fix(pipelines): specifying the Action Role for CodeBuild steps

[tobytipton]

This fix should address the issue #18291

fixes #18291

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[rix0rrr]

These should be two different roles. Please add a separate configuration field.

But this actually doesn't seem like the right fix. Can we look at the Maximum policy size of 10240 bytes exceeded error a little closer ?

How many roles do we have in there? Why is the policy so large?

[tobytipton]

I can change it to a buildActionRole property, if that makes better sense.

The Maximum policy size of 10240 bytes exceeded happens on the policy associated with the role which the Pipeline itself runs as because for each build role which is created the pipeline role needs to have the ability to assume that role, and because the CodeBuildAction will create a new role which means if you have to a lot of build actions to multiple stages that will cause those multiple roles to be added to the policy.

Scenario would be having a pipeline which deploys to multiple stages and each stage a code build action to do a test or change.

Pull request has been modified.

[saltman424]

@tobytipton if you are going to introduce a new property, you will need to either make that property default to using this.props.role, or else specify that property here (and possibly other places):

aws-cdk/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts

Lines 677 to 687 in 7294118

	const script = new CodeBuildStep(node.id, {
	commands,
	installCommands: [
	`npm install -g cdk-assets${installSuffix}`,
	],
	input: this._cloudAssemblyFileSet,
	buildEnvironment: {
	privileged: assets.some(asset => asset.assetType === AssetType.DOCKER_IMAGE),
	},
	role,
	});

@rix0rrr As a note, it does seem that the intention, in at least the following case, is for them to be the same (note that this comment expresses the desired behavior, but is not actually what is currently happening):

aws-cdk/packages/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts

Lines 807 to 812 in 7294118

	/**
	* This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two
	* roles into one, and re-using across all assets, saves significant size of the final synthesized output.
	* Modeled after the CodePipeline role and 'CodePipelineActionRole' roles.
	* Generates one role per asset type to separate file and Docker/image-based permissions.
	*/

Regardless, a fix to this is desperately needed as, currently, the pipelines module can quickly become unusable (e.g. if you have a lot of Lambda functions with associated Code assets) since there does not seem to be a way to override this behavior.

[rix0rrr]

Is this change still necessary after #19114 ?

[saltman424]

@rix0rrr yes, but less often. If you have enough assets, you can still get too big of a policy document from having so many roles that the pipeline role needs to be able to assume. However, with #19114 those roles are all listed in a single policy statement rather than many, so the number of assets needed to hit the limit is now a lot larger, but I believe I hit the limit when I tried something similar to #19114 with about 150 or so assets.

[ekeyser]

Thanks for checking. I'm planning on implementing the feature flag for #19114 today or tomorrow and then attempting to test this weekend. I'll update this ticket with my findings. I wanted to wait a few days.

[ekeyser]

Yes, this change is still required. I deployed a stack using 1.150.0 with the iam minimize feature flag and still get errors regarding policy size exceeding 10240 bytes. Additionally, the role.without_policy_updates method appears to have in influence on what role is used for the pipeline.

[rix0rrr]

I am actively working on #20189 #20396, which will remove the need for manual control of the action role to stay within policy sizes.

We can still decide to merge this for environments where customers aren't allowed to create IAM roles, and they'll need a mechanism to pass in their custom roles.

[rix0rrr]

Please rename this to actionRole.

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: a9f937c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).