feat(aws-cloudformation): add permission management to CreateUpdate and Delete Stack CodePipeline Actions #880
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
skinny85
force-pushed
the
feature/cfn-stack-action-perms
branch
from
0a19539
to
0af0279
Compare
|
My refactoring changed the order of some permissions. |
skinny85
force-pushed
the
feature/cfn-stack-action-perms
branch
from
0af0279
to
0213e6b
Compare
In 2 integ tests, as it turns out. |
|
@skinny85 can you please add a PR description and make sure your PR title adheres to conventionalcommits |
eladb
approved these changes
Oct 10, 2018
| @@ -210,6 +210,10 @@ export abstract class PipelineCloudFormationDeployAction extends PipelineCloudFo | |||
| this.role.addToPolicy(new iam.PolicyStatement().addAction('*').addAllResources()); | |||
| } | |||
| } | |||
|
|
|||
| props.stage.pipelineRole.addToPolicy(new iam.PolicyStatement() | |||
There was a problem hiding this comment.
Add a comment explaining why this is needed
There was a problem hiding this comment.
I don't reckon that's needed for all actions (you need this only to CreateReplaceChangeSet, but not to ExecuteChangeSet, for example). Factoring this here violates the principle of least privilege to me. Since this allows passing a role with permissions to do "everything" (via CloudFormation), I would argue we need this to be as tight as possible.
There was a problem hiding this comment.
It's not needed for all Actions. This code has been moved to PipelineCloudFormationDeployAction, of which all subclasses need it. ExecuteChangeSet extends a different class (PipelineCloudFormationAction), and thus does not have this permission.
There was a problem hiding this comment.
Add a comment explaining why this is needed
Done.
skinny85
changed the title
skinny85
force-pushed
the
feature/cfn-stack-action-perms
branch
from
0213e6b
to
64810de
Compare
|
Updated the comment according to Elad's feedback. |
…nd Delete Stack CodePipeline Actions.
skinny85
force-pushed
the
feature/cfn-stack-action-perms
branch
from
64810de
to
3ace300
Compare
|
Rebased to solve a conflict. |
RomainMuller
added a commit
that referenced
this pull request
Oct 12, 2018
__IMPORTANT NOTE__: This release includes a [breaking change](#845) in the AWS CodePipeline construct library: * The `inputArtifacts` and `outputArtifacts` properties of `Action` were intended for internal usage only, and have consequently been renamed to `_inputArtifacts` and `_outputArtifacts` respectively. * The `artifact` property of `Action` classes was renamed to `outputArtifact`. * The `artifactName` property of `Action` classes was renamed to `outputArtifactName`. * It is no longer possible to add output artifacts to `Actions` by instantiating `Artifact`. This release also includes a [fix](#911) for a bug that would make the toolkit unusable for multi-stack applications. In order to benefit from this fix, a globally installed CDK toolkit must also be updated: ```shell $ npm i -g aws-cdk $ cdk --version 0.12.0 (build ...) ``` Like always, you will also need to update your project's library versions: |Language|Update?| |--------|-------| |JavaScript/TypeScript (npm)|[`npx npm-check-updates -u`](https://www.npmjs.com/package/npm-check-updates)| |Java (maven)|[`mvn versions:use-latest-versions`](https://www.mojohaus.org/versions-maven-plugin/use-latest-versions-mojo.html) |.NET (NuGet)|[`nuget update`](https://docs.microsoft.com/en-us/nuget/tools/cli-ref-update) * **aws-cdk:** multi-stack apps can be synthesized or deployed [#911](#911). * **@aws-cdk/aws-codebuild:** allow passing oauth token to GitHubEnterpriseSource [#908](#908) * **@aws-cdk/aws-codepipeline:** make input and output artifact names optional when creating Actions. [#845](#945) * **@aws-cdk/aws-cloudformation:** add permission management to CreateUpdate and Delete Stack CodePipeline Actions. [#880](#880)
RomainMuller
added a commit
that referenced
this pull request
Oct 12, 2018
* **aws-codebuild:** allow passing oauth token to GitHubEnterpriseSource ([#908](#908)) ([c23da91](c23da91)) * **toolkit:** multi-stack apps cannot be synthesized or deployed ([#911](#911)) ([5511076](5511076)), closes [#868](#868) [#294](#294) [#910](#910) * **aws-cloudformation:** add permission management to CreateUpdate and Delete Stack CodePipeline Actions. ([#880](#880)) ([8b3ae43](8b3ae43)) * **aws-codepipeline:** make input and output artifact names optional when creating Actions. ([#845](#845)) ([3d91c93](3d91c93)) * **aws-codepipeline:** this commit contains the following breaking changes: * Rename 'artifactName' in Action construction properties to 'outputArtifactName' * Rename the 'artifact' property of Actions to 'outputArtifact' * No longer allow adding output artifacts to Actions by instantiating the Artifact class * Rename Action#input/outputArtifacts properties to _input/_outputArtifacts Previously, we always required customers to explicitly name the output artifacts the Actions used in the Pipeline, and to explicitly "wire together" the outputs of one Action as inputs to another. With this change, the CodePipeline Construct generates artifact names, if the customer didn't provide one explicitly, and tries to find the first available output artifact to use as input to a newly created Action that needs it, thus turning both the input and output artifacts from required to optional properties.
Merged
RomainMuller
added a commit
that referenced
this pull request
Oct 12, 2018
* **aws-codebuild:** allow passing oauth token to GitHubEnterpriseSource ([#908](#908)) ([c23da91](c23da91)) * **toolkit:** multi-stack apps cannot be synthesized or deployed ([#911](#911)) ([5511076](5511076)), closes [#868](#868) [#294](#294) [#910](#910) * **aws-cloudformation:** add permission management to CreateUpdate and Delete Stack CodePipeline Actions. ([#880](#880)) ([8b3ae43](8b3ae43)) * **aws-codepipeline:** make input and output artifact names optional when creating Actions. ([#845](#845)) ([3d91c93](3d91c93)) * **aws-codepipeline:** this commit contains the following breaking changes: * Rename 'artifactName' in Action construction properties to 'outputArtifactName' * Rename the 'artifact' property of Actions to 'outputArtifact' * No longer allow adding output artifacts to Actions by instantiating the Artifact class * Rename Action#input/outputArtifacts properties to _input/_outputArtifacts Previously, we always required customers to explicitly name the output artifacts the Actions used in the Pipeline, and to explicitly "wire together" the outputs of one Action as inputs to another. With this change, the CodePipeline Construct generates artifact names, if the customer didn't provide one explicitly, and tries to find the first available output artifact to use as input to a newly created Action that needs it, thus turning both the input and output artifacts from required to optional properties.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Follow-up from #843.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.