d.domainHostedZoneGetter) - if err != nil { - return nil, err - } - } return &cfnstack.EnvConfig{ Name: d.env.Name, App: deploy.AppInformation{ - Name: d.app.Name, - Domain: d.app.Domain, - AccountPrincipalARN: in.RootUserARN, - RootDomainHostedZoneId: d.app.DomainHostedZoneID, - AppDomainHostedZoneId: appHostedZoneID, + Name: d.app.Name, + Domain: d.app.Domain, + AccountPrincipalARN: in.RootUserARN, }, AdditionalTags: d.app.Tags, Addons: addons, 
@@ -597,14 +582,3 @@ func (d *envDeployer) cfManagedPrefixListID() (string, error) { return id, nil } - -func appDomainHostedZoneId(appName, domain string, domainHostedZoneGetter domainHostedZoneGetter) (string, error) { - if domain == "" { - return "", nil - } - appHostedZoneID, err := domainHostedZoneGetter.PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", appName, domain)) - if err != nil { - return "", fmt.Errorf("get public public hosted zone ID for domain %s: %w", fmt.Sprintf("%s.%s", appName, domain), err) - } - return appHostedZoneID, nil -} diff --git a/internal/pkg/cli/deploy/env_test.go b/internal/pkg/cli/deploy/env_test.go index 9fa0b56ef1e..ea656a6d416 100644 --- a/internal/pkg/cli/deploy/env_test.go +++ b/internal/pkg/cli/deploy/env_test.go @@ -44,9 +44,8 @@ type envDeployerMocks struct { stackDescribers map[string]*mocks.MockstackDescriber ws *mocks.MockWorkspaceAddonsReaderPathGetter - parseAddons func() (stackBuilder, error) - addons *mocks.MockstackBuilder - domainHostedZoneGetter *mocks.MockdomainHostedZoneGetter + parseAddons func() (stackBuilder, error) + addons *mocks.MockstackBuilder } func TestEnvDeployer_UploadArtifacts(t *testing.T) { @@ -395,9 +394,7 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { ) mockError := errors.New("some error") mockApp := &config.Application{ - Name: mockAppName, - Domain: "example.com", - DomainHostedZoneID: "v1.example.com", + Name: mockAppName, } testCases := map[string]struct { inManifest manifest.Environment 
@@ -422,7 +419,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { m.parseAddons = func() (stackBuilder, error) { return nil, &addon.ErrAddonsNotFound{} } - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil) m.envDeployer.EXPECT().DeployedEnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, mockError) }, wantedError: errors.New("describe environment stack parameters: some error"), @@ -437,7 +433,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { } m.envDeployer.EXPECT().DeployedEnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, nil) m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", mockError) - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil) }, wantedError: errors.New("retrieve environment stack force update ID: some error"), }, @@ -452,7 +447,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { m.envDeployer.EXPECT().DeployedEnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, nil) m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil) m.stackSerializer.EXPECT().Template().Return("", mockError) - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil) }, wantedError: errors.New("generate stack template: some error"), }, 
@@ -468,7 +462,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil) m.stackSerializer.EXPECT().Template().Return("", nil) m.stackSerializer.EXPECT().SerializedParameters().Return("", mockError) - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil) }, wantedError: errors.New("generate stack template parameters: some error"), }, @@ -508,7 +501,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil) m.stackSerializer.EXPECT().Template().Return("aloo", nil) m.stackSerializer.EXPECT().SerializedParameters().Return("gobi", nil) - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil).Return("Z00ABC", nil) }, wantedTemplate: "aloo", @@ -528,7 +520,6 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil) m.stackSerializer.EXPECT().Template().Return("aloo", nil) m.stackSerializer.EXPECT().SerializedParameters().Return("gobi", nil) - m.domainHostedZoneGetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, mockApp.Domain)).Return("Z00ABC", nil) }, wantedTemplate: "aloo", 
@@ -541,10 +532,9 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { defer ctrl.Finish() m := &envDeployerMocks{ - appCFN: mocks.NewMockappResourcesGetter(ctrl), - envDeployer: mocks.NewMockenvironmentDeployer(ctrl), - stackSerializer: cfnmocks.NewMockStackConfiguration(ctrl), - domainHostedZoneGetter: mocks.NewMockdomainHostedZoneGetter(ctrl), + appCFN: mocks.NewMockappResourcesGetter(ctrl), + envDeployer: mocks.NewMockenvironmentDeployer(ctrl), + stackSerializer: cfnmocks.NewMockStackConfiguration(ctrl), } tc.setUpMocks(m, ctrl) d := envDeployer{ @@ -558,8 +548,7 @@ func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) { newStack: func(_ *cfnstack.EnvConfig, _ string, _ []*awscfn.Parameter) (cloudformation.StackConfiguration, error) { return m.stackSerializer, nil }, - parseAddons: m.parseAddons, - domainHostedZoneGetter: m.domainHostedZoneGetter, + parseAddons: m.parseAddons, } actual, err := d.GenerateCloudFormationTemplate(&DeployEnvironmentInput{ Manifest: &tc.inManifest, diff --git a/internal/pkg/cli/deploy/lbws.go b/internal/pkg/cli/deploy/lbws.go index 0814aa52c12..a31fac419ff 100644 --- a/internal/pkg/cli/deploy/lbws.go +++ b/internal/pkg/cli/deploy/lbws.go @@ -142,13 +142,6 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s if err := d.validateNLBRuntime(); err != nil { return nil, err } - var appHostedZoneID string - if d.app.Domain != "" { - appHostedZoneID, err = appDomainHostedZoneId(d.app.Name, d.app.Domain, d.domainHostedZoneGetter) - if err != nil { - return nil, err - } - } var opts []stack.LoadBalancedWebServiceOption if d.lbMft.HTTPOrBool.ImportedALB != nil { lb, err := d.elbGetter.LoadBalancer(aws.StringValue(d.lbMft.HTTPOrBool.ImportedALB)) 
@@ -173,7 +166,6 @@ func (d *lbWebSvcDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*s RuntimeConfig: *rc, RootUserARN: in.RootUserARN, Addons: d.addons, - AppHostedZoneID: appHostedZoneID, }, opts...) if err != nil { return nil, fmt.Errorf("create stack configuration: %w", err) diff --git a/internal/pkg/cli/deploy/mocks/mock_env.go b/internal/pkg/cli/deploy/mocks/mock_env.go index 3fcbe918c7a..c1982de6a8b 100644 --- a/internal/pkg/cli/deploy/mocks/mock_env.go +++ b/internal/pkg/cli/deploy/mocks/mock_env.go 
@@ -453,41 +453,3 @@ func (mr *MockstackDescriberMockRecorder) Resources() *gomock.Call { mr.mock.ctrl.T.Helper() return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resources", reflect.TypeOf((*MockstackDescriber)(nil).Resources)) } - -// MockdomainHostedZoneGetter is a mock of domainHostedZoneGetter interface. -type MockdomainHostedZoneGetter struct { - ctrl *gomock.Controller - recorder *MockdomainHostedZoneGetterMockRecorder -} - -// MockdomainHostedZoneGetterMockRecorder is the mock recorder for MockdomainHostedZoneGetter. -type MockdomainHostedZoneGetterMockRecorder struct { - mock *MockdomainHostedZoneGetter -} - -// NewMockdomainHostedZoneGetter creates a new mock instance. -func NewMockdomainHostedZoneGetter(ctrl *gomock.Controller) *MockdomainHostedZoneGetter { - mock := &MockdomainHostedZoneGetter{ctrl: ctrl} - mock.recorder = &MockdomainHostedZoneGetterMockRecorder{mock} - return mock -} - -// EXPECT returns an object that allows the caller to indicate expected use. -func (m *MockdomainHostedZoneGetter) EXPECT() *MockdomainHostedZoneGetterMockRecorder { - return m.recorder -} - -// PublicDomainHostedZoneID mocks base method. -func (m *MockdomainHostedZoneGetter) PublicDomainHostedZoneID(domainName string) (string, error) { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "PublicDomainHostedZoneID", domainName) - ret0, _ := ret[0].(string) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// PublicDomainHostedZoneID indicates an expected call of PublicDomainHostedZoneID. -func (mr *MockdomainHostedZoneGetterMockRecorder) PublicDomainHostedZoneID(domainName interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PublicDomainHostedZoneID", reflect.TypeOf((*MockdomainHostedZoneGetter)(nil).PublicDomainHostedZoneID), domainName) -} diff --git a/internal/pkg/cli/deploy/rdws.go b/internal/pkg/cli/deploy/rdws.go index afbdc9c11a8..82cb3fbde0b 100644 --- a/internal/pkg/cli/deploy/rdws.go 
+++ b/internal/pkg/cli/deploy/rdws.go @@ -143,11 +143,10 @@ func (d *rdwsDeployer) stackConfiguration(in *StackRuntimeConfiguration) (*rdwsS default: conf, err = stack.NewRequestDrivenWebService(stack.RequestDrivenWebServiceConfig{ App: deploy.AppInformation{ - Name: d.app.Name, - Domain: d.app.Domain, - PermissionsBoundary: d.app.PermissionsBoundary, - AccountPrincipalARN: in.RootUserARN, - RootDomainHostedZoneId: d.app.DomainHostedZoneID, + Name: d.app.Name, + Domain: d.app.Domain, + PermissionsBoundary: d.app.PermissionsBoundary, + AccountPrincipalARN: in.RootUserARN, }, Env: d.env.Name, Manifest: d.rdwsMft, diff --git a/internal/pkg/cli/deploy/static_site.go b/internal/pkg/cli/deploy/static_site.go index 794825e23e3..780e049fb74 100644 --- a/internal/pkg/cli/deploy/static_site.go +++ b/internal/pkg/cli/deploy/static_site.go @@ -163,13 +163,6 @@ func (d *staticSiteDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( if err := validateMinAppVersion(d.app.Name, d.name, d.appVersionGetter, version.AppTemplateMinStaticSite); err != nil { return nil, fmt.Errorf("static sites not supported: %w", err) } - var appHostedZoneID string - if d.app.Domain != "" { - appHostedZoneID, err = appDomainHostedZoneId(d.app.Name, d.app.Domain, d.domainHostedZoneGetter) - if err != nil { - return nil, err - } - } conf, err := d.newStack(&stack.StaticSiteConfig{ App: d.app, @@ -182,7 +175,6 @@ func (d *staticSiteDeployer) stackConfiguration(in *StackRuntimeConfiguration) ( RootUserARN: in.RootUserARN, Addons: d.addons, AssetMappingURL: in.StaticSiteAssetMappingURL, - AppHostedZoneID: appHostedZoneID, }) if err != nil { return nil, fmt.Errorf("create stack configuration: %w", err) diff --git a/internal/pkg/cli/deploy/static_site_test.go b/internal/pkg/cli/deploy/static_site_test.go index 74727d70a61..0b5b29f2eae 100644 --- a/internal/pkg/cli/deploy/static_site_test.go +++ b/internal/pkg/cli/deploy/static_site_test.go 
@@ -139,7 +139,6 @@ func TestStaticSiteDeployer_UploadArtifacts(t *testing.T) { func TestStaticSiteDeployer_stackConfiguration(t *testing.T) { tests := map[string]struct { - setUpMocks func(m *mocks.MockdomainHostedZoneGetter) deployer *staticSiteDeployer wantErr string wantTemplate string @@ -331,9 +330,6 @@ func TestStaticSiteDeployer_stackConfiguration(t *testing.T) { }, }, "success with app alias": { - setUpMocks: func(m *mocks.MockdomainHostedZoneGetter) { - m.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", "mockApp", "example.com")).Return("Z00AB", nil).Return("Z00AB", nil) - }, deployer: &staticSiteDeployer{ svcDeployer: &svcDeployer{ workloadDeployer: &workloadDeployer{ @@ -406,9 +402,6 @@ func TestStaticSiteDeployer_stackConfiguration(t *testing.T) { }, }, "success with overrider": { - setUpMocks: func(m *mocks.MockdomainHostedZoneGetter) { - m.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", "mockApp", "example.com")).Return("Z00AB", nil) - }, deployer: &staticSiteDeployer{ svcDeployer: &svcDeployer{ workloadDeployer: &workloadDeployer{ @@ -450,13 +443,6 @@ func TestStaticSiteDeployer_stackConfiguration(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { - ctrl := gomock.NewController(t) - defer ctrl.Finish() - if tc.setUpMocks != nil { - mocks := mocks.NewMockdomainHostedZoneGetter(ctrl) - tc.setUpMocks(mocks) - tc.deployer.domainHostedZoneGetter = mocks - } out, gotErr := tc.deployer.stackConfiguration(&StackRuntimeConfiguration{}) if tc.wantErr != "" { require.EqualError(t, gotErr, tc.wantErr) diff --git a/internal/pkg/cli/deploy/workload.go b/internal/pkg/cli/deploy/workload.go index 37b93b6f533..8ca10485727 100644 --- a/internal/pkg/cli/deploy/workload.go +++ b/internal/pkg/cli/deploy/workload.go 
@@ -24,7 +24,6 @@ import ( "github.com/aws/copilot-cli/internal/pkg/aws/ecr" "github.com/aws/copilot-cli/internal/pkg/aws/identity" "github.com/aws/copilot-cli/internal/pkg/aws/partitions" - "github.com/aws/copilot-cli/internal/pkg/aws/route53" "github.com/aws/copilot-cli/internal/pkg/aws/s3" "github.com/aws/copilot-cli/internal/pkg/aws/sessions" "github.com/aws/copilot-cli/internal/pkg/config" @@ -181,21 +180,20 @@ type workloadDeployer struct { workspacePath string // Dependencies. - fs afero.Fs - s3Client uploader - addons stackBuilder - repository repositoryService - deployer serviceDeployer - tmplGetter deployedTemplateGetter - endpointGetter endpointGetter - spinner spinner - templateFS template.Reader - envVersionGetter versionGetter - overrider Overrider - docker dockerEngineRunChecker - customResources customResourcesFunc - labeledTermPrinter func(fw syncbuffer.FileWriter, bufs []*syncbuffer.LabeledSyncBuffer, opts ...syncbuffer.LabeledTermPrinterOption) LabeledTermPrinter - domainHostedZoneGetter domainHostedZoneGetter + fs afero.Fs + s3Client uploader + addons stackBuilder + repository repositoryService + deployer serviceDeployer + tmplGetter deployedTemplateGetter + endpointGetter endpointGetter + spinner spinner + templateFS template.Reader + envVersionGetter versionGetter + overrider Overrider + docker dockerEngineRunChecker + customResources customResourcesFunc + labeledTermPrinter func(fw syncbuffer.FileWriter, bufs []*syncbuffer.LabeledSyncBuffer, opts ...syncbuffer.LabeledTermPrinterOption) LabeledTermPrinter // Cached variables. defaultSess *session.Session @@ -337,7 +335,6 @@ func newWorkloadDeployer(in *WorkloadDeployerInput) (*workloadDeployer, error) { store: store, envConfig: envConfig, labeledTermPrinter: labeledTermPrinter, - domainHostedZoneGetter: route53.New(defaultSession), mft: in.Mft, rawMft: in.RawMft, 
diff --git a/internal/pkg/cli/deploy/workload_test.go b/internal/pkg/cli/deploy/workload_test.go index 90acff9d9ab..8b18c76be80 100644 --- a/internal/pkg/cli/deploy/workload_test.go +++ b/internal/pkg/cli/deploy/workload_test.go @@ -61,7 +61,6 @@ type deployMocks struct { mockValidator *mocks.MockaliasCertValidator mockLabeledTermPrinter *mocks.MockLabeledTermPrinter mockdockerEngineRunChecker *mocks.MockdockerEngineRunChecker - mockdomainHostedZonegetter *mocks.MockdomainHostedZoneGetter } type mockTemplateFS struct { @@ -1211,7 +1210,6 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) { m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil) m.mockEnvVersionGetter.EXPECT().Version().Return("v1.42.0", nil) m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), "mockBucket", false, gomock.Any()).Return(nil) - m.mockdomainHostedZonegetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, "mockDomain")).Return("Z00ABC", nil) }, }, "success": { @@ -1236,7 +1234,6 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) { m.mockEnvVersionGetter.EXPECT().Version().Return("v1.42.0", nil) m.mockValidator.EXPECT().ValidateCertAliases([]string{"example.com", "foobar.com"}, mockCertARNs).Return(nil).Times(2) m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), "mockBucket", false, gomock.Any()).Return(nil) - m.mockdomainHostedZonegetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, "mockDomain")).Return("Z00ABC", nil) }, }, "success with http redirect disabled and alb certs imported": { 
@@ -1312,7 +1309,6 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) { m.mockEnvVersionGetter.EXPECT().Version().Return("v1.42.0", nil) m.mockAppVersionGetter.EXPECT().Version().Return("v1.0.0", nil).Times(2) m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), "mockBucket", false, gomock.Any()).Return(nil) - m.mockdomainHostedZonegetter.EXPECT().PublicDomainHostedZoneID(fmt.Sprintf("%s.%s", mockAppName, "mockDomain")).Return("Z00ABC", nil) }, }, "success with force update": { @@ -1344,14 +1340,13 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) { defer ctrl.Finish() m := &deployMocks{ - mockAppVersionGetter: mocks.NewMockversionGetter(ctrl), - mockEnvVersionGetter: mocks.NewMockversionGetter(ctrl), - mockEndpointGetter: mocks.NewMockendpointGetter(ctrl), - mockServiceDeployer: mocks.NewMockserviceDeployer(ctrl), - mockServiceForceUpdater: mocks.NewMockserviceForceUpdater(ctrl), - mockSpinner: mocks.NewMockspinner(ctrl), - mockValidator: mocks.NewMockaliasCertValidator(ctrl), - mockdomainHostedZonegetter: mocks.NewMockdomainHostedZoneGetter(ctrl), + mockAppVersionGetter: mocks.NewMockversionGetter(ctrl), + mockEnvVersionGetter: mocks.NewMockversionGetter(ctrl), + mockEndpointGetter: mocks.NewMockendpointGetter(ctrl), + mockServiceDeployer: mocks.NewMockserviceDeployer(ctrl), + mockServiceForceUpdater: mocks.NewMockserviceForceUpdater(ctrl), + mockSpinner: mocks.NewMockspinner(ctrl), + mockValidator: mocks.NewMockaliasCertValidator(ctrl), } tc.mock(m) 
@@ -1363,17 +1358,16 @@ func TestWorkloadDeployer_DeployWorkload(t *testing.T) { deployer := lbWebSvcDeployer{ svcDeployer: &svcDeployer{ workloadDeployer: &workloadDeployer{ - name: mockName, - app: tc.inApp, - env: tc.inEnvironment, - envConfig: tc.inEnvironmentConfig(), - resources: mockResources, - deployer: m.mockServiceDeployer, - endpointGetter: m.mockEndpointGetter, - spinner: m.mockSpinner, - envVersionGetter: m.mockEnvVersionGetter, - overrider: new(override.Noop), - domainHostedZoneGetter: m.mockdomainHostedZonegetter, + name: mockName, + app: tc.inApp, + env: tc.inEnvironment, + envConfig: tc.inEnvironmentConfig(), + resources: mockResources, + deployer: m.mockServiceDeployer, + endpointGetter: m.mockEndpointGetter, + spinner: m.mockSpinner, + envVersionGetter: m.mockEnvVersionGetter, + overrider: new(override.Noop), }, newSvcUpdater: func(f func(*session.Session) serviceForceUpdater) serviceForceUpdater { return m.mockServiceForceUpdater diff --git a/internal/pkg/deploy/app.go b/internal/pkg/deploy/app.go index 50c060df389..0ec649571c9 100644 --- a/internal/pkg/deploy/app.go +++ b/internal/pkg/deploy/app.go @@ -27,12 +27,10 @@ type CreateAppInput struct { // AppInformation holds information about the application that need to be propagated to the env stacks and workload stacks. type AppInformation struct { - AccountPrincipalARN string - Domain string - Name string - PermissionsBoundary string - RootDomainHostedZoneId string - AppDomainHostedZoneId string + AccountPrincipalARN string + Domain string + Name string + PermissionsBoundary string } // DNSDelegationRole returns the ARN of the app's DNS delegation role. diff --git a/internal/pkg/deploy/cloudformation/stack/env.go b/internal/pkg/deploy/cloudformation/stack/env.go index 8b82e5f978d..fa14cf61574 100644 --- a/internal/pkg/deploy/cloudformation/stack/env.go +++ b/internal/pkg/deploy/cloudformation/stack/env.go 
@@ -219,7 +219,6 @@ func (e *Env) Template() (string, error) { SerializedManifest: string(e.in.RawMft), ForceUpdateID: forceUpdateID, DelegateDNS: e.in.App.Domain != "", - HostedZones: convertHostedZones(e.in.App), }) if err != nil { return "", err diff --git a/internal/pkg/deploy/cloudformation/stack/env_test.go b/internal/pkg/deploy/cloudformation/stack/env_test.go index 124ed256a17..e6681b130b1 100644 --- a/internal/pkg/deploy/cloudformation/stack/env_test.go +++ b/internal/pkg/deploy/cloudformation/stack/env_test.go @@ -134,9 +134,6 @@ func TestEnv_Template(t *testing.T) { // GIVEN inEnvConfig := mockDeployEnvironmentInput() - inEnvConfig.App.Domain = "example.com" - inEnvConfig.App.RootDomainHostedZoneId = "Z00ABC" - inEnvConfig.App.AppDomainHostedZoneId = "Z00DEF" mockParser := mocks.NewMockembedFS(ctrl) mockParser.EXPECT().Read(gomock.Any()).Return(&template.Content{Buffer: bytes.NewBufferString("data")}, nil).AnyTimes() mockParser.EXPECT().ParseEnv(gomock.Any()).DoAndReturn(func(data *template.EnvOpts) (*template.Content, error) { @@ -173,11 +170,6 @@ func TestEnv_Template(t *testing.T) { ArtifactBucketARN: "arn:aws:s3:::mockbucket", SerializedManifest: "name: env\ntype: Environment\n", ForceUpdateID: "mockPreviousForceUpdateID", - DelegateDNS: true, - HostedZones: &template.HostedZones{ - RootDomainHostedZoneId: "Z00ABC", - AppDomainHostedZoneId: "Z00DEF", - }, }, data) return &template.Content{Buffer: bytes.NewBufferString("mockTemplate")}, nil }) diff --git a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go index 724362da0d3..889f99a6e35 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_network_web_service_integration_test.go 
@@ -102,7 +102,7 @@ func TestNetworkLoadBalancedWebService_Template(t *testing.T) { }, } serializer, err := stack.NewLoadBalancedWebService(stack.LoadBalancedWebServiceConfig{ - App: &config.Application{Name: appName, Domain: "example.com", DomainHostedZoneID: "Z00ABC"}, + App: &config.Application{Name: appName, Domain: "example.com"}, EnvManifest: envConfig, Manifest: v, ArtifactBucketName: "bucket", @@ -114,8 +114,7 @@ func TestNetworkLoadBalancedWebService_Template(t *testing.T) { EnvVersion: "v1.42.0", Version: "v1.29.0", }, - RootUserARN: "arn:aws:iam::123456789123:root", - AppHostedZoneID: "Z00DEF", + RootUserARN: "arn:aws:iam::123456789123:root", }) tpl, err := serializer.Template() require.NoError(t, err, "template should render") diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go index e906deabde8..1f1c2a3bbfe 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go @@ -61,7 +61,6 @@ type LoadBalancedWebServiceConfig struct { ArtifactBucketName string ArtifactKey string Addons NestedStackConfigurer - AppHostedZoneID string } // NewLoadBalancedWebService creates a new CFN stack with an ECS service from a manifest file, given the options. @@ -78,11 +77,9 @@ func NewLoadBalancedWebService(conf LoadBalancedWebServiceConfig, if conf.App.Domain != "" { dnsDelegationEnabled = true appInfo = deploy.AppInformation{ - Name: conf.App.Name, - Domain: conf.App.Domain, - AccountPrincipalARN: conf.RootUserARN, - RootDomainHostedZoneId: conf.App.DomainHostedZoneID, - AppDomainHostedZoneId: conf.AppHostedZoneID, + Name: conf.App.Name, + Domain: conf.App.Domain, + AccountPrincipalARN: conf.RootUserARN, } httpsEnabled = true } 
@@ -243,7 +240,6 @@ func (s *LoadBalancedWebService) Template() (string, error) { // NLB configs. AppDNSName: nlbConfig.appDNSName, AppDNSDelegationRole: nlbConfig.appDNSDelegationRole, - HostedZones: convertHostedZones(s.appInfo), NLB: nlbConfig.settings, // service connect and service discovery options. diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go index 3679ecb1e95..fd8deb15530 100644 --- a/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go +++ b/internal/pkg/deploy/cloudformation/stack/lb_web_svc_test.go @@ -233,9 +233,8 @@ Outputs: lbws, err := NewLoadBalancedWebService(LoadBalancedWebServiceConfig{ App: &config.Application{ - Name: "phonetool", - Domain: "phonetool.com", - DomainHostedZoneID: "Z00ABC", + Name: "phonetool", + Domain: "phonetool.com", }, EnvManifest: &manifest.Environment{ Workload: manifest.Workload{ @@ -255,7 +254,6 @@ Outputs: }, Addons: mockAddons{}, ArtifactBucketName: "bucket", - AppHostedZoneID: "Z00DEF", }, func(s *LoadBalancedWebService) { s.parser = parser }) @@ -355,10 +353,6 @@ Outputs: ContainerName: "frontend", }, }, - HostedZones: &template.HostedZones{ - RootDomainHostedZoneId: "Z00ABC", - AppDomainHostedZoneId: "Z00DEF", - }, }, actual) }) diff --git a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go index 53d9f3a2a20..8d77cd2f025 100644 --- a/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go +++ b/internal/pkg/deploy/cloudformation/stack/rd_web_svc.go @@ -150,7 +150,6 @@ func (s *RequestDrivenWebService) Template() (string, error) { AppRunnerVPCEndpoint: s.manifest.Private.Advanced.Endpoint, Count: s.manifest.Count, Secrets: convertSecrets(s.manifest.RequestDrivenWebServiceConfig.Secrets), - HostedZones: convertHostedZones(s.app), }) if err != nil { return "", err 
diff --git a/internal/pkg/deploy/cloudformation/stack/static_site.go b/internal/pkg/deploy/cloudformation/stack/static_site.go index 40cd2511a27..2bcd8e6cd5c 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site.go @@ -40,7 +40,6 @@ type StaticSiteConfig struct { ArtifactKey string Addons NestedStackConfigurer AssetMappingURL string - AppHostedZoneID string } // NewStaticSite creates a new CFN stack from a manifest file, given the options. @@ -56,11 +55,9 @@ func NewStaticSite(cfg *StaticSiteConfig) (*StaticSite, error) { if cfg.App.Domain != "" { dnsDelegationEnabled = true appInfo = deploy.AppInformation{ - Name: cfg.App.Name, - Domain: cfg.App.Domain, - AccountPrincipalARN: cfg.RootUserARN, - RootDomainHostedZoneId: cfg.App.DomainHostedZoneID, - AppDomainHostedZoneId: cfg.AppHostedZoneID, + Name: cfg.App.Name, + Domain: cfg.App.Domain, + AccountPrincipalARN: cfg.RootUserARN, } } return &StaticSite{ @@ -138,7 +135,6 @@ func (s *StaticSite) Template() (string, error) { AppDNSName: dnsName, AppDNSDelegationRole: dnsDelegationRole, - HostedZones: convertHostedZones(s.appInfo), AssetMappingFileBucket: bucket, AssetMappingFilePath: path, StaticSiteAlias: staticSiteAlias, diff --git a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go index cb965e3861e..d26f042f953 100644 --- a/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go +++ b/internal/pkg/deploy/cloudformation/stack/static_site_integration_test.go @@ -91,9 +91,8 @@ func TestStaticSiteService_TemplateAndParamsGeneration(t *testing.T) { } serializer, err := stack.NewStaticSite(&stack.StaticSiteConfig{ App: &config.Application{ - Name: appName, - Domain: "example.com", - DomainHostedZoneID: "Z00ABC", + Name: appName, + Domain: "example.com", }, EnvManifest: envConfig, Manifest: v, 
@@ -106,7 +105,6 @@ func TestStaticSiteService_TemplateAndParamsGeneration(t *testing.T) { ArtifactKey: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", AssetMappingURL: "s3://stackset-bucket/mappingfile", RootUserARN: "arn:aws:iam::123456789123:root", - AppHostedZoneID: "Z00DEF", }) require.NoError(t, err, "stack should be able to be initialized") tpl, err := serializer.Template() diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml index cb0cb460c7d..1d6200f74da 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-basic-manifest.yml @@ -972,7 +972,6 @@ Resources: SubdomainName: !Sub ${EnvironmentName}.${AppName}.${AppDNSName} NameServers: !GetAtt EnvironmentHostedZone.NameServers RootDNSRole: !Ref AppDNSDelegationRole - EnvHostedZoneId: !Ref EnvironmentHostedZone HTTPSCert: Metadata: @@ -1005,7 +1004,6 @@ Resources: Aliases: !Ref Aliases AppDNSRole: !Ref AppDNSDelegationRole DomainName: !Ref AppDNSName - EnvHostedZoneId: !Ref EnvironmentHostedZone PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID AppRunnerVpcEndpointSecurityGroup: diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml index ec9825c9eda..69d8ab439e6 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-default-access-log-config.yml 
@@ -1128,7 +1128,6 @@ Resources: SubdomainName: !Sub ${EnvironmentName}.${AppName}.${AppDNSName} NameServers: !GetAtt EnvironmentHostedZone.NameServers RootDNSRole: !Ref AppDNSDelegationRole - EnvHostedZoneId: !Ref EnvironmentHostedZone HTTPSCert: Metadata: @@ -1161,7 +1160,6 @@ Resources: Aliases: !Ref Aliases AppDNSRole: !Ref AppDNSDelegationRole DomainName: !Ref AppDNSName - EnvHostedZoneId: !Ref EnvironmentHostedZone PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID AppRunnerVpcEndpointSecurityGroup: diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml index a31a995ca6e..9b5da1748cb 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-defaultvpc-flowlogs.yml @@ -978,7 +978,6 @@ Resources: SubdomainName: !Sub ${EnvironmentName}.${AppName}.${AppDNSName} NameServers: !GetAtt EnvironmentHostedZone.NameServers RootDNSRole: !Ref AppDNSDelegationRole - EnvHostedZoneId: !Ref EnvironmentHostedZone HTTPSCert: Metadata: @@ -1011,7 +1010,6 @@ Resources: Aliases: !Ref Aliases AppDNSRole: !Ref AppDNSDelegationRole DomainName: !Ref AppDNSName - EnvHostedZoneId: !Ref EnvironmentHostedZone PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID VpcFlowLogGroup: diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml index 758d670aaf8..96c67300756 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml 
+++ b/internal/pkg/deploy/cloudformation/stack/testdata/environments/template-with-importedvpc-flowlogs.yml @@ -807,7 +807,6 @@ Resources: SubdomainName: !Sub ${EnvironmentName}.${AppName}.${AppDNSName} NameServers: !GetAtt EnvironmentHostedZone.NameServers RootDNSRole: !Ref AppDNSDelegationRole - EnvHostedZoneId: !Ref EnvironmentHostedZone HTTPSCert: Metadata: @@ -840,7 +839,6 @@ Resources: Aliases: !Ref Aliases AppDNSRole: !Ref AppDNSDelegationRole DomainName: !Ref AppDNSName - EnvHostedZoneId: !Ref EnvironmentHostedZone PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID VpcFlowLogGroup: diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml index 2f05401cedf..5a6b10fba51 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/static-site.stack.yml @@ -378,8 +378,6 @@ Resources: RootDNSRole: arn:aws:iam::123456789123:role/my-app-DNSDelegationRole DomainName: example.com Aliases: ["*.example.com"] - RootHostedZoneId: "Z00ABC" - AppHostedZoneId: "Z00DEF" CustomDomainFunction: Type: AWS::Lambda::Function @@ -442,8 +440,6 @@ Resources: DomainName: example.com IsCloudFrontCertificate: true Aliases: ["*.example.com"] - RootHostedZoneId: "Z00ABC" - AppHostedZoneId: "Z00DEF" CertificateValidationFunction: Type: AWS::Lambda::Function diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml index 93846de570f..ac770d4d3a0 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-prod.stack.yml 
@@ -619,8 +619,6 @@ Resources: # If a bucket URL is specified, that means the template exists. DomainName: example.com Aliases: - nlb.example.com - RootHostedZoneId: "Z00ABC" - AppHostedZoneId: "Z00DEF" NLBCustomDomainFunction: Type: AWS::Lambda::Function Condition: HasAssociatedDomain @@ -686,8 +684,6 @@ Resources: # If a bucket URL is specified, that means the template exists. DomainName: example.com Aliases: - nlb.example.com - RootHostedZoneId: "Z00ABC" - AppHostedZoneId: "Z00DEF" NLBCertValidatorFunction: Type: AWS::Lambda::Function Condition: HasAssociatedDomain diff --git a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml index 23bfd98c1f2..6263177a018 100644 --- a/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml +++ b/internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-nlb-test.stack.yml @@ -507,8 +507,6 @@ Resources: # If a bucket URL is specified, that means the template exists. RootDNSRole: arn:aws:iam::123456789123:role/my-app-DNSDelegationRole DomainName: example.com Aliases: [] - RootHostedZoneId: "Z00ABC" - AppHostedZoneId: "Z00DEF" NLBCertValidatorFunction: Type: AWS::Lambda::Function Condition: HasAssociatedDomain diff --git a/internal/pkg/deploy/cloudformation/stack/transformers.go b/internal/pkg/deploy/cloudformation/stack/transformers.go index 1a120b8c1ad..77042537593 100644 --- a/internal/pkg/deploy/cloudformation/stack/transformers.go +++ b/internal/pkg/deploy/cloudformation/stack/transformers.go @@ -1357,13 +1357,3 @@ func (in uploadableCRs) convert() []uploadable { } return out } - -func convertHostedZones(app deploy.AppInformation) *template.HostedZones { - if app.Domain == "" { - return nil - } - return &template.HostedZones{ - RootDomainHostedZoneId: app.RootDomainHostedZoneId, - AppDomainHostedZoneId: app.AppDomainHostedZoneId, - } -} 
diff --git a/internal/pkg/template/env.go b/internal/pkg/template/env.go index 059f95b9ec2..61e59db8718 100644 --- a/internal/pkg/template/env.go +++ b/internal/pkg/template/env.go @@ -138,7 +138,6 @@ type EnvOpts struct { ForceUpdateID string DelegateDNS bool - HostedZones *HostedZones } // PublicHTTPConfig represents configuration for a public facing Load Balancer. @@ -245,12 +244,6 @@ type VPCFlowLogs struct { Retention *int } -// HostedZones represents copilot managed hostedzones to route traffic to specific domain. -type HostedZones struct { - RootDomainHostedZoneId string - AppDomainHostedZoneId string -} - // ParseEnv parses an environment's CloudFormation template with the specified data object and returns its content. func (t *Template) ParseEnv(data *EnvOpts) (*Content, error) { tpl, err := t.parse("base", envCFTemplatePath, withEnvParsingFuncs()) diff --git a/internal/pkg/template/templates/environment/partials/custom-resources.yml b/internal/pkg/template/templates/environment/partials/custom-resources.yml index 9f55e84bac5..178da537b61 100644 --- a/internal/pkg/template/templates/environment/partials/custom-resources.yml +++ b/internal/pkg/template/templates/environment/partials/custom-resources.yml @@ -12,11 +12,6 @@ DelegateDNSAction: SubdomainName: !Sub ${EnvironmentName}.${AppName}.${AppDNSName} NameServers: !GetAtt EnvironmentHostedZone.NameServers RootDNSRole: !Ref AppDNSDelegationRole - EnvHostedZoneId: !Ref EnvironmentHostedZone - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} HTTPSCert: Metadata: @@ -36,11 +31,6 @@ HTTPSCert: EnvHostedZoneId: !Ref EnvironmentHostedZone Region: !Ref AWS::Region RootDNSRole: !Ref AppDNSDelegationRole - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} - CustomDomainAction: Metadata: 
@@ -54,15 +44,10 @@ CustomDomainAction: Aliases: !Ref Aliases AppDNSRole: !Ref AppDNSDelegationRole DomainName: !Ref AppDNSName - EnvHostedZoneId: !Ref EnvironmentHostedZone {{- if .CDNConfig}} PublicAccessDNS: !GetAtt CloudFrontDistribution.DomainName PublicAccessHostedZone: Z2FDTNDATAQYW2 # See https://go.aws/3cPhvlX {{- else}} PublicAccessDNS: !GetAtt PublicLoadBalancer.DNSName PublicAccessHostedZone: !GetAtt PublicLoadBalancer.CanonicalHostedZoneID - {{- end}} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} \ No newline at end of file + {{- end}} \ No newline at end of file diff --git a/internal/pkg/template/templates/workloads/partials/cf/nlb.yml b/internal/pkg/template/templates/workloads/partials/cf/nlb.yml index 7994c5f4443..20b1f29746d 100644 --- a/internal/pkg/template/templates/workloads/partials/cf/nlb.yml +++ b/internal/pkg/template/templates/workloads/partials/cf/nlb.yml @@ -139,10 +139,6 @@ NLBCustomDomainAction: RootDNSRole: {{ .AppDNSDelegationRole }} DomainName: {{ .AppDNSName }} Aliases: {{ if .NLB.Aliases }} {{ fmtSlice .NLB.Aliases }} {{ else }} [] {{ end }} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} NLBCustomDomainFunction: Type: AWS::Lambda::Function @@ -223,10 +219,6 @@ NLBCertValidatorAction: RootDNSRole: {{ .AppDNSDelegationRole }} DomainName: {{ .AppDNSName }} Aliases: {{ if .NLB.Aliases }} {{ fmtSlice .NLB.Aliases }} {{ else }} [] {{ end }} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} NLBCertValidatorFunction: Type: AWS::Lambda::Function diff --git a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml index ff8bbe3d2ff..93ec10154a3 100644 
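Review bot: The final `{{- end}}` of custom-resources.yml is removed and re-added unchanged only because the file still ends without a trailing newline (`\ No newline at end of file` on both sides); adding a terminating newline to the last line would keep that line out of every future diff that touches the tail of the file. The same hunk also drops `EnvHostedZoneId: !Ref EnvironmentHostedZone` from the CustomDomainAction properties, as the earlier hunk in this file does for DelegateDNSAction; the handler source is not visible here, so it is worth confirming that the custom-resource code no longer reads that property, since a missing input would only surface at deploy time. The enclosing `CustomDomainAction` resource starts outside the hunk.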
--- a/internal/pkg/template/templates/workloads/services/rd-web/cf.yml +++ b/internal/pkg/template/templates/workloads/services/rd-web/cf.yml @@ -242,9 +242,6 @@ Resources: CustomDomain: {{ .Alias }} AppDNSRole: {{ .AppDNSDelegationRole }} AppDNSName: {{ .AppDNSName }} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - {{- end}} CustomResourceRole: Metadata: diff --git a/internal/pkg/template/templates/workloads/services/static-site/cf.yml b/internal/pkg/template/templates/workloads/services/static-site/cf.yml index 5458dd63b30..379c3306468 100644 --- a/internal/pkg/template/templates/workloads/services/static-site/cf.yml +++ b/internal/pkg/template/templates/workloads/services/static-site/cf.yml @@ -417,10 +417,6 @@ Resources: RootDNSRole: {{ .AppDNSDelegationRole }} DomainName: {{ .AppDNSName }} Aliases: {{ if .StaticSiteAlias }} [{{ quote .StaticSiteAlias }}] {{ else }} [] {{ end }} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} CustomDomainFunction: Type: AWS::Lambda::Function @@ -492,10 +488,6 @@ Resources: DomainName: {{ .AppDNSName }} IsCloudFrontCertificate: true Aliases: {{ if .StaticSiteAlias }} [{{ quote .StaticSiteAlias }}] {{ else }} [] {{ end }} - {{- if .HostedZones}} - RootHostedZoneId: {{.HostedZones.RootDomainHostedZoneId}} - AppHostedZoneId: {{.HostedZones.AppDomainHostedZoneId}} - {{- end}} CertificateValidationFunction: Type: AWS::Lambda::Function diff --git a/internal/pkg/template/workload.go b/internal/pkg/template/workload.go index 7a4ca172613..59bec6846e8 100644 --- a/internal/pkg/template/workload.go +++ b/internal/pkg/template/workload.go @@ -850,7 +850,6 @@ type WorkloadOpts struct { AWSSDKLayer *string AppDNSDelegationRole *string AppDNSName *string - HostedZones *HostedZones // Additional options for worker service templates. Subscribe *SubscribeOpts