From 6523cc01384e7582fd072602a2c58fe008cd0e0c Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Thu, 24 Oct 2024 10:43:06 +0200 Subject: [PATCH 1/2] fix(cli): cross-account asset publishing doesn't work without bootstrap stack If the bootstrap stack can't be found, it can't be validated. We used to fail closed, but that just means that cross-account publishing is broken. Instead, we have to fail open. Fixes #31866. --- packages/aws-cdk/lib/api/util/checks.ts | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/packages/aws-cdk/lib/api/util/checks.ts b/packages/aws-cdk/lib/api/util/checks.ts index 11c1c856eb384..a094156ba74fb 100644 --- a/packages/aws-cdk/lib/api/util/checks.ts +++ b/packages/aws-cdk/lib/api/util/checks.ts @@ -18,13 +18,19 @@ export async function determineAllowCrossAccountAssetPublishing(sdk: ISDK, custo return true; } - // other scenarios are highly irregular and potentially dangerous so we prevent it by - // instructing cdk-assets to detect foreign bucket ownership and reject. + // If there is a staging bucket AND the bootstrap version is old, then we want to protect + // against accidental cross-account publishing. return false; } catch (e) { + // You would think we would need to fail closed here, but the reality is + // that we get here if we couldn't find the bootstrap stack: that is + // completely valid, and many large organizations may have their own method + // of creating bootstrap resources. If they do, there's nothing for us to validate, + // but we can't use that as a reason to disallow cross-account publishing. We'll just + // have to trust they did their due diligence. So we fail open. debug(`Error determining cross account asset publishing: ${e}`); - debug('Defaulting to disallowing cross account asset publishing'); - return false; + debug('Defaulting to allowing cross account asset publishing'); + return true; } } From af27bf6864f71628095c68ce94a3dbe4b891737d Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Thu, 24 Oct 2024 11:12:52 +0200 Subject: [PATCH 2/2] Add test --- packages/aws-cdk/test/api/util/checks.test.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/aws-cdk/test/api/util/checks.test.ts b/packages/aws-cdk/test/api/util/checks.test.ts index 2db7e3d1603ea..660577a8f6aec 100644 --- a/packages/aws-cdk/test/api/util/checks.test.ts +++ b/packages/aws-cdk/test/api/util/checks.test.ts @@ -50,6 +50,15 @@ describe('determineAllowCrossAccountAssetPublishing', () => { expect(result).toBe(true); }); + it('should return true if looking up the bootstrap stack fails', async () => { + AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { + callback(new Error('Could not read bootstrap stack')); + }); + + const result = await determineAllowCrossAccountAssetPublishing(mockSDK); + expect(result).toBe(true); + }); + it('should return false for other scenarios', async () => { AWSMock.mock('CloudFormation', 'describeStacks', (_params: any, callback: Function) => { callback(null, {