Refactoring where "allowCrossAccountAssetPublishing" lives

packages/aws-cdk/lib/api/deployments.ts

@@ -385,7 +385,7 @@ export class Deployments {
     const env = await this.envs.accessStackForReadOnlyStackOperations(stackArtifact);
     const cfn = env.sdk.cloudFormation();
 
-    const proof = await uploadStackTemplateAssets(stackArtifact, this.assetSdkProvider, env.resolvedEnvironment);
+    const proof = await uploadStackTemplateAssets(stackArtifact, this.assetSdkProvider, env);
 
     // Upload the template, if necessary, before passing it to CFN
     let cfnParam;

packages/aws-cdk/lib/api/environment-resources.ts

@@ -206,6 +206,10 @@ export class NoBootstrapStackEnvironmentResources extends EnvironmentResources {
   public async lookupToolkit(): Promise<ToolkitInfo> {
     throw new Error('Trying to perform an operation that requires a bootstrap stack; you should not see this error, this is a bug in the CDK CLI.');
   }
+
+  public async allowCrossAccountAssetPublishing(): Promise<boolean> {
+    return true;
+  }
 }
 
 /**

packages/aws-cdk/lib/api/util/cloudformation.ts

@@ -12,6 +12,7 @@ import { AssetManifestBuilder } from '../../util/asset-manifest-builder';
 import { AssetsPublishedProof, multipleAssetPublishedProof, publishAssets } from '../../util/asset-publishing';
 import { SdkProvider } from '../aws-auth';
 import { Deployments } from '../deployments';
+import { TargetEnvironment } from '../environment-access';
 
 export type Template = {
   Parameters?: Record<string, TemplateParameter>;
@@ -365,7 +366,7 @@ function templatesFromAssetManifestArtifact(artifact: cxapi.AssetManifestArtifac
 async function uploadBodyParameterAndCreateChangeSet(options: PrepareChangeSetOptions): Promise<DescribeChangeSetOutput | undefined> {
   try {
     const env = (await options.deployments.envs.accessStackForMutableStackOperations(options.stack));
-    const proof = await uploadStackTemplateAssets(options.stack, options.sdkProvider, env.resolvedEnvironment);
+    const proof = await uploadStackTemplateAssets(options.stack, options.sdkProvider, env);
 
     let bodyParameter;
     const bodyAction = await makeBodyParameter(options.stack, env, proof);
@@ -377,7 +378,9 @@ async function uploadBodyParameterAndCreateChangeSet(options: PrepareChangeSetOp
       case 'upload':
         const builder = new AssetManifestBuilder();
         bodyParameter = bodyAction.addToManifest(builder);
-        await publishAssets(builder.toManifest(options.stack.assembly.directory), options.sdkProvider, env.resolvedEnvironment);
+        await publishAssets(builder.toManifest(options.stack.assembly.directory), options.sdkProvider, env.resolvedEnvironment, {
+          allowCrossAccount: await env.resources.allowCrossAccountAssetPublishing(),
+        });
         break;
     }
 
@@ -418,13 +421,14 @@ async function uploadBodyParameterAndCreateChangeSet(options: PrepareChangeSetOp
 export async function uploadStackTemplateAssets(
   stack: cxapi.CloudFormationStackArtifact,
   sdkProvider: SdkProvider,
-  environment: cxapi.Environment,
+  env: TargetEnvironment,
 ): Promise<AssetsPublishedProof> {
   const assetDependencies = stack.dependencies.filter(cxapi.AssetManifestArtifact.isAssetManifestArtifact);
+  const allowCrossAccount = await env.resources.allowCrossAccountAssetPublishing();
 
   return multipleAssetPublishedProof(assetDependencies, (artifact) => {
     const templates = templatesFromAssetManifestArtifact(artifact);
-    return publishAssets(templates, sdkProvider, environment);
+    return publishAssets(templates, sdkProvider, env.resolvedEnvironment, { allowCrossAccount });
   });
 }
 

packages/aws-cdk/lib/util/type-brands.ts

@@ -37,8 +37,6 @@ export type Branded<T, B> = T & Brand<B>;
  * values which are branded by construction (really just an elaborate
  * way to write 'as').
  */
-export function createBranded<A extends Branded<any, any>>(value: TypeUnderlyingBrand<A>): A {
-  return value as A;
+export function createBranded<A, B>(value: A): Branded<A, B> {
+  return value as Branded<A, B>;
 }
-
-type TypeUnderlyingBrand<A> = A extends Branded<infer T, any> ? T : never;

packages/aws-cdk/test/api/bootstrap.test.ts

@@ -11,9 +11,6 @@ const env = {
   name: 'mock',
 };
 
-jest.mock('../../lib/api/util/checks', () => ({
-  determineAllowCrossAccountAssetPublishing: jest.fn().mockResolvedValue(true),
-}));
 let sdk: MockSdkProvider;
 let executed: boolean;
 let protectedTermination: boolean;

packages/aws-cdk/test/api/deploy-stack.test.ts

@@ -6,11 +6,10 @@ import { setCI } from '../../lib/logging';
 import { DEFAULT_FAKE_TEMPLATE, testStack } from '../util';
 import { MockedObject, mockResolvedEnvironment, MockSdk, MockSdkProvider, SyncHandlerSubsetOf } from '../util/mock-sdk';
 import { NoBootstrapStackEnvironmentResources } from '../../lib/api/environment-resources';
+import { createBranded } from '../../lib/util/type-brands';
+import { StringWithoutPlaceholders } from '../../lib/api/util/placeholders';
 
