Description
Describe the feature
When running integration tests, invoke the CLI with credentials to a different account than the target account.
Use Case
A fairly common setup for deploying CDK apps is providing the CLI with credentials to a role in a centralized account (Account S) to perform the deployments to a target account (Account T).
This differs from the "standard" scenario where the CLI is executed with credentials to the target account. To make this setup work, the customer needs to set up trust relationships between both accounts, creating one variation of a cross-account auth setup.
In such a case, the CLI needs to take special care when invoking any AWS APIs because it must make sure it's doing so with the appropriate assumed role. Running tests with this setup will automatically catch bugs that fail to do so.
For example: #31845
Proposed Solution
We already control CLI invocation inside our tests via the TestFixture (FLW: it's probably OK to assume all tests use it). This means our fixture can assume a role in Account S, and invoke the CLI with its credentials, leaving Account T as is.
aws-cdk/packages/@aws-cdk-testing/cli-integ/lib/with-cdk-app.ts
Lines 525 to 540 in 33872f3
The only thing left to unpack here is where will the fixture get 2 accounts from? Currently, our framework only provides different regions in the same account.
So, we need to first implement the test environment allocation service to make this work.
Other Information
Some peripheral considerations:
- We need to provide a way for tests to opt out of this behavior (there may be good reasons for it).
- Do we add this as a permutation of the test? or instead?
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
ALL
Environment details (OS name and version, etc.)
ALL
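
The Proposed Solution above, sketched as an added example that is not code from the aws-cdk repository: a helper that builds the CLI child-process environment from Account S role credentials and strips ambient credential variables so the CLI cannot silently fall back to Account T. All names (`cliEnvironment`, `CrossAccountRun`, `accountOfRole`) are hypothetical, and it assumes the fixture has already obtained the role credentials, for example through STS AssumeRole.

```typescript
// Added example with hypothetical names; not code from the aws-cdk repository.
type Env = Record<string, string | undefined>;
interface RoleCredentials { accessKeyId: string; secretAccessKey: string; sessionToken: string; }

// Variables through which the AWS credential chain could pick up ambient
// credentials (Account T) instead of the assumed Account S role.
const AMBIENT_CREDENTIAL_VARS = [
  'AWS_PROFILE', 'AWS_DEFAULT_PROFILE', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY',
  'AWS_SESSION_TOKEN', 'AWS_ROLE_ARN', 'AWS_WEB_IDENTITY_TOKEN_FILE',
];

// Extract the 12-digit account id from an IAM role ARN.
function accountOfRole(roleArn: string): string {
  const id = /^arn:aws[a-z-]*:iam::(\d{12}):role\/.+$/.exec(roleArn)?.[1];
  if (!id) throw new Error(`not an IAM role ARN: ${roleArn}`);
  return id;
}

interface CrossAccountRun {
  targetAccount: string;        // Account T, where the stacks are deployed
  sourceRoleArn: string;        // role in Account S that the fixture assumed
  credentials: RoleCredentials; // assumption: result of assuming sourceRoleArn
}

// Build the environment for the CLI child process. Passing no `run` is the
// per-test opt-out: the CLI inherits the fixture's environment unchanged.
function cliEnvironment(baseEnv: Env, run?: CrossAccountRun): Env {
  if (!run) return { ...baseEnv };
  // Refuse a setup that would quietly degrade to the standard same-account case.
  if (accountOfRole(run.sourceRoleArn) === run.targetAccount) {
    throw new Error('source role is in the target account; the run would not be cross-account');
  }
  const env: Env = { ...baseEnv };
  // Remove every ambient credential source before injecting the Account S session.
  for (const name of AMBIENT_CREDENTIAL_VARS) delete env[name];
  env['AWS_ACCESS_KEY_ID'] = run.credentials.accessKeyId;
  env['AWS_SECRET_ACCESS_KEY'] = run.credentials.secretAccessKey;
  env['AWS_SESSION_TOKEN'] = run.credentials.sessionToken;
  return env;
}
```

With only Account S credentials in the environment, any CLI code path that calls an AWS API in Account T without first assuming the appropriate role fails in the test instead of passing on ambient credentials.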