From a8b072c5e621b695ecf6bec6aa54053f8f3f5cc2 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Wed, 14 Aug 2024 11:25:19 -0700 Subject: [PATCH] chore: remove apis and tests that were only published in v1 for pipelines (#31098) DELETED All of this code and the associated tests were for CDK Pipelines V1, which was never released to cdk v2. All of the APIs are stripped from the distribution before publishing so this is just code cleanup and this will contain no breaking changes. ### Checklist - [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../PipelineSecurityStack.assets.json | 45 - .../PipelineSecurityStack.template.json | 3184 ----------- ...efaultTestDeployAssertEE246BCA.assets.json | 19 - ...aultTestDeployAssertEE246BCA.template.json | 36 - ...curityCheckMySafeStack7A4F8E95.assets.json | 19 - ...rityCheckMySafeStack7A4F8E95.template.json | 41 - .../cdk.out | 1 - .../manifest.json | 60 - ...leSecurityCheckMyStack0B9FE272.assets.json | 19 - ...SecurityCheckMyStack0B9FE272.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...NoSecurityCheckMyStack3484019E.assets.json | 19 - ...SecurityCheckMyStack3484019E.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...ckPreProductionMyStackDCCBB4EA.assets.json | 19 - ...PreProductionMyStackDCCBB4EA.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...eProductionMySafeStackC0D87904.assets.json | 19 - ...roductionMySafeStackC0D87904.template.json | 41 - .../cdk.out | 1 - .../manifest.json | 60 - ...tackSingleStageMyStack29962269.assets.json | 19 - ...ckSingleStageMyStack29962269.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - .../index.js | 1 - .../index.js | 1 - .../cdk.out | 1 - .../integ.json | 13 - .../manifest.json | 431 -- .../tree.json | 5039 ----------------- .../pipelines/test/integ.pipeline-security.ts | 115 - .../PipelineStack.assets.json | 32 - .../PipelineStack.template.json | 2148 ------- ...efaultTestDeployAssertBC780F98.assets.json | 19 - ...aultTestDeployAssertBC780F98.template.json | 36 - ...elineStackPreProdStack65A0AD1F.assets.json | 45 - ...ineStackPreProdStack65A0AD1F.template.json | 41 - .../assembly-PipelineStack-PreProd/cdk.out | 1 - .../manifest.json | 60 - .../index.js | 1 - ...99171adef5e1d8f6b88810e5fef75e6ca09ba5.txt | 1 - ...03f1ced72b4fc58c498dfd99c78fa77e721e0e.txt | 1 - ...pelineStack-Pipeline-Assets-FileAsset.yaml | 16 - .../cdk.out | 1 - .../integ.json | 13 - .../manifest.json | 318 -- .../tree.json | 2946 ---------- ...nteg.pipeline-with-assets-single-upload.ts | 107 - .../test/integ.pipeline-with-assets.ts | 106 - .../PipelineStack.assets.json | 32 - .../PipelineStack.template.json | 1910 ------- ...efaultTestDeployAssertBC780F98.assets.json | 19 - ...aultTestDeployAssertBC780F98.template.json | 36 - ...elineStackPreProdStack65A0AD1F.assets.json | 19 - ...ineStackPreProdStack65A0AD1F.template.json | 41 - .../assembly-PipelineStack-PreProd/cdk.out | 1 - .../manifest.json | 60 - .../index.js | 1 - .../test/integ.pipeline.js.snapshot/cdk.out | 1 - .../integ.pipeline.js.snapshot/integ.json | 13 - .../integ.pipeline.js.snapshot/manifest.json | 300 - .../test/integ.pipeline.js.snapshot/tree.json | 2564 --------- .../test/pipelines/test/integ.pipeline.ts | 97 - packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 21 +- packages/aws-cdk-lib/pipelines/README.md | 526 +- packages/aws-cdk-lib/pipelines/lib/index.ts | 1 - .../legacy/actions/deploy-cdk-stack-action.ts | 386 -- .../pipelines/lib/legacy/actions/index.ts | 3 - .../legacy/actions/publish-assets-action.ts | 228 - .../legacy/actions/update-pipeline-action.ts | 183 - .../aws-cdk-lib/pipelines/lib/legacy/index.ts | 5 - .../pipelines/lib/legacy/pipeline.ts | 624 -- .../aws-cdk-lib/pipelines/lib/legacy/stage.ts | 586 -- .../pipelines/lib/legacy/synths/_util.ts | 15 - .../pipelines/lib/legacy/synths/index.ts | 1 - .../lib/legacy/synths/simple-synth-action.ts | 591 -- .../pipelines/lib/legacy/validation/_files.ts | 97 - .../pipelines/lib/legacy/validation/index.ts | 1 - .../legacy/validation/shell-script-action.ts | 253 - .../blueprint/logicalid-stability.test.ts | 126 - .../codepipeline-existing.test.ts | 65 - .../pipelines/test/compliance/assets.test.ts | 1351 ++--- .../test/compliance/basic-behavior.test.ts | 280 +- .../compliance/docker-credentials.test.ts | 355 +- .../test/compliance/environments.test.ts | 649 +-- .../test/compliance/escape-hatching.test.ts | 283 +- .../test/compliance/security-check.test.ts | 547 +- .../test/compliance/self-mutation.test.ts | 378 +- .../test/compliance/stack-ordering.test.ts | 196 +- .../pipelines/test/compliance/synths.test.ts | 1615 ++---- .../test/compliance/validations.test.ts | 1058 ++-- .../pipelines/test/{legacy => }/fs.test.ts | 2 +- .../pipelines/test/testhelpers/compliance.ts | 57 +- .../pipelines/test/testhelpers/index.ts | 1 - .../test/testhelpers/legacy-pipeline.ts | 47 - 99 files changed, 2731 insertions(+), 28585 deletions(-) delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts delete mode 100644 packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts rename packages/aws-cdk-lib/pipelines/test/{legacy => }/fs.test.ts (85%) delete mode 100644 packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json deleted file mode 100644 index f698f535c5907..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6": { - "source": { - "path": "asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448": { - "source": { - "path": "PipelineSecurityStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json deleted file mode 100644 index a9a989ab4a39e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json +++ /dev/null @@ -1,3184 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "TestPipelineArtifactsBucketEncryptionKey13258842": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucketEncryptionKeyAliasE8D86DD3": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861", - "TargetKeyId": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucket026AF2F9": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "TestPipelineArtifactsBucketPolicyDF75C611": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRole63C35BBD": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRoleDefaultPolicyFA69BF2D": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineRoleDefaultPolicyFA69BF2D", - "Roles": [ - { - "Ref": "TestPipelineRole63C35BBD" - } - ] - } - }, - "TestPipeline34ACDBF9": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "Type": "S3" - }, - "Name": "TestPipeline", - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineRole63C35BBD", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"8c69c5d954446d78352846c8ddc8ff911cec11c1f93f8aab1fac67556cf1a058\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SingleStage\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"UnattachedStage\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SingleStageManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SingleStage\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStageSecurityCheck", - "Namespace": "SingleStageSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SingleStageSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SingleStageSecurityCheck.LINK}" - }, - "Name": "SingleStageManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStage-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SingleStage-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - } - ], - "Name": "UnattachedStage" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/PreProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in PreProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "PreProductionSecurityCheck", - "Namespace": "PreProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{PreProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{PreProductionSecurityCheck.LINK}" - }, - "Name": "PreProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SafeProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SafeProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SafeProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProductionSecurityCheck", - "Namespace": "SafeProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SafeProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SafeProductionSecurityCheck.LINK}" - }, - "Name": "SafeProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - "RunOrder": 6 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProduction-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 7 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SafeProduction-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 8 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "DisableSecurityCheck-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 9 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "DisableSecurityCheck-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 10 - } - ], - "Name": "PreProduction" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/EnableSecurityCheck\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"NoSecurityCheck\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"EnableSecurityCheckManualApproval\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheckSecurityCheck", - "Namespace": "EnableSecurityCheckSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{EnableSecurityCheckSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{EnableSecurityCheckSecurityCheck.LINK}" - }, - "Name": "EnableSecurityCheckManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheck-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "EnableSecurityCheck-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 6 - } - ], - "Name": "NoSecurityCheck" - } - ], - "Tags": [ - { - "Key": "SECURITY_CHECK", - "Value": "ALLOW_APPROVE" - } - ] - }, - "DependsOn": [ - "TestPipelineRoleDefaultPolicyFA69BF2D", - "TestPipelineRole63C35BBD" - ] - }, - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD", - "Roles": [ - { - "Ref": "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0" - } - ] - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProject755D4B01", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProject755D4B01": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"yarn install --frozen-lockfile\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"yarn build\",\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71", - "Roles": [ - { - "Ref": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2" - } - ] - } - }, - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F", - "Roles": [ - { - "Ref": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194" - } - ] - } - }, - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566", - "Roles": [ - { - "Ref": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6" - } - ] - } - }, - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1", - "Roles": [ - { - "Ref": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D" - } - ] - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - ] - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - ] - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "SecurityChangesTopic9762A9B3": { - "Type": "AWS::SNS::Topic" - }, - "SecurityChangesTopictestemailcom7C32D452": { - "Type": "AWS::SNS::Subscription", - "Properties": { - "Endpoint": "test@email.com", - "Protocol": "email", - "TopicArn": { - "Ref": "SecurityChangesTopic9762A9B3" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json deleted file mode 100644 index 2e1ece3c7c7a2..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json deleted file mode 100644 index 56bf2e32c37ca..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json deleted file mode 100644 index 5c2441812122d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "DisableSecurityCheck-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "metadata": { - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/DisableSecurityCheck/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json deleted file mode 100644 index 07f739c5f5923..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json deleted file mode 100644 index 9f723f7ccb5fa..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "EnableSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "metadata": { - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/EnableSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json deleted file mode 100644 index ff06078cec81f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json deleted file mode 100644 index 2122aeedd21b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackNoSecurityCheckMyStack3484019E": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "NoSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "metadata": { - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/NoSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json deleted file mode 100644 index 06bf236bec53b..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json deleted file mode 100644 index 9175443047e81..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackPreProductionMyStackDCCBB4EA": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProduction-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "metadata": { - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/PreProduction/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json deleted file mode 100644 index 8fb0d8df01aa2..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json deleted file mode 100644 index 25c091b2d6bdc..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSafeProductionMySafeStackC0D87904": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SafeProduction-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "metadata": { - "/PipelineSecurityStack/SafeProduction/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SafeProduction/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json deleted file mode 100644 index 8451cee8dc082..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json deleted file mode 100644 index dbe924b8efbae..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSingleStageMyStack29962269.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSingleStageMyStack29962269.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSingleStageMyStack29962269": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SingleStage-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "metadata": { - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SingleStage/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js deleted file mode 100644 index c9fe4b293ebbf..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var l=Object.defineProperty;var y=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var w=Object.prototype.hasOwnProperty;var S=(t,e)=>{for(var n in e)l(t,n,{get:e[n],enumerable:!0})},v=(t,e,n,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let a of f(e))!w.call(t,a)&&a!==n&&l(t,a,{get:()=>e[a],enumerable:!(s=y(e,a))||s.enumerable});return t};var h=t=>v(l({},"__esModule",{value:!0}),t);var b={};S(b,{handler:()=>T});module.exports=h(b);var d=require("@aws-sdk/client-codepipeline"),u=new d.CodePipeline,A=5,P=t=>new Promise(e=>setTimeout(e,t*1e3));async function T(t,e){let{PipelineName:n,StageName:s,ActionName:a}=t;function g(o){let m=o.stageStates?.filter(r=>r.stageName===s),c=m.length&&m[0].actionStates.filter(r=>r.actionName===a),p=c&&c.length&&c[0].latestExecution;return p?p.token:void 0}let N=Date.now()+A*6e4;for(;Date.now() undefined, - stackOutputArtifact: () => undefined, - }, - }); - - const topic = new sns.Topic(this, 'SecurityChangesTopic'); - topic.addSubscription(new subscriptions.EmailSubscription('test@email.com')); - - unattachedStage.addApplication(new MyStage(this, 'SingleStage', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - const stage1 = pipeline.addApplicationStage(new MyStage(this, 'PreProduction', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - stage1.addApplication(new MySafeStage(this, 'SafeProduction', { - })); - - stage1.addApplication(new MySafeStage(this, 'DisableSecurityCheck', { - }), { confirmBroadeningPermissions: false }); - - const stage2 = pipeline.addApplicationStage(new MyStage(this, 'NoSecurityCheck', { - })); - - stage2.addApplication(new MyStage(this, 'EnableSecurityCheck', { }), { confirmBroadeningPermissions: true }); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new TestCdkStack(app, 'PipelineSecurityStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new integ.IntegTest(app, 'PipelineSecurityTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index 2c35bdd4a6304..