feat(codepipeline): generate a Role for every AWS-owned Action used i…
…n a Pipeline. (#3105)

Instead of granting permissions to the Pipeline's Role,
which results in a Policy with a very wide range of permissions,
generate a separate Role for each AWS-owned Action added to the Pipeline.
The Pipeline Role will assume each Action-specific Role
(permissions are granted for that automatically)
before the Action is executed.

Also allow overriding this default behavior by specifying a Role for AWS-owned Actions.
skinny85 authored Jun 28, 2019
1 parent 9a38109 commit 921dcc9
Showing 39 changed files with 5,375 additions and 1,032 deletions.
288 changes: 223 additions & 65 deletions packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
@@ -1,8 +1,8 @@
{
"Resources": {
"ArtifactBucket7410C9EF": {
"DeletionPolicy": "Delete",
"Type": "AWS::S3::Bucket"
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Delete"
},
"CodePipelineRoleB3A660B4": {
"Type": "AWS::IAM::Role",
Expand Down Expand Up @@ -70,75 +70,22 @@
]
},
{
"Action": "iam:PassRole",
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"CodePipelineDeployChangeSetRoleF9F2B343",
"CodePipelineDeployExecuteCodePipelineActionRoleAE36AF49",
"Arn"
]
}
},
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks"
],
"Condition": {
"StringEqualsIfExists": {
"cloudformation:ChangeSetName": "CICD-ChangeSet"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/CICD/*"
]
]
}
},
{
"Action": "cloudformation:ExecuteChangeSet",
"Condition": {
"StringEquals": {
"cloudformation:ChangeSetName": "CICD-ChangeSet"
}
},
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/CICD/*"
]
"Fn::GetAtt": [
"CodePipelineDeployChangeSetCodePipelineActionRoleB3BCDD8A",
"Arn"
]
}
}
Expand Down Expand Up @@ -202,15 +149,15 @@
},
"Configuration": {
"StackName": "CICD",
"ActionMode": "CHANGE_SET_REPLACE",
"ChangeSetName": "CICD-ChangeSet",
"TemplatePath": "Artifact_CICDGitHubF8BA7ADD::CICD.template.yaml",
"RoleArn": {
"Fn::GetAtt": [
"CodePipelineDeployChangeSetRoleF9F2B343",
"Arn"
]
}
},
"ActionMode": "CHANGE_SET_REPLACE",
"ChangeSetName": "CICD-ChangeSet",
"TemplatePath": "Artifact_CICDGitHubF8BA7ADD::CICD.template.yaml"
},
"InputArtifacts": [
{
Expand All @@ -219,6 +166,12 @@
],
"Name": "ChangeSet",
"OutputArtifacts": [],
"RoleArn": {
"Fn::GetAtt": [
"CodePipelineDeployChangeSetCodePipelineActionRoleB3BCDD8A",
"Arn"
]
},
"RunOrder": 10
},
{
Expand All @@ -236,6 +189,12 @@
"InputArtifacts": [],
"Name": "Execute",
"OutputArtifacts": [],
"RoleArn": {
"Fn::GetAtt": [
"CodePipelineDeployExecuteCodePipelineActionRoleAE36AF49",
"Arn"
]
},
"RunOrder": 999
}
],
Expand All @@ -254,6 +213,205 @@
"CodePipelineRoleB3A660B4"
]
},
"CodePipelineDeployExecuteCodePipelineActionRoleAE36AF49": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"CodePipelineDeployExecuteCodePipelineActionRoleDefaultPolicy2B66E78C": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "cloudformation:ExecuteChangeSet",
"Condition": {
"StringEquals": {
"cloudformation:ChangeSetName": "CICD-ChangeSet"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/CICD/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "CodePipelineDeployExecuteCodePipelineActionRoleDefaultPolicy2B66E78C",
"Roles": [
{
"Ref": "CodePipelineDeployExecuteCodePipelineActionRoleAE36AF49"
}
]
}
},
"CodePipelineDeployChangeSetCodePipelineActionRoleB3BCDD8A": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::",
{
"Ref": "AWS::AccountId"
},
":root"
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"CodePipelineDeployChangeSetCodePipelineActionRoleDefaultPolicy87FA0C1E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"CodePipelineDeployChangeSetRoleF9F2B343",
"Arn"
]
}
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"ArtifactBucket7410C9EF",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"ArtifactBucket7410C9EF",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks"
],
"Condition": {
"StringEqualsIfExists": {
"cloudformation:ChangeSetName": "CICD-ChangeSet"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":cloudformation:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":stack/CICD/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "CodePipelineDeployChangeSetCodePipelineActionRoleDefaultPolicy87FA0C1E",
"Roles": [
{
"Ref": "CodePipelineDeployChangeSetCodePipelineActionRoleB3BCDD8A"
}
]
}
},
"CodePipelineDeployChangeSetRoleF9F2B343": {
"Type": "AWS::IAM::Role",
"Properties": {
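Review bot: The trust policy of each generated action role (e.g. `CodePipelineDeployExecuteCodePipelineActionRoleAE36AF49` and `CodePipelineDeployChangeSetCodePipelineActionRoleB3BCDD8A`) names the account root, `arn:<partition>:iam::<account>:root`, as the `AWS` principal with no `Condition`, so any IAM principal in the account that is granted `sts:AssumeRole` on that role ARN can assume it, not only the pipeline role that the commit description says is the intended caller. Since the pipeline role's own `sts:AssumeRole` grants (the `CodePipelineRoleB3A660B4` policy statements at the top of the section) already point at the action role ARNs, the tighter trust relationship would be `"Principal": { "AWS": { "Fn::GetAtt": [ "CodePipelineRoleB3A660B4", "Arn" ] } }` in each `AssumeRolePolicyDocument`. If the account principal is deliberate, presumably to avoid a cyclic reference when the pipeline role lives in a different stack or account, the construct that emits these roles should say so in a comment and the `iam:PassRole` on `CodePipelineDeployChangeSetRoleF9F2B343` now carried by the ChangeSet action role makes that role worth protecting. This file is a synthesized snapshot, so the fix belongs in the generating construct rather than here.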
@@ -1,4 +1,4 @@
import { countResources, expect, haveResource, isSuperObject } from '@aws-cdk/assert';
import { expect, haveResource, isSuperObject } from '@aws-cdk/assert';
import cfn = require('@aws-cdk/aws-cloudformation');
import codebuild = require('@aws-cdk/aws-codebuild');
import codepipeline = require('@aws-cdk/aws-codepipeline');
Expand Down Expand Up @@ -268,9 +268,6 @@ export = nodeunit.testCase({
}));

// THEN //
// there should be 3 policies 1. CodePipeline, 2. Codebuild, 3.
// ChangeSetDeploy Action
expect(pipelineStack).to(countResources('AWS::IAM::Policy', 3));
expect(pipelineStack).to(haveResource('AWS::IAM::Policy', {
PolicyDocument: {
Version: '2012-10-17',
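Review bot: The `countResources('AWS::IAM::Policy', 3)` assertion in the `@@ -268,9 +268,6 @@` hunk is deleted rather than updated, so the test no longer bounds how many policies the pipeline stack synthesizes and would not catch a regression that attaches both the per-action policy and the old wide grant to the pipeline role. Keeping a count with the new expected value, `expect(pipelineStack).to(countResources('AWS::IAM::Policy', N));`, where N is presumably the CodePipeline and CodeBuild policies plus one per AWS-owned action role (confirm against the synthesized template), preserves that guard. The `haveResource('AWS::IAM::Policy', ...)` check that follows only proves a matching policy exists somewhere, not that the pipeline role itself lost the CloudFormation permissions. The enclosing test case starts above the hunk and its body continues past it.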
