
fix(codebuild): Secret env variable as token from another account fai…
…ls on Key decryption

fixes aws#14477
Kruspe committed May 1, 2021
1 parent e31587a commit 983c357
Showing 1 changed file with 104 additions and 0 deletions.
104 changes: 104 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/test.project.ts
Expand Up @@ -1231,6 +1231,110 @@ export = {
test.done();
},

"when provided as a Token referencing a different account, adds permission to decrypt keys in the Secret's account"(test: Test) {
// GIVEN
const stack = new cdk.Stack();
const secretToken = cdk.Lazy.string({ produce: () => 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret' });

// WHEN
const secret = secretsmanager.Secret.fromSecretPartialArn(stack, 'Secret', secretToken);
new codebuild.PipelineProject(stack, 'Project', {
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
value: secret.secretArn,
},
},
});

// THEN
expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
'PolicyDocument': {
'Statement': arrayWith({
'Action': 'kms:Decrypt',
'Effect': 'Allow',
'Resource': {
'Fn::Join': [
'',
[
'arn:',
{ 'Ref': 'AWS::Partition' },
':kms:',
{ 'Fn::Select': [3, { 'Fn::Split': [':', 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret'] }] },
':',
{ 'Fn::Select': [4, { 'Fn::Split': [':', 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret'] }] },
':key/*',
],
],
},
}),
},
}));

test.done();
},

'when the same new secret is provided with different JSON keys, only adds the resource once'(test: Test) {
// GIVEN
const stack = new cdk.Stack();

// WHEN
const secret1 = new secretsmanager.Secret(stack, 'Secret');
new codebuild.PipelineProject(stack, 'Project', {
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
value: `${secret1.secretArn}:value1`,
},
'ENV_VAR2': {
type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
value: `${secret1.secretArn}:value2`,
},
},
});

// THEN
expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
'Environment': {
'EnvironmentVariables': [
{
'Name': 'ENV_VAR1',
'Type': 'SECRETS_MANAGER',
'Value': {
'Fn::Join': ['', [
{ 'Ref': 'SecretA720EF05' },
':value1',
]],
},
},
{
'Name': 'ENV_VAR2',
'Type': 'SECRETS_MANAGER',
'Value': {
'Fn::Join': ['', [
{ 'Ref': 'SecretA720EF05' },
':value2',
]],
},
},
],
},
}));

// THEN
expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
'PolicyDocument': {
'Statement': arrayWith({
'Action': 'secretsmanager:GetSecretValue',
'Effect': 'Allow',
'Resource': { 'Ref': 'SecretA720EF05' },
}),
},
}));

test.done();
},

'can be provided as the ARN attribute of a new Secret, followed by a JSON key'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
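Review bot: The second new test, 'when the same new secret is provided with different JSON keys, only adds the resource once', does not actually check "once": its `haveResourceLike('AWS::IAM::Policy', { 'PolicyDocument': { 'Statement': arrayWith({ ... }) } })` passes as soon as one matching `secretsmanager:GetSecretValue` statement exists, so a regression that emits the statement twice (one per environment variable) would still pass. To pin the deduplication, add an assertion after the existing `expect` that synthesizes the stack, filters the policy's `Statement` entries with `Action === 'secretsmanager:GetSecretValue'` and `Resource` equal to `{ 'Ref': 'SecretA720EF05' }`, and asserts the count is exactly 1; whether a synthesis helper such as SynthUtils is already imported cannot be seen here, as the import block is outside the hunk. In the first test, the `':key/*'` segment of the `kms:Decrypt` resource grants decrypt on every key in the secret's account, which is a deliberate consequence of the key id not being recoverable from a Token ARN, and a comment on that line such as `// key id is unknown for a Token ARN, so decrypt is scoped to the secret's account rather than a single key` would keep the wildcard from reading as an oversight. The enclosing `export = {` test object starts and ends outside the hunk.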