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json deleted file mode 100644 index 3b4d32b92b138..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,2148 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "FileAsset", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Assets" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineAssetsFileRole59943A77": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineAssetsFileRoleDefaultPolicy14DB8755": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "Roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "PipelineAssetsFileAsset5D8C5DA6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "Source": { - "BuildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json deleted file mode 100644 index 8f0029884a021..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index 6343ec9323d0c..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5": { - "source": { - "path": "../asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e": { - "source": { - "path": "../asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt deleted file mode 100644 index 95e9dcd2e3bf0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt +++ /dev/null @@ -1 +0,0 @@ -This is a file asset that's just here for kicks. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt deleted file mode 100644 index 8b1c7231bf2f4..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt +++ /dev/null @@ -1 +0,0 @@ -Here's a second file asset. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml deleted file mode 100644 index 06708bb7e14f9..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "0.2", - "phases": { - "install": { - "commands": [ - "npm install -g cdk-assets@2" - ] - }, - "build": { - "commands": [ - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5:current_account-current_region\"", - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e:current_account-current_region\"" - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json deleted file mode 100644 index e3dd3aa926f06..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json +++ /dev/null @@ -1,318 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRole59943A77" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRoleDefaultPolicy14DB8755" - } - ], - "/PipelineStack/Pipeline/Assets/FileAsset/Default/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileAsset5D8C5DA6" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json deleted file mode 100644 index 2f8c1da478a39..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json +++ /dev/null @@ -1,2946 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "Assets", - "actions": [ - { - "name": "FileAsset", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Pipeline/Assets", - "children": { - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Pipeline/Assets/FileAsset", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "children": { - "FileRole": { - "id": "FileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole", - "children": { - "ImportFileRole": { - "id": "ImportFileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole/ImportFileRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Assets/FileAsset", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.PublishAssetsAction", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Asset": { - "id": "Asset", - "path": "PipelineStack/PreProd/Stack/Asset", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Asset2": { - "id": "Asset2", - "path": "PipelineStack/PreProd/Stack/Asset2", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset2/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset2/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts deleted file mode 100644 index c05a52e685eba..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts +++ /dev/null @@ -1,107 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, RemovalPolicy, DefaultStackSynthesizer, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - singlePublisherPerType: true, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts deleted file mode 100644 index 3c71922e1e02d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts +++ /dev/null @@ -1,106 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index d96305350050e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json deleted file mode 100644 index b95f0f452e79f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,1910 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json deleted file mode 100644 index 8f0029884a021..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index f4cee0d9b9779..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json deleted file mode 100644 index 515495bbbc66a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json +++ /dev/null @@ -1,300 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json deleted file mode 100644 index ffb2d51e18c94..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json +++ /dev/null @@ -1,2564 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts deleted file mode 100644 index b8afeedfc285d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts +++ /dev/null @@ -1,97 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); - -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index aad87ef49fbde..9e980cc71faae 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md @@ -71,7 +71,6 @@ Flags come in three types: | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) | | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) | | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) | -| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | 2.148.0 | (fix) | @@ -132,8 +131,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-eks:nodegroupNameAttribute": true, "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true, "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true, - "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false, - "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false } } ``` @@ -1340,19 +1338,4 @@ property from the event object. | 2.145.0 | `false` | `false` | -### @aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions - -*When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.* (fix) - -When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html -for more details. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.148.0 | `false` | `true` | - - - \ No newline at end of file + diff --git a/packages/aws-cdk-lib/pipelines/README.md b/packages/aws-cdk-lib/pipelines/README.md index 2eceefc9e5236..40c06136e9dea 100644 --- a/packages/aws-cdk-lib/pipelines/README.md +++ b/packages/aws-cdk-lib/pipelines/README.md @@ -1,11 +1,10 @@ # CDK Pipelines - A construct library for painless Continuous Delivery of CDK applications. -CDK Pipelines is an *opinionated construct library*. It is purpose-built to +CDK Pipelines is an _opinionated construct library_. It is purpose-built to deploy one or more copies of your CDK applications using CloudFormation with a -minimal amount of effort on your part. It is *not* intended to support arbitrary +minimal amount of effort on your part. It is _not_ intended to support arbitrary deployment pipelines, and very specifically it is not built to use CodeDeploy to deploy applications to instances, or deploy your custom-built ECR images to an ECS cluster directly: use CDK file assets with CloudFormation Init for instances, or @@ -13,12 +12,12 @@ CDK container assets for ECS clusters instead. Give the CDK Pipelines way of doing things a shot first: you might find it does everything you need. If you need more control, or if you need `v2` support from -`aws-codepipeline`, we recommend you drop down to using the `aws-codepipeline` +`aws-codepipeline`, we recommend you drop down to using the `aws-codepipeline` construct library directly. > This module contains two sets of APIs: an **original** and a **modern** version of -> CDK Pipelines. The *modern* API has been updated to be easier to work with and -> customize, and will be the preferred API going forward. The *original* version +> CDK Pipelines. The _modern_ API has been updated to be easier to work with and +> customize, and will be the preferred API going forward. The _original_ version > of the API is still available for backwards compatibility, but we recommend migrating > to the new version if possible. > @@ -40,28 +39,28 @@ You then define a `Pipeline`, instantiate as many instances of `MyApplicationStage` as you want for your test and production environments, with different parameters for each, and calling `pipeline.addStage()` for each of them. You can deploy to the same account and Region, or to a different one, -with the same amount of code. The *CDK Pipelines* library takes care of the +with the same amount of code. The _CDK Pipelines_ library takes care of the details. -CDK Pipelines supports multiple *deployment engines* (see +CDK Pipelines supports multiple _deployment engines_ (see [Using a different deployment engine](#using-a-different-deployment-engine)), and comes with a deployment engine that deploys CDK apps using AWS CodePipeline. -To use the CodePipeline engine, define a `CodePipeline` construct. The following +To use the CodePipeline engine, define a `CodePipeline` construct. The following example creates a CodePipeline that deploys an application from GitHub: ```ts /** The stacks for our app are minimally defined here. The internals of these - * stacks aren't important, except that DatabaseStack exposes an attribute - * "table" for a database table it defines, and ComputeStack accepts a reference - * to this table in its properties. - */ + * stacks aren't important, except that DatabaseStack exposes an attribute + * "table" for a database table it defines, and ComputeStack accepts a reference + * to this table in its properties. + */ class DatabaseStack extends Stack { public readonly table: dynamodb.TableV2; constructor(scope: Construct, id: string) { super(scope, id); this.table = new dynamodb.TableV2(this, 'Table', { - partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING } + partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING }, }); } } @@ -87,26 +86,29 @@ class MyPipelineStack extends Stack { synth: new pipelines.ShellStep('Synth', { // Use a connection created using the AWS console to authenticate to GitHub // Other sources are available. - input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', - }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + input: pipelines.CodePipelineSource.connection( + 'my-org/my-app', + 'main', + { + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + } + ), + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); // 'MyApplication' is defined below. Call `addStage` as many times as // necessary with any account and region (may be different from the // pipeline's). - pipeline.addStage(new MyApplication(this, 'Prod', { - env: { - account: '123456789012', - region: 'eu-west-1', - }, - })); + pipeline.addStage( + new MyApplication(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + }, + }) + ); } } @@ -134,7 +136,7 @@ new MyPipelineStack(this, 'PipelineStack', { env: { account: '123456789012', region: 'eu-west-1', - } + }, }); ``` @@ -143,7 +145,7 @@ application stages in the source code, or new stacks to `MyApplication`, the pipeline will automatically reconfigure itself to deploy those new stages and stacks. -(Note that you have to *bootstrap* all environments before the above code +(Note that you have to _bootstrap_ all environments before the above code will work, and switch on "Modern synthesis" if you are using CDKv1. See the section **CDK Environment Bootstrapping** below for more information). @@ -152,7 +154,7 @@ more information). To provision the pipeline you have defined, make sure the target environment has been bootstrapped (see below), and then execute deploying the -`PipelineStack` *once*. Afterwards, the pipeline will keep itself up-to-date. +`PipelineStack` _once_. Afterwards, the pipeline will keep itself up-to-date. > **Important**: be sure to `git commit` and `git push` before deploying the > Pipeline stack using `cdk deploy`! @@ -183,27 +185,16 @@ To make the development more convenient, the self-mutation feature can be turned off temporarily, by passing `selfMutation: false` property, example: ```ts -// Modern API -const modernPipeline = new pipelines.CodePipeline(this, 'Pipeline', { +const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { selfMutation: false, synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); - -// Original API -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const originalPipeline = new pipelines.CdkPipeline(this, 'Pipeline', { - selfMutating: false, - cloudAssemblyArtifact, -}); ``` ## Defining the pipeline @@ -232,11 +223,7 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -252,12 +239,7 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'cd mysubdir', - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['cd mysubdir', 'npm ci', 'npm run build', 'npx cdk synth'], primaryOutputDirectory: 'mysubdir/cdk.out', }), }); @@ -284,12 +266,8 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'yarn install --frozen-lockfile', - 'yarn build', - 'npx cdk synth', - ], - }) + commands: ['yarn install --frozen-lockfile', 'yarn build', 'npx cdk synth'], + }), }); ``` @@ -307,7 +285,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { 'npm install -g aws-cdk', 'cdk synth', ], - }) + }), }); ``` @@ -322,11 +300,8 @@ declare const source: pipelines.IFileSetProducer; // the repository source const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: source, - commands: [ - 'npm install -g aws-cdk', - 'cdk synth', - ], - }) + commands: ['npm install -g aws-cdk', 'cdk synth'], + }), }); ``` @@ -358,7 +333,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // Abstract over doing the build './build.sh', ], - }) + }), }); ``` @@ -368,19 +343,20 @@ for developers at the same time. #### CodePipeline Sources -In CodePipeline, *Sources* define where the source of your application lives. +In CodePipeline, _Sources_ define where the source of your application lives. When a change to the source is detected, the pipeline will start executing. Source objects can be created by factory methods on the `CodePipelineSource` class: ##### GitHub, GitHub Enterprise, BitBucket using a connection -The recommended way of connecting to GitHub or BitBucket is by using a *connection*. +The recommended way of connecting to GitHub or BitBucket is by using a _connection_. You will first use the AWS Console to authenticate to the source control provider, and then use the connection ARN in your pipeline definition: ```ts pipelines.CodePipelineSource.connection('org/repo', 'branch', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', }); ``` @@ -406,7 +382,11 @@ that the CodeCommit repository and then use `CodePipelineSource.codeCommit` to reference it: ```ts -const repository = codecommit.Repository.fromRepositoryName(this, 'Repository', 'my-repository'); +const repository = codecommit.Repository.fromRepositoryName( + this, + 'Repository', + 'my-repository' +); pipelines.CodePipelineSource.codeCommit(repository, 'main'); ``` @@ -448,12 +428,12 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.gitHub('myorg/repo2', 'main'), additionalInputs: { - 'subdir': pipelines.CodePipelineSource.gitHub('myorg/repo3', 'main'), + subdir: pipelines.CodePipelineSource.gitHub('myorg/repo3', 'main'), '../siblingdir': prebuild, }, commands: ['./build.sh'], - }) + }), }); ``` @@ -467,12 +447,14 @@ so, call `pipeline.addStage()` on the Stage object: declare const pipeline: pipelines.CodePipeline; // Do this as many times as necessary with any account and region // Account and region may different from the pipeline's. -pipeline.addStage(new MyApplicationStage(this, 'Prod', { - env: { - account: '123456789012', - region: 'eu-west-1', - } -})); +pipeline.addStage( + new MyApplicationStage(this, 'Prod', { + env: { + account: '123456789012', + region: 'eu-west-1', + }, + }) +); ``` CDK Pipelines will automatically discover all `Stacks` in the given `Stage` @@ -491,7 +473,7 @@ correctly and any requisite replication Buckets are created. By