From 8705af3b467ebae4f82ae51e48f0b46ba2f75e7b Mon Sep 17 00:00:00 2001 From: Kaixiang-AWS Date: Tue, 16 Apr 2019 07:02:41 -0700 Subject: [PATCH] fix(codebuild): remove oauthToken property from source (#2252) Auth field should not be set since it's ignored by CodeBuild https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectSource.html#CodeBuild-Type-ProjectSource-auth BREAKING CHANGE: customers who use GitHub, GitHubEnterprise or Bitbucket as source will need to remove the oauthToken field as it's no longer available Fixes #2199 --- packages/@aws-cdk/aws-codebuild/README.md | 13 +- packages/@aws-cdk/aws-codebuild/lib/source.ts | 19 --- .../test/integ.github.expected.json | 129 ++++++++++++++++++ .../aws-codebuild/test/integ.github.ts | 23 ++++ .../aws-codebuild/test/test.codebuild.ts | 77 ++++++++++- .../aws-codebuild/test/test.project.ts | 64 --------- 6 files changed, 236 insertions(+), 89 deletions(-) create mode 100644 packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json create mode 100644 packages/@aws-cdk/aws-codebuild/test/integ.github.ts diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md index 10a60f51bf0a0..b8ab1a0b47cf5 100644 --- a/packages/@aws-cdk/aws-codebuild/README.md +++ b/packages/@aws-cdk/aws-codebuild/README.md @@ -90,20 +90,25 @@ Example: const gitHubSource = new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk', - oauthToken: new secretsmanager.SecretString(this, 'GitHubOAuthToken', { - secretId: 'my-github-token', - }).stringValue, webhook: true, // optional, default: false }); ``` +To provide GitHub credentials, please either go to AWS CodeBuild Console to connect +or call `ImportSourceCredentials` to persist your personal access token. +Example: + +``` +aws codebuild import-source-credentials --server-type GITHUB --auth-type PERSONAL_ACCESS_TOKEN --token +``` + ### `BitBucketSource` This source type can be used to build code from a BitBucket repository. ## Environment -By default, projects use a small instance with an Ubuntu 14.04 image. You +By default, projects use a small instance with an Ubuntu 18.04 image. You can use the `environment` property to customize the build environment: * `buildImage` defines the Docker image used. See [Images](#images) below for diff --git a/packages/@aws-cdk/aws-codebuild/lib/source.ts b/packages/@aws-cdk/aws-codebuild/lib/source.ts index 0e04cfc30bb07..75c03a90aba82 100644 --- a/packages/@aws-cdk/aws-codebuild/lib/source.ts +++ b/packages/@aws-cdk/aws-codebuild/lib/source.ts @@ -1,7 +1,6 @@ import codecommit = require('@aws-cdk/aws-codecommit'); import iam = require('@aws-cdk/aws-iam'); import s3 = require('@aws-cdk/aws-s3'); -import { SecretValue } from '@aws-cdk/cdk'; import { CfnProject } from './codebuild.generated'; import { Project } from './project'; @@ -211,13 +210,6 @@ export interface GitHubSourceProps extends GitBuildSourceProps { */ readonly repo: string; - /** - * The oAuthToken used to authenticate when cloning source git repo. - * Note that you need to give CodeBuild permissions to your GitHub account in order for the token to work. - * That is a one-time operation that can be done through the AWS Console for CodeBuild. - */ - readonly oauthToken: SecretValue; - /** * Whether to create a webhook that will trigger a build every time a commit is pushed to the GitHub repository. * @@ -239,14 +231,12 @@ export interface GitHubSourceProps extends GitBuildSourceProps { export class GitHubSource extends GitBuildSource { public readonly type: SourceType = SourceType.GitHub; private readonly httpsCloneUrl: string; - private readonly oauthToken: SecretValue; private readonly reportBuildStatus: boolean; private readonly webhook?: boolean; constructor(props: GitHubSourceProps) { super(props); this.httpsCloneUrl = `https://github.com/${props.owner}/${props.repo}.git`; - this.oauthToken = props.oauthToken; this.webhook = props.webhook; this.reportBuildStatus = props.reportBuildStatus === undefined ? true : props.reportBuildStatus; } @@ -261,7 +251,6 @@ export class