pwrdrvr/microapps-core

v0.3 - Cross Account Deployments

Closed this issue · 2 comments

Motivations

  • Larger organizations will have single CloudFront distributions with different dev teams deploying apps into different AWS accounts
  • MicroApps needs the ability to register child account Lambdas on a parent account CloudFront / MicroApps deploy

To-Do

  • Split Lambda and DynamoDB access into two different DeployerSvc requests
  • Update microapps-publish to detect and use the new style when it is supported
  • Setup GHPublicChild account for cross account testing
  • Create Child account CDK construct
  • Create Child account CDK stack
  • Add parameters to Parent account construct / stack to allow child account DeployerSvc to invoke
  • CI - Add Child account CDK stack deployment
  • CI - Add Child account deploy of child-demo app
  • Test and confirm that child-demo app appears in Release app and that app invoke works
  • Address the inevitable issues with edge-to-origin request signing; most likely there will be a problem with the target account or region being passed to the signing functions
  • Fix colliding names for the edge-role child stack for the basic and basic-prefix stacks
  • Fix registration of child account permission to invoke parent account deployer

Design

  • DeployerSvc
    • Add a stub version of this that invokes the Deployer in the primary account
      • This Deployer stub should grant the API Gateway in the primary account permission to invoke the lambda in the secondary account
  • microapps-publish
    • Add any parameters needed to publish to another account?
    • This can probably be handled with no parameters as the Deployer lambda can return the necessary config info
  • Apps from multiple accounts can all be served from a single prefix
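
The design above hinges on a cross-account resource-based policy: the child-account Lambda alias must allow a specific role (the edge-to-origin role, or the API Gateway role) in the parent account to invoke it. The following is an added example, not code from the microapps-core project; it builds the policy statement that `aws lambda add-permission` would attach to an alias-qualified function ARN, and then audits it for the over-broad grants that commonly creep into cross-account setups (a `*` principal, an account `:root` principal, an unqualified function ARN). All account IDs, the region, the function name and the role name are constructed placeholders. The same shape, with principal and resource swapped, applies to the child-account DeployerSvc being allowed to invoke the parent-account Deployer.

```typescript
// Added example (not microapps-core code): build and audit the resource-based
// policy statement that lets a role in the parent account invoke a Lambda alias
// owned by a child account. All identifiers below are constructed placeholders.

interface PolicyStatement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string } | "*";
  Action: string | string[];
  Resource: string;
}

interface CrossAccountInvokeSpec {
  childAccountId: string;  // account that owns the Lambda
  region: string;
  functionName: string;
  alias: string;           // grant on the alias, never on the unqualified ARN
  parentRoleArn: string;   // the one role in the parent account allowed to invoke
}

// Equivalent of `aws lambda add-permission --qualifier <alias>` on the child function.
function buildInvokeStatement(spec: CrossAccountInvokeSpec): PolicyStatement {
  const functionArn =
    `arn:aws:lambda:${spec.region}:${spec.childAccountId}:function:${spec.functionName}:${spec.alias}`;
  return {
    Sid: `AllowParentInvoke-${spec.alias}`,
    Effect: "Allow",
    Principal: { AWS: spec.parentRoleArn },
    Action: "lambda:InvokeFunction",
    Resource: functionArn,
  };
}

const ROLE_ARN = /^arn:aws:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;
const QUALIFIED_FN_ARN = /^arn:aws:lambda:[a-z0-9-]+:(\d{12}):function:[\w-]+:[\w-]+$/;

// Returns findings; an empty array means the statement has the intended least-privilege shape.
function auditInvokeStatement(stmt: PolicyStatement, childAccountId: string): string[] {
  const findings: string[] = [];
  if (stmt.Effect !== "Allow") findings.push("statement is not an Allow");

  if (stmt.Principal === "*") {
    findings.push("principal is '*': any AWS account could invoke this function");
  } else {
    const p = stmt.Principal.AWS;
    const m = ROLE_ARN.exec(p);
    if (/:root$/.test(p)) {
      // ":root" delegates to every principal in that account, not just one role
      findings.push(`principal is an account root, broader than one role: ${p}`);
    } else if (!m) {
      findings.push(`principal is not a specific IAM role ARN: ${p}`);
    } else if (m[1] === childAccountId) {
      findings.push("principal is in the child account itself; not a cross-account grant");
    }
  }

  const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  for (const a of actions) {
    if (a !== "lambda:InvokeFunction") findings.push(`unexpected action in invoke grant: ${a}`);
  }

  const r = QUALIFIED_FN_ARN.exec(stmt.Resource);
  if (!r) {
    findings.push(`resource is not an alias- or version-qualified Lambda ARN: ${stmt.Resource}`);
  } else if (r[1] !== childAccountId) {
    findings.push("resource belongs to a different account than the child account");
  }
  return findings;
}

// Stand-alone usage with constructed sample values.
const sampleSpec: CrossAccountInvokeSpec = {
  childAccountId: "222222222222",
  region: "us-east-1",
  functionName: "demo-app",
  alias: "prod",
  parentRoleArn: "arn:aws:iam::111111111111:role/edge-to-origin",
};
const sampleStatement = buildInvokeStatement(sampleSpec);
console.log(JSON.stringify(sampleStatement, null, 2));
console.log("findings:", auditInvokeStatement(sampleStatement, sampleSpec.childAccountId));
```

Running the audit against the statement actually attached to the alias (for example the output of `aws lambda get-policy --qualifier <alias>`) is a cheap check to add to the CI step that deploys the child-demo app, and it catches exactly the "manually added ARN" drift described later in this issue.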

Request Dispatch

(Figure: MicroApps - Architecture)

(Figure: Deployment)

The base work for this is done, but proving that these sorts of deployments work remains to be completed.

Stacks are created and CI is updated. Manually adding the edge-to-origin ARN to the resource policy of the demo-app alias allows this to work, but the edge-to-origin role ARN export is not yet working.