default, all applications added to CDK Pipelines by calling `addStage()` will be deployed in sequence, one after the other. If you have a lot of stages, you can speed up the pipeline by choosing to deploy some stages in parallel. You do this -by calling `addWave()` instead of `addStage()`: a *wave* is a set of stages that +by calling `addWave()` instead of `addStage()`: a _wave_ is a set of stages that are all deployed in parallel instead of sequentially. Waves themselves are still deployed in sequence. For example, the following will deploy two copies of your application to `eu-west-1` and `eu-central-1` in parallel: @@ -499,19 +481,23 @@ application to `eu-west-1` and `eu-central-1` in parallel: ```ts declare const pipeline: pipelines.CodePipeline; const europeWave = pipeline.addWave('Europe'); -europeWave.addStage(new MyApplicationStage(this, 'Ireland', { - env: { region: 'eu-west-1' } -})); -europeWave.addStage(new MyApplicationStage(this, 'Germany', { - env: { region: 'eu-central-1' } -})); +europeWave.addStage( + new MyApplicationStage(this, 'Ireland', { + env: { region: 'eu-west-1' }, + }) +); +europeWave.addStage( + new MyApplicationStage(this, 'Germany', { + env: { region: 'eu-central-1' }, + }) +); ``` #### Deploying to other accounts / encrypting the Artifact Bucket CDK Pipelines can transparently deploy to other Regions and other accounts (provided those target environments have been -[*bootstrapped*](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)). +[_bootstrapped_](https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)). However, deploying to another account requires one additional piece of configuration: you need to enable `crossAccountKeys: true` when creating the pipeline. @@ -530,13 +516,10 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { enableKeyRotation: true, // optional synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -592,9 +575,7 @@ pipeline.addStage(preprod, { ], }); pipeline.addStage(prod, { - pre: [ - new pipelines.ManualApprovalStep('PromoteToProd'), - ], + pre: [new pipelines.ManualApprovalStep('PromoteToProd')], }); ``` @@ -616,15 +597,18 @@ declare const pipeline: pipelines.CodePipeline; const prod = new MyStacksStage(this, 'Prod'); pipeline.addStage(prod, { - stackSteps: [{ - stack: prod.stack1, - pre: [new pipelines.ManualApprovalStep('Pre-Stack Check')], // Executed before stack is prepared - changeSet: [new pipelines.ManualApprovalStep('ChangeSet Approval')], // Executed after stack is prepared but before the stack is deployed - post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed - }, { - stack: prod.stack2, - post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed - }], + stackSteps: [ + { + stack: prod.stack1, + pre: [new pipelines.ManualApprovalStep('Pre-Stack Check')], // Executed before stack is prepared + changeSet: [new pipelines.ManualApprovalStep('ChangeSet Approval')], // Executed after stack is prepared but before the stack is deployed + post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed + }, + { + stack: prod.stack2, + post: [new pipelines.ManualApprovalStep('Post-Deploy Check')], // Executed after stack is deployed + }, + ], }); ``` @@ -664,7 +648,9 @@ class MyOutputStage extends Stage { constructor(scope: Construct, id: string, props?: StageProps) { super(scope, id, props); - this.loadBalancerAddress = new CfnOutput(this, 'Output', {value: 'value'}); + this.loadBalancerAddress = new CfnOutput(this, 'Output', { + value: 'value', + }); } } @@ -724,8 +710,12 @@ declare const vpc: ec2.Vpc; declare const mySecurityGroup: ec2.SecurityGroup; new pipelines.CodeBuildStep('Synth', { // ...standard ShellStep props... - commands: [/* ... */], - env: { /* ... */ }, + commands: [ + /* ... */ + ], + env: { + /* ... */ + }, // If you are using a CodeBuildStep explicitly, set the 'cdk.out' directory // to be the synth step's output. @@ -746,12 +736,14 @@ new pipelines.CodeBuildStep('Synth', { privileged: true, }, timeout: Duration.minutes(90), - fileSystemLocations: [codebuild.FileSystemLocation.efs({ - identifier: "myidentifier2", - location: "myclodation.mydnsroot.com:/loc", - mountPoint: "/media", - mountOptions: "opts", - })], + fileSystemLocations: [ + codebuild.FileSystemLocation.efs({ + identifier: 'myidentifier2', + location: 'myclodation.mydnsroot.com:/loc', + mountPoint: '/media', + mountOptions: 'opts', + }), + ], // Control Elastic Network Interface creation vpc: vpc, @@ -763,12 +755,14 @@ new pipelines.CodeBuildStep('Synth', { // Additional policy statements for the execution role rolePolicyStatements: [ - new iam.PolicyStatement({ /* ... */ }), + new iam.PolicyStatement({ + /* ... */ + }), ], }); ``` -You can also configure defaults for *all* CodeBuild projects by passing `codeBuildDefaults`, +You can also configure defaults for _all_ CodeBuild projects by passing `codeBuildDefaults`, or just for the synth, asset publishing, and self-mutation projects by passing `synthCodeBuildDefaults`, `assetPublishingCodeBuildDefaults`, or `selfMutationCodeBuildDefaults`: @@ -782,13 +776,10 @@ new pipelines.CodePipeline(this, 'Pipeline', { // Standard CodePipeline properties synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: [ - 'npm ci', - 'npm run build', - 'npx cdk synth', - ], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Defaults for all CodeBuild projects @@ -811,7 +802,9 @@ new pipelines.CodePipeline(this, 'Pipeline', { // Additional policy statements for the execution role rolePolicy: [ - new iam.PolicyStatement({ /* ... */ }), + new iam.PolicyStatement({ + /* ... */ + }), ], // Information about logs @@ -825,9 +818,15 @@ new pipelines.CodePipeline(this, 'Pipeline', { }, }, - synthCodeBuildDefaults: { /* ... */ }, - assetPublishingCodeBuildDefaults: { /* ... */ }, - selfMutationCodeBuildDefaults: { /* ... */ }, + synthCodeBuildDefaults: { + /* ... */ + }, + assetPublishingCodeBuildDefaults: { + /* ... */ + }, + selfMutationCodeBuildDefaults: { + /* ... */ + }, }); ``` @@ -840,10 +839,13 @@ doesn't have a matching class yet, you can define your own step class that exten Here's an example that adds a Jenkins step: ```ts -class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineActionFactory { +class MyJenkinsStep + extends pipelines.Step + implements pipelines.ICodePipelineActionFactory +{ constructor( private readonly provider: cpactions.JenkinsProvider, - private readonly input: pipelines.FileSet, + private readonly input: pipelines.FileSet ) { super('MyJenkinsStep'); @@ -851,27 +853,33 @@ class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineAct // that may contain outputs from other steps. It doesn't matter what the // structure is, as long as it contains the values that may contain outputs. this.discoverReferencedOutputs({ - env: { /* ... */ } + env: { + /* ... */ + }, }); } - public produceAction(stage: codepipeline.IStage, options: pipelines.ProduceActionOptions): pipelines.CodePipelineActionFactoryResult { - + public produceAction( + stage: codepipeline.IStage, + options: pipelines.ProduceActionOptions + ): pipelines.CodePipelineActionFactoryResult { // This is where you control what type of Action gets added to the // CodePipeline - stage.addAction(new cpactions.JenkinsAction({ - // Copy 'actionName' and 'runOrder' from the options - actionName: options.actionName, - runOrder: options.runOrder, - - // Jenkins-specific configuration - type: cpactions.JenkinsActionType.TEST, - jenkinsProvider: this.provider, - projectName: 'MyJenkinsProject', - - // Translate the FileSet into a codepipeline.Artifact - inputs: [options.artifacts.toCodePipeline(this.input)], - })); + stage.addAction( + new cpactions.JenkinsAction({ + // Copy 'actionName' and 'runOrder' from the options + actionName: options.actionName, + runOrder: options.runOrder, + + // Jenkins-specific configuration + type: cpactions.JenkinsActionType.TEST, + jenkinsProvider: this.provider, + projectName: 'MyJenkinsProject', + + // Translate the FileSet into a codepipeline.Artifact + inputs: [options.artifacts.toCodePipeline(this.input)], + }) + ); return { runOrdersConsumed: 1 }; } @@ -881,26 +889,35 @@ class MyJenkinsStep extends pipelines.Step implements pipelines.ICodePipelineAct Another example, adding a lambda step referencing outputs from a stack: ```ts -class MyLambdaStep extends pipelines.Step implements pipelines.ICodePipelineActionFactory { - private stackOutputReference: pipelines.StackOutputReference +class MyLambdaStep + extends pipelines.Step + implements pipelines.ICodePipelineActionFactory +{ + private stackOutputReference: pipelines.StackOutputReference; - constructor( - private readonly fn: lambda.Function, - stackOutput: CfnOutput, - ) { + constructor(private readonly fn: lambda.Function, stackOutput: CfnOutput) { super('MyLambdaStep'); - this.stackOutputReference = pipelines.StackOutputReference.fromCfnOutput(stackOutput); + this.stackOutputReference = + pipelines.StackOutputReference.fromCfnOutput(stackOutput); } - public produceAction(stage: codepipeline.IStage, options: pipelines.ProduceActionOptions): pipelines.CodePipelineActionFactoryResult { - - stage.addAction(new cpactions.LambdaInvokeAction({ - actionName: options.actionName, - runOrder: options.runOrder, - // Map the reference to the variable name the CDK has generated for you. - userParameters: {stackOutput: options.stackOutputsMap.toCodePipeline(this.stackOutputReference)}, - lambda: this.fn, - })); + public produceAction( + stage: codepipeline.IStage, + options: pipelines.ProduceActionOptions + ): pipelines.CodePipelineActionFactoryResult { + stage.addAction( + new cpactions.LambdaInvokeAction({ + actionName: options.actionName, + runOrder: options.runOrder, + // Map the reference to the variable name the CDK has generated for you. + userParameters: { + stackOutput: options.stackOutputsMap.toCodePipeline( + this.stackOutputReference + ), + }, + lambda: this.fn, + }) + ); return { runOrdersConsumed: 1 }; } @@ -924,7 +941,7 @@ This also gives you more direct control over the underlying `CodePipeline.Pipeli if the way the modern API creates it doesn't allow for desired configurations. Use `CodePipelineFileset` to convert CodePipeline **artifacts** into CDK Pipelines **file sets**, that can be used everywhere a file set or file set producer is expected. -Here's an example of passing in an existing pipeline and using a *source* that's already +Here's an example of passing in an existing pipeline and using a _source_ that's already in the pipeline: ```ts @@ -936,7 +953,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { codePipeline: codePipeline, synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineFileSet.fromArtifact(sourceArtifact), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -970,7 +987,7 @@ Docker can be used in 3 different places in the pipeline: - If you are using Docker to bundle file assets anywhere in your project (for example, if you are using such construct libraries as `aws-cdk-lib/aws-lambda-nodejs`): Docker will run in the - *synth* project. + _synth_ project. For the first case, you don't need to do anything special. For the other two cases, you need to make sure that **privileged mode** is enabled on the correct CodeBuild @@ -991,9 +1008,10 @@ you need to pass `dockerEnabledForSelfMutation: true` to the pipeline. For examp const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Turn this on because the pipeline uses Docker image assets @@ -1017,7 +1035,7 @@ pipeline.addWave('MyWave', { ``` > **Important**: You must turn on the `dockerEnabledForSelfMutation` flag, -> commit and allow the pipeline to self-update *before* adding the actual +> commit and allow the pipeline to self-update _before_ adding the actual > Docker asset. ### Using bundled file assets @@ -1030,9 +1048,10 @@ if you add a construct like `aws-cdk-lib/aws-lambda-nodejs`), you need to pass const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), // Turn this on because the application uses bundled file assets @@ -1041,7 +1060,7 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { ``` > **Important**: You must turn on the `dockerEnabledForSynth` flag, -> commit and allow the pipeline to self-update *before* adding the actual +> commit and allow the pipeline to self-update _before_ adding the actual > Docker asset. ### Authenticating to Docker registries @@ -1052,22 +1071,42 @@ any of the application stages — require authentication, either due to being in different environment (e.g., ECR repo) or to avoid throttling (e.g., DockerHub). ```ts -const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'DHSecret', 'arn:aws:...'); -const customRegSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'CRSecret', 'arn:aws:...'); -const repo1 = ecr.Repository.fromRepositoryArn(this, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1'); -const repo2 = ecr.Repository.fromRepositoryArn(this, 'Repo', 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2'); +const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'DHSecret', + 'arn:aws:...' +); +const customRegSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'CRSecret', + 'arn:aws:...' +); +const repo1 = ecr.Repository.fromRepositoryArn( + this, + 'Repo', + 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1' +); +const repo2 = ecr.Repository.fromRepositoryArn( + this, + 'Repo', + 'arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2' +); const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { dockerCredentials: [ pipelines.DockerCredential.dockerHub(dockerHubSecret), - pipelines.DockerCredential.customRegistry('dockerregistry.example.com', customRegSecret), + pipelines.DockerCredential.customRegistry( + 'dockerregistry.example.com', + customRegSecret + ), pipelines.DockerCredential.ecr([repo1, repo2]), ], synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), - commands: ['npm ci','npm run build','npx cdk synth'], + commands: ['npm ci', 'npm run build', 'npx cdk synth'], }), }); ``` @@ -1082,17 +1121,23 @@ optional role to assume before requesting the credentials. By default, the Docker credentials provided to the pipeline will be available to the **Synth**, **Self-Update**, and **Asset Publishing** actions within the -*pipeline. The scope of the credentials can be limited via the `DockerCredentialUsage` option. +\*pipeline. The scope of the credentials can be limited via the `DockerCredentialUsage` option. ```ts -const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn(this, 'DHSecret', 'arn:aws:...'); +const dockerHubSecret = secretsmanager.Secret.fromSecretCompleteArn( + this, + 'DHSecret', + 'arn:aws:...' +); // Only the image asset publishing actions will be granted read access to the secret. -const creds = pipelines.DockerCredential.dockerHub(dockerHubSecret, { usages: [pipelines.DockerCredentialUsage.ASSET_PUBLISHING] }); +const creds = pipelines.DockerCredential.dockerHub(dockerHubSecret, { + usages: [pipelines.DockerCredentialUsage.ASSET_PUBLISHING], +}); ``` ## CDK Environment Bootstrapping -An *environment* is an *(account, region)* pair where you want to deploy a +An _environment_ is an _(account, region)_ pair where you want to deploy a CDK stack (see [Environments](https://docs.aws.amazon.com/cdk/latest/guide/environments.html) in the CDK Developer Guide). In a Continuous Deployment pipeline, there are @@ -1102,16 +1147,16 @@ different stages of the application). These can be the same, though best practices recommend you isolate your different application stages from each other in different AWS accounts or regions. -Before you can provision the pipeline, you have to *bootstrap* the environment you want +Before you can provision the pipeline, you have to _bootstrap_ the environment you want to create it in. If you are deploying your application to different environments, you -also have to bootstrap those and be sure to add a *trust* relationship. +also have to bootstrap those and be sure to add a _trust_ relationship. After you have bootstrapped an environment and created a pipeline that deploys -to it, it's important that you don't delete the stack or change its *Qualifier*, +to it, it's important that you don't delete the stack or change its _Qualifier_, or future deployments to this environment will fail. If you want to upgrade the bootstrap stack to a newer version, do that by updating it in-place. -> This library requires the *modern* bootstrapping stack which has +> This library requires the _modern_ bootstrapping stack which has > been updated specifically to support cross-account continuous delivery. > > If you are using CDKv2, you do not need to do anything else. Modern @@ -1189,7 +1234,7 @@ These command lines explained: > Be aware that anyone who has access to the trusted Accounts **effectively has all > permissions conferred by the configured CloudFormation execution policies**, > allowing them to do things like read arbitrary S3 buckets and create arbitrary -> infrastructure in the bootstrapped account. Restrict the list of `--trust`ed Accounts, +> infrastructure in the bootstrapped account. Restrict the list of `--trust`ed Accounts, > or restrict the policies configured by `--cloudformation-execution-policies`.
