fix(codebuild): remove oauthToken property from source (aws#2252)

Auth field should not be set since it's ignored by CodeBuild https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectSource.html#CodeBuild-Type-ProjectSource-auth BREAKING CHANGE: customers who use GitHub, GitHubEnterprise or Bitbucket as source will need to remove the oauthToken field as it's no longer available Fixes aws#2199
Kaixiang-AWS · Apr 16, 2019 · 8705af3 · 8705af3
1 parent a09d364
commit 8705af3
Show file tree

Hide file tree

Showing 6 changed files with 236 additions and 89 deletions.
diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md
@@ -90,20 +90,25 @@ Example:
 const gitHubSource = new codebuild.GitHubSource({
  owner: 'awslabs',
  repo: 'aws-cdk',
- oauthToken: new secretsmanager.SecretString(this, 'GitHubOAuthToken', {
- secretId: 'my-github-token',
- }).stringValue,
  webhook: true, // optional, default: false
 });
 ```
 
+To provide GitHub credentials, please either go to AWS CodeBuild Console to connect
+or call `ImportSourceCredentials` to persist your personal access token.
+Example:
+
+```
+aws codebuild import-source-credentials --server-type GITHUB --auth-type PERSONAL_ACCESS_TOKEN --token <token_value>
+```
+
 ### `BitBucketSource`
 
 This source type can be used to build code from a BitBucket repository.
 
 ## Environment
 
-By default, projects use a small instance with an Ubuntu 14.04 image. You
+By default, projects use a small instance with an Ubuntu 18.04 image. You
 can use the `environment` property to customize the build environment:
 
 * `buildImage` defines the Docker image used. See [Images](#images) below for

diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -1,7 +1,6 @@
 import codecommit = require('@aws-cdk/aws-codecommit');
 import iam = require('@aws-cdk/aws-iam');
 import s3 = require('@aws-cdk/aws-s3');
-import { SecretValue } from '@aws-cdk/cdk';
 import { CfnProject } from './codebuild.generated';
 import { Project } from './project';
 
@@ -211,13 +210,6 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
  */
  readonly repo: string;
 
- /**
- * The oAuthToken used to authenticate when cloning source git repo.
- * Note that you need to give CodeBuild permissions to your GitHub account in order for the token to work.
- * That is a one-time operation that can be done through the AWS Console for CodeBuild.
- */
- readonly oauthToken: SecretValue;
-
  /**
  * Whether to create a webhook that will trigger a build every time a commit is pushed to the GitHub repository.
  *
@@ -239,14 +231,12 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
 export class GitHubSource extends GitBuildSource {
  public readonly type: SourceType = SourceType.GitHub;
  private readonly httpsCloneUrl: string;
- private readonly oauthToken: SecretValue;
  private readonly reportBuildStatus: boolean;
  private readonly webhook?: boolean;
 
  constructor(props: GitHubSourceProps) {
  super(props);
  this.httpsCloneUrl = `https://github.com/${props.owner}/${props.repo}.git`;
- this.oauthToken = props.oauthToken;
  this.webhook = props.webhook;
  this.reportBuildStatus = props.reportBuildStatus === undefined ? true : props.reportBuildStatus;
  }
@@ -261,7 +251,6 @@ export class GitHubSource extends GitBuildSource {
 
  protected toSourceProperty(): any {
  return {
- auth: { type: 'OAUTH', resource: this.oauthToken },
  location: this.httpsCloneUrl,
  reportBuildStatus: this.reportBuildStatus,
  };
@@ -277,11 +266,6 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
  */
  readonly httpsCloneUrl: string;
 
- /**
- * The OAuth token used to authenticate when cloning the git repository.
- */
- readonly oauthToken: SecretValue;
-
  /**
  * Whether to ignore SSL errors when connecting to the repository.
  *
@@ -296,19 +280,16 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
 export class GitHubEnterpriseSource extends GitBuildSource {
  public readonly type: SourceType = SourceType.GitHubEnterprise;
  private readonly httpsCloneUrl: string;
- private readonly oauthToken: SecretValue;
  private readonly ignoreSslErrors?: boolean;
 
  constructor(props: GitHubEnterpriseSourceProps) {
  super(props);
  this.httpsCloneUrl = props.httpsCloneUrl;
- this.oauthToken = props.oauthToken;
  this.ignoreSslErrors = props.ignoreSslErrors;
  }
 
  protected toSourceProperty(): any {
  return {
- auth: { type: 'OAUTH', resource: this.oauthToken },
  location: this.httpsCloneUrl,
  insecureSsl: this.ignoreSslErrors,
  };

diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json
@@ -0,0 +1,129 @@
+{
