fix(integ-runner): region is not passed to CDK App

When using the `toolkit-lib` deployment engine, the selected region
was not being passed to the CDK app.

In the old engine, we could set the `AWS_REGION` environment variable
and the CDK CLI would respect that, but the toolkit lib was passing that
environment variable directly to the CDK app which was not respecting
that. Fix that by threading the region through as an explicit parameter
and adding an override parameter to the `AwsCliCompatible` base
credentials: we don't necessarily want to read this only from the INI
files.

Additionally: add a validation to make sure that the CDK app respects
the region we are requesting. CDK integ tests should either not
pass an environment, or read `$CDK_DEFAULT_REGION` to determine the
current region. It was too easy to just override the region with a
hardcoded one, but that breaks the integ runner's attempts to isolate
tests across regions. Guard against that by validating.

Also in this PR: disable the update workflow. I've lost 2 hours
debugging why my deployment was failing with nonsenical values and the
answer was: the checked-in snapshot was nonsensical, and the update
workflow will first deploy the checked-in snapshot and only then
deploy the current snapshot. Good idea, bad execution: if existing
snapshots are not region-agnostic they are guaranteed to fail. We
should probably resynthesize them from the previous git commit instead.
Whatever it is, what we do right now doesn't work so I'm disabling it.

Author: rix0rrr

packages/@aws-cdk/integ-runner/bin/integ-runner

@@ -1,4 +1,3 @@
 #!/usr/bin/env node
-const { cli } = require('../lib');
-cli();
+require('../lib/run-cli');
 

packages/@aws-cdk/integ-runner/lib/cli.ts

@@ -40,7 +40,7 @@ export function parseCliArgs(args: string[] = []) {
     .option('strict', { type: 'boolean', default: false, desc: 'Fail if any specified tests are not found' })
     .options('from-file', { type: 'string', desc: 'Read TEST names from a file (one TEST per line)' })
     .option('inspect-failures', { type: 'boolean', desc: 'Keep the integ test cloud assembly if a failure occurs for inspection', default: false })
-    .option('disable-update-workflow', { type: 'boolean', default: false, desc: 'If this is "true" then the stack update workflow will be disabled' })
+    .option('disable-update-workflow', { type: 'boolean', default: true, desc: 'DEPRECATED. Update workflow has been temporarily disabled until we can make it work correctly.' })
     .option('language', {
       alias: 'l',
       default: ['javascript', 'typescript', 'python', 'go'],
@@ -100,7 +100,7 @@ export function parseCliArgs(args: string[] = []) {
     clean: argv.clean as boolean,
     force: argv.force as boolean,
     dryRun: argv['dry-run'] as boolean,
-    disableUpdateWorkflow: argv['disable-update-workflow'] as boolean,
+    disableUpdateWorkflow: true,
     language: arrayFromYargs(argv.language),
     watch: argv.watch as boolean,
     strict: argv.strict as boolean,
@@ -186,7 +186,7 @@ async function run(options: ReturnType<typeof parseCliArgs>, { engine }: EngineO
         clean: options.clean,
         dryRun: options.dryRun,
         verbosity: options.verbosity,
-        updateWorkflow: !options.disableUpdateWorkflow,
+        updateWorkflow: false,
         watch: options.watch,
       });
       testsSucceeded = success;

packages/@aws-cdk/integ-runner/lib/engines/toolkit-lib.ts

@@ -1,8 +1,9 @@
 import * as path from 'node:path';
 import type { DeployOptions, ICdk, ListOptions, SynthFastOptions, SynthOptions, WatchEvents } from '@aws-cdk/cdk-cli-wrapper';
 import type { DefaultCdkOptions, DestroyOptions } from '@aws-cdk/cloud-assembly-schema/lib/integ-tests';
-import type { DeploymentMethod, ICloudAssemblySource, IIoHost, IoMessage, IoRequest, NonInteractiveIoHostProps, StackSelector } from '@aws-cdk/toolkit-lib';
-import { ExpandStackSelection, MemoryContext, NonInteractiveIoHost, StackSelectionStrategy, Toolkit } from '@aws-cdk/toolkit-lib';
+import { UNKNOWN_REGION } from '@aws-cdk/cx-api';
+import type { DeploymentMethod, ICloudAssemblySource, IIoHost, IoMessage, IoRequest, IReadableCloudAssembly, NonInteractiveIoHostProps, StackSelector } from '@aws-cdk/toolkit-lib';
+import { BaseCredentials, ExpandStackSelection, MemoryContext, NonInteractiveIoHost, StackSelectionStrategy, Toolkit } from '@aws-cdk/toolkit-lib';
 import * as chalk from 'chalk';
 import * as fs from 'fs-extra';
 
