Skip to content

Commit

Permalink
feat(codebuild): allow specifying principals and credentials for pull…
Browse files Browse the repository at this point in the history 
…ing build images.

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes #2175

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
  • Loading branch information
@Kaixiang-AWS @skinny85
Kaixiang-AWS authored and skinny85 committed Jul 6, 2019
1 parent ec1c5b7 commit cad83dc
Show file tree
Hide file tree
Showing 10 changed files with 466 additions and 143 deletions.
2 changes: 2 additions & 0 deletions allowed-breaking-changes.txt
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
removed:@aws-cdk/aws-ec2.Port.toRuleJSON
removed:@aws-cdk/aws-codebuild.LinuxBuildImage.fromDockerHub
removed:@aws-cdk/aws-codebuild.WindowsBuildImage.fromDockerHub
change-return-type:@aws-cdk/aws-codebuild.PipelineProject.addSecondaryArtifact
change-return-type:@aws-cdk/aws-codebuild.Project.addSecondaryArtifact
removed:@aws-cdk/aws-ec2.Connections.allowFromAnyIPv4
Expand Down
7 changes: 5 additions & 2 deletions packages/@aws-cdk/aws-codebuild/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,7 @@ of the constants such as `WindowsBuildImage.WIN_SERVER_CORE_2016_BASE` or
Alternatively, you can specify a custom image using one of the static methods on
`XxxBuildImage`:

* Use `.fromDockerHub(image)` to reference an image publicly available in Docker
Hub.
* Use `.fromDockerRegistry(image[, { secretsManagerCredentials }])` to reference an image in any public or private Docker registry.
* Use `.fromEcrRepository(repo[, tag])` to reference an image available in an
ECR repository.
* Use `.fromAsset(directory)` to use an image created from a
Expand All @@ -201,6 +200,10 @@ The following example shows how to define an image from an ECR repository:

[ECR example](./test/integ.ecr.lit.ts)

The following example shows how to define an image from a private docker registry:

[Docker Registry example](./test/integ.docker-registry.lit.ts)

## Events

CodeBuild projects can be used either as a source for events or be triggered
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-codebuild/lib/artifacts.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ export interface ArtifactsProps {
* Artifacts definition for a CodeBuild Project.
*/
export abstract class Artifacts implements IArtifacts {
public static s3(props: S3ArtifactsProps): Artifacts {
public static s3(props: S3ArtifactsProps): IArtifacts {
return new S3Artifacts(props);
}

Expand Down
278 changes: 203 additions & 75 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
View file

Large diffs are not rendered by default.

10 changes: 5 additions & 5 deletions packages/@aws-cdk/aws-codebuild/lib/source.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,23 +50,23 @@ export interface SourceProps {
* Source provider definition for a CodeBuild Project.
*/
export abstract class Source implements ISource {
public static s3(props: S3SourceProps): Source {
public static s3(props: S3SourceProps): ISource {
return new S3Source(props);
}

public static codeCommit(props: CodeCommitSourceProps): Source {
public static codeCommit(props: CodeCommitSourceProps): ISource {
return new CodeCommitSource(props);
}

public static gitHub(props: GitHubSourceProps): Source {
public static gitHub(props: GitHubSourceProps): ISource {
return new GitHubSource(props);
}

public static gitHubEnterprise(props: GitHubEnterpriseSourceProps): Source {
public static gitHubEnterprise(props: GitHubEnterpriseSourceProps): ISource {
return new GitHubEnterpriseSource(props);
}

public static bitBucket(props: BitBucketSourceProps): Source {
public static bitBucket(props: BitBucketSourceProps): ISource {
return new BitBucketSource(props);
}

Expand Down
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-codebuild/package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@
"@aws-cdk/aws-kms": "^0.37.0",
"@aws-cdk/aws-s3": "^0.37.0",
"@aws-cdk/aws-s3-assets": "^0.37.0",
"@aws-cdk/aws-secretsmanager": "^0.37.0",
"@aws-cdk/core": "^0.37.0"
},
"homepage": "https://github.com/awslabs/aws-cdk",
Expand All @@ -105,6 +106,7 @@
"@aws-cdk/aws-kms": "^0.37.0",
"@aws-cdk/aws-s3": "^0.37.0",
"@aws-cdk/aws-s3-assets": "^0.37.0",
"@aws-cdk/aws-secretsmanager": "^0.37.0",
"@aws-cdk/core": "^0.37.0"
},
"engines": {
Expand All @@ -118,4 +120,4 @@
]
},
"stability": "stable"
}
}
69 changes: 41 additions & 28 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,33 +39,6 @@
]
}
]
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
],
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"codebuild.",
{
"Ref": "AWS::URLSuffix"
}
]
]
}
},
"Sid": "CodeBuild"
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
Expand Down Expand Up @@ -262,6 +235,45 @@
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ecr:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":repository/",
{
"Fn::GetAtt": [
"MyImageAdoptRepository6CA902F6",
"RepositoryName"
]
}
]
]
}
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup",
Expand Down Expand Up @@ -439,6 +451,7 @@
]
]
},
"ImagePullCredentialsType": "SERVICE_ROLE",
"PrivilegedMode": false,
"Type": "LINUX_CONTAINER"
},
Expand All @@ -455,4 +468,4 @@
}
}
}
}
}
148 changes: 148 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{
"Resources": {
"MyProjectRole9BBE5233": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"codebuild.",
{
"Ref": "AWS::URLSuffix"
}
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"MyProjectRoleDefaultPolicyB19B7C29": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "MyProject39F7B0AE"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "MyProject39F7B0AE"
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyProjectRoleDefaultPolicyB19B7C29",
"Roles": [
{
"Ref": "MyProjectRole9BBE5233"
}
]
}
},
"MyProject39F7B0AE": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Artifacts": {
"Type": "NO_ARTIFACTS"
},
"Environment": {
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "my-registry/my-repo",
"ImagePullCredentialsType": "SERVICE_ROLE",
"PrivilegedMode": false,
"RegistryCredential": {
"Credential": {
"Fn::Join": [
"",
[
"arn:aws:secretsmanager:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":secret:my-secrets-123456"
]
]
},
"CredentialProvider": "SECRETS_MANAGER"
},
"Type": "LINUX_CONTAINER"
},
"ServiceRole": {
"Fn::GetAtt": [
"MyProjectRole9BBE5233",
"Arn"
]
},
"Source": {
"BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"ls\"\n ]\n }\n }\n}",
"Type": "NO_SOURCE"
}
}
}
}
}
36 changes: 36 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
import secretsmanager = require('@aws-cdk/aws-secretsmanager');
import cdk = require('@aws-cdk/core');
import codebuild = require('../lib');

class TestStack extends cdk.Stack {
constructor(scope: cdk.App, id: string) {
super(scope, id);

const secrets = secretsmanager.Secret.fromSecretArn(this, "MySecrets",
`arn:aws:secretsmanager:${this.region}:${this.account}:secret:my-secrets-123456`);

new codebuild.Project(this, 'MyProject', {
buildSpec: codebuild.BuildSpec.fromObject({
version: "0.2",
phases: {
build: {
commands: [ 'ls' ]
}
}
}),
/// !show
environment: {
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('my-registry/my-repo', {
secretsManagerCredentials: secrets,
}),
},
/// !hide
});
}
}

const app = new cdk.App();

new TestStack(app, 'test-codebuild-docker-asset');

app.synth();
Loading

0 comments on commit cad83dc

Please sign in to comment.