From 47b5ca06c50a566af8d1fed4202164b85f793d18 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Fri, 24 Jun 2022 18:54:25 +0200 Subject: [PATCH 1/2] fix(pipelines): 'ConfirmPermissionsBroadening' uses wrong node version (#20861) The CodeBuild Project that is used when the `ConfirmPermissionsBroadening` feature is enabled does not have a CodeBuild image specified. This makes it use the `standard:2.0` image by default, which is AL2-based and comes with Node 12. CDK tooling now requires Node 14 to run. Make it use the `standard:5.0` image like all other CodeBuild projects, which contains Node 14. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../lib/private/application-security-check.ts | 3 +++ .../test/compliance/security-check.test.ts | 17 ++++++++++++++--- .../PipelineSecurityStack.assets.json | 4 ++-- .../PipelineSecurityStack.template.json | 4 ++-- .../manifest.json | 2 +- .../pipeline-security.integ.snapshot/tree.json | 6 +++--- 6 files changed, 25 insertions(+), 11 deletions(-) diff --git a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts index b94324290ac37..38aaa04abf802 100644 --- a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts +++ b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts @@ -99,6 +99,9 @@ export class ApplicationSecurityCheck extends Construct { ` --message "${message.join('\n')}"`; this.cdkDiffProject = new codebuild.Project(this, 'CDKSecurityCheck', { + environment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_5_0, + }, buildSpec: codebuild.BuildSpec.fromObject({ version: 0.2, phases: { diff --git a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts index f8c53a40e3e37..958145f67ceb3 100644 --- a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts @@ -40,8 +40,9 @@ behavior('security check option generates lambda/codebuild at pipeline scope', ( }); function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::Lambda::Function', { + const template = Template.fromStack(pipelineStack); + template.resourceCountIs('AWS::Lambda::Function', 1); + template.hasResourceProperties('AWS::Lambda::Function', { Role: { 'Fn::GetAtt': [ stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), @@ -50,7 +51,17 @@ behavior('security check option generates lambda/codebuild at pipeline scope', ( }, }); // 1 for github build, 1 for synth stage, and 1 for the application security check - Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3); + template.resourceCountIs('AWS::CodeBuild::Project', 3); + + // No CodeBuild project has a build image that is not standard:5.0 + const projects = template.findResources('AWS::CodeBuild::Project', { + Properties: { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + }, + }); + expect(Object.keys(projects).length).toEqual(3); } }); diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json index c697034eb608a..c218215c95fd8 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json @@ -27,7 +27,7 @@ } } }, - "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f": { + "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115": { "source": { "path": "PipelineSecurityStack.template.json", "packaging": "file" @@ -35,7 +35,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json", + "objectKey": "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json index 4a198bda45898..c2ecebd2a612a 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json @@ -2603,7 +2603,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -2947,7 +2947,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json index 2f600dffd75c4..e9ce1f9e4e7bf 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json @@ -65,7 +65,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json index 66cb3d249a4f4..6a70ad206ee3f 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json @@ -268,7 +268,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::KMS::Alias", "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinesecuritystacktestpipelinef7060861", + "aliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861", "targetKeyId": { "Fn::GetAtt": [ "TestPipelineArtifactsBucketEncryptionKey13258842", @@ -3519,7 +3519,7 @@ }, "environment": { "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:1.0", + "image": "aws/codebuild/standard:5.0", "imagePullCredentialsType": "CODEBUILD", "privilegedMode": false, "computeType": "BUILD_GENERAL1_SMALL" @@ -4065,7 +4065,7 @@ }, "environment": { "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:1.0", + "image": "aws/codebuild/standard:5.0", "imagePullCredentialsType": "CODEBUILD", "privilegedMode": false, "computeType": "BUILD_GENERAL1_SMALL" From 4832cb4aab966d2caaf9c4500069016c0cfd60d4 Mon Sep 17 00:00:00 2001 From: Mitchell Valine Date: Fri, 24 Jun 2022 13:05:13 -0700 Subject: [PATCH 2/2] chore(release): 2.29.1 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 831a6163a8954..15741bb1f1f30 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.29.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.29.0-alpha.0...v2.29.1-alpha.0) (2022-06-24) + ## [2.29.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.28.1-alpha.0...v2.29.0-alpha.0) (2022-06-22) ## [2.28.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.28.0-alpha.0...v2.28.1-alpha.0) (2022-06-15) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 6425cd0b1092b..c174cf702a885 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.29.1](https://github.com/aws/aws-cdk/compare/v2.29.0...v2.29.1) (2022-06-24) + + +### Bug Fixes + +* **pipelines:** 'ConfirmPermissionsBroadening' uses wrong node version ([#20861](https://github.com/aws/aws-cdk/issues/20861)) ([47b5ca0](https://github.com/aws/aws-cdk/commit/47b5ca06c50a566af8d1fed4202164b85f793d18)) + ## [2.29.0](https://github.com/aws/aws-cdk/compare/v2.28.1...v2.29.0) (2022-06-22) diff --git a/version.v2.json b/version.v2.json index bccd2b9853286..ccbb94cfe0aea 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.29.0", - "alphaVersion": "2.29.0-alpha.0" + "version": "2.29.1", + "alphaVersion": "2.29.1-alpha.0" } \ No newline at end of file