From 958acc2e3d12284934e1a8641217f1d3b8793818 Mon Sep 17 00:00:00 2001
From: Adam Ruka <adamruka@amazon.com>
Date: Tue, 2 Jul 2019 16:50:08 -0700
Subject: [PATCH] fix(codepipeline): grant missing permisisons to the
 CloudFormationExecuteChangeSetAction. (#3178)

Fixes #3160
---
 .../app-delivery/test/integ.cicd.expected.json         |  8 ++++++--
 .../lib/cloudformation/pipeline-actions.ts             |  8 ++++++--
 .../test/cloudformation/test.pipeline-actions.ts       | 10 +++++++---
 .../integ.cfn-template-from-repo.lit.expected.json     |  8 ++++++--
 4 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json b/packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
index 21344b4d43d45..5cf8e0a60e2eb 100644
--- a/packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
+++ b/packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
@@ -251,9 +251,13 @@
         "PolicyDocument": {
           "Statement": [
             {
-              "Action": "cloudformation:ExecuteChangeSet",
+              "Action": [
+                "cloudformation:DescribeChangeSet",
+                "cloudformation:DescribeStacks",
+                "cloudformation:ExecuteChangeSet"
+              ],
               "Condition": {
-                "StringEquals": {
+                "StringEqualsIfExists": {
                   "cloudformation:ChangeSetName": "CICD-ChangeSet"
                 }
               },
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts
index b47f288b268e8..721a91f465963 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts
@@ -494,8 +494,12 @@ class SingletonPolicy extends cdk.Construct implements iam.IGrantable {
 
   public grantExecuteChangeSet(props: { stackName: string, changeSetName: string, region?: string }): void {
     this.statementFor({
-      actions: ['cloudformation:ExecuteChangeSet'],
-      conditions: { StringEquals: { 'cloudformation:ChangeSetName': props.changeSetName } },
+      actions: [
+        'cloudformation:DescribeStacks',
+        'cloudformation:DescribeChangeSet',
+        'cloudformation:ExecuteChangeSet',
+      ],
+      conditions: { StringEqualsIfExists: { 'cloudformation:ChangeSetName': props.changeSetName } },
     }).addResources(this.stackArnFromProps(props));
   }
 
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/test.pipeline-actions.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/test.pipeline-actions.ts
index 534d261a68716..b07c7675c86bd 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/test.pipeline-actions.ts
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/cloudformation/test.pipeline-actions.ts
@@ -123,7 +123,7 @@ export = nodeunit.testCase({
 
       const stackArn = _stackArn('MyStack', stack);
       _assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:ExecuteChangeSet', stackArn,
-                               { StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } });
+                               { StringEqualsIfExists: { 'cloudformation:ChangeSetName': 'MyChangeSet' } });
 
       _assertActionMatches(test, stage.actions, 'CloudFormation', 'Deploy', {
         ActionMode: 'CHANGE_SET_EXECUTE',
@@ -157,8 +157,12 @@ export = nodeunit.testCase({
         stack.resolve(pipelineRole.statements.map(s => s.toStatementJson())),
         [
           {
-            Action: 'cloudformation:ExecuteChangeSet',
-            Condition: { StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } },
+            Action: [
+              'cloudformation:DescribeChangeSet',
+              'cloudformation:DescribeStacks',
+              'cloudformation:ExecuteChangeSet',
+            ],
+            Condition: { StringEqualsIfExists: { 'cloudformation:ChangeSetName': 'MyChangeSet' } },
             Effect: 'Allow',
             Resource: [
               // tslint:disable-next-line:max-line-length
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
index a10e73ff2e813..3c773d87b0407 100644
--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -770,9 +770,13 @@
         "PolicyDocument": {
           "Statement": [
             {
-              "Action": "cloudformation:ExecuteChangeSet",
+              "Action": [
+                "cloudformation:DescribeChangeSet",
+                "cloudformation:DescribeStacks",
+                "cloudformation:ExecuteChangeSet"
+              ],
               "Condition": {
-                "StringEquals": {
+                "StringEqualsIfExists": {
                   "cloudformation:ChangeSetName": "StagedChangeSet"
                 }
               },