@@ -1223,7 +1268,7 @@ The "new" bootstrap stack (obtained by running `cdk bootstrap` with contains: - An S3 bucket and ECR repository with predictable names, so that we can reference - assets in these storage locations *without* the use of CloudFormation template + assets in these storage locations _without_ the use of CloudFormation template parameters. - A set of roles with permissions to access these asset locations and to execute CloudFormation, assumable from whatever accounts you specify under `--trust`. @@ -1256,30 +1301,40 @@ declare const sharedXRegionUsWest2KeyArn: string; const usWest1Bucket = s3.Bucket.fromBucketAttributes(scope, 'UsEast1Bucket', { bucketArn: sharedXRegionUsWest1BucketArn, - encryptionKey: kms.Key.fromKeyArn(scope, 'UsEast1BucketKeyArn', sharedXRegionUsWest1BucketArn), + encryptionKey: kms.Key.fromKeyArn( + scope, + 'UsEast1BucketKeyArn', + sharedXRegionUsWest1BucketArn + ), }); const usWest2Bucket = s3.Bucket.fromBucketAttributes(scope, 'UsWest2Bucket', { bucketArn: sharedXRegionUsWest2BucketArn, - encryptionKey: kms.Key.fromKeyArn(scope, 'UsWest2BucketKeyArn', sharedXRegionUsWest2KeyArn), + encryptionKey: kms.Key.fromKeyArn( + scope, + 'UsWest2BucketKeyArn', + sharedXRegionUsWest2KeyArn + ), }); const crossRegionReplicationBuckets: Record = { 'us-west-1': usWest1Bucket, 'us-west-2': usWest2Bucket, // Support for additional regions. -} +}; const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.ShellStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', }), - commands: ['npm ci','npm run build','npx cdk synth'], - }), // Use shared buckets. + commands: ['npm ci', 'npm run build', 'npx cdk synth'], + }), // Use shared buckets. crossRegionReplicationBuckets, }); ``` + ## Context Lookups You might be using CDK constructs that need to look up [runtime @@ -1299,7 +1354,7 @@ contains the results of the context lookups. This will make sure your synthesized infrastructure is consistent and repeatable. If you do not commit `cdk.context.json`, the results of the lookups may suddenly be different in unexpected ways, and even produce results that cannot be deployed or will cause -data loss. To give an account permissions to perform lookups against an +data loss. To give an account permissions to perform lookups against an environment, without being able to deploy to it and make changes, run `cdk bootstrap --trust-for-lookup=`. @@ -1313,7 +1368,8 @@ lookup roles. As an example, doing so would look like this: new pipelines.CodePipeline(this, 'Pipeline', { synth: new pipelines.CodeBuildStep('Synth', { input: pipelines.CodePipelineSource.connection('my-org/my-app', 'main', { - connectionArn: 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', + connectionArn: + 'arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41', // Created using the AWS console * });', }), commands: [ // Commands to load cdk.context.json from somewhere here @@ -1405,9 +1461,7 @@ You can insert the security check by using a `ConfirmPermissionsBroadening` step declare const pipeline: pipelines.CodePipeline; const stage = new MyApplicationStage(this, 'MyApplication'); pipeline.addStage(stage, { - pre: [ - new pipelines.ConfirmPermissionsBroadening('Check', { stage }), - ], + pre: [new pipelines.ConfirmPermissionsBroadening('Check', { stage })], }); ``` @@ -1436,7 +1490,7 @@ check enabled. ## Using a different deployment engine -CDK Pipelines supports multiple *deployment engines*, but this module vends a +CDK Pipelines supports multiple _deployment engines_, but this module vends a construct for only one such engine: AWS CodePipeline. It is also possible to use CDK Pipelines to build pipelines backed by other deployment engines. @@ -1490,7 +1544,7 @@ but the directory wasn't there. There are two common causes for this: ### is in ROLLBACK_COMPLETE state and can not be updated -If you see the following error during execution of your pipeline: +If you see the following error during execution of your pipeline: ```plaintext Stack ... is in ROLLBACK_COMPLETE state and can not be updated. (Service: @@ -1520,7 +1574,7 @@ project that uses the AWS SDK for JavaScript, without the target application having been installed yet. For example, it can be triggered by `npx cdk synth` if `aws-cdk` is not in your `package.json`. -Work around this by either installing the target application using NPM *before* +Work around this by either installing the target application using NPM _before_ running `npx`, or set the environment variable `NPM_CONFIG_UNSAFE_PERM=true`. ### Cannot connect to the Docker daemon at unix:///var/run/docker.sock @@ -1539,21 +1593,6 @@ that bundles asset using tools run via Docker, like `aws-lambda-nodejs`, `aws-la Make sure you set the `privileged` environment variable to `true` in the synth definition: -```ts -const sourceArtifact = new codepipeline.Artifact(); -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const pipeline = new pipelines.CdkPipeline(this, 'MyPipeline', { - cloudAssemblyArtifact, - synthAction: pipelines.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - privileged: true, - }, - }), -}); -``` - After turning on `privilegedMode: true`, you will need to do a one-time manual cdk deploy of your pipeline to get it going again (as with a broken 'synth' the pipeline will not be able to self update to the right state). @@ -1606,27 +1645,6 @@ An "S3 Access Denied" error can have two causes: - Asset hashes have changed, but self-mutation has been disabled in the pipeline. - You have deleted and recreated the bootstrap stack, or changed its qualifier. -#### Self-mutation step has been removed - -Some constructs, such as EKS clusters, generate nested stacks. When CloudFormation tries -to deploy those stacks, it may fail with this error: - -```console -S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html -``` - -This happens because the pipeline is not self-mutating and, as a consequence, the `FileAssetX` -build projects get out-of-sync with the generated templates. To fix this, make sure the -`selfMutating` property is set to `true`: - -```ts -const cloudAssemblyArtifact = new codepipeline.Artifact(); -const pipeline = new pipelines.CdkPipeline(this, 'MyPipeline', { - selfMutating: true, - cloudAssemblyArtifact, -}); -``` - #### Bootstrap roles have been renamed or recreated While attempting to deploy an application stage, the "Prepare" or "Deploy" stage may fail with a cryptic error like: @@ -1656,7 +1674,7 @@ $ env CDK_NEW_BOOTSTRAP=1 npx cdk bootstrap \ ``` - Update all impacted stacks in the pipeline to use this new qualifier. -See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more info. + See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more info. ```ts new Stack(this, 'MyStack', { @@ -1681,13 +1699,13 @@ encryption key policy for the artifacts bucket may have a statement that looks l ```json { - "Effect" : "Allow", - "Principal" : { + "Effect": "Allow", + "Principal": { // "AWS" : "AROAYBRETNYCYV6ZF2R93" // Indicates this issue; replace this value - "AWS": "arn:aws:iam::0123456789012:role/cdk-hnb659fds-deploy-role-0123456789012-eu-west-1", // Correct value + "AWS": "arn:aws:iam::0123456789012:role/cdk-hnb659fds-deploy-role-0123456789012-eu-west-1" // Correct value }, - "Action" : [ "kms:Decrypt", "kms:DescribeKey" ], - "Resource" : "*" + "Action": ["kms:Decrypt", "kms:DescribeKey"], + "Resource": "*" } ``` @@ -1704,7 +1722,7 @@ framework version that your application uses. You either forgot to change the `cliVersion` parameter, or changed the `cliVersion` in the same commit in which you changed the framework version. Because a change to the pipeline settings needs a successful run of the `SelfMutate` step to be applied, the next iteration of the -`SelfMutate` step still executes with the *old* CLI version, and that old CLI version +`SelfMutate` step still executes with the _old_ CLI version, and that old CLI version is not able to read the cloud assembly produced by the new framework version. Solution: change the `cliVersion` first, commit, push and deploy, and only then @@ -1751,8 +1769,8 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // Add the shell commands to install your drop-in Docker // replacement to the CodeBuild enviromment. commands: installCommands, - } - } + }, + }, }), buildEnvironment: { environmentVariables: { @@ -1760,8 +1778,8 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { // `docker` when building / publishing docker images. // e.g., `drop-in-replacement build . -f path/to/Dockerfile` CDK_DOCKER: { value: 'drop-in-replacement' }, - } - } + }, + }, }, }); ``` @@ -1789,14 +1807,16 @@ const pipeline = new pipelines.CodePipeline(this, 'Pipeline', { buildEnvironment: { // Provide a custom build image containing your toolchain and the // pre-installed replacement for the `docker` command. - buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('your-docker-registry'), + buildImage: codebuild.LinuxBuildImage.fromDockerRegistry( + 'your-docker-registry' + ), environmentVariables: { // If you haven't provided an `ENV` in your Dockerfile that overrides // `CDK_DOCKER`, then you must provide the name of the command that // the AWS CDK should run instead of `docker` here. CDK_DOCKER: { value: 'drop-in-replacement' }, - } - } + }, + }, }, }); ``` diff --git a/packages/aws-cdk-lib/pipelines/lib/index.ts b/packages/aws-cdk-lib/pipelines/lib/index.ts index 5f469e9fd5ce6..e26c394c027cb 100644 --- a/packages/aws-cdk-lib/pipelines/lib/index.ts +++ b/packages/aws-cdk-lib/pipelines/lib/index.ts @@ -1,4 +1,3 @@ -export * from './legacy'; export * from './blueprint'; export * from './codepipeline'; export * from './main'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts deleted file mode 100644 index 3de0c99c3de23..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts +++ /dev/null @@ -1,386 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { Construct, Node } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Aws, CfnCapabilities, Stack } from '../../../../core'; -import * as cxapi from '../../../../cx-api'; -import { appOf, assemblyBuilderOf } from '../../private/construct-internals'; -import { toPosixPath } from '../../private/fs'; - -/** - * Customization options for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionOptions { - /** - * Base name of the action - * - * @default stackName - */ - readonly baseActionName?: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the Prepare action - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; - - /** - * Name of the change set to create and deploy - * - * @default 'PipelineChange' - */ - readonly changeSetName?: string; -} - -/** - * Properties for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionProps extends DeployCdkStackActionOptions { - /** - * Relative path of template in the input artifact - */ - readonly templatePath: string; - - /** - * Role for the action to assume - * - * This controls the account to deploy into - */ - readonly actionRole: iam.IRole; - - /** - * The name of the stack that should be created/updated - */ - readonly stackName: string; - - /** - * Role to execute CloudFormation under - * - * @default - Execute CloudFormation using the action role - */ - readonly cloudFormationExecutionRole?: iam.IRole; - - /** - * Region to deploy into - * - * @default - Same region as pipeline - */ - readonly region?: string; - - /** - * Artifact ID for the stack deployed here - * - * Used for pipeline order checking. - * - * @default - Order will not be checked - */ - readonly stackArtifactId?: string; - - /** - * Artifact ID for the stacks this stack depends on - * - * Used for pipeline order checking. - * - * @default - No dependencies - */ - readonly dependencyStackArtifactIds?: string[]; - - /** - * Template configuration path relative to the input artifact - * - * @default - No template configuration - */ - readonly templateConfigurationPath?: string; -} - -/** - * Options for the 'fromStackArtifact' operation - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStackActionFromArtifactOptions extends DeployCdkStackActionOptions { - /** - * The name of the stack that should be created/updated - * - * @default - Same as stack artifact - */ - readonly stackName?: string; -} - -/** - * Action to deploy a CDK Stack - * - * Adds two CodePipeline Actions to the pipeline: one to create a ChangeSet - * and one to execute it. - * - * You do not need to instantiate this action yourself -- it will automatically - * be added by the pipeline when you add stack artifacts or entire stages. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class DeployCdkStackAction implements codepipeline.IAction { - /** - * Construct a DeployCdkStackAction from a Stack artifact - */ - public static fromStackArtifact(scope: Construct, artifact: cxapi.CloudFormationStackArtifact, options: CdkStackActionFromArtifactOptions) { - if (!artifact.assumeRoleArn) { - throw new Error(`Stack '${artifact.stackName}' does not have deployment role information; use the 'DefaultStackSynthesizer' synthesizer, or set the '@aws-cdk/core:newStyleStackSynthesis' context key.`); - } - - const artRegion = artifact.environment.region; - const region = artRegion === Stack.of(scope).region || artRegion === cxapi.UNKNOWN_REGION ? undefined : artRegion; - const artAccount = artifact.environment.account; - const account = artAccount === Stack.of(scope).account || artAccount === cxapi.UNKNOWN_ACCOUNT ? undefined : artAccount; - - const actionRole = roleFromPlaceholderArn(scope, region, account, artifact.assumeRoleArn); - const cloudFormationExecutionRole = roleFromPlaceholderArn(scope, region, account, artifact.cloudFormationExecutionRoleArn); - - // We need the path of the template relative to the root Cloud Assembly - // It should be easier to get this, but for now it is what it is. - const appAsmRoot = assemblyBuilderOf(appOf(scope)).outdir; - const fullTemplatePath = path.join(artifact.assembly.directory, artifact.templateFile); - - let fullConfigPath; - if (Object.keys(artifact.tags).length > 0) { - fullConfigPath = `${fullTemplatePath}.config.json`; - - // Write the template configuration file (for parameters into CreateChangeSet call that - // cannot be configured any other way). They must come from a file, and there's unfortunately - // no better hook to write this file (`construct.onSynthesize()` would have been the prime candidate - // but that is being deprecated--and DeployCdkStackAction isn't even a construct). - writeTemplateConfiguration(fullConfigPath, { - Tags: artifact.tags, - }); - } - - return new DeployCdkStackAction({ - actionRole, - cloudFormationExecutionRole, - templatePath: toPosixPath(path.relative(appAsmRoot, fullTemplatePath)), - templateConfigurationPath: fullConfigPath ? toPosixPath(path.relative(appAsmRoot, fullConfigPath)) : undefined, - region, - stackArtifactId: artifact.id, - dependencyStackArtifactIds: artifact.dependencies.filter(isStackArtifact).map(s => s.id), - stackName: options.stackName ?? artifact.stackName, - ...options, - }); - } - - /** - * The runorder for the prepare action - */ - public readonly prepareRunOrder: number; - - /** - * The runorder for the execute action - */ - public readonly executeRunOrder: number; - - /** - * Name of the deployed stack - */ - public readonly stackName: string; - - /** - * Artifact id of the artifact this action was based on - */ - public readonly stackArtifactId?: string; - - /** - * Artifact ids of the artifact this stack artifact depends on - */ - public readonly dependencyStackArtifactIds: string[]; - - private readonly prepareChangeSetAction: cpactions.CloudFormationCreateReplaceChangeSetAction; - private readonly executeChangeSetAction: cpactions.CloudFormationExecuteChangeSetAction; - - constructor(props: DeployCdkStackActionProps) { - if (props.output && !props.outputFileName) { - throw new Error('If \'output\' is set, \'outputFileName\' is also required'); - } - - this.stackArtifactId = props.stackArtifactId; - this.dependencyStackArtifactIds = props.dependencyStackArtifactIds ?? []; - - this.prepareRunOrder = props.prepareRunOrder ?? 