+ "Resources": {
+ "MyProjectRole9BBE5233": {
+ "Type": "AWS::IAM::Role",
+ "Properties": {
+ "AssumeRolePolicyDocument": {
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": {
+ "Fn::Join": [
+ "",
+ [
+ "codebuild.",
+ {
+ "Ref": "AWS::URLSuffix"
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ],
+ "Version": "2012-10-17"
+ }
+ }
+ },
+ "MyProjectRoleDefaultPolicyB19B7C29": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":logs:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":log-group:/aws/codebuild/",
+ {
+ "Ref": "MyProject39F7B0AE"
+ }
+ ]
+ ]
+ },
+ {
+ "Fn::Join": [
+ "",
+ [
+ "arn:",
+ {
+ "Ref": "AWS::Partition"
+ },
+ ":logs:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":log-group:/aws/codebuild/",
+ {
+ "Ref": "MyProject39F7B0AE"
+ },
+ ":*"
+ ]
+ ]
+ }
+ ]
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29",
+ "Roles": [
+ {
+ "Ref": "MyProjectRole9BBE5233"
+ }
+ ]
+ }
+ },
+ "MyProject39F7B0AE": {
+ "Type": "AWS::CodeBuild::Project",
+ "Properties": {
+ "Artifacts": {
+ "Type": "NO_ARTIFACTS"
+ },
+ "Environment": {
+ "ComputeType": "BUILD_GENERAL1_SMALL",
+ "Image": "aws/codebuild/standard:1.0",
+ "PrivilegedMode": false,
+ "Type": "LINUX_CONTAINER"
+ },
+ "ServiceRole": {
+ "Fn::GetAtt": [
+ "MyProjectRole9BBE5233",
+ "Arn"
+ ]
+ },
+ "Source": {
+ "Location": "https://github.com/awslabs/aws-cdk.git",
+ "ReportBuildStatus": false,
+ "Type": "GITHUB"
+ }
+ }
+ }
+ }
+}
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.github.ts b/packages/@aws-cdk/aws-codebuild/test/integ.github.ts
@@ -0,0 +1,23 @@
+import cdk = require('@aws-cdk/cdk');
+import codebuild = require('../lib');
+
+class TestStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string) {
+ super(scope, id);
+
+ const source = new codebuild.GitHubSource({
+ owner: 'awslabs',
+ repo: 'aws-cdk',
+ reportBuildStatus: false,
+ });
+ new codebuild.Project(this, 'MyProject', {
+ source
+ });
+ }
+}
+
+const app = new cdk.App();
+
+new TestStack(app, 'test-codebuild-github');
+
+app.run();
diff --git a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
@@ -470,6 +470,79 @@ export = {
  });
  test.done();
  },
+ 'with GitHub source'(test: Test) {
+ const stack = new cdk.Stack();
+
+ new codebuild.Project(stack, 'Project', {
+ source: new codebuild.GitHubSource({
+ owner: 'testowner',
+ repo: 'testrepo',
+ cloneDepth: 3,
+ webhook: true,
+ reportBuildStatus: false,
+ })
+ });
+
+ expect(stack).to(haveResource('AWS::CodeBuild::Project', {
+ Source: {
+ Type: "GITHUB",
+ Location: 'https://github.com/testowner/testrepo.git',
+ ReportBuildStatus: false,
+ GitCloneDepth: 3,
+ }
+ }));
+
+ expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
+ Triggers: {
+ Webhook: true,
+ },
+ }));
+
+ test.done();
+ },
+ 'with GitHubEnterprise source'(test: Test) {
+ const stack = new cdk.Stack();
+
+ new codebuild.Project(stack, 'MyProject', {
+ source: new codebuild.GitHubEnterpriseSource({
+ httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo',
+ ignoreSslErrors: true,
+ cloneDepth: 4,
+ })
+ });
+
+ expect(stack).to(haveResource('AWS::CodeBuild::Project', {
+ Source: {
+ Type: "GITHUB_ENTERPRISE",
+ InsecureSsl: true,
+ GitCloneDepth: 4,
+ Location: 'https://github.testcompany.com/testowner/testrepo'
+ }
+ }));
+
+ test.done();
+ },
+ 'with Bitbucket source'(test: Test) {
+ const stack = new cdk.Stack();
+
+ new codebuild.Project(stack, 'Project', {
+ source: new codebuild.BitBucketSource({
+ owner: 'testowner',
+ repo: 'testrepo',
+ cloneDepth: 5,
+ })
+ });
+
+ expect(stack).to(haveResource('AWS::CodeBuild::Project', {
+ Source: {
+ Type: 'BITBUCKET',
+ Location: 'https://bitbucket.org/testowner/testrepo.git',
+ GitCloneDepth: 5,
+ },
+ }));
+
+ test.done();
+ },
  'fail creating a Project when no build spec is given'(test: Test) {
  const stack = new cdk.Stack();
 
@@ -1065,8 +1138,8 @@ export = {
  { source: new codebuild.CodePipelineSource(), shouldPassValidation: false },
  { source: new codebuild.CodeCommitSource({ repository: repo }), shouldPassValidation: false },
  { source: new codebuild.S3BucketSource({ bucket, path: 'path/to/source.zip' }), shouldPassValidation: false },
- { source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true },
- { source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true },
+ { source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true },
+ { source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url' }), shouldPassValidation: true },
  { source: new codebuild.BitBucketSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true }
  ];