diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json index 1d9619be9c0c9..ebb4a166033b5 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.expected.json 
@@ -1,5 +1,146 @@ { "Resources": { + "SourceBucketDDD2130A": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SourceBucketPolicy703DFBF9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "SourceBucketDDD2130A" + } + }, + "DependsOn": [ + "SourceBucketPolicy703DFBF9" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": 
"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "SourceBucketDDD2130A" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "TestPipelineArtifactsBucketEncryptionKey13258842": { "Type": "AWS::KMS::Key", "Properties": { @@ -17,7 +158,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -39,7 +184,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -153,7 +309,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -307,6 +474,12 @@ "Arn" ] }, + { + "Fn::GetAtt": [ + "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", + "Arn" + ] + }, { "Fn::GetAtt": [ "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", @@ -327,7 +500,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } 
@@ -359,23 +543,28 @@ { "ActionTypeId": { "Category": "Source", - "Owner": "ThirdParty", - "Provider": "GitHub", + "Owner": "AWS", + "Provider": "S3", "Version": "1" }, "Configuration": { - "Owner": "OWNER", - "Repo": "REPO", - "Branch": "master", - "OAuthToken": "not-a-secret", - "PollForSourceChanges": true + "S3Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "S3ObjectKey": "key" }, - "Name": "GitHub", + "Name": "S3", "OutputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], + "RoleArn": { + "Fn::GetAtt": [ + "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", + "Arn" + ] + }, "RunOrder": 1 } ], @@ -398,7 +587,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "Synth", @@ -497,7 +686,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -519,7 +719,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -546,7 +757,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -693,7 +915,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -715,7 +948,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -742,7 +986,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -766,7 +1021,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -788,7 +1054,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -815,7 +1092,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -839,7 +1127,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -861,7 +1160,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -888,7 +1198,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -965,7 +1286,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -987,7 +1319,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -1014,7 +1357,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -1038,7 +1392,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -1060,7 +1425,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -1087,7 +1463,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -1126,6 +1513,133 @@ "TestPipelineRole63C35BBD" ] }, + "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/key" + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "TestPipelineArtifactsBucket026AF2F9", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestPipelineArtifactsBucket026AF2F9", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "TestPipelineArtifactsBucketEncryptionKey13258842", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD", + "Roles": [ + { + "Ref": "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0" + } + ] + } + }, "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -1143,7 +1657,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1222,7 +1740,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" }, @@ -1238,7 +1764,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" } @@ -1264,7 +1798,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" }, @@ -1395,7 +1937,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1453,7 +1999,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1481,7 +2031,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1539,7 +2093,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1567,7 +2125,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1625,7 +2187,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1653,7 +2219,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } 
@@ -1711,7 +2281,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1786,7 +2360,9 @@ "Type": "AWS::Lambda::Function", "Properties": { "Code": { - "S3Bucket": "cdk-hnb659fds-assets-12345678-test-region", + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, "S3Key": "6c6c8f170c2cc5c6e35d90fe172fbc17cae75777b84707d58332dee79f444404.zip" }, "Role": { @@ -1842,7 +2418,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" }, @@ -1858,7 +2442,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" } @@ -1884,7 +2476,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" }, @@ -2104,7 +2704,9 @@ "Type": "AWS::Lambda::Function", "Properties": { "Code": { - "S3Bucket": "cdk-hnb659fds-assets-12345678-test-region", + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, "S3Key": "6c6c8f170c2cc5c6e35d90fe172fbc17cae75777b84707d58332dee79f444404.zip" }, "Role": { 
@@ -2160,7 +2762,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" },
@@ -2176,7 +2786,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" }
@@ -2202,7 +2820,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" },
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts
index a5d257b78523e..2bcf8654368c1 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts
@@ -2,9 +2,10 @@
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
 import * as iam from '@aws-cdk/aws-iam';
+import * as s3 from '@aws-cdk/aws-s3';
 import * as sns from '@aws-cdk/aws-sns';
 import * as subscriptions from '@aws-cdk/aws-sns-subscriptions';
-import { App, SecretValue, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
+import { App, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as cdkp from '../lib';
@@ -12,7 +13,6 @@ class MyStage extends Stage {
 constructor(scope: Construct, id: string, props?: StageProps) {
 super(scope, id, props);
 const stack = new Stack(this, 'MyStack', {
- env: props?.env,
 });
 const topic = new sns.Topic(stack, 'Topic');
 topic.grantPublish(new iam.AccountPrincipal(stack.account));
@@ -23,7 +23,6 @@ class MySafeStage extends Stage {
 constructor(scope: Construct, id: string, props?: StageProps) {
 super(scope, id, props);
 const stack = new Stack(this, 'MySafeStack', {
- env: props?.env,
 });
 new sns.Topic(stack, 'MySafeTopic');
 }
@@ -36,18 +35,20 @@ export class TestCdkStack extends Stack {
 // The code that defines your stack goes here
 const sourceArtifact = new codepipeline.Artifact();
 const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm');
+ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+ });
 const pipeline = new cdkp.CdkPipeline(this, 'TestPipeline', {
 selfMutating: false,
 pipelineName: 'TestPipeline',
 cloudAssemblyArtifact,
- sourceAction: new codepipeline_actions.GitHubSourceAction({
- actionName: 'GitHub',
+ sourceAction: new codepipeline_actions.S3SourceAction({
+ bucket: sourceBucket,
 output: sourceArtifact,
- oauthToken: SecretValue.plainText('not-a-secret'),
- owner: 'OWNER',
- repo: 'REPO',
- trigger: codepipeline_actions.GitHubTrigger.POLL,
+ bucketKey: 'key',
+ actionName: 'S3',
 }),
 synthAction: cdkp.SimpleSynthAction.standardYarnSynth({
 sourceArtifact,
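Review bot: The `SourceBucket` created in the third hunk is handed to `S3SourceAction` without `versioned: true`, and CodePipeline requires versioning on an S3 source bucket, so this stack synthesizes and matches its snapshot but the pipeline's source stage would fail once deployed; declare it as `new s3.Bucket(this, 'SourceBucket', { versioned: true, removalPolicy: RemovalPolicy.DESTROY, autoDeleteObjects: true })`. The same omission is in the `SourceBucket` hunk of integ.pipeline-with-assets-single-upload.ts. A one-line comment above the declaration, `// a bucket used as a CodePipeline source must be versioned`, would keep that requirement visible next to the test fixture. Replacing the plain-text `oauthToken` with an S3 source is otherwise a clear improvement for a test file. The enclosing TestCdkStack constructor starts and ends outside the hunk.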
@@ -74,28 +75,21 @@ export class TestCdkStack extends Stack {
 topic.addSubscription(new subscriptions.EmailSubscription('test@email.com'));
 unattachedStage.addApplication(new MyStage(this, 'SingleStage', {
- env: { account: this.account, region: this.region },
 }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic });
 const stage1 = pipeline.addApplicationStage(new MyStage(this, 'PreProduction', {
- env: { account: this.account, region: this.region },
 }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic });
 stage1.addApplication(new MySafeStage(this, 'SafeProduction', {
- env: { account: this.account, region: this.region },
 }));
 stage1.addApplication(new MySafeStage(this, 'DisableSecurityCheck', {
- env: { account: this.account, region: this.region },
 }), { confirmBroadeningPermissions: false });
 const stage2 = pipeline.addApplicationStage(new MyStage(this, 'NoSecurityCheck', {
- env: { account: this.account, region: this.region },
 }));
- stage2.addApplication(new MyStage(this, 'EnableSecurityCheck', {
- env: { account: this.account, region: this.region },
- }), { confirmBroadeningPermissions: true });
+ stage2.addApplication(new MyStage(this, 'EnableSecurityCheck', { }), { confirmBroadeningPermissions: true });
 }
 }
@@ -104,7 +98,5 @@ const app = new App({
 '@aws-cdk/core:newStyleStackSynthesis': 'true',
 },
 });
-new TestCdkStack(app, 'PipelineSecurityStack', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-});
+new TestCdkStack(app, 'PipelineSecurityStack');
 app.synth();
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.expected.json
index cd761893998ed..57ebcfe3c9483 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.expected.json
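Review bot: The rewritten `EnableSecurityCheck` line keeps an empty props literal, `new MyStage(this, 'EnableSecurityCheck', { })`, and the five calls above it are left with an empty `{ }` spread over two lines after their `env` entries were removed, while the sibling file now writes `new MyStage(this, 'PreProd')`. Since `props` is optional on both stage classes, dropping the empty objects reads cleaner and matches the other file: `stage2.addApplication(new MyStage(this, 'EnableSecurityCheck'), { confirmBroadeningPermissions: true });` and likewise `new MyStage(this, 'SingleStage')`, `new MySafeStage(this, 'SafeProduction')` and the rest. The enclosing constructor of TestCdkStack starts outside the hunk.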
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.expected.json 
@@ -1,5 +1,146 @@ { "Resources": { + "SourceBucketDDD2130A": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SourceBucketPolicy703DFBF9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "SourceBucketDDD2130A" + } + }, + "DependsOn": [ + "SourceBucketPolicy703DFBF9" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": 
"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "SourceBucketDDD2130A" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "PipelineArtifactsBucketEncryptionKeyF5BF0670": { "Type": "AWS::KMS::Key", "Properties": { @@ -17,7 +158,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -39,7 +184,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -153,7 +309,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -283,6 +450,12 @@ "Arn" ] }, + { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, { "Fn::GetAtt": [ "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", @@ -297,7 +470,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } 
@@ -329,23 +513,28 @@ { "ActionTypeId": { "Category": "Source", - "Owner": "ThirdParty", - "Provider": "GitHub", + "Owner": "AWS", + "Provider": "S3", "Version": "1" }, "Configuration": { - "Owner": "OWNER", - "Repo": "REPO", - "Branch": "master", - "OAuthToken": "not-a-secret", - "PollForSourceChanges": true + "S3Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "S3ObjectKey": "key" }, - "Name": "GitHub", + "Name": "S3", "OutputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], + "RoleArn": { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, "RunOrder": 1 } ], @@ -368,7 +557,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "Synth", @@ -471,7 +660,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "UseSource", @@ -501,7 +690,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -523,7 +723,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -550,7 +761,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -582,6 +804,133 @@ "PipelineRoleB27FAA37" ] }, + "PipelineSourceS3CodePipelineActionRole83895A58": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/key" + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKeyF5BF0670", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", + "Roles": [ + { + "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" + } + ] + } + }, "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -599,7 +948,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -678,7 +1031,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -694,7 +1055,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" } @@ -720,7 +1089,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -852,7 +1229,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -910,7 +1291,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -989,7 +1374,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -1005,7 +1398,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" } 
@@ -1031,7 +1432,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -1169,7 +1578,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1185,7 +1602,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" } @@ -1211,7 +1636,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1232,7 +1665,18 @@ } }, "Effect": "Allow", - "Resource": "arn:*:iam::12345678:role/*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:*:iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/*" + ] + ] + } }, { "Action": [ @@ -1350,7 +1794,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] }, @@ -1382,7 +1830,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/*" + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/*" ] ] } @@ -1404,7 +1860,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/*" + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/*" ] ] } 
@@ -1422,7 +1886,7 @@
 "Action": "sts:AssumeRole",
 "Effect": "Allow",
 "Resource": {
- "Fn::Sub": "arn:${AWS::Partition}:iam::12345678:role/cdk-hnb659fds-file-publishing-role-12345678-test-region"
+ "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 },
 {
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts
index e5461ebe6efe1..2dc718ca525a9 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets-single-upload.ts
@@ -2,8 +2,9 @@ import * as path from 'path';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
+import * as s3 from '@aws-cdk/aws-s3';
 import * as s3_assets from '@aws-cdk/aws-s3-assets';
-import { App, CfnResource, SecretValue, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
+import { App, CfnResource, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as cdkp from '../lib';
@@ -37,18 +38,20 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm');
 const integTestArtifact = new codepipeline.Artifact('IntegTests');
+ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+ });
 const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
 cloudAssemblyArtifact,
 singlePublisherPerType: true,
 // Where the source can be found
- sourceAction: new codepipeline_actions.GitHubSourceAction({
- actionName: 'GitHub',
+ sourceAction: new codepipeline_actions.S3SourceAction({
+ bucket: sourceBucket,
 output: sourceArtifact,
- oauthToken: SecretValue.plainText('not-a-secret'),
- owner: 'OWNER',
- repo: 'REPO',
- trigger: codepipeline_actions.GitHubTrigger.POLL,
+ bucketKey: 'key',
+ actionName: 'S3',
 }),
 // How it will be built
@@ -67,9 +70,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 // This is where we add the application stages
 // ...
- const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
- }));
+ const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd'));
 stage.addActions(
 new cdkp.ShellScriptAction({
 actionName: 'UseSource',
@@ -88,7 +89,5 @@ const app = new App({
 '@aws-cdk/core:newStyleStackSynthesis': 'true',
 },
 });
-new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-});
+new CdkpipelinesDemoPipelineStack(app, 'PipelineStack');
 app.synth();
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.expected.json
index 89fe06e7c3e32..32190a9c57562 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.expected.json
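Review bot: The new `SourceBucket` is created with only `removalPolicy` and `autoDeleteObjects`, so it has no versioning, no public-access block and no TLS enforcement (the synthesized `SourceBucketDDD2130A` resource in the expected JSON confirms only Tags are set); CodePipeline's S3 source action requires a versioned bucket, so if this stack is ever deployed rather than only synthesized the Source stage would fail until `versioned: true` is added, and `blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL` and `enforceSSL: true` are cheap hardening for a bucket that feeds build input into the pipeline. The bucket is also created empty, so a first execution would stall at the object `bucketKey: 'key'` until something is uploaded there; a short comment on that line saying the integ test only needs to synthesize would make the intent clear. The same `SourceBucket` hunk appears in integ.pipeline-with-assets.ts and integ.pipeline-with-variables.ts and the note applies there too.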
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.expected.json 
@@ -1,5 +1,146 @@ { "Resources": { + "SourceBucketDDD2130A": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SourceBucketPolicy703DFBF9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "SourceBucketDDD2130A" + } + }, + "DependsOn": [ + "SourceBucketPolicy703DFBF9" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": 
"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "SourceBucketDDD2130A" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "PipelineArtifactsBucketEncryptionKeyF5BF0670": { "Type": "AWS::KMS::Key", "Properties": { @@ -17,7 +158,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -39,7 +184,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -153,7 +309,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -283,6 +450,12 @@ "Arn" ] }, + { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, { "Fn::GetAtt": [ "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", @@ -297,7 +470,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } 
@@ -329,23 +513,28 @@ { "ActionTypeId": { "Category": "Source", - "Owner": "ThirdParty", - "Provider": "GitHub", + "Owner": "AWS", + "Provider": "S3", "Version": "1" }, "Configuration": { - "Owner": "OWNER", - "Repo": "REPO", - "Branch": "master", - "OAuthToken": "not-a-secret", - "PollForSourceChanges": true + "S3Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "S3ObjectKey": "key" }, - "Name": "GitHub", + "Name": "S3", "OutputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], + "RoleArn": { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, "RunOrder": 1 } ], @@ -368,7 +557,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "Synth", @@ -498,7 +687,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "UseSource", @@ -528,7 +717,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -550,7 +750,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -577,7 +788,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -609,6 +831,133 @@ "PipelineRoleB27FAA37" ] }, + "PipelineSourceS3CodePipelineActionRole83895A58": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/key" + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKeyF5BF0670", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", + "Roles": [ + { + "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" + } + ] + } + }, "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -626,7 +975,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -705,7 +1058,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -721,7 +1082,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" } @@ -747,7 +1116,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -879,7 +1256,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -937,7 +1318,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -1016,7 +1401,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -1032,7 +1425,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" } 
@@ -1058,7 +1459,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -1196,7 +1605,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1212,7 +1629,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" } @@ -1238,7 +1663,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1259,7 +1692,18 @@ } }, "Effect": "Allow", - "Resource": "arn:*:iam::12345678:role/*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:*:iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/*" + ] + ] + } }, { "Action": [ @@ -1377,7 +1821,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] }, @@ -1409,7 +1857,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/*" + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/*" ] ] } @@ -1431,7 +1887,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/*" + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/*" ] ] } 
@@ -1449,7 +1913,7 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::12345678:role/cdk-hnb659fds-file-publishing-role-12345678-test-region" + "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } }, { @@ -1526,7 +1990,7 @@ ] }, "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g cdk-assets@1\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk-assets --path \\\"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\\\" --verbose publish \\\"8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5:12345678-test-region\\\"\"\n ]\n }\n }\n}", + "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g cdk-assets@1\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk-assets --path \\\"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\\\" --verbose publish \\\"8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5:current_account-current_region\\\"\"\n ]\n }\n }\n}", "Type": "CODEPIPELINE" }, "Cache": { 
@@ -1560,7 +2024,7 @@
 ]
 },
 "Source": {
- "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g cdk-assets@1\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk-assets --path \\\"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\\\" --verbose publish \\\"ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e:12345678-test-region\\\"\"\n ]\n }\n }\n}",
+ "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g cdk-assets@1\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk-assets --path \\\"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\\\" --verbose publish \\\"ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e:current_account-current_region\\\"\"\n ]\n }\n }\n}",
 "Type": "CODEPIPELINE"
 },
 "Cache": {
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts
index 41b2e6ae0cdc2..c2c9d0a733df8 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-assets.ts
@@ -2,8 +2,9 @@ import * as path from 'path';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
+import * as s3 from '@aws-cdk/aws-s3';
 import * as s3_assets from '@aws-cdk/aws-s3-assets';
-import { App, CfnResource, SecretValue, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
+import { App, CfnResource, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as cdkp from '../lib';
@@ -37,17 +38,19 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm');
 const integTestArtifact = new codepipeline.Artifact('IntegTests');
+ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+ });
 const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
 cloudAssemblyArtifact,
 // Where the source can be found
- sourceAction: new codepipeline_actions.GitHubSourceAction({
- actionName: 'GitHub',
+ sourceAction: new codepipeline_actions.S3SourceAction({
+ bucket: sourceBucket,
 output: sourceArtifact,
- oauthToken: SecretValue.plainText('not-a-secret'),
- owner: 'OWNER',
- repo: 'REPO',
- trigger: codepipeline_actions.GitHubTrigger.POLL,
+ bucketKey: 'key',
+ actionName: 'S3',
 }),
 // How it will be built
@@ -66,9 +69,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 // This is where we add the application stages
 // ...
- const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
- }));
+ const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd'));
 stage.addActions(
 new cdkp.ShellScriptAction({
 actionName: 'UseSource',
@@ -87,7 +88,5 @@ const app = new App({
 '@aws-cdk/core:newStyleStackSynthesis': 'true',
 },
 });
-new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-});
+new CdkpipelinesDemoPipelineStack(app, 'PipelineStack');
 app.synth();
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.expected.json
index 49ac746217192..8ac5312c4acbe 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.expected.json
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.expected.json 
@@ -1,5 +1,146 @@ { "Resources": { + "SourceBucketDDD2130A": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SourceBucketPolicy703DFBF9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "SourceBucketDDD2130A" + } + }, + "DependsOn": [ + "SourceBucketPolicy703DFBF9" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": 
"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "SourceBucketDDD2130A" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "PipelineArtifactsBucketAEA9A052": { "Type": "AWS::S3::Bucket", "Properties": { @@ -149,6 +290,12 @@ "PipelineMyWaveProduceCodePipelineActionRoleE0DCE9D3", "Arn" ] + }, + { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] } ] } @@ -178,23 +325,30 @@ { "ActionTypeId": { "Category": "Source", - "Owner": "ThirdParty", - "Provider": "GitHub", + "Owner": "AWS", + "Provider": "S3", "Version": "1" }, "Configuration": { - "Owner": "cdklabs", - "Repo": "construct-hub-probe", - "Branch": "main", - "OAuthToken": "{{resolve:secretsmanager:github-token:SecretString:::}}", - "PollForSourceChanges": true + "S3Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "S3ObjectKey": "key" + }, + "Name": { + "Ref": "SourceBucketDDD2130A" }, - "Name": "cdklabs_construct-hub-probe", "OutputArtifacts": [ { - "Name": "cdklabs_construct_hub_probe_Source" + "Name": "c8afb86a650460a8cc607cf72a0827e7c93d0d6d5c_Source" } ], + "RoleArn": { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, "RunOrder": 1 } ], @@ -216,7 +370,7 @@ }, "InputArtifacts": [ { - "Name": "cdklabs_construct_hub_probe_Source" + "Name": "c8afb86a650460a8cc607cf72a0827e7c93d0d6d5c_Source" } ], "Name": "Synth", 
@@ -252,7 +406,7 @@ }, "InputArtifacts": [ { - "Name": "cdklabs_construct_hub_probe_Source" + "Name": "c8afb86a650460a8cc607cf72a0827e7c93d0d6d5c_Source" } ], "Name": "Produce", @@ -280,7 +434,7 @@ }, "InputArtifacts": [ { - "Name": "cdklabs_construct_hub_probe_Source" + "Name": "c8afb86a650460a8cc607cf72a0827e7c93d0d6d5c_Source" } ], "Name": "Consume", 
@@ -309,6 +463,118 @@ "PipelineRoleB27FAA37" ] }, + "PipelineSourceS3CodePipelineActionRole83895A58": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/key" + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", + "Roles": [ + { + "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" + } + ] + } + }, "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { "Type": "AWS::IAM::Role", "Properties": { @@ -347,7 +613,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, 
@@ -363,7 +637,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" } @@ -389,7 +671,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -493,7 +783,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -572,7 +866,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineMyWaveProduce884410D6" }, @@ -588,7 +890,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineMyWaveProduce884410D6" } @@ -614,7 +924,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineMyWaveProduce884410D6" }, @@ -711,7 +1029,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -790,7 +1112,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineMyWaveConsumeC5D5CCD7" }, 
@@ -806,7 +1136,15 @@
 {
 "Ref": "AWS::Partition"
 },
- ":logs:test-region:12345678:log-group:/aws/codebuild/",
+ ":logs:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":log-group:/aws/codebuild/",
 {
 "Ref": "PipelineMyWaveConsumeC5D5CCD7"
 }
@@ -832,7 +1170,15 @@
 {
 "Ref": "AWS::Partition"
 },
- ":codebuild:test-region:12345678:report-group/",
+ ":codebuild:",
+ {
+ "Ref": "AWS::Region"
+ },
+ ":",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":report-group/",
 {
 "Ref": "PipelineMyWaveConsumeC5D5CCD7"
 },
@@ -929,7 +1275,11 @@
 {
 "Ref": "AWS::Partition"
 },
- ":iam::12345678:root"
+ ":iam::",
+ {
+ "Ref": "AWS::AccountId"
+ },
+ ":root"
 ]
 ]
 }
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.ts
index 2a2351375ef62..23c4db5195d93 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.ts
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-with-variables.ts
@@ -1,7 +1,7 @@
 // eslint-disable-next-line import/no-extraneous-dependencies
 /// !cdk-integ VariablePipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true
-import { GitHubTrigger } from '@aws-cdk/aws-codepipeline-actions';
-import { App, Stack, StackProps } from '@aws-cdk/core';
+import * as s3 from '@aws-cdk/aws-s3';
+import { App, Stack, StackProps, RemovalPolicy } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as pipelines from '../lib';
@@ -9,11 +9,16 @@ class PipelineStack extends Stack {
 constructor(scope: Construct, id: string, props?: StackProps) {
 super(scope, id, props);
+ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+ });
 const pipeline = new pipelines.CodePipeline(this, 'Pipeline', {
 synth: new pipelines.ShellStep('Synth', {
- input: pipelines.CodePipelineSource.gitHub('cdklabs/construct-hub-probe', 'main', {
- trigger: GitHubTrigger.POLL,
- }),
+ input: pipelines.CodePipelineSource.s3(sourceBucket, 'key'),
+ // input: pipelines.CodePipelineSource.gitHub('cdklabs/construct-hub-probe', 'main', {
+ // trigger: GitHubTrigger.POLL,
+ // }),
 commands: ['mkdir cdk.out', 'touch cdk.out/dummy'],
 }),
 selfMutation: false,
@@ -45,8 +50,5 @@ const app = new App({
 },
 });
-new PipelineStack(app, 'VariablePipelineStack', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-});
-
-app.synth();
\ No newline at end of file
+new PipelineStack(app, 'VariablePipelineStack');
+app.synth();
diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline.expected.json b/packages/@aws-cdk/pipelines/test/integ.pipeline.expected.json
index 4674a0e8891fa..55c602dc91d09 100644
--- a/packages/@aws-cdk/pipelines/test/integ.pipeline.expected.json
+++ b/packages/@aws-cdk/pipelines/test/integ.pipeline.expected.json
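Review bot: The three `// input: pipelines.CodePipelineSource.gitHub(...)` lines added right after the new `s3` input are commented-out code, and the `GitHubTrigger` import they rely on is removed in this same commit, so they can never be re-enabled by just uncommenting. Either drop them or replace them with a single why-comment on the `input:` line, e.g. `// S3 source: presumably chosen so the integ test needs no GitHub token or network access — confirm`, since the old GitHub source also pulled `github-token` from Secrets Manager per the expected JSON. The constructor this hunk opens continues past the end of the hunk.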
@@ -1,5 +1,146 @@ { "Resources": { + "SourceBucketDDD2130A": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "SourceBucketPolicy703DFBF9": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "SourceBucketDDD2130A" + } + }, + "DependsOn": [ + "SourceBucketPolicy703DFBF9" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": 
"cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "be270bbdebe0851c887569796e3997437cca54ce86893ed94788500448e92824.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "__entrypoint__.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": "nodejs12.x", + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "SourceBucketDDD2130A" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, "PipelineArtifactsBucketEncryptionKeyF5BF0670": { "Type": "AWS::KMS::Key", "Properties": { @@ -17,7 +158,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -39,7 +184,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -153,7 +309,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } @@ -277,6 +444,12 @@ "Arn" ] }, + { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, { "Fn::GetAtt": [ "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", @@ -291,7 +464,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] } 
@@ -323,23 +507,28 @@ { "ActionTypeId": { "Category": "Source", - "Owner": "ThirdParty", - "Provider": "GitHub", + "Owner": "AWS", + "Provider": "S3", "Version": "1" }, "Configuration": { - "Owner": "OWNER", - "Repo": "REPO", - "Branch": "master", - "OAuthToken": "not-a-secret", - "PollForSourceChanges": true + "S3Bucket": { + "Ref": "SourceBucketDDD2130A" + }, + "S3ObjectKey": "key" }, - "Name": "GitHub", + "Name": "S3", "OutputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], + "RoleArn": { + "Fn::GetAtt": [ + "PipelineSourceS3CodePipelineActionRole83895A58", + "Arn" + ] + }, "RunOrder": 1 } ], @@ -362,7 +551,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "Synth", @@ -433,7 +622,7 @@ }, "InputArtifacts": [ { - "Name": "Artifact_Source_GitHub" + "Name": "Artifact_Source_S3" } ], "Name": "UseSource", @@ -463,7 +652,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-cfn-exec-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-cfn-exec-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -485,7 +685,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, @@ -512,7 +723,18 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:role/cdk-hnb659fds-deploy-role-12345678-test-region" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } ] ] }, 
@@ -544,6 +766,133 @@ "PipelineRoleB27FAA37" ] }, + "PipelineSourceS3CodePipelineActionRole83895A58": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "SourceBucketDDD2130A", + "Arn" + ] + }, + "/key" + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketAEA9A052", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKeyF5BF0670", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", + "Roles": [ + { + "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" + } + ] + } + }, "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -561,7 +910,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -640,7 +993,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -656,7 +1017,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" } @@ -682,7 +1051,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" }, @@ -814,7 +1191,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -872,7 +1253,11 @@ { "Ref": "AWS::Partition" }, - ":iam::12345678:root" + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" ] ] } @@ -951,7 +1336,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -967,7 +1360,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" } 
@@ -993,7 +1394,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelinePreProdUseSourceProject2E711EB4" }, @@ -1131,7 +1540,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1147,7 +1564,15 @@ { "Ref": "AWS::Partition" }, - ":logs:test-region:12345678:log-group:/aws/codebuild/", + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" } @@ -1173,7 +1598,15 @@ { "Ref": "AWS::Partition" }, - ":codebuild:test-region:12345678:report-group/", + ":codebuild:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":report-group/", { "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" }, @@ -1194,7 +1627,18 @@ } }, "Effect": "Allow", - "Resource": "arn:*:iam::12345678:role/*" + "Resource": { + "Fn::Join": [ + "", + [ + "arn:*:iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/*" + ] + ] + } }, { "Action": [ diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline.ts index f263e65a7f09c..29963e50ebc3b 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline.ts +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline.ts 
@@ -1,7 +1,8 @@
 /// !cdk-integ PipelineStack
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
-import { App, CfnResource, SecretValue, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
+import * as s3 from '@aws-cdk/aws-s3';
+import { App, CfnResource, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import * as cdkp from '../lib';
@@ -27,17 +28,19 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm');
 const integTestArtifact = new codepipeline.Artifact('IntegTests');
+ const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
+ removalPolicy: RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+ });
 const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', {
 cloudAssemblyArtifact,
 // Where the source can be found
- sourceAction: new codepipeline_actions.GitHubSourceAction({
- actionName: 'GitHub',
+ sourceAction: new codepipeline_actions.S3SourceAction({
+ bucket: sourceBucket,
 output: sourceArtifact,
- oauthToken: SecretValue.plainText('not-a-secret'),
- owner: 'OWNER',
- repo: 'REPO',
- trigger: codepipeline_actions.GitHubTrigger.POLL,
+ bucketKey: 'key',
+ actionName: 'S3',
 }),
 // How it will be built
@@ -56,9 +59,7 @@ class CdkpipelinesDemoPipelineStack extends Stack {
 // This is where we add the application stages
 // ...
- const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
- }));
+ const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd'));
 stage.addActions(
 new cdkp.ShellScriptAction({
 actionName: 'UseSource',
@@ -77,7 +78,5 @@ const app = new App({
 '@aws-cdk/core:newStyleStackSynthesis': 'true',
 },
 });
-new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', {
- env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },
-});
-app.synth();
\ No newline at end of file
+new CdkpipelinesDemoPipelineStack(app, 'PipelineStack');
+app.synth();