 jest.mock('../../lib/api/hotswap-deployments');
-jest.mock('../../lib/api/util/checks', () => ({
-  determineAllowCrossAccountAssetPublishing: jest.fn().mockResolvedValue(true),
-}));
 
 const FAKE_STACK = testStack({
   stackName: 'withouterrors',
@@ -83,10 +82,17 @@ function standardDeployStackArguments(): DeployStackOptions {
   const resolvedEnvironment = mockResolvedEnvironment();
   return {
     stack: FAKE_STACK,
-    sdk,
+    env: {
+      didAssumeRole: true,
+      isFallbackCredentials: false,
+      resolvedEnvironment,
+      sdk,
+      resources: new NoBootstrapStackEnvironmentResources(resolvedEnvironment, sdk),
+      replacePlaceholders(x: string | undefined): Promise<StringWithoutPlaceholders | undefined> {
+        return Promise.resolve(x ? createBranded(x) : undefined);
+      },
+    },
     sdkProvider,
-    resolvedEnvironment,
-    envResources: new NoBootstrapStackEnvironmentResources(resolvedEnvironment, sdk),
   };
 }
 
@@ -590,19 +596,16 @@ test('deploy not skipped if template did not change but tags changed', async ()
   });
 
   // WHEN
-  const resolvedEnvironment = mockResolvedEnvironment();
   await deployStack({
+    ...standardDeployStackArguments(),
     stack: FAKE_STACK,
-    sdk,
     sdkProvider,
-    resolvedEnvironment,
     tags: [
       {
         Key: 'Key',
         Value: 'NewValue',
       },
     ],
-    envResources: new NoBootstrapStackEnvironmentResources(resolvedEnvironment, sdk),
   });
 
   // THEN

packages/aws-cdk/test/api/environment-resources.test.ts

@@ -18,6 +18,7 @@ beforeEach(() => {
 
 afterEach(() => {
   toolkitMock.dispose();
+  jest.clearAllMocks();
 });
 
 function mockToolkitInfo(ti: ToolkitInfo) {
@@ -69,10 +70,6 @@ describe('validateversion without bootstrap stack', () => {
     mockToolkitInfo(ToolkitInfo.bootstrapStackNotFoundInfo('TestBootstrapStack'));
   });
 
-  afterEach(() => {
-    jest.clearAllMocks();
-  });
-
   test('validating version with explicit SSM parameter succeeds', async () => {
     // GIVEN
     mockSdk.stubSsm({
@@ -140,4 +137,58 @@ describe('validateversion without bootstrap stack', () => {
     // WHEN
     await expect(envResources().validateVersion(8, '/abc')).rejects.toThrow(/Has the environment been bootstrapped?/);
   });
-});
+});
+
+describe('determineAllowCrossAccountAssetPublishing', () => {
+  it('should return true when hasStagingBucket is false', async () => {
+    mockToolkitInfo(ToolkitInfo.fromStack(mockBootstrapStack(mockSdk, {
+      Outputs: [{ OutputKey: 'BootstrapVersion', OutputValue: '1' }],
+    })));
+
+    const result = await envResources().allowCrossAccountAssetPublishing();
+    expect(result).toBe(true);
+  });
+
+  it.each(['', '-', '*', '---'])('should return true when the bucket output does not look like a real bucket', async (notABucketName) => {
+    mockToolkitInfo(ToolkitInfo.fromStack(mockBootstrapStack(mockSdk, {
+      Outputs: [
+        { OutputKey: 'BootstrapVersion', OutputValue: '1' },
+        { OutputKey: 'BucketName', OutputValue: notABucketName },
+      ],
+    })));
+
+    const result = await envResources().allowCrossAccountAssetPublishing();
+    expect(result).toBe(true);
+  });
+
+  it('should return true when bootstrap version is >= 21', async () => {
+    mockToolkitInfo(ToolkitInfo.fromStack(mockBootstrapStack(mockSdk, {
+      Outputs: [
+        { OutputKey: 'BootstrapVersion', OutputValue: '21' },
+        { OutputKey: 'BucketName', OutputValue: 'some-bucket' },
+      ],
+    })));
+
+    const result = await envResources().allowCrossAccountAssetPublishing();
+    expect(result).toBe(true);
+  });
+
+  it('should return true if looking up the bootstrap stack fails', async () => {
+    mockToolkitInfo(ToolkitInfo.bootstrapStackNotFoundInfo('TestBootstrapStack'));
+
+    const result = await envResources().allowCrossAccountAssetPublishing();
+    expect(result).toBe(true);
+  });
+
+  it('should return false for other scenarios', async () => {
+    mockToolkitInfo(ToolkitInfo.fromStack(mockBootstrapStack(mockSdk, {
+      Outputs: [
+        { OutputKey: 'BootstrapVersion', OutputValue: '20' },
+        { OutputKey: 'BucketName', OutputValue: 'some-bucket' },
+      ],
+    })));
+
+    const result = await envResources().allowCrossAccountAssetPublishing();
+    expect(result).toBe(false);
+  });
+});

packages/aws-cdk/test/util/mock-toolkitinfo.ts

@@ -31,6 +31,7 @@ export class MockToolkitInfo extends ToolkitInfo {
   public readonly version: number;
   public readonly variant: string;
   public readonly stackName = 'MockBootstrapStack';
+  public readonly allowCrossAccountAssetPublishing = false;
 
   private readonly _bootstrapStack?: CloudFormationStack;