fix(codebuild): validate if a CodePipeline action that is cross-accou…

…nt does not have outputs (#4171) CodeBuild does not honor the key set on the project if the key is from a different account. That means a cross-account CodeBuild action effectively cannot have outputs (as they will be written with the default S3 key of the CodeBuild account, which the other actions won't have access to). Add validation that throws an error if there is an attempt to add a cross-account CodeBuild action with outputs. Fixes #4032
aws · Oct 3, 2019 · 1744f8a · 1744f8a
1 parent d7cfe20
commit 1744f8a
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 8 deletions.
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts
@@ -83,8 +83,19 @@ export class CodeBuildAction extends Action {
     this.props = props;
   }
 
-  protected bound(_scope: cdk.Construct, _stage: codepipeline.IStage, options: codepipeline.ActionBindOptions):
+  protected bound(scope: cdk.Construct, _stage: codepipeline.IStage, options: codepipeline.ActionBindOptions):
       codepipeline.ActionConfig {
+    // check for a cross-account action if there are any outputs
+    if ((this.actionProperties.outputs || []).length > 0) {
+      const pipelineStack = cdk.Stack.of(scope);
+      const projectStack = cdk.Stack.of(this.props.project);
+      if (pipelineStack.account !== projectStack.account) {
+        throw new Error('A cross-account CodeBuild action cannot have outputs. ' +
+          'This is a known CodeBuild limitation. ' +
+          'See https://github.com/aws/aws-cdk/issues/4169 for details');
+      }
+    }
+
     // grant the Pipeline role the required permissions to this Project
     options.role.addToPolicy(new iam.PolicyStatement({
       resources: [this.props.project.projectArn],

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/codebuild/test.codebuild-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/codebuild/test.codebuild-action.ts
@@ -0,0 +1,67 @@
+import codebuild = require('@aws-cdk/aws-codebuild');
+import codecommit = require('@aws-cdk/aws-codecommit');
+import codepipeline = require('@aws-cdk/aws-codepipeline');
+import { App, Stack } from '@aws-cdk/core';
+import { Test } from 'nodeunit';
+import cpactions = require('../../lib');
+
+// tslint:disable:object-literal-key-quotes
+
+export = {
+  'a cross-account CodeBuild action with outputs': {
+    'causes an error'(test: Test) {
+      const app = new App();
+
+      const projectStack = new Stack(app, 'ProjectStack', {
+        env: {
+          region: 'us-west-2',
+          account: '012345678901',
+        },
+      });
+      const project = new codebuild.PipelineProject(projectStack, 'Project');
+
+      const pipelineStack = new Stack(app, 'PipelineStack', {
+        env: {
+          region: 'us-west-2',
+          account: '123456789012',
+        },
+      });
+      const sourceOutput = new codepipeline.Artifact();
+      const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+        stages: [
+          {
+            stageName: 'Source',
+            actions: [new cpactions.CodeCommitSourceAction({
+              actionName: 'CodeCommit',
+              repository: codecommit.Repository.fromRepositoryName(pipelineStack, 'Repo', 'repo-name'),
+              output: sourceOutput,
+            })],
+          },
+        ],
+      });
+      const buildStage = pipeline.addStage({
+        stageName: 'Build',
+      });
+
+      // this works fine - no outputs!
+      buildStage.addAction(new cpactions.CodeBuildAction({
+        actionName: 'Build1',
+        input: sourceOutput,
+        project,
+      }));
+
+      const buildAction2 = new cpactions.CodeBuildAction({
+        actionName: 'Build2',
+        input: sourceOutput,
+        project,
+        outputs: [new codepipeline.Artifact()],
+      });
+
+      test.throws(() => {
+        buildStage.addAction(buildAction2);
+      }, /https:\/\/github\.com\/aws\/aws-cdk\/issues\/4169/);
+
+      test.done();
+    },
+  },
+};
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/test.pipeline.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/test.pipeline.ts
@@ -873,7 +873,6 @@ export = {
                 actionName: 'CodeBuild',
                 project,
                 input: sourceOutput,
-                outputs: [new codepipeline.Artifact()],
               }),
             ],
           },
@@ -922,9 +921,6 @@ export = {
                 "s3:GetObject*",
                 "s3:GetBucket*",
                 "s3:List*",
-                "s3:DeleteObject*",
-                "s3:PutObject*",
-                "s3:Abort*",
               ],
               "Effect": "Allow",
               "Resource": [
@@ -958,9 +954,6 @@ export = {
               "Action": [
                 "kms:Decrypt",
                 "kms:DescribeKey",
-                "kms:Encrypt",
-                "kms:ReEncrypt*",
-                "kms:GenerateDataKey*",
               ],
               "Effect": "Allow",
               "Resource": "*",