From 2f7b73561fa1f147fa1897a87ebef802f34ef143 Mon Sep 17 00:00:00 2001
From: Adam Ruka
Date: Tue, 2 Jul 2019 14:04:41 -0700
Subject: [PATCH] fix(codepipeline): grant the CodeCommit source Action read-write permissions to the Pipeline's Bucket. Fixes #3170
---
 .../lib/codecommit/source-action.ts | 2 +-
 ...g.cfn-template-from-repo.lit.expected.json | 9 +++-
 ...yed-through-codepipeline.lit.expected.json | 16 ++++++-
 ...uild-multiple-inputs-outputs.expected.json | 46 +++++++++----------
 ...g.pipeline-code-commit-build.expected.json | 7 +++
 .../integ.pipeline-code-commit.expected.json | 7 +++
 .../test/integ.pipeline-events.expected.json | 7 +++
 .../test/__snapshots__/synth.test.js.snap | 7 +++
 8 files changed, 75 insertions(+), 26 deletions(-)
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
index 9cc1793aa905f..f8ce21d23f95d 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/codecommit/source-action.ts
@@ -91,7 +91,7 @@ export class CodeCommitSourceAction extends Action {
 // the Action will write the contents of the Git repository to the Bucket,
 // so its Role needs write permissions to the Pipeline Bucket
- options.bucket.grantWrite(options.role);
+ options.bucket.grantReadWrite(options.role);
 // https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html#aa-acp
 options.role.addToPolicy(new iam.PolicyStatement({
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
index a10e73ff2e813..90048bde3a70f 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
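Review bot: The comment directly above the changed call still says the Role needs only write permissions, but `grantReadWrite` also grants read, and the fixture hunks in this patch show that means `s3:GetObject*`, `s3:GetBucket*` and `s3:List*` on the whole Pipeline Bucket plus `kms:Decrypt`/`kms:DescribeKey` on its key. Suggest updating the comment to state the new contract and its reason, e.g. `// so its Role needs read and write permissions to the Pipeline Bucket (see #3170)`. Because the read side is bucket-wide, the source Action's Role can presumably read every artifact the Pipeline stores, not only its own output; if the grant can be narrowed to this Action's artifact prefix (`grantReadWrite` accepts an optional objects key pattern, if that overload is available in this version), that would keep the change closer to least privilege, and otherwise a one-line comment noting the widening is intentional would help the next reader. The method containing this call starts and ends outside the hunk.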
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -69,6 +69,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -448,6 +450,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -478,6 +483,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -810,4 +817,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
index 341eafcf03554..d94d8873b169a 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -62,6 +62,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -79,6 +81,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -567,6 +571,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -597,6 +604,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -675,6 +684,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -705,6 +717,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -1610,4 +1624,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json
index ac65273faee7c..3ce027cd3cced 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.expected.json
@@ -158,9 +158,25 @@
 },
 {
 "Action": [
- "s3:DeleteObject*",
- "s3:PutObject*",
- "s3:Abort*"
+ "codecommit:GetBranch",
+ "codecommit:GetCommit",
+ "codecommit:UploadArchive",
+ "codecommit:GetUploadArchiveStatus",
+ "codecommit:CancelUploadArchive"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::GetAtt": [
+ "MyRepoF4F48043",
+ "Arn"
+ ]
+ }
+ },
+ {
+ "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -188,25 +204,9 @@
 },
 {
 "Action": [
- "codecommit:GetBranch",
- "codecommit:GetCommit",
- "codecommit:UploadArchive",
- "codecommit:GetUploadArchiveStatus",
- "codecommit:CancelUploadArchive"
- ],
- "Effect": "Allow",
- "Resource": {
- "Fn::GetAtt": [
- "MyRepoF4F48043",
- "Arn"
- ]
- }
- },
- {
- "Action": [
- "s3:GetObject*",
- "s3:GetBucket*",
- "s3:List*"
+ "s3:DeleteObject*",
+ "s3:PutObject*",
+ "s3:Abort*"
 ],
 "Effect": "Allow",
 "Resource": [
@@ -650,4 +650,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
index 92bc958303174..9f7dd0e13cdc7 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json
@@ -284,6 +284,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -654,6 +656,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -684,6 +689,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
index ed584c2eec19e..360da5b54c718 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit.expected.json
@@ -134,6 +134,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -419,6 +421,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -449,6 +454,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
index c0a966cd9214b..ca5873f6a6ed6 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-events.expected.json
@@ -62,6 +62,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
@@ -379,6 +381,9 @@
 "Statement": [
 {
 "Action": [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*"
@@ -409,6 +414,8 @@
 },
 {
 "Action": [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*"
diff --git a/packages/decdk/test/__snapshots__/synth.test.js.snap b/packages/decdk/test/__snapshots__/synth.test.js.snap
index da4eb41f8f3e5..cb21a35759b02 100644
--- a/packages/decdk/test/__snapshots__/synth.test.js.snap
+++ b/packages/decdk/test/__snapshots__/synth.test.js.snap
@@ -2026,6 +2026,8 @@ Object {
 },
 Object {
 "Action": Array [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",
@@ -2699,6 +2701,9 @@ Object {
 "Statement": Array [
 Object {
 "Action": Array [
+ "s3:GetObject*",
+ "s3:GetBucket*",
+ "s3:List*",
 "s3:DeleteObject*",
 "s3:PutObject*",
 "s3:Abort*",
@@ -2729,6 +2734,8 @@ Object {
 },
 Object {
 "Action": Array [
+ "kms:Decrypt",
+ "kms:DescribeKey",
 "kms:Encrypt",
 "kms:ReEncrypt*",
 "kms:GenerateDataKey*",