From 74639adb468e423aa9c274b7ce339486ef28393b Mon Sep 17 00:00:00 2001
From: BLasan
Date: Wed, 17 Mar 2021 15:50:36 +0530
Subject: [PATCH 1/3] chore(aws-codepipeline-actions-bitbucket): add grantPutAcl to resolve the access denied issue Previously access control lists for putObject was not called. This had led in getting access denied issue when trying to upload objects into the s3 bucket
---
 .../aws-codepipeline-actions/lib/bitbucket/source-action.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
index 085ff15e9f162..bdaca541dbf05 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
@@ -117,6 +117,7 @@ export class BitBucketSourceAction extends Action {
 // the action needs to write the output to the pipeline bucket
 options.bucket.grantReadWrite(options.role);
+ options.bucket.grantPutAcl(options.role);
 // if codeBuildCloneOutput is true,
 // save the connectionArn in the Artifact instance
From a1a1e11fbdc95770ded09d65bbb92efe9798d7bc Mon Sep 17 00:00:00 2001
From: BLasan
Date: Mon, 22 Mar 2021 22:47:02 +0530
Subject: [PATCH 2/3] test(aws-codepipeline-actions-bitbucket): add test case to check granting s3:putObjectAcl to the codebuild-pipeline with bitbucket
---
 .../bitbucket/bitbucket-source-action.test.ts | 34 +++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
index eccbb53970d33..af7ca89f99e04 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
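Review bot: The added `options.bucket.grantPutAcl(options.role);` has no explanation, and the comment above it only covers writing the output, so a later reader cannot tell why the action role needs more than read/write. `s3:PutObjectAcl` lets that role change the ACL of objects in the pipeline bucket (the test in patch 2 shows the resource as the bucket ARN plus `/*`), which is a wider capability than uploading artifacts. I would add a comment on that line such as `// the source upload sets an object ACL, so s3:PutObject alone is denied (TODO confirm)` and state whether the artifact bucket is expected to block public ACLs, so the grant cannot be used to expose artifacts. The enclosing method starts and ends outside the hunk, so any narrower key pattern the action actually writes to cannot be judged from here.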
@@ -1,4 +1,4 @@
-import { expect, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import { Stack } from '@aws-cdk/core';
@@ -82,7 +82,37 @@ nodeunitShim({
 test.done();
 },
-
+ 'grant s3 putObjectACL to the following CodeBuild Project'(test: Test) {
+ const stack = new Stack();
+ createBitBucketAndCodeBuildPipeline(stack, {
+ codeBuildCloneOutput: true,
+ });
+ expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+ 'PolicyDocument': {
+ 'Statement': arrayWith(
+ objectLike({
+ 'Action': 's3:PutObjectAcl',
+ 'Effect': 'Allow',
+ 'Resource': {
+ 'Fn::Join': [
+ "",
+ [
+ {
+ "Fn::GetAtt": [
+ "PipelineArtifactsBucket22248F97",
+ "Arn"
+ ]
+ },
+ "/*",
+ ],
+ ],
+ },
+ }),
+ ),
+ },
+ }));
+ test.done();
+ },
 'setting triggerOnPush=false reflects in the configuration'(test: Test) {
 const stack = new Stack();
From 4a63ea779aa74824f3aeeaceecc64f047804ab2e Mon Sep 17 00:00:00 2001
From: BLasan
Date: Mon, 22 Mar 2021 23:48:04 +0530
Subject: [PATCH 3/3] chore(aws-codepipeline-actions-bitbucket): fix linting issues
---
 .../bitbucket/bitbucket-source-action.test.ts | 44 +++++++++----------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
index af7ca89f99e04..ef5a06305bd56 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
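Review bot: The new test in the `@@ -82,7 +82,37 @@` hunk only proves that some `AWS::IAM::Policy` in the stack allows `s3:PutObjectAcl` on the artifact bucket; it never checks which role the policy is attached to, so a grant that landed on the wrong principal would still pass. Adding a `Roles` matcher beside `PolicyDocument`, for example `'Roles': [{ 'Ref': '<ACTION_ROLE_LOGICAL_ID>' }],` (placeholder, take the ID from the synthesized template), would pin the grantee. The title says the grant goes to "the following CodeBuild Project" and the test sets `codeBuildCloneOutput: true`, while patch 1 calls `grantPutAcl(options.role)` ahead of the `codeBuildCloneOutput` comment, so the grant looks unconditional and aimed at the action role. A title such as `'grants s3:PutObjectAcl on the artifact bucket to the source action role'` would describe what is asserted.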
@@ -85,31 +85,31 @@ nodeunitShim({
 'grant s3 putObjectACL to the following CodeBuild Project'(test: Test) {
 const stack = new Stack();
 createBitBucketAndCodeBuildPipeline(stack, {
- codeBuildCloneOutput: true,
+ codeBuildCloneOutput: true,
 });
 expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
- 'PolicyDocument': {
- 'Statement': arrayWith(
- objectLike({
- 'Action': 's3:PutObjectAcl',
- 'Effect': 'Allow',
- 'Resource': {
- 'Fn::Join': [
- "",
- [
- {
- "Fn::GetAtt": [
- "PipelineArtifactsBucket22248F97",
- "Arn"
- ]
- },
- "/*",
+ 'PolicyDocument': {
+ 'Statement': arrayWith(
+ objectLike({
+ 'Action': 's3:PutObjectAcl',
+ 'Effect': 'Allow',
+ 'Resource': {
+ 'Fn::Join': [
+ '',
+ [
+ {
+ 'Fn::GetAtt': [
+ 'PipelineArtifactsBucket22248F97',
+ 'Arn',
 ],
- ],
- },
- }),
- ),
- },
+ },
+ '/*',
+ ],
+ ],
+ },
+ }),
+ ),
+ },
 }));
 test.done();
 },