Need Help Configuring CDK w/ Sub Account Structure

wcrawford · February 13, 2024, 3:30pm

Hello everyone,

I currently have a CDK project and accounts with the following structure: Main Account has multiple sub accounts: dev, provision account, etc.

CDK application references these accounts directly. Within the calls themselves they are targeting specific resources within the accounts.

I followed the Localstack tutorials and ran cdklocal bootstrap aws://000000000000/us-east-1. The environment gets initialized but when I run cdklocal deploy. I am receiving a 400 response when the cdk tries to create s3 bucket in the specific sub accounts. I am also receiving an error from an SSM Get-Parameter: Deployment failed: Error: SSM parameter /cdk-bootstrap/foo/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html).

I have multiple questions:

Is the current way our cdk app is architected with the sub-account structure preventing us from using Localstack?
Why am I receiving the SSM error when I have already bootstrapped the project with cdklocal?

lkkgr · February 14, 2024, 1:00pm

Hi @wcrawford,
Thanks for reaching out.
As you have not attached any code I took the liberty to create a simple sample in Python myself to investigate your issue. To address your questions:

No it’s not. You can use CDK with multi-account setups. The following way:
Create trust between accounts, ie in my case I had 000000000000 as main account and 000000000001 and 000000000002 as sub accounts. To create a trust relationship I used the CDK cli at bootstrap the following way (ofc this is not the only solution to do it, but perhaps this is the simplest)

AWS_ACCESS_KEY_ID=000000000002 AWS_SECRET_ACCESS_KEY=test cdklocal bootstrap aws://000000000002/us-east-1 --trust 000000000000 --cloudformation-execution-policies "arn:aws:iam::aws:policy/AdministratorAccess"

More information about the multi-account behaviour of LocalStack you can find it here.
Then your app.py looks something similar:

...
app = cdk.App()

CdkMainAccountStack(app, "CdkMainAccountStack",
    env=cdk.Environment(account='000000000000', region='us-east-1'),
    )

CdkSubAccountStack(app, "CdkSubAccountStack-000000000001",
    env=cdk.Environment(account='000000000001', region='us-east-1'),
    )

CdkSubAccountStack(app, "CdkSubAccountStack-000000000002",
    env=cdk.Environment(account='000000000002', region='us-east-1'),
    )

app.synth()

Regarding the SSM error. Can you please verify that you are adding the parameter and not looking it up (Get-Parameter)? In my case this looked like this:

ssm_parameter = ssm.StringParameter(self, "Version",
    parameter_name="/cdk-bootstrap/foo/version",
    string_value="v1.0"
)

Please let us know if any of this helped or you have further questions.

Topic		Replies	Views
Opensearch (cdklocal) deploy failed Platform localstack	5	270	February 13, 2024
ECR authentication issue when using cdklocal deploy Platform localstack	1	542	March 26, 2023
'NoneType' object is not a mapping when deploying cdk stack Platform	1	131	January 26, 2024
Remote docker host. How to? Platform localstack	1	554	May 22, 2023
Cdklocal integration with Glue service Platform localstack	1	240	May 31, 2023

Need Help Configuring CDK w/ Sub Account Structure

Related Topics