feat(codebuild): add functionality to allow using private registry an…

…d cross-account ECR repository as build image Fixes aws#2175
Kaixiang-AWS · Jun 20, 2019 · aba3103 · aba3103
1 parent 2eafda7
commit aba3103
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 23 deletions.
diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -6,7 +6,7 @@ import events = require('@aws-cdk/aws-events');
 import iam = require('@aws-cdk/aws-iam');
 import kms = require('@aws-cdk/aws-kms');
 import secretsmanager = require('@aws-cdk/aws-secretsmanager');
-import { Aws, CfnResource, Construct, Duration, IResource, Lazy, PhysicalName, Resource, ResourceIdentifiers, Stack } from '@aws-cdk/cdk';
+import { Aws, CfnResource, Construct, Duration, IResource, Lazy, PhysicalName, Resource, ResourceIdentifiers, Stack, Token } from '@aws-cdk/cdk';
 import { IArtifacts } from './artifacts';
 import { BuildSpec } from './build-spec';
 import { Cache } from './cache';
@@ -782,14 +782,15 @@ export class Project extends ProjectBase {
   }
 
   private attachEcrPermission() {
-    this.addToRolePolicy(new iam.PolicyStatement()
-    .addAllResources()
-    .addActions(
-      'ecr:GetAutheticationToken',
-      'ecr:GetDownloadUrlForLayer',
-      'ecr:BatchGetImage',
-      'ecr:BatchCheckLayerAvailability'
-    ));
+    this.addToRolePolicy(new iam.PolicyStatement({
+      resources: ['*'],
+      actions: [
+        'ecr:GetAutheticationToken',
+        'ecr:GetDownloadUrlForLayer',
+        'ecr:BatchGetImage',
+        'ecr:BatchCheckLayerAvailability'
+      ]
+    }));
   }
 
   private renderEnvironment(env: BuildEnvironment = {},
@@ -1271,16 +1272,9 @@ export enum BuildEnvironmentVariableType {
   PARAMETER_STORE = 'PARAMETER_STORE'
 }
 
-<<<<<<< HEAD
 function isECRImage(imageUri: string) {
-  return /^(.+).dkr.ecr.(.+).amazonaws.com[.]{0,1}[a-z]{0,3}\/([^:]+):?.*$/.test(imageUri);
-=======
-function ecrAccessForCodeBuildService(): iam.PolicyStatement {
-  const s = new iam.PolicyStatement({
-    principals: [new iam.ServicePrincipal('codebuild.amazonaws.com')],
-    actions: ['ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', 'ecr:BatchCheckLayerAvailability'],
-  });
-  s.sid = 'CodeBuild';
-  return s;
->>>>>>> upstream/master
+  if (!Token.isUnresolved(imageUri)) {
+    return /^(.+).dkr.ecr.(.+).amazonaws.com[.]{0,1}[a-z]{0,3}\/([^:]+):?.*$/.test(imageUri);
+  }
+  return false;
 }
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts
@@ -7,17 +7,17 @@ class TestStack extends cdk.Stack {
     super(scope, id);
 
     const secrets = secretsmanager.Secret.fromSecretArn(this, "MySecrets",
-    `arn:aws:secretsmanager:${this.region}:${this.accountId}:secret:my-secrets-123456`);
+    `arn:aws:secretsmanager:${this.region}:${this.account}:secret:my-secrets-123456`);
 
     new codebuild.Project(this, 'MyProject', {
-      buildSpec: {
+      buildSpec: codebuild.BuildSpec.fromObject({
         version: "0.2",
         phases: {
           build: {
             commands: [ 'ls' ]
           }
         }
-      },
+      }),
       /// !show
       environment: {
         buildImage: codebuild.LinuxBuildImage.fromDockerRegistry("my-registry/my-repo", secrets)