Passing deploy role to stack params #96

Merged
fwang merged 4 commits into anomalyco:master from hoangnd25:deploy-role
Aug 14, 2025

@hoangnd25
Contributor

I found that the cdk deploy role isn't being used for deployment, which results in unnecessary permissions being needed for deployment.
#82 (comment)

The easiest option to fix it seems to be passing cdk deploy role to CloudFormation stack params.

However, might need to look into using @aws-cdk/toolkit-lib to handle deployment if possible.

@netlify

netlify bot commented Jul 7, 2025

Deploy Preview for sst-docs canceled.

Name Link
🔨 Latest commit dc702c7
🔍 Latest deploy log https://app.netlify.com/projects/sst-docs/deploys/689d6568cf567c0008289b7b

@jayair jayair requested a review from fwang July 11, 2025 21:54
@maddie-j

Having experienced the same permissions issues with my team after bumping from v2.47.3 -> v2.49.2, can confirm copying this change into our repo using patch-package has fixed the problem!

Would appreciate this getting merged in soon so we can replace the patch with an actual fixed package 😊

@runlevel5

@jayair wondering if you could help review this PR? Many thanks

@michael-harley

I have tried this: upgraded from 2.48.5 -> 2.49.3 and then implemented the code change using pnpm patch sst.

But I still get this error:

|   PUBLISH_ASSETS_COMPLETE 
|   repo-name/Parameter_url AWS::SSM::Parameter CREATE_COMPLETE 
|   repo-name/CloudFrontFunction AWS::CloudFront::Function CREATE_FAILED Resource handler returned message: "Invalid request provided: AWS::CloudFront::Function: (Service: CloudFront, Status Code: 409, Request ID: 8b8ddb94-febf-472a-b0e0-4c4a10fe203c) (SDK Attempt Count: 1)" (RequestToken: 48e5b1ea-0cfa-4e46-d021-0f6ac418f5cd, HandlerErrorCode: InvalidRequest)

After trying to re-deploy, I now get this error

✖  Errors
    UPDATE_FAILED
   stack: Stack [pr-1136-repo-name-] does not exist

I think it's not stable. Usually when it does not exist, SST will automatically create the stack.

@FlanaganSe

> I have tried this: upgraded from 2.48.5 -> 2.49.3 and then implemented the code change using pnpm patch sst.
>
> But I still get this error:
>
> |   PUBLISH_ASSETS_COMPLETE
> |   repo-name/Parameter_url AWS::SSM::Parameter CREATE_COMPLETE
> |   repo-name/CloudFrontFunction AWS::CloudFront::Function CREATE_FAILED Resource handler returned message: "Invalid request provided: AWS::CloudFront::Function: (Service: CloudFront, Status Code: 409, Request ID: 8b8ddb94-febf-472a-b0e0-4c4a10fe203c) (SDK Attempt Count: 1)" (RequestToken: 48e5b1ea-0cfa-4e46-d021-0f6ac418f5cd, HandlerErrorCode: InvalidRequest)
>
> After trying to re-deploy, I now get this error
>
> ✖  Errors
>     UPDATE_FAILED
>    stack: Stack [pr-1136-repo-name-] does not exist
>
> I think it's not stable. Usually when it does not exist, SST will automatically create the stack.

I believe that's a different issue than the one that this PR is trying to fix. This PR is in regard to permissions issues.
...I believe, I haven't tried the patch to see if this issue may persist with the changes -- I may try so soon.

But we are awaiting the permission issues to be resolved before we can update to v2.49.X.

@hoangnd25
Contributor Author

hoangnd25 commented Aug 12, 2025

> > I have tried this: upgraded from 2.48.5 -> 2.49.3 and then implemented the code change using pnpm patch sst.
> > But I still get this error:
> >
> > |   PUBLISH_ASSETS_COMPLETE
> > |   repo-name/Parameter_url AWS::SSM::Parameter CREATE_COMPLETE
> > |   repo-name/CloudFrontFunction AWS::CloudFront::Function CREATE_FAILED Resource handler returned message: "Invalid request provided: AWS::CloudFront::Function: (Service: CloudFront, Status Code: 409, Request ID: 8b8ddb94-febf-472a-b0e0-4c4a10fe203c) (SDK Attempt Count: 1)" (RequestToken: 48e5b1ea-0cfa-4e46-d021-0f6ac418f5cd, HandlerErrorCode: InvalidRequest)
> >
> > After trying to re-deploy, I now get this error
> >
> > ✖  Errors
> >     UPDATE_FAILED
> >    stack: Stack [pr-1136-repo-name-] does not exist
> >
> > I think it's not stable. Usually when it does not exist, SST will automatically create the stack.
>
> I believe that's a different issue than the one that this PR is trying to fix. This PR is in regard to permissions issues. ...I believe, I haven't tried the patch to see if this issue may persist with the changes -- I may try so soon.
>
> But we are awaiting the permission issues to be resolved before we can update to v2.49.X.

Hey yeah, it looks like a different issue.

I do notice that issue since the v2.49 update though.

So basically here is how it can happen:

  • Initiate a deployment.
  • One of the stacks fails to deploy, and the deployment gets rolled back and the stacks removed.
  • Initiate another deployment and end up with a stack not found error.

For me, I just need to do another deployment (with the initial deployment issue fixed) and I won't see the stack not found error anymore.

Maybe this will fix the issue #105 🤷

@FlanaganSe

FlanaganSe commented Aug 12, 2025

Worth noting that this patch doesn't fully fix the permission issues that we experience in local development with v2.49.2 -- we now have a permission error for being unauthorized to iam:PassRole.

I'm not sure of the old implementation -- I assume it was assuming a role rather than passing?

Edit: Perhaps obviously so -- this issue/PR is directly in regard to passing a role 😄
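
Added example, not part of this PR or of SST's code: because a role handed to CloudFormation in the stack params requires iam:PassRole on the caller, as the comment above reports, this lint checks that a deployer's identity policy grants it only for a named role and only to CloudFormation. The policies, account ID and role name are constructed placeholders, and the check is simplified (it does not evaluate Deny, NotAction or NotResource).

```javascript
// Added example, not SST or CDK code. Simplified lint: reads only Allow
// statements with Action/Resource; it does not evaluate Deny or NotAction.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
function actionMatches(pattern, action) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test(action);
}

// Returns one finding per way a statement grants iam:PassRole too broadly.
function lintPassRole(policy, service = "cloudformation.amazonaws.com") {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    if (!asArray(stmt.Action).some((a) => actionMatches(a, "iam:PassRole"))) return;
    const id = stmt.Sid || `Statement[${i}]`;
    // A caller should only be able to pass named roles, not a wildcard.
    for (const r of asArray(stmt.Resource)) {
      if (r.includes("*")) findings.push(`${id}: wildcard resource ${r}`);
    }
    // iam:PassedToService limits which service may receive the role.
    const passedTo = Object.entries(stmt.Condition || {})
      .filter(([op]) => op === "StringEquals" || op === "StringLike")
      .flatMap(([, keys]) => Object.entries(keys))
      .filter(([key]) => key.toLowerCase() === "iam:passedtoservice")
      .flatMap(([, value]) => asArray(value));
    if (passedTo.length === 0) findings.push(`${id}: no iam:PassedToService condition`);
    for (const s of passedTo) {
      if (s !== service) findings.push(`${id}: role may be passed to ${s}`);
    }
  });
  return findings;
}

// Constructed policies; the account ID and role name are placeholders.
const broadPolicy = {
  Statement: [{ Sid: "Broad", Effect: "Allow", Action: "iam:*", Resource: "*" }],
};
const scopedPolicy = {
  Statement: [{
    Sid: "PassToCfn", Effect: "Allow", Action: "iam:PassRole",
    Resource: "arn:aws:iam::111122223333:role/example-stack-role",
    Condition: { StringEquals: { "iam:PassedToService": "cloudformation.amazonaws.com" } },
  }],
};
console.log(lintPassRole(broadPolicy), lintPassRole(scopedPolicy));
```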

@fwang fwang merged commit c8c2f01 into anomalyco:master Aug 14, 2025
3 of 4 checks passed
@github-actions github-actions bot mentioned this pull request Aug 14, 2025