fix(pipelines): reduce assets IAM policy size (#9333)

Collapse the PipelineAssetsRoleDefaultPolicy into a single up-front policy that
doesn't grow per-asset. This relaxes some of the permissions in exchange for
avoiding an O(N) policy size.

fixes #9316

_Testing notes:_ Successfully deployed a pipeline with 49 assets (25 file assets and 24 docker assets). 50 assets is the limit for a single stage of the pipeline. To scale out past 50 assets, we will need to segment the assets pipeline stage into multiple stages. I'm considering that out-of-scope for this bugfix.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: njlynch

packages/@aws-cdk/pipelines/lib/pipeline.ts

@@ -242,10 +242,11 @@ interface AssetPublishingProps {
  */
 class AssetPublishing extends Construct {
   private readonly publishers: Record<string, PublishAssetsAction> = {};
+  private readonly assetRoles: Record<string, iam.IRole> = {};
   private readonly myCxAsmRoot: string;
 
   private readonly stage: codepipeline.IStage;
-  private assetRole?: iam.Role;
+  private readonly pipeline: codepipeline.Pipeline;
   private _fileAssetCtr = 1;
   private _dockerAssetCtr = 1;
 
@@ -256,6 +257,7 @@ class AssetPublishing extends Construct {
     // We MUST add the Stage immediately here, otherwise it will be in the wrong place
     // in the pipeline!
     this.stage = this.props.pipeline.addStage({ stageName: 'Assets' });
+    this.pipeline = this.props.pipeline;
   }
 
   /**
@@ -269,15 +271,9 @@ class AssetPublishing extends Construct {
     // FIXME: this is silly, we need the relative path here but no easy way to get it
     const relativePath = path.relative(this.myCxAsmRoot, command.assetManifestPath);
 
-    // This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two
-    // roles into one, and re-using across all assets, saves significant size of the final synthesized output.
-    // Modeled after the CodePipeline role and 'CodePipelineActionRole' roles.
-    // Late-binding here to prevent creating the role in cases where no asset actions are created.
-    if (!this.assetRole) {
-      this.assetRole = new iam.Role(this, 'Role', {
-        roleName: PhysicalName.GENERATE_IF_NEEDED,
-        assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal('codebuild.amazonaws.com'), new iam.AccountPrincipal(Stack.of(this).account)),
-      });
+    // Late-binding here (rather than in the constructor) to prevent creating the role in cases where no asset actions are created.
+    if (!this.assetRoles[command.assetType]) {
+      this.generateAssetRole(command.assetType);
     }
 
     let action = this.publishers[command.assetId];
@@ -298,7 +294,7 @@ class AssetPublishing extends Construct {
         cloudAssemblyInput: this.props.cloudAssemblyInput,
         cdkCliVersion: this.props.cdkCliVersion,
         assetType: command.assetType,
-        role: this.assetRole,
+        role: this.assetRoles[command.assetType],
       });
       this.stage.addAction(action);
     }
@@ -321,9 +317,78 @@ class AssetPublishing extends Construct {
       }
     }
   }
+
+  /**
+   * This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two
+   * roles into one, and re-using across all assets, saves significant size of the final synthesized output.
+   * Modeled after the CodePipeline role and 'CodePipelineActionRole' roles.
+   * Generates one role per asset type to separate file and Docker/image-based permissions.
+   */
+  private generateAssetRole(assetType: AssetType) {
+    if (this.assetRoles[assetType]) { return this.assetRoles[assetType]; }
+
+    const rolePrefix = assetType === AssetType.DOCKER_IMAGE ? 'Docker' : 'File';
+    const assetRole = new iam.Role(this, `${rolePrefix}Role`, {
+      roleName: PhysicalName.GENERATE_IF_NEEDED,
+      assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal('codebuild.amazonaws.com'), new iam.AccountPrincipal(Stack.of(this).account)),
+    });
+
+    // Logging permissions
+    const logGroupArn = Stack.of(this).formatArn({
+      service: 'logs',
+      resource: 'log-group',
+      sep: ':',
+      resourceName: '/aws/codebuild/*',
+    });
+    assetRole.addToPolicy(new iam.PolicyStatement({
+      resources: [logGroupArn],
+      actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
+    }));
+
+    // CodeBuild report groups
+    const codeBuildArn = Stack.of(this).formatArn({
+      service: 'codebuild',
+      resource: 'report-group',
+      resourceName: '*',
+    });
+    assetRole.addToPolicy(new iam.PolicyStatement({
+      actions: [
+        'codebuild:CreateReportGroup',
+        'codebuild:CreateReport',
+        'codebuild:UpdateReport',
+        'codebuild:BatchPutTestCases',
+      ],
+      resources: [codeBuildArn],
+    }));
+
+    // CodeBuild start/stop
+    assetRole.addToPolicy(new iam.PolicyStatement({
+      resources: ['*'],
+      actions: [
+        'codebuild:BatchGetBuilds',
+        'codebuild:StartBuild',
+        'codebuild:StopBuild',
+      ],
+    }));
+
+    // Publishing role access
+    const rolePattern = assetType === AssetType.DOCKER_IMAGE
+      ? 'arn:*:iam::*:role/*-image-publishing-role-*'
+      : 'arn:*:iam::*:role/*-file-publishing-role-*';
+    assetRole.addToPolicy(new iam.PolicyStatement({
+      actions: ['sts:AssumeRole'],
+      resources: [rolePattern],
+    }));
+
+    // Artifact access
+    this.pipeline.artifactBucket.grantRead(assetRole);
+
+    this.assetRoles[assetType] = assetRole.withoutPolicyUpdates();
+    return this.assetRoles[assetType];
+  }
 }
 
 function maybeSuffix(x: string | undefined, suffix: string): string | undefined {
   if (x === undefined) { return undefined; }
   return `${x}${suffix}`;
-}
+}