@@ -27,6 +28,11 @@ export interface ToolkitLibEngineOptions {
    * @default false
    */
   readonly showOutput?: boolean;
+
+  /**
+   * The region the CDK app should synthesize itself for
+   */
+  readonly region: string;
 }
 
 /**
@@ -42,7 +48,12 @@ export class ToolkitLibRunnerEngine implements ICdk {
     this.showOutput = options.showOutput ?? false;
 
     this.toolkit = new Toolkit({
-      ioHost: this.showOutput? new IntegRunnerIoHost() : new NoopIoHost(),
+      ioHost: this.showOutput ? new IntegRunnerIoHost() : new NoopIoHost(),
+      sdkConfig: {
+        baseCredentials: BaseCredentials.awsCliCompatible({
+          defaultRegion: options.region,
+        }),
+      },
       // @TODO - these options are currently available on the action calls
       // but toolkit-lib needs them at the constructor level.
       // Need to decide what to do with them.
@@ -73,6 +84,7 @@ export class ToolkitLibRunnerEngine implements ICdk {
       stacks: this.stackSelector(options),
       validateStacks: options.validation,
     });
+    await this.validateRegion(lock);
     await lock.dispose();
   }
 
@@ -100,6 +112,7 @@ export class ToolkitLibRunnerEngine implements ICdk {
     try {
       // @TODO - use produce to mimic the current behavior more closely
       const lock = await cx.produce();
+      await this.validateRegion(lock);
       await lock.dispose();
       // We should fix this once we have stabilized toolkit-lib as engine.
       // What we really should do is this:
@@ -217,7 +230,6 @@ export class ToolkitLibRunnerEngine implements ICdk {
       workingDirectory: this.options.workingDirectory,
       outdir,
       lookups: options.lookups,
-      resolveDefaultEnvironment: false, // not part of the integ-runner contract
       contextStore: new MemoryContext(options.context),
       env: this.options.env,
       synthOptions: {
@@ -256,6 +268,37 @@ export class ToolkitLibRunnerEngine implements ICdk {
       method: options.deploymentMethod ?? 'change-set',
     };
   }
+
+  /**
+   * Check that the regions for the stacks in the CloudAssembly match the regions requested on the engine
+   *
+   * This prevents misconfiguration of the integ test app. People tend to put:
+   *
+   * ```ts
+   * new Stack(app, 'Stack', {
+   *   env: {
+   *     region: 'some-region-that-suits-me',
+   *   }
+   * });
+   * ```
+   *
+   * Into their integ tests, instead of:
+   *
+   * ```ts
+   * {
+   *   region: process.env.CDK_DEFAULT_REGION,
+   * }
+   * ```
+   *
+   * This catches that misconfiguration.
+   */
+  private async validateRegion(asm: IReadableCloudAssembly) {
+    for (const stack of asm.cloudAssembly.stacksRecursively) {
+      if (stack.environment.region !== this.options.region && stack.environment.region !== UNKNOWN_REGION) {
+        throw new Error(`Stack ${stack.displayName} synthesizes for region ${stack.environment.region}, even though ${this.options.region} was requested. Please configure \`{ env: { region: process.env.CDK_DEFAULT_REGION, account: process.env.CDK_DEFAULT_ACCOUNT } }\`, or use no env at all. Do not hardcode a region or account.`);
+      }
+    }
+  }
 }
 
