

fix(codebuild): grant the Project's Role permissions to the KMS Key i…
…f it was passed. (#2715)

Without those permissions, uploading the Artifacts after the build will fail.
skinny85 authored Jun 3, 2019
1 parent d0e19d5 commit 4e12fe6
Showing 3 changed files with 80 additions and 1 deletion.
5 changes: 5 additions & 0 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
Expand Up @@ -494,6 +494,7 @@ export interface CommonProjectProps {
*/
readonly allowAllOutbound?: boolean;
}

export interface ProjectProps extends CommonProjectProps {
/**
* The source of the build.
Expand Down Expand Up @@ -711,6 +712,10 @@ export class Project extends ProjectBase {
this.projectName = resource.projectName;

this.addToRolePolicy(this.createLoggingPermission());

if (props.encryptionKey) {
props.encryptionKey.grantEncryptDecrypt(this);
}
}

public get securityGroups(): ec2.ISecurityGroup[] {
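Review bot: The grant on the new `if (props.encryptionKey)` lines carries no comment saying why the Role needs encrypt as well as decrypt on the key, which is the non-obvious part of this fix and currently lives only in the commit description. Suggest prefixing the block with `// The artifact upload after the build uses this key, so the Role needs encrypt, decrypt and GenerateDataKey on it (#2715).` so the reason survives in the code. The decdk snapshot in this same commit suggests the grant also lands a statement in the key's own policy naming the project Role as principal, which is worth knowing for anyone auditing key access; I have not verified that from these lines alone. The constructor enclosing these lines starts outside the hunk.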
43 changes: 42 additions & 1 deletion packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
@@ -1,6 +1,7 @@
import { expect, haveResource, haveResourceLike } from '@aws-cdk/assert';
import codecommit = require('@aws-cdk/aws-codecommit');
import ec2 = require('@aws-cdk/aws-ec2');
import kms = require('@aws-cdk/aws-kms');
import s3 = require('@aws-cdk/aws-s3');
import cdk = require('@aws-cdk/cdk');
import { Test } from 'nodeunit';
Expand Down Expand Up @@ -714,7 +715,47 @@ export = {
})
, /Configure 'allowAllOutbound' directly on the supplied SecurityGroup/);
test.done();
}
},

'with a KMS Key adds decrypt permissions to the CodeBuild Role'(test: Test) {
const stack = new cdk.Stack();

const key = new kms.Key(stack, 'MyKey');

new codebuild.PipelineProject(stack, 'MyProject', {
encryptionKey: key,
});

expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
"PolicyDocument": {
"Statement": [
{}, // CloudWatch logs
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyKey6AB29FA6",
"Arn",
],
},
},
],
},
"Roles": [
{
"Ref": "MyProjectRole9BBE5233",
},
],
}));

test.done();
},
},

'using timeout and path in S3 artifacts sets it correctly'(test: Test) {
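Review bot: The test name `'with a KMS Key adds decrypt permissions to the CodeBuild Role'` understates what it asserts, since the expected statement also lists kms:Encrypt, kms:ReEncrypt* and kms:GenerateDataKey*; rename it to `'with a KMS Key adds encrypt/decrypt permissions to the CodeBuild Role'` so a failure reads correctly. The assertion only checks the Role's policy, while the decdk snapshot in the same commit shows a matching statement appearing in the key's policy, so a second `haveResourceLike('AWS::KMS::Key', ...)` expectation would pin both halves of the grant. The `{}` placeholder for the logging statement relies on the statement order staying as it is; a short comment such as `// index 0 is the CloudWatch Logs statement added first in the constructor` would help whoever next reorders the addToRolePolicy calls.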
33 changes: 33 additions & 0 deletions packages/decdk/test/__snapshots__/synth.test.js.snap
Expand Up @@ -1787,6 +1787,21 @@ Object {
},
],
},
Object {
"Action": Array [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
],
"Effect": "Allow",
"Resource": Object {
"Fn::GetAtt": Array [
"Key961B73FD",
"Arn",
],
},
},
Object {
"Action": Array [
"s3:GetObject*",
Expand Down Expand Up @@ -1889,6 +1904,24 @@ Object {
},
"Resource": "*",
},
Object {
"Action": Array [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
],
"Effect": "Allow",
"Principal": Object {
"AWS": Object {
"Fn::GetAtt": Array [
"BuildProjectRoleAA92C755",
"Arn",
],
},
},
"Resource": "*",
},
],
"Version": "2012-10-17",
},