1; - this.executeRunOrder = props.executeRunOrder ?? this.prepareRunOrder + 1; - this.stackName = props.stackName; - const baseActionName = props.baseActionName ?? this.stackName; - const changeSetName = props.changeSetName ?? 'PipelineChange'; - - this.prepareChangeSetAction = new cpactions.CloudFormationCreateReplaceChangeSetAction({ - actionName: `${baseActionName}.Prepare`, - changeSetName, - runOrder: this.prepareRunOrder, - stackName: this.stackName, - templatePath: props.cloudAssemblyInput.atPath(props.templatePath), - adminPermissions: false, - role: props.actionRole, - deploymentRole: props.cloudFormationExecutionRole, - region: props.region, - cfnCapabilities: [CfnCapabilities.NAMED_IAM, CfnCapabilities.AUTO_EXPAND], - templateConfiguration: props.templateConfigurationPath ? props.cloudAssemblyInput.atPath(props.templateConfigurationPath) : undefined, - }); - this.executeChangeSetAction = new cpactions.CloudFormationExecuteChangeSetAction({ - actionName: `${baseActionName}.Deploy`, - changeSetName, - runOrder: this.executeRunOrder, - stackName: this.stackName, - role: props.actionRole, - region: props.region, - outputFileName: props.outputFileName, - output: props.output, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - stage.addAction(this.prepareChangeSetAction); - - return this.executeChangeSetAction.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.executeChangeSetAction.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this.executeChangeSetAction.actionProperties; - } -} - -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string): iam.IRole; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined { - - if (!arn) { return undefined; } - - // Use placeholdered arn as construct ID. - const id = arn; - - // https://github.com/aws/aws-cdk/issues/7255 - let existingRole = Node.of(scope).tryFindChild(`ImmutableRole${id}`) as iam.IRole; - if (existingRole) { return existingRole; } - // For when #7255 is fixed. - existingRole = Node.of(scope).tryFindChild(id) as iam.IRole; - if (existingRole) { return existingRole; } - - const arnToImport = cxapi.EnvironmentPlaceholders.replace(arn, { - region: region ?? Aws.REGION, - accountId: account ?? Aws.ACCOUNT_ID, - partition: Aws.PARTITION, - }); - return iam.Role.fromRoleArn(scope, id, arnToImport, { mutable: false, addGrantsToResources: true }); -} - -/** - * Options for CdkDeployAction.fromStackArtifact - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface FromStackArtifactOptions { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the 2 actions that will be created - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; -} - -function isStackArtifact(a: cxapi.CloudArtifact): a is cxapi.CloudFormationStackArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return a instanceof cxapi.CloudFormationStackArtifact; - return a.constructor.name === 'CloudFormationStackArtifact'; -} - -/** - * Template configuration in a CodePipeline - * - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c13c17c15 - */ -interface TemplateConfiguration { - readonly Parameters?: Record; - readonly Tags?: Record; - readonly StackPolicy?: { - readonly Statements: Array>; - }; -} - -/** - * Write template configuration to the given file - */ -function writeTemplateConfiguration(filename: string, config: TemplateConfiguration) { - fs.writeFileSync(filename, JSON.stringify(config, undefined, 2), { encoding: 'utf-8' }); -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts deleted file mode 100644 index 834ded93472f2..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts +++ /dev/null @@ -1,3 +0,0 @@ -export * from './deploy-cdk-stack-action'; -export * from './publish-assets-action'; -export * from './update-pipeline-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts deleted file mode 100644 index 89bd087101972..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts +++ /dev/null @@ -1,228 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { IDependable, Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { ISynthesisSession, Lazy, Stack, attachCustomSynthesis } from '../../../../core'; -import { AssetType } from '../../blueprint/asset-type'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -/** - * Props for a PublishAssetsAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface PublishAssetsActionProps { - /** - * Name of publishing action - */ - readonly actionName: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * AssetType we're publishing - */ - readonly assetType: AssetType; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Role to use for CodePipeline and CodeBuild to build and publish the assets. - * - * @default - Automatically generated - */ - readonly role?: iam.IRole; - - /** - * Any Dependable construct that the CodeBuild project needs to take a dependency on. - * - * @default - none - */ - readonly dependable?: IDependable; - - /** - * The VPC where to execute the PublishAssetsAction. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; - - /** - * Use a file buildspec written to the cloud assembly instead of an inline buildspec. - * This prevents size limitation errors as inline specs have a max length of 25600 characters - * - * @default false - */ - readonly createBuildspecFile?: boolean; - - /** - * Additional commands to run before installing cdk-assert - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly preInstallCommands?: string[]; -} - -/** - * Action to publish an asset in the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to prepare and publish the asset. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline when you add stacks that use assets. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class PublishAssetsAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - private readonly commands = new Array(); - - private readonly buildSpec: codebuild.BuildSpec; - - constructor(scope: Construct, id: string, private readonly props: PublishAssetsActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - const installCommand = `npm install -g cdk-assets${installSuffix}`; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: props.preInstallCommands ? [...props.preInstallCommands, installCommand] : installCommand, - }, - build: { - commands: Lazy.list({ produce: () => this.commands }), - }, - }, - }); - this.buildSpec = props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec; - - const project = new codebuild.PipelineProject(this, 'Default', { - projectName: this.props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: (props.assetType === AssetType.DOCKER_IMAGE) ? true : undefined, - }, - vpc: props.vpc, - subnetSelection: props.subnetSelection, - buildSpec: props.createBuildspecFile ? codebuild.BuildSpec.fromSourceFilename(this.getBuildSpecFileName()) : this.buildSpec, - role: props.role, - }); - - if (props.dependable) { - project.node.addDependency(props.dependable); - } - - this.action = new codepipeline_actions.CodeBuildAction({ - actionName: props.actionName, - project, - input: this.props.cloudAssemblyInput, - role: props.role, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - - attachCustomSynthesis(this, { - onSynthesize: this._onSynth.bind(this), - }); - } - - private getBuildSpecFileName(): string { - return `buildspec-assets-${this.node.path.replace(new RegExp('/', 'g'), '-')}.yaml`; - } - - private _onSynth(session: ISynthesisSession): void { - if (this.props.createBuildspecFile) { - const specFile = path.join(session.outdir, this.getBuildSpecFileName()); - fs.writeFileSync(specFile, Stack.of(this).resolve(this.buildSpec.toBuildSpec()), { encoding: 'utf-8' }); - } - } - - /** - * Add a single publishing command - * - * Manifest path should be relative to the root Cloud Assembly. - */ - public addPublishCommand(relativeManifestPath: string, assetSelector: string) { - const command = `cdk-assets --path "${toPosixPath(relativeManifestPath)}" --verbose publish "${assetSelector}"`; - if (!this.commands.includes(command)) { - this.commands.push(command); - } - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts deleted file mode 100644 index 85672ab4a849f..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts +++ /dev/null @@ -1,183 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { embeddedAsmPath } from '../../private/construct-internals'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; - -/** - * Props for the UpdatePipelineAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface UpdatePipelineActionProps { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Name of the pipeline stack - * - * @deprecated - Use `pipelineStackHierarchicalId` instead. - * @default - none - */ - readonly pipelineStackName?: string; - - /** - * Hierarchical id of the pipeline stack - */ - readonly pipelineStackHierarchicalId: string; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Whether the build step should run in privileged mode. - * - * @default - false - */ - readonly privileged?: boolean; - - /** - * Docker registries and associated credentials necessary during the pipeline - * self-update stage. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Action to self-mutate the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to deploy the pipeline stack. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class UpdatePipelineAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - - constructor(scope: Construct, id: string, props: UpdatePipelineActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - - const stackIdentifier = props.pipelineStackHierarchicalId ?? props.pipelineStackName; - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: [ - `npm install -g aws-cdk${installSuffix}`, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SELF_UPDATE, props.dockerCredentials), - ], - }, - build: { - commands: [ - // Cloud Assembly is in *current* directory. - `cdk -a ${embeddedAsmPath(scope)} deploy ${stackIdentifier} --require-approval=never --verbose`, - ], - }, - }, - }); - const selfMutationProject = new codebuild.PipelineProject(this, 'SelfMutation', { - projectName: props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: props.privileged ?? false, - }, - buildSpec: props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec, - }); - - // allow the self-mutating project permissions to assume the bootstrap Action role - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['sts:AssumeRole'], - resources: [`arn:*:iam::${Stack.of(this).account}:role/*`], - conditions: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, - }, - })); - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['cloudformation:DescribeStacks'], - resources: ['*'], // this is needed to check the status of the bootstrap stack when doing `cdk deploy` - })); - // S3 checks for the presence of the ListBucket permission - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['s3:ListBucket'], - resources: ['*'], - })); - (props.dockerCredentials ?? []).forEach(reg => reg.grantRead(selfMutationProject, DockerCredentialUsage.SELF_UPDATE)); - - this.action = new cpactions.CodeBuildAction({ - actionName: 'SelfMutate', - input: props.cloudAssemblyInput, - project: selfMutationProject, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts deleted file mode 100644 index ca2b108fcb0d8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts +++ /dev/null @@ -1,5 +0,0 @@ -export * from './pipeline'; -export * from './stage'; -export * from './synths'; -export * from './actions'; -export * from './validation'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts deleted file mode 100644 index ea87b74b2f4de..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts +++ /dev/null @@ -1,624 +0,0 @@ -import * as path from 'path'; -import { Construct } from 'constructs'; -import { DeployCdkStackAction, PublishAssetsAction, UpdatePipelineAction } from './actions'; -import { AddStageOptions, AssetPublishingCommand, BaseStageOptions, CdkStage, StackOutput } from './stage'; -import { SimpleSynthAction } from './synths'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as ec2 from '../../../aws-ec2'; -import * as iam from '../../../aws-iam'; -import { Annotations, App, CfnOutput, PhysicalName, Stack, Stage } from '../../../core'; -import { AssetType } from '../blueprint/asset-type'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetSingletonRole } from '../private/asset-singleton-role'; -import { CachedFnSub } from '../private/cached-fnsub'; -import { preferredCliVersion } from '../private/cli-version'; -import { appOf, assemblyBuilderOf } from '../private/construct-internals'; - -const CODE_BUILD_LENGTH_LIMIT = 100; -/** - * Properties for a CdkPipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkPipelineProps { - /** - * The CodePipeline action used to retrieve the CDK app's source - * - * @default - Required unless `codePipeline` is given - */ - readonly sourceAction?: codepipeline.IAction; - - /** - * The CodePipeline action build and synthesis step of the CDK app - * - * @default - Required unless `codePipeline` or `sourceAction` is given - */ - readonly synthAction?: codepipeline.IAction; - - /** - * The artifact you have defined to be the artifact to hold the cloudAssemblyArtifact for the synth action - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Existing CodePipeline to add deployment stages to - * - * Use this if you want more control over the CodePipeline that gets created. - * You can choose to not pass this value, in which case a new CodePipeline is - * created with default settings. - * - * If you pass an existing CodePipeline, it should have been created - * with `restartExecutionOnUpdate: true`. - * - * [disable-awslint:ref-via-interface] - * - * @default - A new CodePipeline is automatically generated - */ - readonly codePipeline?: codepipeline.Pipeline; - - /** - * Name of the pipeline - * - * Can only be set if `codePipeline` is not set. - * - * @default - A name is automatically generated - */ - readonly pipelineName?: string; - - /** - * Create KMS keys for cross-account deployments - * - * This controls whether the pipeline is enabled for cross-account deployments. - * - * Can only be set if `codePipeline` is not set. - * - * By default cross-account deployments are enabled, but this feature requires - * that KMS Customer Master Keys are created which have a cost of $1/month. - * - * If you do not need cross-account deployments, you can set this to `false` to - * not create those keys and save on that cost (the artifact bucket will be - * encrypted with an AWS-managed key). However, cross-account deployments will - * no longer be possible. - * - * @default true - */ - readonly crossAccountKeys?: boolean; - // @deprecated(v2): switch to default false - - /** - * Enables KMS key rotation for cross-account keys. - * - * Cannot be set if `crossAccountKeys` was set to `false`. - * - * Key rotation costs $1/month when enabled. - * - * @default - false (key rotation is disabled) - */ - readonly enableKeyRotation?: boolean; - - /** - * CDK CLI version to use in pipeline - * - * Some Actions in the pipeline will download and run a version of the CDK - * CLI. Specify the version here. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * The VPC where to execute the CdkPipeline actions. