Merge branch 'master' into ecs-refactor
mergify[bot] authored Jun 14, 2021
2 parents 162538c + cbd7552 commit c6d5d18
Showing 8 changed files with 156 additions and 67 deletions.
Expand Up @@ -19,7 +19,7 @@ export const BOOTSTRAP_QUALIFIER_CONTEXT = '@aws-cdk/core:bootstrapQualifier';
/**
* The minimum bootstrap stack version required by this app.
*/
const MIN_BOOTSTRAP_STACK_VERSION = 4;
const MIN_BOOTSTRAP_STACK_VERSION = 6;

/**
* Configuration properties for DefaultStackSynthesizer
Expand Down Expand Up @@ -643,4 +643,4 @@ function validateDockerImageAssetSource(asset: DockerImageAssetSource) {
throw new Error(`'${key}' is only allowed in combination with 'directoryName', got: ${JSON.stringify(asset)}`);
}
}
}
}
Expand Up @@ -76,7 +76,7 @@ nodeunitShim({
test.deepEqual(assertions.length, 1);
test.deepEqual(assertions[0].Assert, {
'Fn::Not': [
{ 'Fn::Contains': [['1', '2', '3'], { Ref: 'BootstrapVersion' }] },
{ 'Fn::Contains': [['1', '2', '3', '4', '5'], { Ref: 'BootstrapVersion' }] },
],
});

Expand Up @@ -3,6 +3,7 @@ import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as cpactions from '@aws-cdk/aws-codepipeline-actions';
import * as events from '@aws-cdk/aws-events';
import * as iam from '@aws-cdk/aws-iam';
import { Stack } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { embeddedAsmPath } from '../private/construct-internals';

Expand Down Expand Up @@ -97,7 +98,12 @@ export class UpdatePipelineAction extends CoreConstruct implements codepipeline.
// allow the self-mutating project permissions to assume the bootstrap Action role
selfMutationProject.addToRolePolicy(new iam.PolicyStatement({
actions: ['sts:AssumeRole'],
resources: ['arn:*:iam::*:role/*-deploy-role-*', 'arn:*:iam::*:role/*-publishing-role-*'],
resources: [`arn:*:iam::${Stack.of(this).account}:role/*`],
conditions: {
'ForAnyValue:StringEquals': {
'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'],
},
},
}));
selfMutationProject.addToRolePolicy(new iam.PolicyStatement({
actions: ['cloudformation:DescribeStacks'],
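Review bot: The narrowed grant at the `resources:` / `conditions:` lines now only works when the bootstrap roles carry the `aws-cdk:bootstrap-role` tag, which is the reason this commit bumps MIN_BOOTSTRAP_STACK_VERSION to 6, yet nothing in the code records that coupling; a self-mutation failure against an older bootstrap stack would look like an unexplained AccessDenied on AssumeRole. A comment above the statement would capture it, e.g. `// Matches only bootstrap roles tagged aws-cdk:bootstrap-role (bootstrap template v6+); keep the tag values and MIN_BOOTSTRAP_STACK_VERSION in sync`. Since the resource line is being rewritten anyway, the partition wildcard could go as well by using `arn:${Stack.of(this).partition}:iam::${Stack.of(this).account}:role/*` as the template string, so the grant stays within the deploying partition. The enclosing method of UpdatePipelineAction starts and ends outside the hunk.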
@@ -0,0 +1,50 @@
import {
arrayWith,
} from '@aws-cdk/assert-internal';
import '@aws-cdk/assert-internal/jest';
import * as cp from '@aws-cdk/aws-codepipeline';
import { Stack } from '@aws-cdk/core';
import * as cdkp from '../../lib';
import { TestApp } from '../testutil';

let app: TestApp;
let pipelineStack: Stack;

test('self-update project role has proper permissions', () => {
app = new TestApp();
pipelineStack = new Stack(app, 'PipelineStack');

new cdkp.UpdatePipelineAction(pipelineStack, 'Update', {
cloudAssemblyInput: new cp.Artifact(),
pipelineStackHierarchicalId: pipelineStack.node.path,
projectName: 'pipeline-selfupdate',
});

expect(pipelineStack).toHaveResourceLike('AWS::IAM::Policy', {
PolicyDocument: {
Statement: arrayWith(
{
Action: 'sts:AssumeRole',
Effect: 'Allow',
Resource: { 'Fn::Join': ['', ['arn:*:iam::', { Ref: 'AWS::AccountId' }, ':role/*']] },
Condition: {
'ForAnyValue:StringEquals': {
'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'],
},
},
},
{
Action: 'cloudformation:DescribeStacks',
Effect: 'Allow',
Resource: '*',
},
{
Action: 's3:ListBucket',
Effect: 'Allow',
Resource: '*',
},
),
},
});

});
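Review bot: `app` and `pipelineStack` are declared with `let` at module scope (`let app: TestApp;`, `let pipelineStack: Stack;`) but are assigned only inside the single test, so they would read better as `const` locals of that test and cannot then leak state if further tests are added to the file. The test also only covers an environment-agnostic stack, where the resource resolves to `{ 'Fn::Join': ['', ['arn:*:iam::', { Ref: 'AWS::AccountId' }, ':role/*']] }`; a second case constructing the stack with an explicit `env: { account: ... }` would pin the literal-account form that the updated expected snapshots in this commit show. The condition keys and tag values asserted here are the only place outside the bootstrap template where they are spelled out in a test, so keeping them in one shared constant would reduce the chance of the two drifting apart.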
@@ -1,36 +1,4 @@
{
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store."
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 4 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
},
"Resources": {
"PipelineArtifactsBucketEncryptionKeyF5BF0670": {
"Type": "AWS::KMS::Key",
Expand Down Expand Up @@ -63,6 +31,20 @@
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"PipelineArtifactsBucketEncryptionKeyAlias94A07392": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": "alias/codepipeline-pipelinestackpipelinee95eedaa",
"TargetKeyId": {
"Fn::GetAtt": [
"PipelineArtifactsBucketEncryptionKeyF5BF0670",
"Arn"
]
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"PipelineArtifactsBucketAEA9A052": {
"Type": "AWS::S3::Bucket",
"Properties": {
Expand Down Expand Up @@ -91,20 +73,6 @@
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
},
"PipelineArtifactsBucketEncryptionKeyAlias94A07392": {
"Type": "AWS::KMS::Alias",
"Properties": {
"AliasName": "alias/codepipeline-pipelinestackpipelinee95eedaa",
"TargetKeyId": {
"Fn::GetAtt": [
"PipelineArtifactsBucketEncryptionKeyF5BF0670",
"Arn"
]
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"PipelineRoleB27FAA37": {
"Type": "AWS::IAM::Role",
"Properties": {
Expand Down Expand Up @@ -1166,11 +1134,17 @@
},
{
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:StringEquals": {
"iam:ResourceTag/aws-cdk:bootstrap-role": [
"image-publishing",
"file-publishing",
"deploy"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:*:iam::*:role/*-deploy-role-*",
"arn:*:iam::*:role/*-publishing-role-*"
]
"Resource": "arn:*:iam::12345678:role/*"
},
{
"Action": "cloudformation:DescribeStacks",
Expand Down Expand Up @@ -1457,5 +1431,39 @@
}
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store."
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
}
Expand Up @@ -1160,11 +1160,17 @@
},
{
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:StringEquals": {
"iam:ResourceTag/aws-cdk:bootstrap-role": [
"image-publishing",
"file-publishing",
"deploy"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:*:iam::*:role/*-deploy-role-*",
"arn:*:iam::*:role/*-publishing-role-*"
]
"Resource": "arn:*:iam::12345678:role/*"
},
{
"Action": "cloudformation:DescribeStacks",
Expand Down Expand Up @@ -1501,7 +1507,9 @@
[
"1",
"2",
"3"
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
Expand All @@ -1510,7 +1518,7 @@
}
]
},
"AssertDescription": "CDK bootstrap stack version 4 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
20 changes: 14 additions & 6 deletions packages/@aws-cdk/pipelines/test/integ.pipeline.expected.json
Expand Up @@ -1093,11 +1093,17 @@
},
{
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:StringEquals": {
"iam:ResourceTag/aws-cdk:bootstrap-role": [
"image-publishing",
"file-publishing",
"deploy"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:*:iam::*:role/*-deploy-role-*",
"arn:*:iam::*:role/*-publishing-role-*"
]
"Resource": "arn:*:iam::12345678:role/*"
},
{
"Action": "cloudformation:DescribeStacks",
Expand Down Expand Up @@ -1228,7 +1234,9 @@
[
"1",
"2",
"3"
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
Expand All @@ -1237,7 +1245,7 @@
}
]
},
"AssertDescription": "CDK bootstrap stack version 4 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
9 changes: 9 additions & 0 deletions packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
Expand Up @@ -227,6 +227,9 @@ Resources:
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}
Tags:
- Key: aws-cdk:bootstrap-role
Value: file-publishing
ImagePublishingRole:
Type: AWS::IAM::Role
Properties:
Expand All @@ -247,6 +250,9 @@ Resources:
- Ref: AWS::NoValue
RoleName:
Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region}
Tags:
- Key: aws-cdk:bootstrap-role
Value: image-publishing
LookupRole:
Type: AWS::IAM::Role
Properties:
Expand Down Expand Up @@ -430,6 +436,9 @@ Resources:
PolicyName: default
RoleName:
Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region}
Tags:
- Key: aws-cdk:bootstrap-role
Value: deploy
CloudFormationExecutionRole:
Type: AWS::IAM::Role
Properties:
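Review bot: The three new `Tags` blocks are now an authorization input — the pipelines self-mutation role's `sts:AssumeRole` grant in this same commit matches on `iam:ResourceTag/aws-cdk:bootstrap-role` — but nothing in the template says so, so a later rename or removal of the tag would silently break self-mutation, and conversely the permission to tag roles in the account now also decides which roles that principal may assume. A one-line comment above each block, e.g. `# aws-cdk:bootstrap-role is matched by IAM conditions in @aws-cdk/pipelines; do not rename or remove`, would record this for maintainers. LookupRole and CloudFormationExecutionRole are left untagged, which is consistent with the three values listed in the condition; if that is deliberate a note saying so would avoid someone "completing" the set later. If the template's bootstrap version value is not bumped elsewhere in this commit to match `MIN_BOOTSTRAP_STACK_VERSION = 6`, it should land with these tags; that line is outside the hunks shown.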
