fix(pipelines): self-mutating builds cannot be run in privileged mode (…

…#14655) Fixes #11425 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · May 18, 2021 · 73b9b4a · 73b9b4a
1 parent d81e06d
commit 73b9b4a
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 1 deletion.
diff --git a/packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts b/packages/@aws-cdk/pipelines/lib/actions/update-pipeline-action.ts
@@ -37,6 +37,13 @@ export interface UpdatePipelineActionProps {
    * @default - Automatically generated
    */
   readonly projectName?: string;
+
+  /**
+   * Whether the build step should run in privileged mode.
+   *
+   * @default - false
+   */
+  readonly privileged?: boolean
 }
 
 /**
@@ -58,7 +65,10 @@ export class UpdatePipelineAction extends CoreConstruct implements codepipeline.
 
     const selfMutationProject = new codebuild.PipelineProject(this, 'SelfMutation', {
       projectName: props.projectName,
-      environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_5_0 },
+      environment: {
+        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
+        privileged: props.privileged ?? false,
+      },
       buildSpec: codebuild.BuildSpec.fromObject({
         version: '0.2',
         phases: {

diff --git a/packages/@aws-cdk/pipelines/lib/pipeline.ts b/packages/@aws-cdk/pipelines/lib/pipeline.ts
@@ -120,6 +120,22 @@ export interface CdkPipelineProps {
    * @default true
    */
   readonly selfMutating?: boolean;
+
+  /**
+   * Whether the pipeline needs to build Docker images in the UpdatePipeline stage.
+   *
+   * If the UpdatePipeline stage tries to build a Docker image and this flag is not
+   * set to `true`, the build step will run in non-privileged mode and consequently
+   * will fail with a message like:
+   *
+   * > Cannot connect to the Docker daemon at unix:///var/run/docker.sock.
+   * > Is the docker daemon running?
+   *
+   * This flag has an effect only if `selfMutating` is also `true`.
+   *
+   * @default - false
+   */
+  readonly supportDockerAssets?: boolean;
 }
 
 /**
@@ -201,6 +217,7 @@ export class CdkPipeline extends CoreConstruct {
           pipelineStackName: pipelineStack.stackName,
           cdkCliVersion: props.cdkCliVersion,
           projectName: maybeSuffix(props.pipelineName, '-selfupdate'),
+          privileged: props.supportDockerAssets,
         })],
       });
     }

diff --git a/packages/@aws-cdk/pipelines/test/pipeline.test.ts b/packages/@aws-cdk/pipelines/test/pipeline.test.ts
@@ -302,6 +302,7 @@ test('pipeline has self-mutation stage', () => {
   expect(pipelineStack).toHaveResourceLike('AWS::CodeBuild::Project', {
     Environment: {
       Image: 'aws/codebuild/standard:5.0',
+      PrivilegedMode: false,
     },
     Source: {
       BuildSpec: encodedJson(deepObjectLike({
@@ -358,6 +359,21 @@ test('selfmutation feature can be turned off', () => {
   });
 });
 
+test('generates CodeBuild project in privileged mode', () => {
+  // WHEN
+  const stack = new Stack(app, 'PrivilegedPipelineStack', { env: PIPELINE_ENV });
+  new TestGitHubNpmPipeline(stack, 'PrivilegedPipeline', {
+    supportDockerAssets: true,
+  });
+
+  // THEN
+  expect(stack).toHaveResourceLike('AWS::CodeBuild::Project', {
+    Environment: {
+      PrivilegedMode: true,
+    },
+  });
+});
+
 test('overridden stack names are respected', () => {
   // WHEN
   pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1'));