From b195ab3ed88cce055c6843fe418432c030644728 Mon Sep 17 00:00:00 2001 From: Kaixiang Zhao Date: Fri, 7 Jun 2019 16:31:07 -0700 Subject: [PATCH 1/3] feat(codebuild): add functionality to allow using private registry and cross-account ECR repository as build image Fixes #2175 --- packages/@aws-cdk/aws-codebuild/README.md | 7 +- .../@aws-cdk/aws-codebuild/lib/project.ts | 94 ++++++----- packages/@aws-cdk/aws-codebuild/package.json | 2 + .../test/integ.docker-asset.lit.expected.json | 38 ++--- .../integ.docker-registry.lit.expected.json | 148 ++++++++++++++++++ .../test/integ.docker-registry.lit.ts | 34 ++++ .../test/integ.ecr.lit.expected.json | 42 ++--- 7 files changed, 269 insertions(+), 96 deletions(-) create mode 100644 packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json create mode 100644 packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts diff --git a/packages/@aws-cdk/aws-codebuild/README.md b/packages/@aws-cdk/aws-codebuild/README.md index 1d20e66e2d3ea..5e8b948c64b5c 100644 --- a/packages/@aws-cdk/aws-codebuild/README.md +++ b/packages/@aws-cdk/aws-codebuild/README.md @@ -175,8 +175,7 @@ of the constants such as `WindowsBuildImage.WIN_SERVER_CORE_2016_BASE` or Alternatively, you can specify a custom image using one of the static methods on `XxxBuildImage`: -* Use `.fromDockerHub(image)` to reference an image publicly available in Docker - Hub. +* Use `.fromDockerRegistry(image[, secretsManagerCredential])` to reference an image in any public or private Docker registry. * Use `.fromEcrRepository(repo[, tag])` to reference an image available in an ECR repository. * Use `.fromAsset(this, id, { directory: dir })` to use an image created from a 
@@ -190,6 +189,10 @@ The following example shows how to define an image from an ECR repository: [ECR example](./test/integ.ecr.lit.ts) +The following example shows how to define an image from a private docker registry: + +[Docker Registry example](./test/integ.docker-registry.lit.ts) + ## Events CodeBuild projects can be used either as a source for events or be triggered diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts index d8c35077938c0..df338ffde7e29 100644 --- a/packages/@aws-cdk/aws-codebuild/lib/project.ts +++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts @@ -6,6 +6,7 @@ import ecr = require('@aws-cdk/aws-ecr'); import events = require('@aws-cdk/aws-events'); import iam = require('@aws-cdk/aws-iam'); import kms = require('@aws-cdk/aws-kms'); +import secretsmanager = require('@aws-cdk/aws-secretsmanager'); import { Aws, Construct, IResource, Resource, Stack, Token } from '@aws-cdk/cdk'; import { BuildArtifacts, CodePipelineBuildArtifacts, NoBuildArtifacts } from './artifacts'; import { Cache } from './cache'; @@ -813,6 +814,17 @@ export class Project extends ProjectBase { return p; } + private attachEcrPermission() { + this.addToRolePolicy(new iam.PolicyStatement() + .addAllResources() + .addActions( + 'ecr:GetAutheticationToken', + 'ecr:GetDownloadUrlForLayer', + 'ecr:BatchGetImage', + 'ecr:BatchCheckLayerAvailability' + )); + } + private renderEnvironment(env: BuildEnvironment = {}, projectVars: { [name: string]: BuildEnvironmentVariable } = {}): CfnProject.EnvironmentProperty { const vars: { [name: string]: BuildEnvironmentVariable } = {}; @@ -830,6 +842,10 @@ export class Project extends ProjectBase { const hasEnvironmentVars = Object.keys(vars).length > 0; + if (isECRImage(this.buildImage.imageId)) { + this.attachEcrPermission(); + } + const errors = this.buildImage.validate(env); if (errors.length > 0) { throw new Error("Invalid CodeBuild environment: " + errors.join('\n')); 
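Review bot: The first action added in `attachEcrPermission()` is spelled `ecr:GetAutheticationToken`, but the ECR action is `ecr:GetAuthorizationToken`, so this statement presumably never lets the service role obtain a registry token and a `SERVICE_ROLE` pull from ECR would be denied. Change the line to `'ecr:GetAuthorizationToken',`; the same misspelling is carried into the 2/3 rewrite of this method and into the expected-template JSON files. Separately, `addAllResources()` gives the role image and layer read access to every repository it can reach. Only the token action needs `*`, so the three read actions would be better placed in a second statement scoped to the repository ARN.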
@@ -838,6 +854,12 @@ export class Project extends ProjectBase { return { type: this.buildImage.type, image: this.buildImage.imageId, + imagePullCredentialsType: this.buildImage.imagePullCredentialsType, + registryCredential: this.buildImage.secretsManagerCredential ? + { + credentialProvider: 'SECRETS_MANAGER', + credential: this.buildImage.secretsManagerCredential.secretArn + } : undefined, privilegedMode: env.privileged || false, computeType: env.computeType || this.buildImage.defaultComputeType, environmentVariables: !hasEnvironmentVars ? undefined : Object.keys(vars).map(name => ({ @@ -945,6 +967,11 @@ export enum ComputeType { Large = 'BUILD_GENERAL1_LARGE' } +export enum ImagePullCredentialsType { + CodeBuild = 'CODEBUILD', + ServiceRole = 'SERVICE_ROLE' +} + export interface BuildEnvironment { /** * The image used for the builds. @@ -1003,6 +1030,16 @@ export interface IBuildImage { */ readonly defaultComputeType: ComputeType; + /** + * The type of credentials AWS CodeBuild uses to pull images in your build. + */ + readonly imagePullCredentialsType?: ImagePullCredentialsType; + + /** + * The credentials for access to a private registry. + */ + readonly secretsManagerCredential?: secretsmanager.ISecret; + /** * Allows the image a chance to validate whether the passed configuration is correct. * @@ -1023,7 +1060,7 @@ export interface IBuildImage { * * You can also specify a custom image using one of the static methods: * - * - LinuxBuildImage.fromDockerHub(image) + * - LinuxBuildImage.fromDockerRegistry(image[, secretsManagerCredential]) * - LinuxBuildImage.fromEcrRepository(repo[, tag]) * - LinuxBuildImage.fromAsset(parent, id, props) * 
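Review bot: `registryCredential` passes the secret's ARN to CodeBuild, but nothing visible in this patch lets the project's role read that secret. The expected template for the new docker-registry integ test shows a role policy containing only the CloudWatch Logs statement. With `imagePullCredentialsType` set to `SERVICE_ROLE` the pull is made as that role, so it likely needs `secretsmanager:GetSecretValue` on this one secret. Consider granting it next to the ECR check, for example by calling `this.buildImage.secretsManagerCredential.grantRead(...)` with the project role when the credential is set (confirm the `grantRead` signature in this CDK version). `renderEnvironment` starts and ends outside the hunk.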
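Review bot: `ImagePullCredentialsType` is exported without any doc comment, even though its two members decide whose identity pulls the build image. Add a comment on the enum and on each member, for example `/** CodeBuild pulls with its own credentials; intended for CodeBuild-curated images. */` on `CodeBuild` and `/** CodeBuild pulls with the project's service role; needed for cross-account ECR and private registries. */` on `ServiceRole`.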
@@ -1067,8 +1104,8 @@ export class LinuxBuildImage implements IBuildImage { /** * @returns a Linux build image from a Docker Hub image. */ - public static fromDockerHub(name: string): LinuxBuildImage { - return new LinuxBuildImage(name); + public static fromDockerRegistry(name: string, secretsManagerCredential?: secretsmanager.ISecret): LinuxBuildImage { + return new LinuxBuildImage(name, ImagePullCredentialsType.ServiceRole, secretsManagerCredential); } /** @@ -1083,9 +1120,7 @@ export class LinuxBuildImage implements IBuildImage { * @param tag Image tag (default "latest") */ public static fromEcrRepository(repository: ecr.IRepository, tag: string = 'latest'): LinuxBuildImage { - const image = new LinuxBuildImage(repository.repositoryUriForTag(tag)); - repository.addToResourcePolicy(ecrAccessForCodeBuildService()); - return image; + return new LinuxBuildImage(repository.repositoryUriForTag(tag), ImagePullCredentialsType.ServiceRole); } /** @@ -1093,19 +1128,16 @@ export class LinuxBuildImage implements IBuildImage { */ public static fromAsset(scope: Construct, id: string, props: DockerImageAssetProps): LinuxBuildImage { const asset = new DockerImageAsset(scope, id, props); - const image = new LinuxBuildImage(asset.imageUri); - - // allow this codebuild to pull this image (CodeBuild doesn't use a role, so - // we can't use `asset.grantUseImage()`. - asset.repository.addToResourcePolicy(ecrAccessForCodeBuildService()); - - return image; + return new LinuxBuildImage(asset.imageUri, ImagePullCredentialsType.ServiceRole); } public readonly type = 'LINUX_CONTAINER'; public readonly defaultComputeType = ComputeType.Small; - private constructor(public readonly imageId: string) { + private constructor( + public readonly imageId: string, + public readonly imagePullCredentialsType?: ImagePullCredentialsType, + public readonly secretsManagerCredential?: secretsmanager.ISecret) { } public validate(_: BuildEnvironment): string[] { 
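Review bot: The doc comment above `fromDockerRegistry` still reads `@returns a Linux build image from a Docker Hub image.`, although the method now accepts any registry and an optional secret. Update it to something like `@returns a Linux build image from a Docker registry image, optionally pulled with credentials stored in Secrets Manager`, and add a `@param secretsManagerCredential` line stating what the secret is expected to contain. The Windows `fromDockerRegistry` in the later hunk has the same stale comment. Removing `fromDockerHub` outright is also a breaking rename for existing callers; a deprecated alias delegating to the new method would soften that.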
@@ -1148,7 +1180,7 @@ export class LinuxBuildImage implements IBuildImage { * * You can also specify a custom image using one of the static methods: * - * - WindowsBuildImage.fromDockerHub(image) + * - WindowsBuildImage.fromDockerRegistry(image[, secretsManagerCredential]) * - WindowsBuildImage.fromEcrRepository(repo[, tag]) * - WindowsBuildImage.fromAsset(parent, id, props) * @@ -1160,8 +1192,8 @@ export class WindowsBuildImage implements IBuildImage { /** * @returns a Windows build image from a Docker Hub image. */ - public static fromDockerHub(name: string): WindowsBuildImage { - return new WindowsBuildImage(name); + public static fromDockerRegistry(name: string, secretsManagerCredential?: secretsmanager.ISecret): WindowsBuildImage { + return new WindowsBuildImage(name, ImagePullCredentialsType.ServiceRole, secretsManagerCredential); } /** @@ -1176,9 +1208,7 @@ export class WindowsBuildImage implements IBuildImage { * @param tag Image tag (default "latest") */ public static fromEcrRepository(repository: ecr.IRepository, tag: string = 'latest'): WindowsBuildImage { - const image = new WindowsBuildImage(repository.repositoryUriForTag(tag)); - repository.addToResourcePolicy(ecrAccessForCodeBuildService()); - return image; + return new WindowsBuildImage(repository.repositoryUriForTag(tag), ImagePullCredentialsType.ServiceRole); } /** 
@@ -1186,18 +1216,15 @@ export class WindowsBuildImage implements IBuildImage { */ public static fromAsset(scope: Construct, id: string, props: DockerImageAssetProps): WindowsBuildImage { const asset = new DockerImageAsset(scope, id, props); - const image = new WindowsBuildImage(asset.imageUri); - - // allow this codebuild to pull this image (CodeBuild doesn't use a role, so - // we can't use `asset.grantUseImage()`. - asset.repository.addToResourcePolicy(ecrAccessForCodeBuildService()); - - return image; + return new WindowsBuildImage(asset.imageUri, ImagePullCredentialsType.ServiceRole); } public readonly type = 'WINDOWS_CONTAINER'; public readonly defaultComputeType = ComputeType.Medium; - private constructor(public readonly imageId: string) { + private constructor( + public readonly imageId: string, + public readonly imagePullCredentialsType?: ImagePullCredentialsType, + public readonly secretsManagerCredential?: secretsmanager.ISecret) { } public validate(buildEnvironment: BuildEnvironment): string[] { @@ -1287,13 +1314,6 @@ function extendBuildSpec(buildSpec: any, extend: any) { } } -function ecrAccessForCodeBuildService(): iam.PolicyStatement { - return new iam.PolicyStatement() - .describe('CodeBuild') - .addServicePrincipal('codebuild.amazonaws.com') - .addActions( - 'ecr:GetDownloadUrlForLayer', - 'ecr:BatchGetImage', - 'ecr:BatchCheckLayerAvailability' - ); +function isECRImage(imageUri: string) { + return /^(.+).dkr.ecr.(.+).amazonaws.com[.]{0,1}[a-z]{0,3}\/([^:]+):?.*$/.test(imageUri); } diff --git a/packages/@aws-cdk/aws-codebuild/package.json b/packages/@aws-cdk/aws-codebuild/package.json index 902a474c6498d..d1936bb8bac4c 100644 --- a/packages/@aws-cdk/aws-codebuild/package.json +++ b/packages/@aws-cdk/aws-codebuild/package.json 
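Review bot: The pattern in `isECRImage` leaves every `.` unescaped and uses `(.+)` for the account and region parts, so it accepts much more than ECR hostnames. A non-ECR URI whose path merely resembles the hostname, such as the constructed sample `registry.example/a-dkr-ecr-x-amazonaws-com/img`, matches, and the project role then receives the `*`-scoped ECR statement for an image that is not in ECR. Escaping the dots and constraining the account and region segments keeps the check honest, for example `/^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?\/[^:]+(:.+)?$/`. An explicit `: boolean` return type and a one-line comment stating what the function decides would also help.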
@@ -87,6 +87,7 @@ "@aws-cdk/aws-iam": "^0.33.0", "@aws-cdk/aws-kms": "^0.33.0", "@aws-cdk/aws-s3": "^0.33.0", + "@aws-cdk/aws-secretsmanager": "^0.33.0", "@aws-cdk/cdk": "^0.33.0" }, "homepage": "https://github.com/awslabs/aws-cdk", @@ -101,6 +102,7 @@ "@aws-cdk/aws-iam": "^0.33.0", "@aws-cdk/aws-kms": "^0.33.0", "@aws-cdk/aws-s3": "^0.33.0", + "@aws-cdk/aws-secretsmanager": "^0.33.0", "@aws-cdk/cdk": "^0.33.0" }, "engines": { diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json index 04b128f3787bb..084547adaa8ff 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json @@ -39,33 +39,6 @@ ] } ] - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "codebuild.", - { - "Ref": "AWS::URLSuffix" - } - ] - ] - } - }, - "Sid": "CodeBuild" - } - ], - "Version": "2012-10-17" } }, "DependsOn": [ @@ -261,6 +234,16 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": [ + "ecr:GetAutheticationToken", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "logs:CreateLogGroup", @@ -438,6 +421,7 @@ ] ] }, + "ImagePullCredentialsType": "SERVICE_ROLE", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" }, diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json new file mode 100644 index 0000000000000..b8cd00a66ffb2 --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json 
@@ -0,0 +1,148 @@ +{ + "Resources": { + "MyProjectRole9BBE5233": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": { + "Fn::Join": [ + "", + [ + "codebuild.", + { + "Ref": "AWS::URLSuffix" + } + ] + ] + } + } + } + ], + "Version": "2012-10-17" + } + } + }, + "MyProjectRoleDefaultPolicyB19B7C29": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + } + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":logs:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":log-group:/aws/codebuild/", + { + "Ref": "MyProject39F7B0AE" + }, + ":*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "MyProjectRoleDefaultPolicyB19B7C29", + "Roles": [ + { + "Ref": "MyProjectRole9BBE5233" + } + ] + } + }, + "MyProject39F7B0AE": { + "Type": "AWS::CodeBuild::Project", + "Properties": { + "Artifacts": { + "Type": "NO_ARTIFACTS" + }, + "Environment": { + "ComputeType": "BUILD_GENERAL1_SMALL", + "Image": "my-registry/my-repo", + "ImagePullCredentialsType": "SERVICE_ROLE", + "PrivilegedMode": false, + "RegistryCredential": { + "Credential": { + "Fn::Join": [ + "", + [ + "arn:aws:secretsmanager:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":secret:my-secrets-123456" + ] + ] + }, + "CredentialProvider": "SECRETS_MANAGER" + }, + "Type": "LINUX_CONTAINER" + }, + "ServiceRole": { + "Fn::GetAtt": [ + "MyProjectRole9BBE5233", + "Arn" + ] + }, + "Source": { + 
"BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"ls\"\n ]\n }\n }\n}", + "Type": "NO_SOURCE" + } + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts new file mode 100644 index 0000000000000..c3d2c1940294d --- /dev/null +++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts @@ -0,0 +1,34 @@ +import secretsmanager = require('@aws-cdk/aws-secretsmanager'); +import cdk = require('@aws-cdk/cdk'); +import codebuild = require('../lib'); + +class TestStack extends cdk.Stack { + constructor(scope: cdk.App, id: string) { + super(scope, id); + + const secrets = secretsmanager.Secret.fromSecretArn(this, "MySecrets", + `arn:aws:secretsmanager:${this.region}:${this.accountId}:secret:my-secrets-123456`); + + new codebuild.Project(this, 'MyProject', { + buildSpec: { + version: "0.2", + phases: { + build: { + commands: [ 'ls' ] + } + } + }, + /// !show + environment: { + buildImage: codebuild.LinuxBuildImage.fromDockerRegistry("my-registry/my-repo", secrets) + } + /// !hide + }); + } +} + +const app = new cdk.App(); + +new TestStack(app, 'test-codebuild-docker-asset'); + +app.synth(); diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json index 6e1d7e8eb23cc..e76321be1beb0 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json 
@@ -1,36 +1,7 @@ { "Resources": { "MyRepoF4F48043": { - "Type": "AWS::ECR::Repository", - "Properties": { - "RepositoryPolicyText": { - "Statement": [ - { - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Effect": "Allow", - "Principal": { - "Service": { - "Fn::Join": [ - "", - [ - "codebuild.", - { - "Ref": "AWS::URLSuffix" - } - ] - ] - } - }, - "Sid": "CodeBuild" - } - ], - "Version": "2012-10-17" - } - } + "Type": "AWS::ECR::Repository" }, "MyProjectRole9BBE5233": { "Type": "AWS::IAM::Role", @@ -64,6 +35,16 @@ "Properties": { "PolicyDocument": { "Statement": [ + { + "Action": [ + "ecr:GetAutheticationToken", + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "logs:CreateLogGroup", @@ -185,6 +166,7 @@ ] ] }, + "ImagePullCredentialsType": "SERVICE_ROLE", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" }, From aba3103b4999540ad287e1aea2de95b72d83fe68 Mon Sep 17 00:00:00 2001 From: Kaixiang Zhao Date: Thu, 20 Jun 2019 15:19:51 -0700 Subject: [PATCH 2/3] feat(codebuild): add functionality to allow using private registry and cross-account ECR repository as build image Fixes #2175 --- .../@aws-cdk/aws-codebuild/lib/project.ts | 34 ++++++++----------- .../test/integ.docker-registry.lit.ts | 6 ++-- 2 files changed, 17 insertions(+), 23 deletions(-) diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts index 6abdb136f0d58..88d092fd2b8df 100644 --- a/packages/@aws-cdk/aws-codebuild/lib/project.ts +++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts 
@@ -6,7 +6,7 @@ import events = require('@aws-cdk/aws-events'); import iam = require('@aws-cdk/aws-iam'); import kms = require('@aws-cdk/aws-kms'); import secretsmanager = require('@aws-cdk/aws-secretsmanager'); -import { Aws, CfnResource, Construct, Duration, IResource, Lazy, PhysicalName, Resource, ResourceIdentifiers, Stack } from '@aws-cdk/cdk'; +import { Aws, CfnResource, Construct, Duration, IResource, Lazy, PhysicalName, Resource, ResourceIdentifiers, Stack, Token } from '@aws-cdk/cdk'; import { IArtifacts } from './artifacts'; import { BuildSpec } from './build-spec'; import { Cache } from './cache'; @@ -782,14 +782,15 @@ export class Project extends ProjectBase { } private attachEcrPermission() { - this.addToRolePolicy(new iam.PolicyStatement() - .addAllResources() - .addActions( - 'ecr:GetAutheticationToken', - 'ecr:GetDownloadUrlForLayer', - 'ecr:BatchGetImage', - 'ecr:BatchCheckLayerAvailability' - )); + this.addToRolePolicy(new iam.PolicyStatement({ + resources: ['*'], + actions: [ + 'ecr:GetAutheticationToken', + 'ecr:GetDownloadUrlForLayer', + 'ecr:BatchGetImage', + 'ecr:BatchCheckLayerAvailability' + ] + })); } private renderEnvironment(env: BuildEnvironment = {}, @@ -1271,16 +1272,9 @@ export enum BuildEnvironmentVariableType { PARAMETER_STORE = 'PARAMETER_STORE' } -<<<<<<< HEAD function isECRImage(imageUri: string) { - return /^(.+).dkr.ecr.(.+).amazonaws.com[.]{0,1}[a-z]{0,3}\/([^:]+):?.*$/.test(imageUri); -======= -function ecrAccessForCodeBuildService(): iam.PolicyStatement { - const s = new iam.PolicyStatement({ - principals: [new iam.ServicePrincipal('codebuild.amazonaws.com')], - actions: ['ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage', 'ecr:BatchCheckLayerAvailability'], - }); - s.sid = 'CodeBuild'; - return s; ->>>>>>> upstream/master + if (!Token.isUnresolved(imageUri)) { + return /^(.+).dkr.ecr.(.+).amazonaws.com[.]{0,1}[a-z]{0,3}\/([^:]+):?.*$/.test(imageUri); + } + return false; } 
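Review bot: Returning `false` for an unresolved `imageUri` in `isECRImage` means images built by `fromEcrRepository` and `fromAsset` probably never reach `attachEcrPermission()`, since their URIs come from `repositoryUriForTag()` and `asset.imageUri` and look to be tokens at synth time. Patch 3/3 is consistent with that: it drops the ECR statement from both expected templates, while 1/3 already removed the `addToResourcePolicy` grant. Those projects therefore appear to end up with `SERVICE_ROLE` pulls and no ECR permission at all. A grant that does not depend on parsing the URI would be sturdier, for instance having the ECR-backed image carry its repository so the project can grant pull on that one repository to its role. Please also add a comment above the `Token.isUnresolved` check stating why unresolved URIs are skipped.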
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts index c3d2c1940294d..c82ab1394a04d 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts +++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts @@ -7,17 +7,17 @@ class TestStack extends cdk.Stack { super(scope, id); const secrets = secretsmanager.Secret.fromSecretArn(this, "MySecrets", - `arn:aws:secretsmanager:${this.region}:${this.accountId}:secret:my-secrets-123456`); + `arn:aws:secretsmanager:${this.region}:${this.account}:secret:my-secrets-123456`); new codebuild.Project(this, 'MyProject', { - buildSpec: { + buildSpec: codebuild.BuildSpec.fromObject({ version: "0.2", phases: { build: { commands: [ 'ls' ] } } - }, + }), /// !show environment: { buildImage: codebuild.LinuxBuildImage.fromDockerRegistry("my-registry/my-repo", secrets) From 08cf809a4d5eeea3b95bbf2be312bf5e852f140b Mon Sep 17 00:00:00 2001 From: Kaixiang Zhao Date: Fri, 21 Jun 2019 09:51:37 -0700 Subject: [PATCH 3/3] Fix test error --- .../test/integ.docker-asset.lit.expected.json | 10 ---------- .../aws-codebuild/test/integ.ecr.lit.expected.json | 13 ++----------- 2 files changed, 2 insertions(+), 21 deletions(-) diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json index 5b9ba148a056c..32ead4e776695 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json @@ -235,16 +235,6 @@ "Properties": { "PolicyDocument": { "Statement": [ - { - "Action": [ - "ecr:GetAutheticationToken", - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "logs:CreateLogGroup", 
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json index e76321be1beb0..b7899d62a391b 100644 --- a/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json +++ b/packages/@aws-cdk/aws-codebuild/test/integ.ecr.lit.expected.json @@ -1,7 +1,8 @@ { "Resources": { "MyRepoF4F48043": { - "Type": "AWS::ECR::Repository" + "Type": "AWS::ECR::Repository", + "DeletionPolicy": "Retain" }, "MyProjectRole9BBE5233": { "Type": "AWS::IAM::Role", @@ -35,16 +36,6 @@ "Properties": { "PolicyDocument": { "Statement": [ - { - "Action": [ - "ecr:GetAutheticationToken", - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:BatchCheckLayerAvailability" - ], - "Effect": "Allow", - "Resource": "*" - }, { "Action": [ "logs:CreateLogGroup",