From f2aa08ec3b434e843cb3d8bf513a8f7bc37d9b56 Mon Sep 17 00:00:00 2001 
From: Joshua Weber <57131123+daschaa@users.noreply.github.com> Date: Thu, 18 Aug 2022 18:51:34 +0200 Subject: [PATCH] fix(codebuild): ReportGroup missing test permissions when set to CODE_COVERAGE (#21656) Fixes #21534 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-codebuild/README.md | 2 + .../aws-codebuild/lib/report-group.ts | 10 +- packages/@aws-cdk/aws-codebuild/package.json | 1 + .../aws-codebuild/test/integ.report-group.ts | 49 +++ ...aultTestDeployAssert57960C5A.template.json | 1 + .../aws-cdk-report-group.template.json | 194 ++++++++++ .../test/report-group.integ.snapshot/cdk.out | 1 + .../report-group.integ.snapshot/integ.json | 11 + .../report-group.integ.snapshot/manifest.json | 64 ++++ .../report-group.integ.snapshot/tree.json | 343 ++++++++++++++++++ .../aws-codebuild/test/report-group.test.ts | 77 ++++ 11 files changed, 750 insertions(+), 3 deletions(-) create mode 100644 packages/@aws-cdk/aws-codebuild/test/integ.report-group.ts create mode 100644 packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/ReportGroupIntegTestDefaultTestDeployAssert57960C5A.template.json create mode 100644 packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/aws-cdk-report-group.template.json create mode 100644 
packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/cdk.out create mode 100644 packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/integ.json create mode 100644 packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/manifest.json create mode 100644 packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/tree.json diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md index 15fcb2b1d6321..5722c3ec35b9c 100644 --- a/packages/@aws-cdk/aws-codebuild/README.md +++ b/packages/@aws-cdk/aws-codebuild/README.md @@ -509,6 +509,8 @@ declare const reportGroup: codebuild.ReportGroup; reportGroup.grantWrite(project); ``` +The created policy will adjust to the report group type. If no type is specified when creating the report group the created policy will contain the action for the test report group type. + For more information on the test reports feature, see the [AWS CodeBuild documentation](https://docs.aws.amazon.com/codebuild/latest/userguide/test-reporting.html). diff --git a/packages/@aws-cdk/aws-codebuild/lib/report-group.ts b/packages/@aws-cdk/aws-codebuild/lib/report-group.ts index 1cf148cc0c133..f951cebbe08ca 100644 --- a/packages/@aws-cdk/aws-codebuild/lib/report-group.ts +++ b/packages/@aws-cdk/aws-codebuild/lib/report-group.ts 
@@ -38,14 +38,16 @@ abstract class ReportGroupBase extends cdk.Resource implements IReportGroup {
 public abstract readonly reportGroupArn: string;
 public abstract readonly reportGroupName: string;
 protected abstract readonly exportBucket?: s3.IBucket;
+ protected abstract readonly type?: ReportGroupType;
 public grantWrite(identity: iam.IGrantable): iam.Grant {
+ const typeAction = this.type === ReportGroupType.CODE_COVERAGE ? 'codebuild:BatchPutCodeCoverages' : 'codebuild:BatchPutTestCases';
 const ret = iam.Grant.addToPrincipal({
 grantee: identity,
 actions: [
 'codebuild:CreateReport',
 'codebuild:UpdateReport',
- 'codebuild:BatchPutTestCases',
+ typeAction,
 ],
 resourceArns: [this.reportGroupArn],
 });
@@ -134,6 +136,7 @@ export class ReportGroup extends ReportGroupBase {
 public readonly reportGroupName = reportGroupName;
 public readonly reportGroupArn = renderReportGroupArn(scope, reportGroupName);
 protected readonly exportBucket = undefined;
+ protected readonly type = undefined;
 }
 return new Import(scope, id);
@@ -142,14 +145,15 @@ export class ReportGroup extends ReportGroupBase {
 public readonly reportGroupArn: string;
 public readonly reportGroupName: string;
 protected readonly exportBucket?: s3.IBucket;
+ protected readonly type?: ReportGroupType;
 constructor(scope: Construct, id: string, props: ReportGroupProps = {}) {
 super(scope, id, {
 physicalName: props.reportGroupName,
 });
-
+ this.type = props.type ? props.type : ReportGroupType.TEST;
 const resource = new CfnReportGroup(this, 'Resource', {
- type: props.type ? props.type : ReportGroupType.TEST,
+ type: this.type,
 exportConfig: {
 exportConfigType: props.exportBucket ? 'S3' : 'NO_EXPORT',
 s3Destination: props.exportBucket
diff --git a/packages/@aws-cdk/aws-codebuild/package.json b/packages/@aws-cdk/aws-codebuild/package.json
index 50e52f654e5bb..b9c15e0b82297 100644
--- a/packages/@aws-cdk/aws-codebuild/package.json
+++ b/packages/@aws-cdk/aws-codebuild/package.json
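Review bot: In `grantWrite`, any report group whose `type` is undefined falls through to `codebuild:BatchPutTestCases`, and the second hunk sets `protected readonly type = undefined;` on the imported `Import` class, so an imported CODE_COVERAGE group still receives the test-case action and not `codebuild:BatchPutCodeCoverages`. The grant would synthesize without complaint while the role presumably still lacks the action it needs, which looks like the same failure this commit fixes for constructed groups. At minimum the fallback should be documented where it is decided, e.g. `// type is unknown for imported report groups; grantWrite() then assumes TEST` above the `typeAction` line, and the README sentence could say the same for imports. Letting the import path accept a type would close the gap without widening the grant to both actions. The bodies of `grantWrite` and of the import method continue outside the hunks.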
@@ -89,6 +89,7 @@
 "@aws-cdk/aws-sqs": "0.0.0",
 "@aws-cdk/cdk-build-tools": "0.0.0",
 "@aws-cdk/integ-runner": "0.0.0",
+ "@aws-cdk/integ-tests": "0.0.0",
 "@aws-cdk/cfn2ts": "0.0.0",
 "@aws-cdk/pkglint": "0.0.0",
 "@types/jest": "^27.5.2",
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.report-group.ts b/packages/@aws-cdk/aws-codebuild/test/integ.report-group.ts
new file mode 100644
index 0000000000000..740d220c40ee0
--- /dev/null
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.report-group.ts
@@ -0,0 +1,49 @@
+import * as cdk from '@aws-cdk/core';
+import * as integ from '@aws-cdk/integ-tests';
+import * as codebuild from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'aws-cdk-report-group');
+
+const reportGroupCodeCoverage = new codebuild.ReportGroup(stack, 'CoverageReportGroup', {
+ type: codebuild.ReportGroupType.CODE_COVERAGE,
+});
+
+const reportGroupTest = new codebuild.ReportGroup(stack, 'TestReportGroup', {
+ type: codebuild.ReportGroupType.TEST,
+});
+
+const project = new codebuild.Project(stack, 'MyProject', {
+ buildSpec: codebuild.BuildSpec.fromObject({
+ version: '0.2',
+ phases: {
+ build: {
+ commands: ['echo "Nothing to do!"'],
+ },
+ },
+ reports: {
+ [reportGroupTest.reportGroupArn]: {
+ 'base-directory': 'test-reports',
+ 'file-format': 'JUNITXML',
+ 'files': [
+ '**/*',
+ ],
+ },
+ [reportGroupCodeCoverage.reportGroupArn]: {
+ 'base-directory': 'coverage',
+ 'file-format': 'CLOVERXML',
+ 'files': ['clover.xml'],
+ },
+ },
+ }),
+ grantReportGroupPermissions: false,
+});
+reportGroupCodeCoverage.grantWrite(project);
+reportGroupTest.grantWrite(project);
+
+new integ.IntegTest(app, 'ReportGroupIntegTest', {
+ testCases: [stack],
+});
+
+app.synth();
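Review bot: Nothing in this integ test starts a build, and the buildspec's only command is `echo "Nothing to do!"`, so no report is ever uploaded and the new `codebuild:BatchPutCodeCoverages` grant is checked only as synthesized text in the snapshot, not against the service. Setting `grantReportGroupPermissions: false` leaves the two `grantWrite` calls as the only source of report permissions in the synthesized policy, which is what makes the snapshot meaningful; that intent deserves a comment above the property, e.g. `// only grantWrite() may add report-group permissions in this test`. If a runtime check is out of scope, saying so in a header comment would stop readers from assuming the test proves a build can write coverage reports.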
diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/ReportGroupIntegTestDefaultTestDeployAssert57960C5A.template.json b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/ReportGroupIntegTestDefaultTestDeployAssert57960C5A.template.json new file mode 100644 index 0000000000000..9e26dfeeb6e64 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/ReportGroupIntegTestDefaultTestDeployAssert57960C5A.template.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/aws-cdk-report-group.template.json b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/aws-cdk-report-group.template.json new file mode 100644 index 0000000000000..1188be27cb4af --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/aws-cdk-report-group.template.json 
@@ -0,0 +1,194 @@ +{ + "Resources": { + "CoverageReportGroupE23151CF": { + "Type": "AWS::CodeBuild::ReportGroup", + "Properties": { + "ExportConfig": { + "ExportConfigType": "NO_EXPORT" + }, + "Type": "CODE_COVERAGE" + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "TestReportGroup1F49A500": { + "Type": "AWS::CodeBuild::ReportGroup", + "Properties": { + "ExportConfig": { + "ExportConfigType": "NO_EXPORT" + }, + "Type": "TEST" + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] + } + ] + }, + { + "Action": [ + "codebuild:BatchPutCodeCoverages", + "codebuild:CreateReport", + "codebuild:UpdateReport" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "CoverageReportGroupE23151CF", + "Arn" + ] + } + }, + { + "Action": [ + "codebuild:BatchPutTestCases", + "codebuild:CreateReport", + "codebuild:UpdateReport" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + 
"TestReportGroup1F49A500", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" + } + ] + } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "NO_ARTIFACTS" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/standard:1.0", + "ImagePullCredentialsType": "CODEBUILD", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "Source": { + "BuildSpec": { + "Fn::Join": [ + "", + [ + "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"echo \\\"Nothing to do!\\\"\"\n ]\n }\n },\n \"reports\": {\n \"", + { + "Fn::GetAtt": [ + "TestReportGroup1F49A500", + "Arn" + ] + }, + "\": {\n \"base-directory\": \"test-reports\",\n \"file-format\": \"JUNITXML\",\n \"files\": [\n \"**/*\"\n ]\n },\n \"", + { + "Fn::GetAtt": [ + "CoverageReportGroupE23151CF", + "Arn" + ] + }, + "\": {\n \"base-directory\": \"coverage\",\n \"file-format\": \"CLOVERXML\",\n \"files\": [\n \"clover.xml\"\n ]\n }\n }\n}" + ] + ] + }, + "Type": "NO_SOURCE" + }, + "Cache": { + "Type": "NO_CACHE" + }, + "EncryptionKey": "alias/aws/s3" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/cdk.out b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/cdk.out new file mode 100644 index 0000000000000..588d7b269d34f --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"20.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/integ.json b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/integ.json new file mode 100644 index 0000000000000..e54db9584709d --- /dev/null 
+++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/integ.json @@ -0,0 +1,11 @@ +{ + "version": "20.0.0", + "testCases": { + "ReportGroupIntegTest/DefaultTest": { + "stacks": [ + "aws-cdk-report-group" + ], + "assertionStack": "ReportGroupIntegTestDefaultTestDeployAssert57960C5A" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/manifest.json b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/manifest.json new file mode 100644 index 0000000000000..4c731d0cd7073 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/manifest.json 
@@ -0,0 +1,64 @@ +{ + "version": "20.0.0", + "artifacts": { + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-report-group": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-report-group.template.json", + "validateOnSynth": false + }, + "metadata": { + "/aws-cdk-report-group/CoverageReportGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "CoverageReportGroupE23151CF" + } + ], + "/aws-cdk-report-group/TestReportGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestReportGroup1F49A500", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] + } + ], + "/aws-cdk-report-group/MyProject/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyProjectRole9BBE5233" + } + ], + "/aws-cdk-report-group/MyProject/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyProjectRoleDefaultPolicyB19B7C29" + } + ], + "/aws-cdk-report-group/MyProject/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyProject39F7B0AE" + } + ] + }, + "displayName": "aws-cdk-report-group" + }, + "ReportGroupIntegTestDefaultTestDeployAssert57960C5A": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "ReportGroupIntegTestDefaultTestDeployAssert57960C5A.template.json", + "validateOnSynth": false + }, + "displayName": "ReportGroupIntegTest/DefaultTest/DeployAssert" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/tree.json b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/tree.json new file mode 100644 index 0000000000000..cc252f27f1b98 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.integ.snapshot/tree.json 
@@ -0,0 +1,343 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.71" + } + }, + "aws-cdk-report-group": { + "id": "aws-cdk-report-group", + "path": "aws-cdk-report-group", + "children": { + "CoverageReportGroup": { + "id": "CoverageReportGroup", + "path": "aws-cdk-report-group/CoverageReportGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-report-group/CoverageReportGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CodeBuild::ReportGroup", + "aws:cdk:cloudformation:props": { + "exportConfig": { + "exportConfigType": "NO_EXPORT" + }, + "type": "CODE_COVERAGE" + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.CfnReportGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.ReportGroup", + "version": "0.0.0" + } + }, + "TestReportGroup": { + "id": "TestReportGroup", + "path": "aws-cdk-report-group/TestReportGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-report-group/TestReportGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CodeBuild::ReportGroup", + "aws:cdk:cloudformation:props": { + "exportConfig": { + "exportConfigType": "NO_EXPORT" + }, + "type": "TEST" + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.CfnReportGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.ReportGroup", + "version": "0.0.0" + } + }, + "MyProject": { + "id": "MyProject", + "path": "aws-cdk-report-group/MyProject", + "children": { + "Role": { + "id": "Role", + "path": "aws-cdk-report-group/MyProject/Role", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-report-group/MyProject/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + 
"assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codebuild.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-cdk-report-group/MyProject/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-report-group/MyProject/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + }, + ":*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] + } + ] + }, + { + "Action": [ + "codebuild:BatchPutCodeCoverages", + "codebuild:CreateReport", + "codebuild:UpdateReport" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "CoverageReportGroupE23151CF", + "Arn" + ] + } + }, + { + "Action": [ + "codebuild:BatchPutTestCases", + "codebuild:CreateReport", + "codebuild:UpdateReport" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TestReportGroup1F49A500", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "MyProjectRoleDefaultPolicyB19B7C29", + "roles": [ + { + "Ref": "MyProjectRole9BBE5233" + } + ] + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.CfnPolicy", + "version": "0.0.0" + } + } + 
}, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-report-group/MyProject/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", + "aws:cdk:cloudformation:props": { + "artifacts": { + "type": "NO_ARTIFACTS" + }, + "environment": { + "type": "LINUX_CONTAINER", + "image": "aws/codebuild/standard:1.0", + "imagePullCredentialsType": "CODEBUILD", + "privilegedMode": false, + "computeType": "BUILD_GENERAL1_SMALL" + }, + "serviceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "source": { + "type": "NO_SOURCE", + "buildSpec": { + "Fn::Join": [ + "", + [ + "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"echo \\\"Nothing to do!\\\"\"\n ]\n }\n },\n \"reports\": {\n \"", + { + "Fn::GetAtt": [ + "TestReportGroup1F49A500", + "Arn" + ] + }, + "\": {\n \"base-directory\": \"test-reports\",\n \"file-format\": \"JUNITXML\",\n \"files\": [\n \"**/*\"\n ]\n },\n \"", + { + "Fn::GetAtt": [ + "CoverageReportGroupE23151CF", + "Arn" + ] + }, + "\": {\n \"base-directory\": \"coverage\",\n \"file-format\": \"CLOVERXML\",\n \"files\": [\n \"clover.xml\"\n ]\n }\n }\n}" + ] + ] + } + }, + "cache": { + "type": "NO_CACHE" + }, + "encryptionKey": "alias/aws/s3" + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.CfnProject", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-codebuild.Project", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + }, + "ReportGroupIntegTest": { + "id": "ReportGroupIntegTest", + "path": "ReportGroupIntegTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "ReportGroupIntegTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": 
"ReportGroupIntegTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.71" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "ReportGroupIntegTest/DefaultTest/DeployAssert", + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests.IntegTest", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/core.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/report-group.test.ts b/packages/@aws-cdk/aws-codebuild/test/report-group.test.ts index 387b5d5b65fa4..24d8005af64a4 100644 --- a/packages/@aws-cdk/aws-codebuild/test/report-group.test.ts +++ b/packages/@aws-cdk/aws-codebuild/test/report-group.test.ts 
@@ -165,4 +165,81 @@ describe('Test Reports Groups', () => {
 "Type": "TEST",
 });
 });
+
+ test.each([
+ [ReportGroupType.CODE_COVERAGE, 'codebuild:BatchPutCodeCoverages'],
+ [ReportGroupType.TEST, 'codebuild:BatchPutTestCases'],
+ ])('has correct policy when type is %s', (type: ReportGroupType, policyStatement: string) => {
+ const stack = new cdk.Stack();
+
+ const reportGroup = new codebuild.ReportGroup(stack, 'ReportGroup', {
+ type,
+ });
+
+ const project = new codebuild.Project(stack, 'TestProject', {
+ buildSpec: {
+ toBuildSpec: () => '',
+ isImmediate: true,
+ },
+ });
+ reportGroup.grantWrite(project);
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: Match.arrayWith([
+ {
+ Action: [
+ "codebuild:CreateReport",
+ "codebuild:UpdateReport",
+ policyStatement,
+ ],
+ Effect: "Allow",
+ Resource: {
+ "Fn::GetAtt": [
+ "ReportGroup8A84C76D",
+ "Arn",
+ ],
+ },
+ },
+ ]),
+ Version: "2012-10-17",
+ },
+ });
+ });
+
+ test('has policy for type test when type is not defined', () => {
+ const stack = new cdk.Stack();
+
+ const reportGroup = new codebuild.ReportGroup(stack, 'ReportGroup');
+
+ const project = new codebuild.Project(stack, 'TestProject', {
+ buildSpec: {
+ toBuildSpec: () => '',
+ isImmediate: true,
+ },
+ });
+ reportGroup.grantWrite(project);
+
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: Match.arrayWith([
+ {
+ Action: [
+ "codebuild:CreateReport",
+ "codebuild:UpdateReport",
+ "codebuild:BatchPutTestCases",
+ ],
+ Effect: "Allow",
+ Resource: {
+ "Fn::GetAtt": [
+ "ReportGroup8A84C76D",
+ "Arn",
+ ],
+ },
+ },
+ ]),
+ Version: "2012-10-17",
+ },
+ });
+ });
 });
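Review bot: Both new tests build the group with `new codebuild.ReportGroup(...)`, so the path where `type` stays undefined on an imported group is never asserted; a further case that imports a group by name, calls `grantWrite`, and pins the resulting action list would make that fallback a deliberate, reviewed behaviour. The two test bodies are also identical apart from the `type` prop and the third action, so the no-type case could become a third row of the `test.each` table, `[undefined, 'codebuild:BatchPutTestCases'],`, with the callback parameter typed `ReportGroupType | undefined`. That keeps the expected IAM statement in one place, so a later change to the granted actions cannot update one copy and miss the other.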