I have a CodePipeline written in CDK (TypeScript). The commands configured under "assetPublishingCodeBuildDefaults" are never invoked. Kindly help.
`import { CodeBuildStep, CodePipeline, CodePipelineSource } from "aws-cdk-lib/pipelines";
import { Construct } from "constructs";
import { checkovSkip } from "@diligentcorp/checkov-helper";
import { PipelineProps } from "../config";
import * as iam from "aws-cdk-lib/aws-iam";
import { Pipeline } from "aws-cdk-lib/aws-codepipeline";
import { BuildSpec, ComputeType, WindowsBuildImage, LinuxBuildImage, WindowsImageType } from "aws-cdk-lib/aws-codebuild";
import { GitHubStep } from "@diligentcorp/pipeline-github-token";
import { AwsAccounts } from "../constants";
After synth, the commands configured in "assetPublishingCodeBuildDefaults" should be invoked by the asset-publishing step: `npx cdk -a ./ deploy ImageBuilder --require-approval never`, followed by `npx cdk -a ./ destroy -f ImageBuilder`.
Instead, the only CodeBuild project in the synthesized template that runs `cdk deploy` is the SelfMutate project, and it calls: `cdk -a . deploy PipelineDev --require-approval=never --verbose`
Hello Team,
I have a CodePipeline written in CDK (TypeScript). The commands configured under "assetPublishingCodeBuildDefaults" are never invoked. Kindly help.
`import { CodeBuildStep, CodePipeline, CodePipelineSource } from "aws-cdk-lib/pipelines";
import { Construct } from "constructs";
import { checkovSkip } from "@diligentcorp/checkov-helper";
import { PipelineProps } from "../config";
import * as iam from "aws-cdk-lib/aws-iam";
import { Pipeline } from "aws-cdk-lib/aws-codepipeline";
import { BuildSpec, ComputeType, WindowsBuildImage, LinuxBuildImage, WindowsImageType } from "aws-cdk-lib/aws-codebuild";
import { GitHubStep } from "@diligentcorp/pipeline-github-token";
import { AwsAccounts } from "../constants";
// Directory of the CDK app inside the repository checkout; the synth step publishes `${ROOT_PATH}/cdk.out` as its output.
const ROOT_PATH = "cdk";
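/**
 * Builds the React components in a CodeBuild step.
 *
 * The step downloads `atlas.zip` from the shared `dccommunity-app-common` bucket into `./src`,
 * installs dependencies and runs `npm run production`; the resulting `./Build` directory is the
 * step's primary output.
 *
 * @param scope      not used by this function; kept for signature parity with `createPipeline`
 * @param props      pipeline configuration (stack name, global KMS key ARN)
 * @param connection the source artifact the step builds from
 * @returns the configured CodeBuild step
 */
const createReactServiceStep = (scope: Construct, props: PipelineProps, connection: CodePipelineSource): CodeBuildStep => {
  // Runs on the standard Linux image (the earlier reference to the CodeBuild Windows sample no longer applies).
  return new GitHubStep("ReactService", {
    input: connection,
    buildEnvironment: {
      buildImage: LinuxBuildImage.STANDARD_7_0,
      computeType: ComputeType.MEDIUM,
    },
    partialBuildSpec: BuildSpec.fromObject({
      version: "0.2",
      phases: {
        install: {
          "runtime-versions": {
            nodejs: "latest",
          },
        },
      },
    }),
    commands: [
      "cd ./",
      "ls -al",
      "echo $CODEBUILD_SOURCE_VERSION",
      "mv ./src/config/env.js.example ./src/config/env.js",
      // NOTE(review): `rmdir` only removes an empty directory; if ./src/atlas is checked in with
      // content this command fails and the build stops here — confirm which behaviour is intended.
      "rmdir ./src/atlas",
      "aws s3 cp s3://dccommunity-app-common/atlas.zip ./src/",
      "unzip ./src/atlas.zip -d ./src/",
      "rm -rf ./src/atlas.zip",
      "ls -al ./src/atlas/",
      // NOTE(review): codebuild-breakpoint is an interactive debugging hook that pauses the build
      // for a session; it looks like a troubleshooting leftover — confirm it should ship.
      "codebuild-breakpoint",
      "npm ci --save-dev webpack-merge --legacy-peer-deps",
      "npm run production",
      "ls -al",
      "cd ./Build && ls -al",
      "cd $CODEBUILD_SRC_DIR",
    ],
    rolePolicyStatements: [
      // Pipeline artifacts bucket. CDK already grants each pipeline CodeBuild project access to
      // the artifacts bucket (see the SynthStep role policy in the synthesized template), so this
      // statement is kept to object read/write rather than the previous `s3:*`.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["s3:GetBucket*", "s3:GetObject*", "s3:List*", "s3:PutObject"],
        resources: [`arn:aws:s3:::${props.stackName?.toLowerCase()}-pipelineartifactsbucket*`],
      }),
      // The only use of the shared bucket in the commands above is `aws s3 cp` of a single
      // object, so grant read access to that object instead of `s3:*` over every bucket whose
      // name starts with `dccommunity-app-common`.
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["s3:GetObject"],
        resources: ["arn:aws:s3:::dccommunity-app-common/atlas.zip"],
      }),
      // Decrypt with the global key; presumably needed for KMS-encrypted objects/secrets read
      // during the build — verify against what the build actually touches.
      new iam.PolicyStatement({
        actions: ["kms:Decrypt"],
        resources: [props.globalSecretsConfig.globalKmsKeyArn],
      }),
    ],
    primaryOutputDirectory: "./Build",
  });
};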
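/**
 * Creates the CDK pipeline for the `DiligentCorp/maple-react` repository.
 *
 * The pipeline sources the repo through a CodeStar connection, synthesizes the CDK app under
 * `ROOT_PATH` and, when `props.scope` is set, uses a dedicated CodePipeline instance intended to
 * be short-lived; otherwise it is a self-mutating pipeline with cross-account keys enabled.
 *
 * @param scope construct scope the pipeline is created in
 * @param props pipeline configuration (branch, CodeStar connection ARN, account, scope, stack name)
 * @returns the configured CodePipeline
 */
export const createPipeline = (scope: Construct, props: PipelineProps): CodePipeline => {
  // Only -tools pipelines can do cross account deployments.
  // NOTE(review): currently unused — both consumers are commented out below and
  // `crossAccountKeys: true` is hard-coded for the non-scoped pipeline.
  const crossAccountKeys = [AwsAccounts.Tools].includes(props.env!.account!);
  const inputConnection = CodePipelineSource.connection("DiligentCorp/maple-react", props.branch, {
    connectionArn: props.codeStarArn,
  });
  //const reactServiceStep = createReactServiceStep(scope, props, inputConnection);
  //const buildServiceStep = createBuildServiceStep(scope, props, inputConnection);
  const synthStep = new GitHubStep("SynthStep", {
    primaryOutputDirectory: `${ROOT_PATH}/cdk.out`,
    input: inputConnection,
    // additional inputs must land on the DIST_PATH expected by Image Builder (DIST_PATH in constants.ts)
    /*additionalInputs: {
      //'src/dist': buildServiceStep,
      './build': reactServiceStep,
    },*/
    commands: [
      // Exported so they are visible to `npx cdk synth` below (a child process). As plain shell
      // assignments they were shell-local and may not reach the CDK app — if the app reads these
      // from process.env, that would match the "No image builder task ID" skip; confirm.
      "export DOCKER_TAG=$(echo ${CODEBUILD_RESOLVED_SOURCE_VERSION} | cut -c -7)",
      "export IMAGE_BUILDER_TASK_ID=$CODEBUILD_LOG_PATH", // CODEBUILD_LOG_PATH equals CodeBuild execution ID
      `cd ${ROOT_PATH}`, // same directory the primary output is read from
      "n 18",
      "npm ci",
      //'make verify',
      "npx cdk synth",
      //'make security_scan',
    ],
    rolePolicyStatements: [
      // Although cdk context should be used instead of lookups in prod environments, lookup role is convenient for sandbox/tmp scoped envs,
      // So both cdk context and lookup role can be used to complement each other. See https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines-readme.html#context-lookups
      new iam.PolicyStatement({
        actions: ["sts:AssumeRole"],
        resources: ["*"],
        conditions: {
          StringEquals: {
            "iam:ResourceTag/aws-cdk:bootstrap-role": ["lookup"],
          },
        },
      }),
    ],
  });
  const pipeline = new CodePipeline(scope, "Pipeline", {
    ...(props.scope
      ? {
          // for short-lived scoped pipelines we configure s3 buckets to be destroyed
          codePipeline: new Pipeline(scope, props.stackName!, {
            /*artifactBucket: new s3.Bucket(scope, 'ArtifactBucket', {
              autoDeleteObjects: true,
              removalPolicy: RemovalPolicy.DESTROY,
            }),
            crossAccountKeys,
            enableKeyRotation: crossAccountKeys, */
          }),
        }
      : {
          selfMutation: true,
          crossAccountKeys: true,
          //crossAccountKeys,
          //enableKeyRotation: crossAccountKeys,
        }),
    publishAssetsInParallel: false, // see https://bliskavka.com/2022/09/25/speed-up-cdk-pipelines/
    synth: synthStep,
    codeBuildDefaults: {
      partialBuildSpec: BuildSpec.fromObject({
        env: {
          variables: {
            // CDK env variables propagation
            DIL_CDK_SCOPE: props.scope,
            GIT_BRANCH: props.branch,
          },
        },
      }),
    },
    // NOTE(review): these defaults only customise the asset-publishing CodeBuild projects. The
    // synthesized template on this page contains no such project: the ImageBuilder stack was
    // skipped at synth time ("No image builder task ID and/or local dist path provided") and the
    // deploy stage holds only the StripAssetsFromAssembly build and CloudFormation actions, so
    // this post_build never runs. The `cdk -a . deploy PipelineDev` command seen in the template
    // belongs to the SelfMutate project created by `selfMutation: true`, not to this step.
    assetPublishingCodeBuildDefaults: {
      partialBuildSpec: BuildSpec.fromObject({
        phases: {
          post_build: {
            commands: ["npx cdk -a ./ deploy ImageBuilder --require-approval never", "npx cdk -a ./ destroy -f ImageBuilder"],
          },
        },
      }),
      rolePolicy: [
        // Lets the asset-publishing project assume the bootstrap `deploy` role as well as the
        // `file-publishing` role so the post_build `cdk deploy`/`destroy` of ImageBuilder can run.
        // Note this widens asset publishing to full deploy rights; tag-scoped like the lookup
        // statement above rather than naming role ARNs.
        new iam.PolicyStatement({
          actions: ["sts:AssumeRole"],
          resources: ["*"],
          conditions: {
            StringEquals: {
              "iam:ResourceTag/aws-cdk:bootstrap-role": ["deploy", "file-publishing"], // special case for Image Builder
            },
          },
        }),
      ],
    },
  });
  checkovSkip(pipeline, { type: "AWS::S3::Bucket" }, [
    {
      id: "CKV_AWS_18",
      comment: "Pipeline bucket does not need access logging",
    },
    { id: "CKV_AWS_21", comment: "Pipeline bucket does not need versioning" },
  ]);
  // NOTE(review): CKV_AWS_111 is suppressed as a false positive, yet the synthesized
  // StripAssetsFromAssembly role carries a genuine `s3:*` on `arn:aws:s3:::*`. Review that
  // grant separately rather than assuming the suppression covers it.
  checkovSkip(pipeline, { type: "AWS::IAM::Policy" }, [
    {
      id: "CKV_AWS_111",
      comment: "False positive on Assets access permissions",
    },
  ]);
  return pipeline;
};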
/* export const addPipelineSlackNotification = (pipeline: Pipeline, slackConfigName: string) => {
  const scope = Stack.of(pipeline);
  const slack = chatbot.SlackChannelConfiguration.fromSlackChannelConfigurationArn(
    scope,
    'SlackChannel',
    scope.formatArn({
      region: '',
      service: 'chatbot',
      resource: 'chat-configuration',
      resourceName: `slack-channel/${slackConfigName}`,
    }),
  );
  new notifications.NotificationRule(scope, `${scope.stackName}SlackNotification`, {
    source: pipeline,
    events: ['codepipeline-pipeline-pipeline-execution-succeeded', 'codepipeline-pipeline-pipeline-execution-failed'],
    targets: [slack],
  });
}; */
Synth:
PS C:\Users\lkar\PoovarasuLatestCode\Maple-React\cdk> cdk synth PipelineDev
No image builder task ID and/or local dist path provided. Skipping image builder stack creation.
No image builder task ID and/or local dist path provided. Skipping image builder stack creation.
No image builder task ID and/or local dist path provided. Skipping image builder stack creation.
Resources:
DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Statement:
- Action: kms:*
Effect: Allow
Principal:
AWS: arn:aws:iam::633284109855:root
Resource: "*"
- Action:
- kms:Decrypt
- kms:DescribeKey
Effect: Allow
Principal:
AWS:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-deploy-role-987356601633-ca-central-1
Resource: "*"
Version: "2012-10-17"
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/ArtifactsBucketEncryptionKey/Resource
DevDCCommunityPipelineArtifactsBucketEncryptionKeyAlias0408B343:
Type: AWS::KMS::Alias
Properties:
AliasName: alias/codepipeline-devdccommunitypipeline-34338236
TargetKeyId:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/ArtifactsBucketEncryptionKeyAlias/Resource
DevDCCommunityPipelineArtifactsBucket64785C4B:
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
SSEAlgorithm: aws:kms
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/ArtifactsBucket/Resource
DevDCCommunityPipelineArtifactsBucketPolicy10B99854:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: DevDCCommunityPipelineArtifactsBucket64785C4B
PolicyDocument:
Statement:
- Action: s3:*
Condition:
Bool:
aws:SecureTransport: "false"
Effect: Deny
Principal:
AWS: "*"
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- s3:GetBucket*
- s3:GetObject*
- s3:List*
Effect: Allow
Principal:
AWS:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-deploy-role-987356601633-ca-central-1
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
Version: "2012-10-17"
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/ArtifactsBucket/Policy/Resource
DevDCCommunityPipelineRole59597551:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codepipeline.amazonaws.com
Version: "2012-10-17"
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Role/Resource
DevDCCommunityPipelineRoleDefaultPolicy448138B9:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- s3:Abort*
- s3:DeleteObject*
- s3:GetBucket*
- s3:GetObject*
- s3:List*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Effect: Allow
Resource:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
- Action: sts:AssumeRole
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineDeploydevcacentral1ApproveDeploymentCodePipelineActionRole8DCB0E35
- Arn
- Fn::GetAtt:
- DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRole85633F35
- Arn
- Fn::GetAtt:
- PipelineCodeBuildActionRole226DB0CB
- Arn
- Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-deploy-role-987356601633-ca-central-1
Version: "2012-10-17"
PolicyName: DevDCCommunityPipelineRoleDefaultPolicy448138B9
Roles:
- Ref: DevDCCommunityPipelineRole59597551
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Role/DefaultPolicy/Resource
DevDCCommunityPipelineC810D261:
Type: AWS::CodePipeline::Pipeline
Properties:
ArtifactStore:
EncryptionKey:
Id:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Type: KMS
Location:
Ref: DevDCCommunityPipelineArtifactsBucket64785C4B
Type: S3
RoleArn:
Fn::GetAtt:
- DevDCCommunityPipelineRole59597551
- Arn
Stages:
- Actions:
- ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeStarSourceConnection
Version: "1"
Configuration:
ConnectionArn: arn:aws:codestar-connections:us-east-1:633284109855:connection/b5632ce5-d439-4554-8feb-d302f5e186a3
FullRepositoryId: DiligentCorp/maple-react
BranchName: CDK-dc-community-maple-react
Name: DiligentCorp_maple-react
OutputArtifacts:
- Name: DiligentCorp_maple_react_Source
RoleArn:
Fn::GetAtt:
- DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRole85633F35
- Arn
RunOrder: 1
Name: Source
- Actions:
- ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
Configuration:
ProjectName:
Ref: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF
EnvironmentVariables: '[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"959b4c1e5881f232d01c92c32489b7dea282550a0ce7060bea021497cd836664"}]'
InputArtifacts:
- Name: DiligentCorp_maple_react_Source
Name: SynthStep
OutputArtifacts:
- Name: SynthStep_Output
RoleArn:
Fn::GetAtt:
- PipelineCodeBuildActionRole226DB0CB
- Arn
RunOrder: 1
Name: Build
- Actions:
- ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
Configuration:
ProjectName:
Ref: PipelineUpdatePipelineSelfMutationDAA41400
EnvironmentVariables: '[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"1fff9ae23e26cad95a43e966d10344fef0d2b8198be700b43191fd3a6e59755a"}]'
InputArtifacts:
- Name: SynthStep_Output
Name: SelfMutate
RoleArn:
Fn::GetAtt:
- PipelineCodeBuildActionRole226DB0CB
- Arn
RunOrder: 1
Name: UpdatePipeline
- Actions:
- ActionTypeId:
Category: Approval
Owner: AWS
Provider: Manual
Version: "1"
Name: Approve_Deployment
RoleArn:
Fn::GetAtt:
- DevDCCommunityPipelineDeploydevcacentral1ApproveDeploymentCodePipelineActionRole8DCB0E35
- Arn
RunOrder: 1
- ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: "1"
Configuration:
ProjectName:
Ref: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8
InputArtifacts:
- Name: SynthStep_Output
Name: DevDCCommunityPipeline-StripAssetsFromAssembly
RoleArn:
Fn::GetAtt:
- PipelineCodeBuildActionRole226DB0CB
- Arn
RunOrder: 1
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: "1"
Configuration:
StackName: DevCommunity
Capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
RoleArn:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-cfn-exec-role-987356601633-ca-central-1
TemplateConfiguration: SynthStep_Output::assembly-PipelineDev-Deploy-dev-ca-central-1/PipelineDevDeploydevcacentral1DCCommunityD3A43DAD.template.json.config.json
ActionMode: CHANGE_SET_REPLACE
ChangeSetName: PipelineChange
TemplatePath: SynthStep_Output::assembly-PipelineDev-Deploy-dev-ca-central-1/PipelineDevDeploydevcacentral1DCCommunityD3A43DAD.template.json
InputArtifacts:
- Name: SynthStep_Output
Name: DevCommunity.Prepare
RoleArn:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-deploy-role-987356601633-ca-central-1
RunOrder: 2
- ActionTypeId:
Category: Deploy
Owner: AWS
Provider: CloudFormation
Version: "1"
Configuration:
StackName: DevCommunity
ActionMode: CHANGE_SET_EXECUTE
ChangeSetName: PipelineChange
Name: DevCommunity.Deploy
RoleArn:
Fn::Join:
- ""
- - "arn:"
- Ref: AWS::Partition
- :iam::987356601633:role/cdk-hnb659fds-deploy-role-987356601633-ca-central-1
RunOrder: 3
Name: Deploy-dev-ca-central-1
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
DependsOn:
- DevDCCommunityPipelineRoleDefaultPolicy448138B9
- DevDCCommunityPipelineRole59597551
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Resource
DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRole85633F35:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS: arn:aws:iam::633284109855:root
Version: "2012-10-17"
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Source/DiligentCorp_maple-react/CodePipelineActionRole/Resource
DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRoleDefaultPolicyC04A1AF0:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: codestar-connections:UseConnection
Effect: Allow
Resource: arn:aws:codestar-connections:us-east-1:633284109855:connection/b5632ce5-d439-4554-8feb-d302f5e186a3
- Action:
- s3:Abort*
- s3:DeleteObject*
- s3:GetBucket*
- s3:GetObject*
- s3:List*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Effect: Allow
Resource:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
- Action:
- s3:PutObjectAcl
- s3:PutObjectVersionAcl
Effect: Allow
Resource:
Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
Version: "2012-10-17"
PolicyName: DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRoleDefaultPolicyC04A1AF0
Roles:
- Ref: DevDCCommunityPipelineSourceDiligentCorpmaplereactCodePipelineActionRole85633F35
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Source/DiligentCorp_maple-react/CodePipelineActionRole/DefaultPolicy/Resource
DevDCCommunityPipelineBuildSynthStepCdkBuildProjectRole9997A2ED:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Build/SynthStep/CdkBuildProject/Role/Resource
DevDCCommunityPipelineBuildSynthStepCdkBuildProjectRoleDefaultPolicyA1677301:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF
- :*
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF
- Action:
- codebuild:BatchPutCodeCoverages
- codebuild:BatchPutTestCases
- codebuild:CreateReport
- codebuild:CreateReportGroup
- codebuild:UpdateReport
Effect: Allow
Resource:
Fn::Join:
- ""
- - arn:aws:codebuild:ca-central-1:633284109855:report-group/
- Ref: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF
- -*
- Action: sts:AssumeRole
Condition:
StringEquals:
iam:ResourceTag/aws-cdk:bootstrap-role:
- lookup
Effect: Allow
Resource: "*"
- Action:
- secretsmanager:DescribeSecret
- secretsmanager:GetSecretValue
Effect: Allow
Resource: arn:aws:secretsmanager:us-west-2:653313865769:secret:GITHUB/PACKAGES_TOKEN_STRING-AEX1vx
- Action:
- kms:Decrypt
- kms:DescribeKey
Effect: Allow
Resource: arn:aws:kms:us-west-2:653313865769:key/71e9d452-224a-44c1-a64a-9e61306f6398
- Action:
- s3:Abort*
- s3:DeleteObject*
- s3:GetBucket*
- s3:GetObject*
- s3:List*
- s3:PutObject
- s3:PutObjectLegalHold
- s3:PutObjectRetention
- s3:PutObjectTagging
- s3:PutObjectVersionTagging
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Effect: Allow
Resource:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Version: "2012-10-17"
PolicyName: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectRoleDefaultPolicyA1677301
Roles:
- Ref: DevDCCommunityPipelineBuildSynthStepCdkBuildProjectRole9997A2ED
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Build/SynthStep/CdkBuildProject/Role/DefaultPolicy/Resource
DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF:
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Type: CODEPIPELINE
Cache:
Type: NO_CACHE
Description: Pipeline step DevDCCommunityPipeline/DevDCCommunityPipeline/Build/SynthStep
EncryptionKey:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:6.0
ImagePullCredentialsType: CODEBUILD
PrivilegedMode: false
Type: LINUX_CONTAINER
ServiceRole:
Fn::GetAtt:
- DevDCCommunityPipelineBuildSynthStepCdkBuildProjectRole9997A2ED
- Arn
Source:
BuildSpec: |-
{
"env": {
"variables": {
"DIL_CDK_SCOPE": "Dev",
"GIT_BRANCH": "CDK-dc-community-maple-react"
}
},
"version": "0.2",
"phases": {
"install": {
"commands": [
"export GITHUB_TOKEN=$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-west-2:653313865769:secret:GITHUB/PACKAGES_TOKEN_STRING-AEX1vx --output text --query SecretString --region us-west-2)",
"npm config set //npm.pkg.github.com/:_authToken ${GITHUB_TOKEN}",
"npm config set @DiligentCorp:registry https://npm.pkg.github.com",
"npm config set @acl-services:registry https://npm.pkg.github.com"
]
},
"build": {
"commands": [
"DOCKER_TAG=$(echo ${CODEBUILD_RESOLVED_SOURCE_VERSION} | cut -c -7)",
"IMAGE_BUILDER_TASK_ID=$CODEBUILD_LOG_PATH",
"cd cdk",
"n 18",
"npm ci",
"npx cdk synth"
]
}
},
"artifacts": {
"base-directory": "cdk/cdk.out",
"files": [
"**/*"
]
}
}
Type: CODEPIPELINE
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Build/SynthStep/CdkBuildProject/Resource
DevDCCommunityPipelineDeploydevcacentral1ApproveDeploymentCodePipelineActionRole8DCB0E35:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS: arn:aws:iam::633284109855:root
Version: "2012-10-17"
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Deploy-dev-ca-central-1/Approve_Deployment/CodePipelineActionRole/Resource
DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyRoleF14DE405:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Deploy-dev-ca-central-1/DevDCCommunityPipeline-StripAssetsFromAssembly/DevDCCommunityPipeline-StripAssetsFromAssembly/Role/Resource
DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyRoleDefaultPolicyB19FA6D3:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8
- :*
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8
- Action:
- codebuild:BatchPutCodeCoverages
- codebuild:BatchPutTestCases
- codebuild:CreateReport
- codebuild:CreateReportGroup
- codebuild:UpdateReport
Effect: Allow
Resource:
Fn::Join:
- ""
- - arn:aws:codebuild:ca-central-1:633284109855:report-group/
- Ref: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8
- -*
- Action: s3:*
Effect: Allow
Resource: arn:aws:s3:::*
- Action:
- s3:GetBucket*
- s3:GetObject*
- s3:List*
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Effect: Allow
Resource:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Version: "2012-10-17"
PolicyName: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyRoleDefaultPolicyB19FA6D3
Roles:
- Ref: DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyRoleF14DE405
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Deploy-dev-ca-central-1/DevDCCommunityPipeline-StripAssetsFromAssembly/DevDCCommunityPipeline-StripAssetsFromAssembly/Role/DefaultPolicy/Resource
DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8:
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Type: CODEPIPELINE
Cache:
Type: NO_CACHE
Description: Pipeline step DevDCCommunityPipeline/DevDCCommunityPipeline/Deploy-dev-ca-central-1/DevDCCommunityPipeline-StripAssetsFromAssembly
EncryptionKey:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:6.0
ImagePullCredentialsType: CODEBUILD
PrivilegedMode: false
Type: LINUX_CONTAINER
ServiceRole:
Fn::GetAtt:
- DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyRoleF14DE405
- Arn
Source:
BuildSpec: |-
{
"env": {
"variables": {
"DIL_CDK_SCOPE": "Dev",
"GIT_BRANCH": "CDK-dc-community-maple-react"
}
},
"version": "0.2",
"phases": {
"build": {
"commands": [
"S3_PATH=${CODEBUILD_SOURCE_VERSION#"arn:aws:s3:::"}",
"ZIP_ARCHIVE=$(basename $S3_PATH)",
"rm -rfv asset.*",
"zip -r -q -A $ZIP_ARCHIVE *",
"aws s3 cp $ZIP_ARCHIVE s3://$S3_PATH"
]
}
}
}
Type: CODEPIPELINE
Metadata:
aws:cdk:path: PipelineDev/DevDCCommunityPipeline/Deploy-dev-ca-central-1/DevDCCommunityPipeline-StripAssetsFromAssembly/DevDCCommunityPipeline-StripAssetsFromAssembly/Resource
PipelineCodeBuildActionRole226DB0CB:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS:
Fn::GetAtt:
- DevDCCommunityPipelineRole59597551
- Arn
Version: "2012-10-17"
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
- Key: Service
Value: maple-dev
Metadata:
aws:cdk:path: PipelineDev/Pipeline/CodeBuildActionRole/Resource
PipelineCodeBuildActionRoleDefaultPolicy1D62A6FE:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- codebuild:BatchGetBuilds
- codebuild:StartBuild
- codebuild:StopBuild
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineBuildSynthStepCdkBuildProjectCD2E28CF
- Arn
- Fn::GetAtt:
- DevDCCommunityPipelineDeploydevcacentral1DevDCCommunityPipelineStripAssetsFromAssemblyC65855F8
- Arn
- Fn::GetAtt:
- PipelineUpdatePipelineSelfMutationDAA41400
- Arn
Version: "2012-10-17"
PolicyName: PipelineCodeBuildActionRoleDefaultPolicy1D62A6FE
Roles:
- Ref: PipelineCodeBuildActionRole226DB0CB
Metadata:
aws:cdk:path: PipelineDev/Pipeline/CodeBuildActionRole/DefaultPolicy/Resource
checkov:
skip:
- id: CKV_AWS_111
comment: False positive on Assets access permissions
- id: CKV_AWS_111
comment: Allowing the pipeline to create Ec2 instances
PipelineUpdatePipelineSelfMutationRole57E559E8:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: codebuild.amazonaws.com
Version: "2012-10-17"
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
- Key: Service
Value: maple-dev
Metadata:
aws:cdk:path: PipelineDev/Pipeline/UpdatePipeline/SelfMutation/Role/Resource
PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: PipelineUpdatePipelineSelfMutationDAA41400
- :*
- Fn::Join:
- ""
- - arn:aws:logs:ca-central-1:633284109855:log-group:/aws/codebuild/
- Ref: PipelineUpdatePipelineSelfMutationDAA41400
- Action:
- codebuild:BatchPutCodeCoverages
- codebuild:BatchPutTestCases
- codebuild:CreateReport
- codebuild:CreateReportGroup
- codebuild:UpdateReport
Effect: Allow
Resource:
Fn::Join:
- ""
- - arn:aws:codebuild:ca-central-1:633284109855:report-group/
- Ref: PipelineUpdatePipelineSelfMutationDAA41400
- -*
- Action: sts:AssumeRole
Condition:
ForAnyValue:StringEquals:
iam:ResourceTag/aws-cdk:bootstrap-role:
- image-publishing
- file-publishing
- deploy
Effect: Allow
Resource: arn:*:iam::633284109855:role/*
- Action:
- cloudformation:DescribeStacks
- s3:ListBucket
Effect: Allow
Resource: "*"
- Action:
- s3:GetBucket*
- s3:GetObject*
- s3:List*
Effect: Allow
Resource:
- Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- Fn::Join:
- ""
- - Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucket64785C4B
- Arn
- /*
- Action:
- kms:Decrypt
- kms:DescribeKey
- kms:Encrypt
- kms:GenerateDataKey*
- kms:ReEncrypt*
Effect: Allow
Resource:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Version: "2012-10-17"
PolicyName: PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E
Roles:
- Ref: PipelineUpdatePipelineSelfMutationRole57E559E8
Metadata:
aws:cdk:path: PipelineDev/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource
checkov:
skip:
- id: CKV_AWS_111
comment: False positive on Assets access permissions
- id: CKV_AWS_111
comment: Allowing the pipeline to create Ec2 instances
PipelineUpdatePipelineSelfMutationDAA41400:
Type: AWS::CodeBuild::Project
Properties:
Artifacts:
Type: CODEPIPELINE
Cache:
Type: NO_CACHE
Description: Pipeline step DevDCCommunityPipeline/DevDCCommunityPipeline/UpdatePipeline/SelfMutate
EncryptionKey:
Fn::GetAtt:
- DevDCCommunityPipelineArtifactsBucketEncryptionKey967805E0
- Arn
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:6.0
ImagePullCredentialsType: CODEBUILD
PrivilegedMode: false
Type: LINUX_CONTAINER
ServiceRole:
Fn::GetAtt:
- PipelineUpdatePipelineSelfMutationRole57E559E8
- Arn
Source:
BuildSpec: |-
{
"env": {
"variables": {
"DIL_CDK_SCOPE": "Dev",
"GIT_BRANCH": "CDK-dc-community-maple-react"
}
},
"version": "0.2",
"phases": {
"install": {
"commands": [
"npm install -g aws-cdk@2"
]
},
"build": {
"commands": [
"cdk -a . deploy PipelineDev --require-approval=never --verbose"
]
}
}
}
Type: CODEPIPELINE
Tags:
- Key: highbond_service
Value: maple-dev
- Key: map-migrated
Value: mig43359
- Key: Service
Value: maple-dev
Metadata:
aws:cdk:path: PipelineDev/Pipeline/UpdatePipeline/SelfMutation/Resource
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/02Qyw6CMBBFv8X9MAou1KW6dEPwAwyUMRkoLaFUQ5r+u5RHcHXP3N5mHgleEjzs8q+JRFlHkgt0zz4XNYzWywldUsstSVaELl0I7m+1soe6MegeNAQ3yFVybkIxgQdzRHezoqY+mAvNkmrJYtjsufbAeYMu03LqNOmWXDNhtMKyLLe50k5XJKY2C3oPGRltO0Gw7mHwPn7932WNeFDjC1Zm/4nPGJ/Gw1SGOeqs6rkhzGb9ATHfVv40AQAA
Metadata:
aws:cdk:path: PipelineDev/CDKMetadata/Default
Parameters:
BootstrapVersion:
Type: AWS::SSM::Parameter::Value
Default: /cdk-bootstrap/hnb659fds/version
Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
CheckBootstrapVersion:
Assertions:
- Assert:
Fn::Not:
- Fn::Contains:
- - "1"
- "2"
- "3"
- "4"
- "5"
- Ref: BootstrapVersion
AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the
CDK CLI.
After synth it should invoke the below command in the "assetPublishingCodeBuildDefaults" step
cdk -a ./ deploy ImageBuilder --require-approval never and npx cdk -a ./ destroy -f ImageBuilder
Instead its calling the below,
cdk -a . deploy PipelineDev --require-approval=never --verbose