10

AWS CDK stacks target an account or region based on an environment, details here. Here is an example of an app that deploys one stack into multiple target accounts:

const envEU  = { account: '2383838383', region: 'eu-west-1' };
const envUSA = { account: '8373873873', region: 'us-west-2' };

new MyFirstStack(app, 'first-stack-eu', { env: envEU });
new MyFirstStack(app, 'first-stack-us', { env: envUSA });

My question is how to deploy these 2 stacks - is it possible to deploy them as a single operation? If so, what credentials are used and what roles are required on the 2 accounts?

Ideally, I'd like to be able to do a single command to deploy all stacks across all accounts:

cdk deploy ...

Or is the deployment only possible via 2 steps?

cdk deploy first-stack-eu --profile=profile_for_account_2383838383
cdk deploy first-stack-us --profile=profile_for_account_8373873873
John

4 Answers

9

I ended up using the cdk-assume-role-credential-plugin to perform the task. The description of that plugin states:

This plugin allows the CDK CLI to automatically obtain AWS credentials from a stack's target AWS account. This means that you can run a single command (i.e. cdk synth) with a set of AWS credentials, and the CLI will determine the target AWS account for each stack and automatically obtain temporary credentials for the target AWS account by assuming a role in the account.

I wrote up a detailed tutorial on how to use this plugin to perform AWS cross-account deployments using CDK here: https://johntipper.org/aws-cdk-cross-account-deployments-with-cdk-pipelines-and-cdk-assume-role-credential-plugin/

John
5

In CloudFormation you can use Stack Sets for multi-account and multi-region deployments.

However, this is not yet supported in CDK according to the GitHub issue:

Marcin
2

As of v2 of CDK this is available by default:

Now by default when you bootstrap an AWS account it will create a set of IAM roles for you, which the CDK will assume when performing actions in that account.

Ramón J Romero y Vigil
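To make the credentials and roles asked about in the question concrete, here is an added example (not code from any answer or from the CDK project). It builds the identity policy for the one set of credentials that runs `cdk deploy`, limited to the CDK v2 bootstrap roles of the target environments, plus the one-time bootstrap command that makes those roles trust the deployer account. Assumptions: the default bootstrap qualifier `hnb659fds`, hypothetical helper names, constructed 12-digit account IDs, and a hypothetical execution policy ARN.

```typescript
// Added example; helper names and the sample account IDs are constructed.
interface Env { account: string; region: string }

// Qualifier `cdk bootstrap` uses in CDK v2 unless --qualifier is passed.
const DEFAULT_QUALIFIER = 'hnb659fds';
// Bootstrap roles the CLI itself assumes (the cfn-exec role is assumed by
// CloudFormation, so the deployer needs no sts:AssumeRole permission on it).
const CLI_ROLES = ['deploy-role', 'file-publishing-role', 'image-publishing-role', 'lookup-role'];

function bootstrapRoleArns(env: Env, qualifier: string = DEFAULT_QUALIFIER): string[] {
  if (!/^\d{12}$/.test(env.account)) {
    throw new Error('AWS account IDs are 12 digits, got: ' + env.account);
  }
  return CLI_ROLES.map((role) =>
    'arn:aws:iam::' + env.account + ':role/cdk-' + qualifier + '-' + role +
    '-' + env.account + '-' + env.region);
}

// Identity policy for the single set of credentials that runs `cdk deploy`:
// it may assume only the bootstrap roles of the listed target environments.
function deployerPolicy(envs: Env[], qualifier: string = DEFAULT_QUALIFIER) {
  const resources: string[] = [];
  for (const env of envs) {
    for (const arn of bootstrapRoleArns(env, qualifier)) {
      if (resources.indexOf(arn) === -1) resources.push(arn); // de-duplicate
    }
  }
  return {
    Version: '2012-10-17',
    Statement: [{ Sid: 'AssumeCdkBootstrapRoles', Effect: 'Allow', Action: 'sts:AssumeRole', Resource: resources }],
  };
}

// One-time command per target environment so its roles trust the deployer account.
function bootstrapCommand(env: Env, deployerAccount: string, execPolicyArn: string): string {
  return 'cdk bootstrap aws://' + env.account + '/' + env.region +
    ' --trust ' + deployerAccount + ' --cloudformation-execution-policies ' + execPolicyArn;
}

// Constructed sample: two target environments and one deployer (CI) account.
const envEU: Env = { account: '111111111111', region: 'eu-west-1' };
const envUSA: Env = { account: '222222222222', region: 'us-west-2' };
const EXEC_POLICY = 'arn:aws:iam::111111111111:policy/CdkExecPolicy'; // hypothetical
console.log(JSON.stringify(deployerPolicy([envEU, envUSA]), null, 2));
console.log(bootstrapCommand(envEU, '333333333333', EXEC_POLICY));
```

Scoping the execution policy passed to `--cloudformation-execution-policies` to what the stacks actually create keeps a compromised deployer credential from gaining full control of the target accounts.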
-1

If you have multiple stacks in your app you have to pass every stack into the cdk deploy command e.g. cdk deploy WmStackRouteCertStack004BE231 WmStackUploadStackF8C20A98

I don't know of a way to deploy all stacks in an app. I don't like this behavior, and it's the reason I try to avoid creating multiple stacks.

Jonny Rimek
  • But this doesn't address what credentials are required to deploy multiple stacks when the stacks are to be deployed to differing accounts? – John Apr 29 '20 at 14:00
  • 1
    @John you can use the [cdk credential plugin](https://aws.amazon.com/blogs/devops/cdk-credential-plugin/) or even implement your own [credential provider](https://docs.aws.amazon.com/cdk/api/latest/typescript/api/aws-cdk/credentialprovidersource.html) – ozeebee Sep 30 '20 at 16:48
  • Interesting, I guess I misunderstood the question. We only deploy one stack at a time in our CI/CD, even though our infrastructure code is in a monorepo. – Jonny Rimek Oct 01 '20 at 21:21