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Whether the pipeline will update itself - * - * This needs to be set to `true` to allow the pipeline to reconfigure - * itself when assets or stages are being added to it, and `true` is the - * recommended setting. - * - * You can temporarily set this to `false` while you are iterating - * on the pipeline itself and prefer to deploy changes using `cdk deploy`. - * - * @default true - */ - readonly selfMutating?: boolean; - - /** - * Custom BuildSpec that is merged with generated one (for self-mutation stage) - * - * @default - none - */ - readonly selfMutationBuildSpec?: codebuild.BuildSpec; - - /** - * Whether this pipeline creates one asset upload action per asset type or one asset upload per asset - * - * @default false - */ - readonly singlePublisherPerType?: boolean; - - /** - * Additional commands to run before installing cdk-assets during the asset publishing step - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly assetPreInstallCommands?: string[]; - - /** - * Custom BuildSpec that is merged with generated one (for asset publishing actions) - * - * @default - none - */ - readonly assetBuildSpec?: codebuild.BuildSpec; - - /** - * Whether the pipeline needs to build Docker images in the UpdatePipeline stage. - * - * If the UpdatePipeline stage tries to build a Docker image and this flag is not - * set to `true`, the build step will run in non-privileged mode and consequently - * will fail with a message like: - * - * > Cannot connect to the Docker daemon at unix:///var/run/docker.sock. - * > Is the docker daemon running? - * - * This flag has an effect only if `selfMutating` is also `true`. - * - * @default - false - */ - readonly supportDockerAssets?: boolean; - - /** - * A list of credentials used to authenticate to Docker registries. - * - * Specify any credentials necessary within the pipeline to build, synth, update, or publish assets. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; -} - -/** - * A Pipeline to deploy CDK apps - * - * Defines an AWS CodePipeline-based Pipeline to deploy CDK applications. - * - * Automatically manages the following: - * - * - Stack dependency order. - * - Asset publishing. - * - Keeping the pipeline up-to-date as the CDK apps change. - * - Using stack outputs later on in the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkPipeline extends Construct { - private readonly _pipeline: codepipeline.Pipeline; - private readonly _assets: AssetPublishing; - private readonly _stages: CdkStage[] = []; - private readonly _outputArtifacts: Record = {}; - private readonly _cloudAssemblyArtifact: codepipeline.Artifact; - private readonly _dockerCredentials: DockerCredential[]; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private readonly cliVersion?: string; - - constructor(scope: Construct, id: string, props: CdkPipelineProps) { - super(scope, id); - this.cliVersion = props.cdkCliVersion ?? preferredCliVersion(); - - if (!App.isApp(this.node.root)) { - throw new Error('CdkPipeline must be created under an App'); - } - - this._cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this._dockerCredentials = props.dockerCredentials ?? []; - const pipelineStack = Stack.of(this); - - if (props.codePipeline) { - if (props.pipelineName) { - throw new Error('Cannot set \'pipelineName\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.crossAccountKeys !== undefined) { - throw new Error('Cannot set \'crossAccountKeys\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.enableKeyRotation !== undefined) { - throw new Error('Cannot set \'enableKeyRotation\' if an existing CodePipeline is given using \'codePipeline\''); - } - - this._pipeline = props.codePipeline; - } else { - this._pipeline = new codepipeline.Pipeline(this, 'Pipeline', { - pipelineName: props.pipelineName, - crossAccountKeys: props.crossAccountKeys, - enableKeyRotation: props.enableKeyRotation, - restartExecutionOnUpdate: true, - }); - } - - if (props.sourceAction && !props.synthAction) { - // Because of ordering limitations, you can: bring your own Source, bring your own - // Both, or bring your own Nothing. You cannot bring your own Build (which because of the - // current CodePipeline API must go BEFORE what we're adding) and then having us add a - // Source after it. That doesn't make any sense. - throw new Error('When passing a \'sourceAction\' you must also pass a \'synthAction\' (or a \'codePipeline\' that already has both)'); - } - if (!props.sourceAction && (!props.codePipeline || props.codePipeline.stages.length < 1)) { - throw new Error('You must pass a \'sourceAction\' (or a \'codePipeline\' that already has a Source stage)'); - } - - if (props.sourceAction) { - this._pipeline.addStage({ - stageName: 'Source', - actions: [props.sourceAction], - }); - } - - if (props.synthAction) { - if (props.synthAction instanceof SimpleSynthAction && this._dockerCredentials.length > 0) { - props.synthAction._addDockerCredentials(this._dockerCredentials); - } - - this._pipeline.addStage({ - stageName: 'Build', - actions: [props.synthAction], - }); - } - - if (props.selfMutating ?? true) { - this._pipeline.addStage({ - stageName: 'UpdatePipeline', - actions: [new UpdatePipelineAction(this, 'UpdatePipeline', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - pipelineStackHierarchicalId: pipelineStack.node.path, - cdkCliVersion: this.cliVersion, - projectName: maybeSuffix(props.pipelineName, '-selfupdate'), - privileged: props.supportDockerAssets, - dockerCredentials: this._dockerCredentials, - buildSpec: props.selfMutationBuildSpec, - })], - }); - } - - this._assets = new AssetPublishing(this, 'Assets', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - cdkCliVersion: this.cliVersion, - pipeline: this._pipeline, - projectName: maybeSuffix(props.pipelineName, '-publish'), - vpc: props.vpc, - subnetSelection: props.subnetSelection, - singlePublisherPerType: props.singlePublisherPerType, - preInstallCommands: props.assetPreInstallCommands, - buildSpec: props.assetBuildSpec, - dockerCredentials: this._dockerCredentials, - }); - - this.node.addValidation({ validate: () => this.validatePipeline() }); - } - - /** - * The underlying CodePipeline object - * - * You can use this to add more Stages to the pipeline, or Actions - * to Stages. - */ - public get codePipeline(): codepipeline.Pipeline { - return this._pipeline; - } - - /** - * Access one of the pipeline's stages by stage name - * - * You can use this to add more Actions to a stage. - */ - public stage(stageName: string): codepipeline.IStage { - return this._pipeline.stage(stageName); - } - - /** - * Get a cached version of an Application Security Check, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * @internal - */ - public _getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (!this._applicationSecurityCheck) { - this._applicationSecurityCheck = new ApplicationSecurityCheck(this, 'PipelineApplicationSecurityCheck', { - codePipeline: this._pipeline, - }); - } - return this._applicationSecurityCheck; - } - - /** - * Add pipeline stage that will deploy the given application stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplicationStage(appStage: Stage, options: AddStageOptions = {}): CdkStage { - const stage = this.addStage(appStage.stageName, options); - stage.addApplication(appStage, options); - return stage; - } - - /** - * Add a new, empty stage to the pipeline - * - * Prefer to use `addApplicationStage` if you are intended to deploy a CDK - * application, but you can use this method if you want to add other kinds of - * Actions to a pipeline. - */ - public addStage(stageName: string, options?: BaseStageOptions) { - const pipelineStage = this._pipeline.addStage({ - stageName, - }); - - const stage = new CdkStage(this, stageName, { - cloudAssemblyArtifact: this._cloudAssemblyArtifact, - pipelineStage, - stageName, - host: { - publishAsset: this._assets.addPublishAssetAction.bind(this._assets), - stackOutputArtifact: (artifactId) => this._outputArtifacts[artifactId], - }, - ...options, - }); - this._stages.push(stage); - return stage; - } - - /** - * Get the StackOutput object that holds this CfnOutput's value in this pipeline - * - * `StackOutput` can be used in validation actions later in the pipeline. - */ - public stackOutput(cfnOutput: CfnOutput): StackOutput { - const stack = Stack.of(cfnOutput); - - if (!this._outputArtifacts[stack.artifactId]) { - // We should have stored the ArtifactPath in the map, but its Artifact - // property isn't publicly readable... - const artifactName = `${stack.artifactId}_Outputs`; - const compactName = artifactName.slice(artifactName.length - Math.min(artifactName.length, CODE_BUILD_LENGTH_LIMIT)); - this._outputArtifacts[stack.artifactId] = new codepipeline.Artifact(compactName); - } - - return new StackOutput(this._outputArtifacts[stack.artifactId].atPath('outputs.json'), cfnOutput.logicalId); - } - - /** - * Validate that we don't have any stacks violating dependency order in the pipeline - * - * Our own convenience methods will never generate a pipeline that does that (although - * this is a nice verification), but a user can also add the stacks by hand. - */ - private validatePipeline(): string[] { - const ret = new Array(); - - ret.push(...this.validateDeployOrder()); - ret.push(...this.validateRequestedOutputs()); - - return ret; - } - - /** - * Return all StackDeployActions in an ordered list - */ - private get stackActions(): DeployCdkStackAction[] { - return flatMap(this._pipeline.stages, s => s.actions.filter(isDeployAction)); - } - - private * validateDeployOrder(): IterableIterator { - const stackActions = this.stackActions; - for (const stackAction of stackActions) { - // For every dependency, it must be executed in an action before this one is prepared. - for (const depId of stackAction.dependencyStackArtifactIds) { - const depAction = stackActions.find(s => s.stackArtifactId === depId); - - if (depAction === undefined) { - Annotations.of(this).addWarningV2('@aws-cdk/pipelines:dependencyOnNonPipelineStack', `Stack '${stackAction.stackName}' depends on stack ` + - `'${depId}', but that dependency is not deployed through the pipeline!`); - } else if (!(depAction.executeRunOrder < stackAction.prepareRunOrder)) { - yield `Stack '${stackAction.stackName}' depends on stack ` + - `'${depAction.stackName}', but is deployed before it in the pipeline!`; - } - } - } - } - - private * validateRequestedOutputs(): IterableIterator { - const artifactIds = this.stackActions.map(s => s.stackArtifactId); - - for (const artifactId of Object.keys(this._outputArtifacts)) { - if (!artifactIds.includes(artifactId)) { - yield `Trying to use outputs for Stack '${artifactId}', but Stack is not deployed in this pipeline. Add it to the pipeline.`; - } - } - } -} - -function isDeployAction(a: codepipeline.IAction): a is DeployCdkStackAction { - return a instanceof DeployCdkStackAction; -} - -function flatMap(xs: A[], f: (x: A) => B[]): B[] { - return Array.prototype.concat([], ...xs.map(f)); -} - -interface AssetPublishingProps { - readonly cloudAssemblyInput: codepipeline.Artifact; - readonly pipeline: codepipeline.Pipeline; - readonly cdkCliVersion?: string; - readonly projectName?: string; - readonly vpc?: ec2.IVpc; - readonly subnetSelection?: ec2.SubnetSelection; - readonly singlePublisherPerType?: boolean; - readonly preInstallCommands?: string[]; - readonly buildSpec?: codebuild.BuildSpec; - readonly dockerCredentials: DockerCredential[]; -} - -/** - * Add appropriate publishing actions to the asset publishing stage - */ -class AssetPublishing extends Construct { - // CodePipelines has a hard limit of 50 actions per stage. See https://github.com/aws/aws-cdk/issues/9353 - private readonly MAX_PUBLISHERS_PER_STAGE = 50; - - private readonly publishers: Record = {}; - private readonly assetRoles: Map = new Map(); - private readonly assetAttachedPolicies: Record = {}; - private readonly myCxAsmRoot: string; - private readonly cachedFnSub = new CachedFnSub(); - - private readonly lastStageBeforePublishing?: codepipeline.IStage; - private readonly stages: codepipeline.IStage[] = []; - private readonly pipeline: codepipeline.Pipeline; - private readonly dockerCredentials: DockerCredential[]; - - private _fileAssetCtr = 0; - private _dockerAssetCtr = 0; - - constructor(scope: Construct, id: string, private readonly props: AssetPublishingProps) { - super(scope, id); - this.myCxAsmRoot = path.resolve(assemblyBuilderOf(appOf(this)).outdir); - - this.pipeline = this.props.pipeline; - // Hacks to get access to the innards of Pipeline - const stages: codepipeline.IStage[] = (this.props.pipeline as any)._stages; - // Any asset publishing stages will be added directly after the last stage that currently exists. - this.lastStageBeforePublishing = stages.slice(-1)[0]; - - this.dockerCredentials = props.dockerCredentials; - } - - /** - * Make sure there is an action in the stage to publish the given asset - * - * Assets are grouped by asset ID (which represent individual assets) so all assets - * are published in parallel. For each assets, all destinations are published sequentially - * so that we can reuse expensive operations between them (mostly: building a Docker image). - */ - public addPublishAssetAction(command: AssetPublishingCommand) { - // FIXME: this is silly, we need the relative path here but no easy way to get it - const relativePath = path.relative(this.myCxAsmRoot, command.assetManifestPath); - - // The path cannot be outside the asm root. I don't really understand how this could ever - // come to pass, but apparently it has (see https://github.com/aws/aws-cdk/issues/9766). - // Add a sanity check here so we can catch it more quickly next time. - if (relativePath.startsWith(`..${path.sep}`)) { - throw new Error(`The asset manifest (${command.assetManifestPath}) cannot be outside the Cloud Assembly directory (${this.myCxAsmRoot}). Please report this error at https://github.com/aws/aws-cdk/issues to help us debug why this is happening.`); - } - - // Late-binding here (rather than in the constructor) to prevent creating the role in cases where no asset actions are created. - const assetRole = this.generateAssetRole(command.assetType); - // The ARNs include raw AWS pseudo parameters (e.g., ${AWS::Partition}), which need to be substituted. - assetRole.addAssumeRole(this.cachedFnSub.fnSub(command.assetPublishingRoleArn)); - const publisherKey = this.props.singlePublisherPerType ? command.assetType.toString() : command.assetId; - - let action = this.publishers[publisherKey]; - if (!action) { - // Dynamically create new stages as needed, with `MAX_PUBLISHERS_PER_STAGE` assets per stage. - const stageIndex = this.props.singlePublisherPerType ? 0 : - Math.floor((this._fileAssetCtr + this._dockerAssetCtr) / this.MAX_PUBLISHERS_PER_STAGE); - - if (!this.props.singlePublisherPerType && stageIndex >= this.stages.length) { - const previousStage = this.stages.slice(-1)[0] ?? this.lastStageBeforePublishing; - this.stages.push(this.pipeline.addStage({ - stageName: `Assets${stageIndex > 0 ? stageIndex + 1 : ''}`, - placement: { justAfter: previousStage }, - })); - } else if (this.props.singlePublisherPerType && this.stages.length == 0) { - this.stages.push(this.pipeline.addStage({ - stageName: 'Assets', - placement: { justAfter: this.lastStageBeforePublishing }, - })); - } - - // The asset ID would be a logical candidate for the construct path and project names, but if the asset - // changes it leads to recreation of a number of Role/Policy/Project resources which is slower than - // necessary. Number sequentially instead. - // - // FIXME: The ultimate best solution is probably to generate a single Project per asset type - // and reuse that for all assets. - const id = this.props.singlePublisherPerType ? - command.assetType === AssetType.FILE ? 'FileAsset' : 'DockerAsset' : - command.assetType === AssetType.FILE ? `FileAsset${++this._fileAssetCtr}` : `DockerAsset${++this._dockerAssetCtr}`; - - const credsInstallCommands = dockerCredentialsInstallCommands(DockerCredentialUsage.ASSET_PUBLISHING, this.dockerCredentials); - - // NOTE: It's important that asset changes don't force a pipeline self-mutation. - // This can cause an infinite loop of updates (see https://github.com/aws/aws-cdk/issues/9080). - // For that reason, we use the id as the actionName below, rather than the asset hash. - action = this.publishers[publisherKey] = new PublishAssetsAction(this, id, { - actionName: id, - cloudAssemblyInput: this.props.cloudAssemblyInput, - cdkCliVersion: this.props.cdkCliVersion, - assetType: command.assetType, - role: this.assetRoles.get(command.assetType), - dependable: this.assetAttachedPolicies[command.assetType], - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: this.props.buildSpec, - createBuildspecFile: this.props.singlePublisherPerType, - preInstallCommands: [...