Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(codebuild): Project lacks permissions for SSM ParameterStore environment variables #11770

Merged
merged 3 commits into from
Nov 30, 2020
Merged

fix(codebuild): Project lacks permissions for SSM ParameterStore environment variables #11770

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e21f33c
fix(aws-codebuild): grant parameter store read permission for pipelin…
cvrajeesh Nov 29, 2020
0df9eb0
fix: remove unwanted import
cvrajeesh Nov 29, 2020
24844f9
Merge branch 'master' into fix/pipeline-build-stuck
mergify[bot] Nov 30, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -792,6 +792,7 @@ export class Project extends ProjectBase {
this.projectName = this.getResourceNameAttribute(resource.ref);

this.addToRolePolicy(this.createLoggingPermission());
this.addParameterStorePermission(props);
// add permissions to create and use test report groups
// with names starting with the project's name,
// unless the customer explicitly opts out of it
Expand Down Expand Up @@ -923,6 +924,30 @@ export class Project extends ProjectBase {
});
}

private addParameterStorePermission(props: ProjectProps) {
if (!props.environmentVariables) {
return;
}

const resources = Object.values(props.environmentVariables)
.filter(envVariable => envVariable.type === BuildEnvironmentVariableType.PARAMETER_STORE)
.map(envVariable => Stack.of(this).formatArn({
service: 'ssm',
resource: 'parameter',
sep: ':',
resourceName: envVariable.value,
}));

if (resources.length === 0) {
return;
}

this.addToRolePolicy(new iam.PolicyStatement({
actions: ['ssm:GetParameters'],
resources,
}));
}

private renderEnvironment(
env: BuildEnvironment = {},
projectVars: { [name: string]: BuildEnvironmentVariable } = {}): CfnProject.EnvironmentProperty {
Expand Down
154 changes: 153 additions & 1 deletion packages/@aws-cdk/aws-codebuild/test/test.project.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { countResources, expect, haveResource, haveResourceLike, objectLike, not, ResourcePart } from '@aws-cdk/assert';
import { countResources, expect, haveResource, haveResourceLike, objectLike, not, ResourcePart, arrayWith } from '@aws-cdk/assert';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';
import * as logs from '@aws-cdk/aws-logs';
Expand Down Expand Up @@ -738,4 +738,156 @@ export = {
test.done();
},
},

'EnvironmentVariables': {
'can use environment variables from parameter store'(test: Test) {
// GIVEN
const stack = new cdk.Stack();

// WHEN
new codebuild.Project(stack, 'Project', {
source: codebuild.Source.s3({
bucket: new s3.Bucket(stack, 'Bucket'),
path: 'path',
}),
environment: {
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('myimage'),
},
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
value: '/params/param1',
},
},
});

// THEN
expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
Environment: objectLike({
EnvironmentVariables: [{
Name: 'ENV_VAR1',
Type: 'PARAMETER_STORE',
Value: '/params/param1',
}],
}),
}));

test.done();
},


'grant read permission for parameter store variables'(test: Test) {
// GIVEN
const stack = new cdk.Stack();

// WHEN
new codebuild.Project(stack, 'Project', {
source: codebuild.Source.s3({
bucket: new s3.Bucket(stack, 'Bucket'),
path: 'path',
}),
environment: {
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('myimage'),
},
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
value: '/params/param1',
},
'ENV_VAR2': {
type: codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
value: '/params/param2',
},
},
});

// THEN
expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
'PolicyDocument': {
'Statement': arrayWith(objectLike({
'Action': 'ssm:GetParameters',
'Effect': 'Allow',
'Resource': [{
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':ssm:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':parameter:/params/param1',
],
],
},
{
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':ssm:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':parameter:/params/param2',
],
],
}],
})),
},
}));


test.done();
},

'should not grant read permission when variables are not from parameter store'(test: Test) {

// GIVEN
const stack = new cdk.Stack();

// WHEN
new codebuild.Project(stack, 'Project', {
source: codebuild.Source.s3({
bucket: new s3.Bucket(stack, 'Bucket'),
path: 'path',
}),
environment: {
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('myimage'),
},
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
value: 'var1-value',
},
},
});

// THEN
expect(stack).notTo(haveResourceLike('AWS::IAM::Policy', {
'PolicyDocument': {
'Statement': arrayWith(objectLike({
'Action': 'ssm:GetParameters',
'Effect': 'Allow',
})),
},
}));

test.done();
},
},
};