v0.3 - Cross Account Deployments
Closed this issue · 2 comments
huntharo commented
Motivations
- Larger organizations will have single CloudFront distributions with different dev teams deploying apps into different AWS accounts
- MicroApps needs the ability to register child account Lambdas on a parent account CloudFront / MicroApps deploy
To-Do
- Split Lambda and DynamoDB access into two different DeployerSvc requests
- Update `microapps-publish` to detect and use the new style when it is supported
- Set up GHPublicChild account for cross-account testing
- Create Child account CDK construct
- Create Child account CDK stack
- Add parameters to Parent account construct / stack to allow child account DeployerSvc to invoke
- CI - Add Child account CDK stack deployment
- CI - Add Child account deploy of `child-demo` app
- Test and confirm that `child-demo` app appears in Release app and that app invoke works
- Address inevitable issues with edge-to-origin request signing
  - Most likely there will be a problem with the target account or region being passed to the signing functions
- Fix colliding names for the `edge-role` child stack for the `basic` and `basic-prefix` stacks
- Fix registration of child account permission to invoke parent account deployer
Design
- DeployerSvc
  - Add a stub version of this that invokes the Deployer in the primary account
  - This Deployer stub should grant the API Gateway in the primary account permission to invoke the lambda in the secondary account
- `microapps-publish`
  - Add any parameters needed to publish to another account?
    - This can probably be handled with no parameters as the Deployer lambda can return the necessary config info
- Apps from multiple accounts can all be served from a single prefix
Request Dispatch
Deployment
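The cross-account grant sketched in the Design section above, as an added example in TypeScript that is not code from the MicroApps project or from this issue's author: it models the `lambda:AddPermission` request a child-account Deployer stub would issue so the parent account's API Gateway (and the parent's edge-to-origin role) may invoke an app alias in the child account, renders the resulting resource-policy statements, and evaluates a caller against them. The account IDs, API ID, region, role and function names, and all helper names (`apiGatewayInvokePermission`, `roleInvokePermission`, `isAllowed`, `demoPolicy`) are constructed assumptions, not MicroApps identifiers.

```typescript
// Added example (not MicroApps project code). Models the lambda:AddPermission
// calls a child-account Deployer stub would make, and evaluates the resulting
// alias resource policy offline. All IDs and names are constructed placeholders.

export interface AddPermissionInput {
  FunctionName: string;
  StatementId: string;
  Action: 'lambda:InvokeFunction';
  Principal: string;   // service principal (apigateway.amazonaws.com) or IAM principal ARN
  Qualifier?: string;  // alias name: the permission then applies to the alias ARN only
  SourceArn?: string;  // restricts a service principal to one source resource
}

export type Principal = { Service: string } | { AWS: string };

export interface PolicyStatement {
  Sid: string;
  Effect: 'Allow';
  Principal: Principal;
  Action: 'lambda:InvokeFunction';
  Resource: string;
  Condition?: { ArnLike: { 'AWS:SourceArn': string } };
}

export function functionArn(account: string, region: string, name: string, alias?: string): string {
  const base = `arn:aws:lambda:${region}:${account}:function:${name}`;
  return alias ? `${base}:${alias}` : base;
}

// Grant the parent account's REST API (any stage/method/path) invoke on the child alias.
export function apiGatewayInvokePermission(opts: {
  functionName: string; alias: string; parentAccount: string; region: string; apiId: string;
}): AddPermissionInput {
  return {
    FunctionName: opts.functionName,
    StatementId: `microapps-parent-apigw-${opts.apiId}`,
    Action: 'lambda:InvokeFunction',
    Principal: 'apigateway.amazonaws.com',
    Qualifier: opts.alias,
    SourceArn: `arn:aws:execute-api:${opts.region}:${opts.parentAccount}:${opts.apiId}/*/*/*`,
  };
}

// Grant the parent account's edge-to-origin role (SigV4-signed requests) invoke on the alias.
export function roleInvokePermission(opts: {
  functionName: string; alias: string; roleArn: string;
}): AddPermissionInput {
  return {
    FunctionName: opts.functionName,
    StatementId: 'microapps-parent-edge-to-origin',
    Action: 'lambda:InvokeFunction',
    Principal: opts.roleArn,
    Qualifier: opts.alias,
  };
}

// Render the statement the way Lambda stores it in the alias (or function) resource policy.
export function toStatement(input: AddPermissionInput, childAccount: string, region: string): PolicyStatement {
  const principal: Principal = input.Principal.startsWith('arn:')
    ? { AWS: input.Principal }
    : { Service: input.Principal };
  const stmt: PolicyStatement = {
    Sid: input.StatementId,
    Effect: 'Allow',
    Principal: principal,
    Action: input.Action,
    Resource: functionArn(childAccount, region, input.FunctionName, input.Qualifier),
  };
  if (input.SourceArn) stmt.Condition = { ArnLike: { 'AWS:SourceArn': input.SourceArn } };
  return stmt;
}

// ArnLike semantics: '*' matches any run of characters, '?' exactly one.
function arnLike(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

export interface Caller { service?: string; roleArn?: string; sourceArn?: string }

// True if some statement allows `caller` to invoke exactly `resourceArn`.
export function isAllowed(statements: PolicyStatement[], caller: Caller, resourceArn: string): boolean {
  return statements.some((s) => {
    if (s.Resource !== resourceArn) return false;
    const principalOk = 'Service' in s.Principal
      ? s.Principal.Service === caller.service
      : s.Principal.AWS === caller.roleArn;
    if (!principalOk) return false;
    if (s.Condition) {
      return caller.sourceArn !== undefined && arnLike(s.Condition.ArnLike['AWS:SourceArn'], caller.sourceArn);
    }
    return true;
  });
}

// Constructed sample: parent 111111111111 owns API abc123 and the edge-to-origin role,
// child 222222222222 owns the demo-app Lambda with alias v1_0_0.
export function demoPolicy(): PolicyStatement[] {
  const parent = '111111111111', child = '222222222222', region = 'us-east-1';
  return [
    toStatement(apiGatewayInvokePermission({ functionName: 'demo-app', alias: 'v1_0_0', parentAccount: parent, region, apiId: 'abc123' }), child, region),
    toStatement(roleInvokePermission({ functionName: 'demo-app', alias: 'v1_0_0', roleArn: `arn:aws:iam::${parent}:role/edge-to-origin` }), child, region),
  ];
}
```

Because the permission is added with a `Qualifier`, it lands in the alias's resource policy and its `Resource` is the qualified ARN, so an invoker that targets the unqualified function ARN is still denied; that is the same alias-level policy the last comment below describes editing by hand for the demo-app alias. The `SourceArn` condition is what keeps a second API in the parent account (or any API in a third account) from invoking the child function even though the service principal is the same.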
huntharo commented
The base work for this is done but proving that these sorts of deployments work remains to be completed
huntharo commented
Stacks are created, CI is updated, and manually adding the edge-to-origin ARN to the resource policy of the demo-app alias allows this to work, but the edge-to-origin role ARN export is not yet working