 /**

packages/@aws-cdk/integ-runner/lib/run-cli.ts

@@ -0,0 +1,2 @@
+import { cli } from './cli';
+cli();

packages/@aws-cdk/integ-runner/lib/runner/engine.ts

@@ -18,9 +18,8 @@ export function makeEngine(options: IntegRunnerOptions): ICdk {
       return new ToolkitLibRunnerEngine({
         workingDirectory: options.test.directory,
         showOutput: options.showOutput,
-        env: {
-          ...options.env,
-        },
+        env: options.env,
+        region: options.region,
       });
     case 'cli-wrapper':
     default:
@@ -29,6 +28,8 @@ export function makeEngine(options: IntegRunnerOptions): ICdk {
         showOutput: options.showOutput,
         env: {
           ...options.env,
+          // The CDK CLI will interpret this and use it usefully
+          AWS_REGION: options.region,
         },
       });
   }

packages/@aws-cdk/integ-runner/lib/runner/runner-base.ts

@@ -26,6 +26,11 @@ export interface IntegRunnerOptions extends EngineOptions {
    */
   readonly test: IntegTest;
 
+  /**
+   * The region where the test should be deployed
+   */
+  readonly region: string;
+
   /**
    * The AWS profile to use when invoking the CDK CLI
    *

packages/@aws-cdk/integ-runner/lib/runner/snapshot-test-runner.ts

@@ -34,8 +34,11 @@ interface SnapshotAssembly {
  * the validation of the integration test snapshots
  */
 export class IntegSnapshotRunner extends IntegRunner {
-  constructor(options: IntegRunnerOptions) {
-    super(options);
+  constructor(options: Omit<IntegRunnerOptions, 'region'>) {
+    super({
+      ...options,
+      region: 'unused',
+    });
   }
 
   /**

packages/@aws-cdk/integ-runner/lib/workers/extract/extract_worker.ts

@@ -31,8 +31,8 @@ export async function integTestWorker(request: IntegTestBatchRequest): Promise<I
         engine: request.engine,
         test,
         profile: request.profile,
+        region: request.region,
         env: {
-          AWS_REGION: request.region,
           CDK_DOCKER: process.env.CDK_DOCKER ?? 'docker',
         },
         showOutput: verbosity >= 2,
@@ -99,8 +99,8 @@ export async function watchTestWorker(options: IntegWatchOptions): Promise<void>
     engine: options.engine,
     test,
     profile: options.profile,
+    region: options.region,
     env: {
-      AWS_REGION: options.region,
       CDK_DOCKER: process.env.CDK_DOCKER ?? 'docker',
     },
     showOutput: verbosity >= 2,

packages/@aws-cdk/integ-runner/test/engines/toolkit-lib.test.ts

@@ -223,9 +223,9 @@ describe('ToolkitLibRunnerEngine', () => {
         showOutput: true,
       });
 
-      expect(MockedToolkit).toHaveBeenCalledWith({
+      expect(MockedToolkit).toHaveBeenCalledWith(expect.objectContaining({
         ioHost: expect.any(Object),
-      });
+      }));
     });
 
     it('should throw error when no app is provided', async () => {

packages/@aws-cdk/toolkit-lib/lib/api/aws-auth/base-credentials.ts

@@ -92,10 +92,14 @@ export class BaseCredentials {
    */
   public static awsCliCompatible(options: AwsCliCompatibleOptions = {}): IBaseCredentialsProvider {
     return new class implements IBaseCredentialsProvider {
-      public sdkBaseConfig(ioHost: IActionAwareIoHost, clientConfig: SdkBaseClientConfig) {
+      public async sdkBaseConfig(ioHost: IActionAwareIoHost, clientConfig: SdkBaseClientConfig) {
         const ioHelper = IoHelper.fromActionAwareIoHost(ioHost);
         const awsCli = new AwsCliCompatible(ioHelper, clientConfig.requestHandler ?? {}, new IoHostSdkLogger(ioHelper));
-        return awsCli.baseConfig(options.profile);
+
+        const ret = await awsCli.baseConfig(options.profile);
+        return options.defaultRegion
+          ? { ...ret, defaultRegion: options.defaultRegion }
+          : ret;
       }
 
       public toString() {
@@ -140,6 +144,18 @@ export interface AwsCliCompatibleOptions {
    * @default - Use environment variable if set.
    */
   readonly profile?: string;
+
+  /**
+   * Use a different default region than the one in the profile
+   *
+   * If not supplied the environment variable AWS_REGION will be used, or
+   * whatever region is set in the indicated profile in `~/.aws/config`.
+   * If no region is set in the profile the region in `[default]` will
+   * be used.
+   *
+   * @default - Use region from `~/.aws/config`.
+   */
+  readonly defaultRegion?: string;
 }
 
 export interface CustomBaseCredentialsOption {