fix(codepipeline): the CodeBuild action now works with imported proje…

…cts (#4637) Because of the way the IAM library was used in the CodeBuild CodePipeline action, it was not possible to provide an imported project to the action (it would result in an error being thrown from the IAM library for the KMS key permissions). Fixes #4613
aws · Oct 23, 2019 · 6c4085e · 6c4085e
1 parent 86b79df
commit 6c4085e
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 45 deletions.
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts
@@ -107,10 +107,14 @@ export class CodeBuildAction extends Action {
     }));
 
     // allow the Project access to the Pipeline's artifact Bucket
-    if ((this.actionProperties.outputs || []).length > 0) {
-      options.bucket.grantReadWrite(this.props.project);
-    } else {
-      options.bucket.grantRead(this.props.project);
+    // but only if the project is not imported
+    // (ie., has a role) - otherwise, the IAM library throws an error
+    if (this.props.project.role) {
+      if ((this.actionProperties.outputs || []).length > 0) {
+        options.bucket.grantReadWrite(this.props.project);
+      } else {
+        options.bucket.grantRead(this.props.project);
+      }
     }
 
     if (this.props.project instanceof codebuild.Project) {

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/codebuild/test.codebuild-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/codebuild/test.codebuild-action.ts
@@ -1,66 +1,125 @@
+import { expect, haveResourceLike } from "@aws-cdk/assert";
 import codebuild = require('@aws-cdk/aws-codebuild');
 import codecommit = require('@aws-cdk/aws-codecommit');
 import codepipeline = require('@aws-cdk/aws-codepipeline');
+import s3 = require('@aws-cdk/aws-s3');
 import { App, Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import cpactions = require('../../lib');
 
 // tslint:disable:object-literal-key-quotes
 
 export = {
-  'a cross-account CodeBuild action with outputs': {
-    'causes an error'(test: Test) {
-      const app = new App();
+  'CodeBuild action': {
+    'that is cross-account and has outputs': {
+      'causes an error'(test: Test) {
+        const app = new App();
 
-      const projectStack = new Stack(app, 'ProjectStack', {
-        env: {
-          region: 'us-west-2',
-          account: '012345678912',
-        },
-      });
-      const project = new codebuild.PipelineProject(projectStack, 'Project');
+        const projectStack = new Stack(app, 'ProjectStack', {
+          env: {
+            region: 'us-west-2',
+            account: '012345678912',
+          },
+        });
+        const project = new codebuild.PipelineProject(projectStack, 'Project');
+
+        const pipelineStack = new Stack(app, 'PipelineStack', {
+          env: {
+            region: 'us-west-2',
+            account: '012345678913',
+          },
+        });
+        const sourceOutput = new codepipeline.Artifact();
+        const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+          stages: [
+            {
+              stageName: 'Source',
+              actions: [new cpactions.CodeCommitSourceAction({
+                actionName: 'CodeCommit',
+                repository: codecommit.Repository.fromRepositoryName(pipelineStack, 'Repo', 'repo-name'),
+                output: sourceOutput,
+              })],
+            },
+          ],
+        });
+        const buildStage = pipeline.addStage({
+          stageName: 'Build',
+        });
+
+        // this works fine - no outputs!
+        buildStage.addAction(new cpactions.CodeBuildAction({
+          actionName: 'Build1',
+          input: sourceOutput,
+          project,
+        }));
+
+        const buildAction2 = new cpactions.CodeBuildAction({
+          actionName: 'Build2',
+          input: sourceOutput,
+          project,
+          outputs: [new codepipeline.Artifact()],
+        });
+
+        test.throws(() => {
+          buildStage.addAction(buildAction2);
+        }, /https:\/\/github\.com\/aws\/aws-cdk\/issues\/4169/);
+
+        test.done();
+      },
+    },
+
+    'can be backed by an imported project'(test: Test) {
+      const stack = new Stack();
+
+      const codeBuildProject = codebuild.PipelineProject.fromProjectName(stack, 'CodeBuild',
+        'codeBuildProjectNameInAnotherAccount');
 
-      const pipelineStack = new Stack(app, 'PipelineStack', {
-        env: {
-          region: 'us-west-2',
-          account: '012345678913',
-        },
-      });
       const sourceOutput = new codepipeline.Artifact();
-      const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+      new codepipeline.Pipeline(stack, 'Pipeline', {
         stages: [
           {
             stageName: 'Source',
-            actions: [new cpactions.CodeCommitSourceAction({
-              actionName: 'CodeCommit',
-              repository: codecommit.Repository.fromRepositoryName(pipelineStack, 'Repo', 'repo-name'),
-              output: sourceOutput,
-            })],
+            actions: [
+              new cpactions.S3SourceAction({
+                actionName: 'S3_Source',
+                bucket: new s3.Bucket(stack, 'Bucket'),
+                bucketKey: 'key',
+                output: sourceOutput,
+              }),
+            ],
+          },
+          {
+            stageName: 'Build',
+            actions: [
+              new cpactions.CodeBuildAction({
+                actionName: 'CodeBuild',
+                input: sourceOutput,
+                project: codeBuildProject,
+              }),
+            ],
           },
         ],
       });
-      const buildStage = pipeline.addStage({
-        stageName: 'Build',
-      });
 
-      // this works fine - no outputs!
-      buildStage.addAction(new cpactions.CodeBuildAction({
-        actionName: 'Build1',
-        input: sourceOutput,
-        project,
+      expect(stack).to(haveResourceLike('AWS::CodePipeline::Pipeline', {
+        "Stages": [
+          {
+            "Name": "Source",
+          },
+          {
+            "Name": "Build",
+            "Actions": [
+              {
+                "Name": "CodeBuild",
+                "Configuration": {
+                  "ProjectName": "codeBuildProjectNameInAnotherAccount",
+                },
+              },
+            ],
+          },
+        ],
       }));
 
-      const buildAction2 = new cpactions.CodeBuildAction({
-        actionName: 'Build2',
-        input: sourceOutput,
-        project,
-        outputs: [new codepipeline.Artifact()],
-      });
-
-      test.throws(() => {
-        buildStage.addAction(buildAction2);
-      }, /https:\/\/github\.com\/aws\/aws-cdk\/issues\/4169/);
-
       test.done();
     },
   },