GitHubSource extends GitBuildSource { protected toSourceProperty(): any { return { - auth: { type: 'OAUTH', resource: this.oauthToken }, location: this.httpsCloneUrl, reportBuildStatus: this.reportBuildStatus, }; @@ -277,11 +266,6 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps { */ readonly httpsCloneUrl: string; - /** - * The OAuth token used to authenticate when cloning the git repository. - */ - readonly oauthToken: SecretValue; - /** * Whether to ignore SSL errors when connecting to the repository. * @@ -296,19 +280,16 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps { export class GitHubEnterpriseSource extends GitBuildSource { public readonly type: SourceType = SourceType.GitHubEnterprise; private readonly httpsCloneUrl: string; - private readonly oauthToken: SecretValue; private readonly ignoreSslErrors?: boolean; constructor(props: GitHubEnterpriseSourceProps) { super(props); this.httpsCloneUrl = props.httpsCloneUrl; - this.oauthToken = props.oauthToken; this.ignoreSslErrors = props.ignoreSslErrors; } protected toSourceProperty(): any { return { - auth: { type: 'OAUTH', resource: this.oauthToken }, location: this.httpsCloneUrl, insecureSsl: this.ignoreSslErrors, }; diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json new file mode 100644 index 0000000000000..f7e1d10aa84e0 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json @@ -0,0 +1,129 @@ +{ + "Resources": { + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "codebuild.", + { + "Ref": "AWS::URLSuffix" + } + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + }, + ":*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" + } + ] + } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "NO_ARTIFACTS" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "aws/codebuild/standard:1.0", + "PrivilegedMode": false, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "Source": { + "Location": "https://github.com/awslabs/aws-cdk.git", + "ReportBuildStatus": false, + "Type": "GITHUB" + } + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.github.ts b/packages/@aws-cdk/aws-codebuild/test/integ.github.ts new file mode 100644 index 0000000000000..e9784a5d2c507 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/integ.github.ts @@ -0,0 +1,23 @@ +import cdk = require('@aws-cdk/cdk'); +import codebuild = require('../lib'); + +class TestStack extends cdk.Stack { + constructor(scope: cdk.App, id: string) { + super(scope, id); + + const source = new codebuild.GitHubSource({ + owner: 'awslabs', + repo: 'aws-cdk', + reportBuildStatus: false, + }); + new codebuild.Project(this, 'MyProject', { + source + }); + } +} + +const app = new cdk.App(); + +new TestStack(app, 'test-codebuild-github'); + +app.run(); diff --git a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts index acfcdeca8b419..210d13b43b5dd 100644 --- a/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts +++ b/packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts @@ -470,6 +470,79 @@ export = { }); test.done(); }, + 'with GitHub source'(test: Test) { + const stack = new cdk.Stack(); + + new codebuild.Project(stack, 'Project', { + source: new codebuild.GitHubSource({ + owner: 'testowner', + repo: 'testrepo', + cloneDepth: 3, + webhook: true, + reportBuildStatus: false, + }) + }); + + expect(stack).to(haveResource('AWS::CodeBuild::Project', { + Source: { + Type: "GITHUB", + Location: 'https://github.com/testowner/testrepo.git', + ReportBuildStatus: false, + GitCloneDepth: 3, + } + })); + + expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', { + Triggers: { + Webhook: true, + }, + })); + + test.done(); + }, + 'with GitHubEnterprise source'(test: Test) { + const stack = new cdk.Stack(); + + new codebuild.Project(stack, 'MyProject', { + source: new codebuild.GitHubEnterpriseSource({ + httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo', + ignoreSslErrors: true, + cloneDepth: 4, + }) + }); + + expect(stack).to(haveResource('AWS::CodeBuild::Project', { + Source: { + Type: "GITHUB_ENTERPRISE", + InsecureSsl: true, + GitCloneDepth: 4, + Location: 'https://github.testcompany.com/testowner/testrepo' + } + })); + + test.done(); + }, + 'with Bitbucket source'(test: Test) { + const stack = new cdk.Stack(); + + new codebuild.Project(stack, 'Project', { + source: new codebuild.BitBucketSource({ + owner: 'testowner', + repo: 'testrepo', + cloneDepth: 5, + }) + }); + + expect(stack).to(haveResource('AWS::CodeBuild::Project', { + Source: { + Type: 'BITBUCKET', + Location: 'https://bitbucket.org/testowner/testrepo.git', + GitCloneDepth: 5, + }, + })); + + test.done(); + }, 'fail creating a Project when no build spec is given'(test: Test) { const stack = new cdk.Stack(); @@ -1065,8 +1138,8 @@ export = { { source: new codebuild.CodePipelineSource(), shouldPassValidation: false }, { source: new codebuild.CodeCommitSource({ repository: repo }), shouldPassValidation: false }, { source: new codebuild.S3BucketSource({ bucket, path: 'path/to/source.zip' }), shouldPassValidation: false }, - { source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true }, - { source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true }, + { source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true }, + { source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url' }), shouldPassValidation: true }, { source: new codebuild.BitBucketSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true } ]; diff --git a/packages/@aws-cdk/aws-codebuild/test/test.project.ts b/packages/@aws-cdk/aws-codebuild/test/test.project.ts index 8e7728d71e463..520d6aaf0a192 100644 --- a/packages/@aws-cdk/aws-codebuild/test/test.project.ts +++ b/packages/@aws-cdk/aws-codebuild/test/test.project.ts @@ -1,7 +1,6 @@ import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert'; import assets = require('@aws-cdk/assets'); import cdk = require('@aws-cdk/cdk'); -import { SecretValue } from '@aws-cdk/cdk'; import { Test } from 'nodeunit'; import codebuild = require('../lib'); @@ -59,7 +58,6 @@ export = { owner: 'testowner', repo: 'testrepo', cloneDepth: 3, - oauthToken: SecretValue.plainText("test_oauth_token"), }) }); @@ -67,10 +65,6 @@ export = { expect(stack).to(haveResource('AWS::CodeBuild::Project', { Source: { Type: "GITHUB", - Auth: { - Type: 'OAUTH', - Resource: 'test_oauth_token' - }, Location: 'https://github.com/testowner/testrepo.git', ReportBuildStatus: true, GitCloneDepth: 3, @@ -89,7 +83,6 @@ export = { source: new codebuild.GitHubSource({ owner: 'testowner', repo: 'testrepo', - oauthToken: SecretValue.plainText("test_oauth_token"), reportBuildStatus: false, }) }); @@ -113,7 +106,6 @@ export = { source: new codebuild.GitHubSource({ owner: 'testowner', repo: 'testrepo', - oauthToken: SecretValue.plainText("test_oauth_token"), webhook: true, }) }); @@ -129,62 +121,6 @@ export = { }, }, - 'github enterprise auth test'(test: Test) { - // GIVEN - const stack = new cdk.Stack(); - - // WHEN - new codebuild.Project(stack, 'Project', { - source: new codebuild.GitHubEnterpriseSource({ - httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo', - ignoreSslErrors: true, - cloneDepth: 4, - oauthToken: SecretValue.plainText("test_oauth_token"), - }) - }); - - // THEN - expect(stack).to(haveResource('AWS::CodeBuild::Project', { - Source: { - Type: "GITHUB_ENTERPRISE", - Auth: { - Type: 'OAUTH', - Resource: 'test_oauth_token' - }, - InsecureSsl: true, - GitCloneDepth: 4, - Location: 'https://github.testcompany.com/testowner/testrepo' - } - })); - - test.done(); - }, - - 'bitbucket auth test'(test: Test) { - // GIVEN - const stack = new cdk.Stack(); - - // WHEN - new codebuild.Project(stack, 'Project', { - source: new codebuild.BitBucketSource({ - owner: 'testowner', - repo: 'testrepo', - cloneDepth: 5, - }) - }); - - // THEN - expect(stack).to(haveResource('AWS::CodeBuild::Project', { - Source: { - Type: 'BITBUCKET', - Location: 'https://bitbucket.org/testowner/testrepo.git', - GitCloneDepth: 5, - }, - })); - - test.done(); - }, - 'construct from asset'(test: Test) { // GIVEN const stack = new cdk.Stack();