(this.props.preInstallCommands ?? []), ...credsInstallCommands], - }); - this.stages[stageIndex].addAction(action); - } - - action.addPublishCommand(relativePath, command.assetSelector); - } - - /** - * This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two - * roles into one, and re-using across all assets, saves significant size of the final synthesized output. - * Modeled after the CodePipeline role and 'CodePipelineActionRole' roles. - * Generates one role per asset type to separate file and Docker/image-based permissions. - */ - private generateAssetRole(assetType: AssetType) { - const existing = this.assetRoles.get(assetType); - if (existing) { - return existing; - } - - const rolePrefix = assetType === AssetType.DOCKER_IMAGE ? 'Docker' : 'File'; - const assetRole = new AssetSingletonRole(this, `${rolePrefix}Role`, { - roleName: PhysicalName.GENERATE_IF_NEEDED, - assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal('codebuild.amazonaws.com'), new iam.AccountPrincipal(Stack.of(this).account)), - }); - - // Grant pull access for any ECR registries and secrets that exist - if (assetType === AssetType.DOCKER_IMAGE) { - this.dockerCredentials.forEach(reg => reg.grantRead(assetRole, DockerCredentialUsage.ASSET_PUBLISHING)); - } - - this.assetRoles.set(assetType, assetRole); - return assetRole; - } -} - -function maybeSuffix(x: string | undefined, suffix: string): string | undefined { - if (x === undefined) { return undefined; } - return `${x}${suffix}`; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts deleted file mode 100644 index 79f224b87e583..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts +++ /dev/null @@ -1,586 +0,0 @@ -import { Construct, Node } from 'constructs'; -import { DeployCdkStackAction } from './actions'; -import { CdkPipeline } from './pipeline'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as cpactions from '../../../aws-codepipeline-actions'; -import { CodeBuildAction } from '../../../aws-codepipeline-actions'; -import * as sns from '../../../aws-sns'; -import { Stage, Aspects } from '../../../core'; -import * as cxapi from '../../../cx-api'; -import { AssetType } from '../blueprint/asset-type'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from '../private/asset-manifest'; -import { pipelineSynth } from '../private/construct-internals'; -import { topologicalSort } from '../private/toposort'; - -/** - * Construction properties for a CdkStage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStageProps { - /** - * Name of the stage that should be created - */ - readonly stageName: string; - - /** - * The underlying Pipeline Stage associated with thisCdkStage - */ - readonly pipelineStage: codepipeline.IStage; - - /** - * The CodePipeline Artifact with the Cloud Assembly - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Features the Stage needs from its environment - */ - readonly host: IStageHost; - - /** - * Run a security check before every application prepare/deploy actions. - * - * Note: Stage level security check can be overriden per application as follows: - * `stage.addApplication(app, { confirmBroadeningPermissions: false })` - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - - /** - * Optional SNS topic to send notifications to when any security check registers - * changes within a application. - * - * Note: The Stage Notification Topic can be overriden per application as follows: - * `stage.addApplication(app, { securityNotificationTopic: newTopic })` - * - * @default undefined no stage level notification topic - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Stage in a CdkPipeline - * - * You don't need to instantiate this class directly. Use - * `cdkPipeline.addStage()` instead. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkStage extends Construct { - private _nextSequentialRunOrder = 1; // Must start at 1 eh - private _manualApprovalCounter = 1; - private readonly pipelineStage: codepipeline.IStage; - private readonly cloudAssemblyArtifact: codepipeline.Artifact; - private readonly stacksToDeploy = new Array(); - private readonly stageName: string; - private readonly host: IStageHost; - private readonly confirmBroadeningPermissions: boolean; - private readonly pipeline?: CdkPipeline; - private readonly securityNotificationTopic?: sns.ITopic; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private _prepared = false; - - constructor(scope: Construct, id: string, props: CdkStageProps) { - super(scope, id); - - if (scope instanceof CdkPipeline) { - this.pipeline = scope; - } - - this.stageName = props.stageName; - this.pipelineStage = props.pipelineStage; - this.cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this.host = props.host; - this.confirmBroadeningPermissions = props.confirmBroadeningPermissions ?? false; - this.securityNotificationTopic = props.securityNotificationTopic; - - Aspects.of(this).add({ visit: () => this.prepareStage() }); - } - - /** - * Add all stacks in the application Stage to this stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplication(appStage: Stage, options: AddStageOptions = {}) { - const asm = pipelineSynth(appStage); - const extraRunOrderSpace = options.extraRunOrderSpace ?? 0; - - if (options.confirmBroadeningPermissions ?? this.confirmBroadeningPermissions) { - this.addSecurityCheck(appStage, options); - } - - if (asm.stacks.length === 0) { - // If we don't check here, a more puzzling "stage contains no actions" - // error will be thrown come deployment time. - throw new Error(`The given Stage construct ('${appStage.node.path}') should contain at least one Stack`); - } - - const sortedTranches = topologicalSort(asm.stacks, - stack => stack.id, - stack => stack.dependencies.map(d => d.id)); - - for (const stacks of sortedTranches) { - const runOrder = this.nextSequentialRunOrder(extraRunOrderSpace + 2); // 2 actions for Prepare/Execute ChangeSet - let executeRunOrder = runOrder + extraRunOrderSpace + 1; - - // If we need to insert a manual approval action, then what's the executeRunOrder - // now is where we add a manual approval step, and we allocate 1 more runOrder - // for the execute. - if (options.manualApprovals) { - this.addManualApprovalAction({ runOrder: runOrder + 1 }); - executeRunOrder = this.nextSequentialRunOrder(); - } - - // These don't have a dependency on each other, so can all be added in parallel - for (const stack of stacks) { - this.addStackArtifactDeployment(stack, { runOrder, executeRunOrder }); - } - } - } - - /** - * Get a cached version of an ApplicationSecurityCheck, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * The ApplicationSecurityCheck is cached from the pipeline **if** this stage is scoped - * to a CDK Pipeline. If this stage **is not** scoped to a pipeline, create an ApplicationSecurityCheck - * scoped to the stage itself. - * - * @internal - */ - private getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (this._applicationSecurityCheck) { - return this._applicationSecurityCheck; - } - - this._applicationSecurityCheck = this.pipeline - ? this.pipeline._getApplicationSecurityCheck() - : new ApplicationSecurityCheck(this, 'StageApplicationSecurityCheck', { - codePipeline: this.pipelineStage.pipeline as codepipeline.Pipeline, - }); - return this._applicationSecurityCheck; - } - - /** - * Add a deployment action based on a stack artifact - */ - public addStackArtifactDeployment(stackArtifact: cxapi.CloudFormationStackArtifact, options: AddStackOptions = {}) { - // Get all assets manifests and add the assets in 'em to the asset publishing stage. - this.publishAssetDependencies(stackArtifact); - - // Remember for later, see 'prepare()' - // We know that deploying a stack is going to take up 2 runorder slots later on. - const runOrder = options.runOrder ?? this.nextSequentialRunOrder(2); - const executeRunOrder = options.executeRunOrder ?? runOrder + 1; - this.stacksToDeploy.push({ - prepareRunOrder: runOrder, - executeRunOrder, - stackArtifact, - }); - - this.advanceRunOrderPast(runOrder); - this.advanceRunOrderPast(executeRunOrder); - } - - /** - * Add a manual approval action - * - * If you need more flexibility than what this method offers, - * use `addAction` with a `ManualApprovalAction`. - */ - public addManualApprovalAction(options: AddManualApprovalOptions = {}) { - let actionName = options.actionName; - if (!actionName) { - actionName = `ManualApproval${this._manualApprovalCounter > 1 ? this._manualApprovalCounter : ''}`; - this._manualApprovalCounter += 1; - } - - this.addActions(new cpactions.ManualApprovalAction({ - actionName, - runOrder: options.runOrder ?? this.nextSequentialRunOrder(), - })); - } - - /** - * Add one or more CodePipeline Actions - * - * You need to make sure it is created with the right runOrder. Call `nextSequentialRunOrder()` - * for every action to get actions to execute in sequence. - */ - public addActions(...actions: codepipeline.IAction[]) { - for (const action of actions) { - this.pipelineStage.addAction(action); - } - } - - /** - * Return the runOrder number necessary to run the next Action in sequence with the rest - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - public nextSequentialRunOrder(count: number = 1): number { - const ret = this._nextSequentialRunOrder; - this._nextSequentialRunOrder += count; - return ret; - } - - /** - * Whether this Stage contains an action to deploy the given stack, identified by its artifact ID - */ - public deploysStack(artifactId: string) { - return this.stacksToDeploy.map(s => s.stackArtifact.id).includes(artifactId); - } - - /** - * Actually add all the DeployStack actions to the stage. - * - * We do this late because before we can render the actual DeployActions, - * we need to know whether or not we need to capture the stack outputs. - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - private prepareStage() { - // FIXME: Make sure this only gets run once. There seems to be an issue in the reconciliation - // loop that may trigger this more than once if it throws an error somewhere, and the exception - // that gets thrown here will then override the actual failure. - if (this._prepared) { return; } - this._prepared = true; - - for (const { prepareRunOrder, stackArtifact, executeRunOrder } of this.stacksToDeploy) { - const artifact = this.host.stackOutputArtifact(stackArtifact.id); - - this.pipelineStage.addAction(DeployCdkStackAction.fromStackArtifact(this, stackArtifact, { - baseActionName: this.simplifyStackName(stackArtifact.stackName), - cloudAssemblyInput: this.cloudAssemblyArtifact, - output: artifact, - outputFileName: artifact ? 'outputs.json' : undefined, - prepareRunOrder, - executeRunOrder, - })); - } - } - - /** - * Advance the runorder counter so that the next sequential number is higher than the given one - */ - private advanceRunOrderPast(lastUsed: number) { - this._nextSequentialRunOrder = Math.max(lastUsed + 1, this._nextSequentialRunOrder); - } - - /** - * Simplify the stack name by removing the `Stage-` prefix if it exists. - */ - private simplifyStackName(s: string) { - return stripPrefix(s, `${this.stageName}-`); - } - - /** - * Add a security check before the prepare/deploy actions of an CDK stage. - * The security check consists of two actions: - * - CodeBuild Action to check for security changes in a stage - * - Manual Approval Action that is auto approved via a Lambda if no security changes detected - */ - private addSecurityCheck(appStage: Stage, options?: BaseStageOptions) { - const { cdkDiffProject } = this.getApplicationSecurityCheck(); - const notificationTopic: sns.ITopic | undefined = options?.securityNotificationTopic ?? this.securityNotificationTopic; - notificationTopic?.grantPublish(cdkDiffProject); - - const appStageName = appStage.stageName; - const approveActionName = `${appStageName}ManualApproval`; - const diffAction = new CodeBuildAction({ - runOrder: this.nextSequentialRunOrder(), - actionName: `${appStageName}SecurityCheck`, - input: this.cloudAssemblyArtifact, - project: cdkDiffProject, - variablesNamespace: `${appStageName}SecurityCheck`, - environmentVariables: { - STAGE_PATH: { - value: Node.of(appStage).path, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - STAGE_NAME: { - value: this.stageName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ACTION_NAME: { - value: approveActionName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ...notificationTopic ? { - NOTIFICATION_ARN: { - value: notificationTopic.topicArn, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - NOTIFICATION_SUBJECT: { - value: `Confirm permission broadening in ${appStageName}`, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - } : {}, - }, - }); - - const approve = new cpactions.ManualApprovalAction({ - actionName: approveActionName, - runOrder: this.nextSequentialRunOrder(), - additionalInformation: `#{${appStageName}SecurityCheck.MESSAGE}`, - externalEntityLink: `#{${appStageName}SecurityCheck.LINK}`, - }); - - this.addActions(diffAction, approve); - } - - /** - * Make sure all assets depended on by this stack are published in this pipeline - * - * Taking care to exclude the stack template itself -- it is being published - * as an asset because the CLI needs to know the asset publishing role when - * pushing the template to S3, but in the case of CodePipeline we always - * reference the template from the artifact bucket. - * - * (NOTE: this is only true for top-level stacks, not nested stacks. Nested - * Stack templates are always published as assets). - */ - private publishAssetDependencies(stackArtifact: cxapi.CloudFormationStackArtifact) { - const assetManifests = stackArtifact.dependencies.filter(isAssetManifest); - - for (const manifestArtifact of assetManifests) { - const manifest = AssetManifestReader.fromFile(manifestArtifact.file); - - for (const entry of manifest.entries) { - let assetType: AssetType; - if (entry instanceof DockerImageManifestEntry) { - assetType = AssetType.DOCKER_IMAGE; - } else if (entry instanceof FileManifestEntry) { - // Don't publish the template for this stack - if (entry.source.packaging === 'file' && entry.source.path === stackArtifact.templateFile) { - continue; - } - - assetType = AssetType.FILE; - } else { - throw new Error(`Unrecognized asset type: ${entry.type}`); - } - - if (!entry.destination.assumeRoleArn) { - throw new Error('assumeRoleArn is missing on asset and required'); - } - - this.host.publishAsset({ - assetManifestPath: manifestArtifact.file, - assetId: entry.id.assetId, - assetSelector: entry.id.toString(), - assetType, - assetPublishingRoleArn: entry.destination.assumeRoleArn, - }); - } - } - } -} - -/** - * Additional options for adding a stack deployment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStackOptions { - /** - * Base runorder - * - * @default - Next sequential runorder - */ - readonly runOrder?: number; - - /** - * Base runorder - * - * @default - runOrder + 1 - */ - readonly executeRunOrder?: number; -} - -/** - * A single output of a Stack - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class StackOutput { - /** - * The artifact and file the output is stored in - */ - public readonly artifactFile: codepipeline.ArtifactPath; - - /** - * The name of the output in the JSON object in the file - */ - public readonly outputName: string; - - /** - * Build a StackOutput from a known artifact and an output name - */ - constructor(artifactFile: codepipeline.ArtifactPath, outputName: string) { - this.artifactFile = artifactFile; - this.outputName = outputName; - } -} - -function stripPrefix(s: string, prefix: string) { - return s.startsWith(prefix) ? s.slice(prefix.length) : s; -} - -function isAssetManifest(s: cxapi.CloudArtifact): s is cxapi.AssetManifestArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return s instanceof cxapi.AssetManifestArtifact; - return s.constructor.name === 'AssetManifestArtifact'; -} - -/** - * Features that the Stage needs from its environment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface IStageHost { - /** - * Make sure all the assets from the given manifest are published - */ - publishAsset(command: AssetPublishingCommand): void; - - /** - * Return the Artifact the given stack has to emit its outputs into, if any - */ - stackOutputArtifact(stackArtifactId: string): codepipeline.Artifact | undefined; -} - -/** - * Instructions to publish certain assets - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AssetPublishingCommand { - /** - * Asset manifest path - */ - readonly assetManifestPath: string; - - /** - * Asset identifier - */ - readonly assetId: string; - - /** - * Asset selector to pass to `cdk-assets`. - */ - readonly assetSelector: string; - - /** - * Type of asset to publish - */ - readonly assetType: AssetType; - - /** - * ARN of the IAM Role used to publish this asset. - */ - readonly assetPublishingRoleArn: string; -} - -/** - * Base options for a pipelines stage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface BaseStageOptions { - /** - * Runs a `cdk diff --security-only --fail` to pause the pipeline if there - * are any security changes. - * - * If the stage is configured with `confirmBroadeningPermissions` enabled, you can use this - * property to override the stage configuration. For example, Pipeline Stage - * "Prod" has confirmBroadeningPermissions enabled, with applications "A", "B", "C". All three - * applications will run a security check, but if we want to disable the one for "C", - * we run `stage.addApplication(C, { confirmBroadeningPermissions: false })` to override the pipeline - * stage behavior. - * - * Adds 1 to the run order space. - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - /** - * Optional SNS topic to send notifications to when the security check registers - * changes within the application. - * - * @default undefined no notification topic for security check manual approval action - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Options for adding an application stage to a pipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStageOptions extends BaseStageOptions { - /** - * Add manual approvals before executing change sets - * - * This gives humans the opportunity to confirm the change set looks alright - * before deploying it. - * - * @default false - */ - readonly manualApprovals?: boolean; - /** - * Add room for extra actions - * - * You can use this to make extra room in the runOrder sequence between the - * changeset 'prepare' and 'execute' actions and insert your own actions there. - * - * @default 0 - */ - readonly extraRunOrderSpace?: number; -} - -/** - * Options for addManualApproval - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddManualApprovalOptions { - /** - * The name of the manual approval action - * - * @default 'ManualApproval' with a rolling counter - */ - readonly actionName?: string; - - /** - * The runOrder for this action - * - * @default - The next sequential runOrder - */ - readonly runOrder?: number; -} - -/** - * Queued "deploy stack" command that is reified during prepare() - */ -interface DeployStackCommand { - prepareRunOrder: number; - executeRunOrder: number; - stackArtifact: cxapi.CloudFormationStackArtifact; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts deleted file mode 100644 index 0a5a34c6f0eaa..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts +++ /dev/null @@ -1,15 +0,0 @@ -import * as codebuild from '../../../../aws-codebuild'; - -export function copyEnvironmentVariables(...names: string[]): Record { - const ret: Record = {}; - for (const name of names) { - if (process.env[name]) { - ret[name] = { value: process.env[name] }; - } - } - return ret; -} - -export function filterEmpty(xs: Array): string[] { - return xs.filter(x => x) as any; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts deleted file mode 100644 index 4764f7d9647c6..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './simple-synth-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts deleted file mode 100644 index 8381668962d52..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts +++ /dev/null @@ -1,591 +0,0 @@ -import * as crypto from 'crypto'; -import * as path from 'path'; -import { Construct } from 'constructs'; -import { copyEnvironmentVariables, filterEmpty } from './_util'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -const DEFAULT_OUTPUT_DIR = 'cdk.out'; - -/** - * Configuration options for a SimpleSynth - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthOptions { - /** - * The source artifact of the CodePipeline - */ - readonly sourceArtifact: codepipeline.Artifact; - - /** - * The artifact where the CloudAssembly should be emitted - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Environment variables to send into build - * - * NOTE: You may run into the 1000-character limit for the Action configuration if you have a large - * number of variables or if their names or values are very long. - * If you do, pass them to the underlying CodeBuild project directly in `environment` instead. - * However, you will not be able to use CodePipeline Variables in this case. - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * Environment variables to copy over from parent env - * - * These are environment variables that are being used by the build. - * - * @default - No environment variables copied - */ - readonly copyEnvironmentVariables?: string[]; - - /** - * Name of the build action - * - * @default 'Synth' - */ - readonly actionName?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Build environment to use for CodeBuild job - * - * @default BuildEnvironment.LinuxBuildImage.STANDARD_6_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Directory inside the source where package.json and cdk.json are located - * - * @default - Repository root - */ - readonly subdirectory?: string; - - /** - * Produce additional output artifacts after the build based on the given directories - * - * Can be used to produce additional artifacts during the build step, - * separate from the cloud assembly, which can be used further on in the - * pipeline. - * - * Directories are evaluated with respect to `subdirectory`. - * - * @default - No additional artifacts generated - */ - readonly additionalArtifacts?: AdditionalArtifact[]; - - /** - * Policy statements to add to role used during the synth - * - * Can be used to add acces to a CodeArtifact repository etc. - * - * @default - No policy statements added to CodeBuild Project Role - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the SimpleSynth. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * custom BuildSpec that is merged with the generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Construction props for SimpleSynthAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthActionProps extends SimpleSynthOptions { - /** - * The synth command - */ - readonly synthCommand: string; - - /** - * The install command - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - * @deprecated Use `installCommands` instead - */ - readonly installCommand?: string; - - /** - * The build command - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - * @deprecated Use `buildCommands` instead - */ - readonly buildCommand?: string; - - /** - * Install commands - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - */ - readonly installCommands?: string[]; - - /** - * The build commands - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - */ - readonly buildCommands?: string[]; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Specification of an additional artifact to generate - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AdditionalArtifact { - /** - * Directory to be packaged - */ - readonly directory: string; - - /** - * Artifact to represent the build directory in the pipeline - */ - readonly artifact: codepipeline.Artifact; -} - -/** - * A standard synth with a generated buildspec - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class SimpleSynthAction implements codepipeline.IAction, iam.IGrantable { - - /** - * Create a standard NPM synth action - * - * Uses `npm ci` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'npm run build'`. - */ - public static standardNpmSynth(options: StandardNpmSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'npm ci', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - /** - * Create a standard Yarn synth action - * - * Uses `yarn install --frozen-lockfile` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'yarn build'`. - */ - public static standardYarnSynth(options: StandardYarnSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'yarn install --frozen-lockfile', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - private _project?: codebuild.IProject; - private _dockerCredentials?: DockerCredential[]; - - constructor(private readonly props: SimpleSynthActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName ?? 'Synth', - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [props.sourceArtifact], - outputs: [props.cloudAssemblyArtifact, ...(props.additionalArtifacts ?? []).map(a => a.artifact)], - }; - - if (this.props.installCommand && this.props.installCommands) { - throw new Error('Pass either \'installCommand\' or \'installCommands\', but not both'); - } - - if (this.props.buildCommand && this.props.buildCommands) { - throw new Error('Pass either \'buildCommand\' or \'buildCommands\', but not both'); - } - - const addls = props.additionalArtifacts ?? []; - if (Object.keys(addls).length > 0) { - if (!props.cloudAssemblyArtifact.artifactName) { - throw new Error('You must give all output artifacts, including the \'cloudAssemblyArtifact\', names when using \'additionalArtifacts\''); - } - for (const addl of addls) { - if (!addl.artifact.artifactName) { - throw new Error('You must give all output artifacts passed to SimpleSynthAction names when using \'additionalArtifacts\''); - } - } - } - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Project generated to run the synth command - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after SimpleSynthAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const buildCommands = this.props.buildCommands ?? [this.props.buildCommand]; - const installCommands = this.props.installCommands ?? [this.props.installCommand]; - const testCommands = this.props.testCommands ?? []; - const synthCommand = this.props.synthCommand; - - const environment = { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, ...this.props.environment }; - const osType = (environment.buildImage instanceof codebuild.WindowsBuildImage) - ? ec2.OperatingSystemType.WINDOWS - : ec2.OperatingSystemType.LINUX; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - pre_build: { - commands: filterEmpty([ - this.props.subdirectory ? `cd ${this.props.subdirectory}` : '', - ...installCommands, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SYNTH, this._dockerCredentials, osType), - ]), - }, - build: { - commands: filterEmpty([ - ...buildCommands, - ...testCommands, - synthCommand, - ]), - }, - }, - artifacts: renderArtifacts(this), - }); - - const environmentVariables = { - ...copyEnvironmentVariables(...this.props.copyEnvironmentVariables || []), - }; - - const mergedBuildSpec = this.props.buildSpec ? codebuild.mergeBuildSpecs(this.props.buildSpec, buildSpec) : buildSpec; - - // A hash over the values that make the CodeBuild Project unique (and necessary - // to restart the pipeline if one of them changes). projectName is not necessary to include - // here because the pipeline will definitely restart if projectName changes. - // (Resolve tokens) - const projectConfigHash = hash(Stack.of(scope).resolve({ - environment: serializeBuildEnvironment(environment), - buildSpecString: mergedBuildSpec.toBuildSpec(), - environmentVariables, - })); - - const project = new codebuild.PipelineProject(scope, 'CdkBuildProject', { - projectName: this.props.projectName, - environment, - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: mergedBuildSpec, - environmentVariables, - }); - - if (this.props.rolePolicyStatements !== undefined) { - this.props.rolePolicyStatements.forEach(policyStatement => { - project.addToRolePolicy(policyStatement); - }); - } - - this._project = project; - - this._dockerCredentials?.forEach(reg => reg.grantRead(project.grantPrincipal, DockerCredentialUsage.SYNTH)); - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.actionProperties.actionName, - input: this.props.sourceArtifact, - outputs: [this.props.cloudAssemblyArtifact, ...(this.props.additionalArtifacts ?? []).map(a => a.artifact)], - - // Inclusion of the hash here will lead to the pipeline structure for any changes - // made the config of the underlying CodeBuild Project. - // Hence, the pipeline will be restarted. This is necessary if the users - // adds (for example) build or test commands to the buildspec. - environmentVariables: { - ...this.props.environmentVariables, - _PROJECT_CONFIG_HASH: { value: projectConfigHash }, - }, - project, - }); - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - - function renderArtifacts(self: SimpleSynthAction) { - // save the generated files in the output artifact - // This part of the buildspec has to look completely different depending on whether we're - // using secondary artifacts or not. - - const cloudAsmArtifactSpec = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', DEFAULT_OUTPUT_DIR)), - 'files': '**/*', - }; - - if (self.props.additionalArtifacts) { - const secondary: Record = {}; - if (!self.props.cloudAssemblyArtifact.artifactName) { - throw new Error('When using additional output artifacts, you must also name the CloudAssembly artifact'); - } - secondary[self.props.cloudAssemblyArtifact.artifactName] = cloudAsmArtifactSpec; - self.props.additionalArtifacts.forEach((art) => { - if (!art.artifact.artifactName) { - throw new Error('You must give the output artifact a name'); - } - secondary[art.artifact.artifactName] = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', art.directory)), - 'files': '**/*', - }; - }); - - return { 'secondary-artifacts': secondary }; - } - - return cloudAsmArtifactSpec; - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } - - /** - * Associate one or more Docker registries and associated credentials with the synth action. - * This will be used to inject installation commands to set up `cdk-assets`, - * and grant read access to the credentials. - * @internal - */ - public _addDockerCredentials(dockerCredentials: DockerCredential[]) { - this._dockerCredentials = dockerCredentials; - } -} - -/** - * Options for a convention-based synth using NPM - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardNpmSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'npm ci' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Options for a convention-based synth using Yarn - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardYarnSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'yarn install --frozen-lockfile' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -function hash(obj: A) { - const d = crypto.createHash('sha256'); - d.update(JSON.stringify(obj)); - return d.digest('hex'); -} - -/** - * Serialize a build environment to data (get rid of constructs & objects), so we can JSON.stringify it - */ -function serializeBuildEnvironment(env: codebuild.BuildEnvironment) { - return { - privileged: env.privileged, - environmentVariables: env.environmentVariables, - type: env.buildImage?.type, - imageId: env.buildImage?.imageId, - computeType: env.computeType, - imagePullPrincipalType: env.buildImage?.imagePullPrincipalType, - secretsManagerArn: env.buildImage?.secretsManagerCredentials?.secretArn, - }; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts deleted file mode 100644 index 20192332e3b78..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts +++ /dev/null @@ -1,97 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import { IGrantable } from '../../../../aws-iam'; -import * as s3assets from '../../../../aws-s3-assets'; - -/** - * Additional files to use in a shell script - */ -export abstract class Files { - /** - * Use the files from a CodePipeline artifact - */ - public static fromArtifact(artifact: codepipeline.Artifact): Files { - if (!artifact) { - // Typechecking may mess up - throw new Error('Files.fromArtifact(): input artifact is required, got undefined'); - } - - return { - bind: () => ({ artifact }), - grantRead: () => { /* Not necessary */ }, - }; - } - - /** - * Create a new asset to bundle up the files in a directory on disk - */ - public static fromDirectory(directoryPath: string): Files { - let realFiles: Files; - return { - bind(scope: Construct) { - realFiles = Files.fromAsset(new s3assets.Asset(scope, directoryPath, { - path: directoryPath, - })); - - return realFiles.bind(scope); - }, - grantRead(grantee: IGrantable) { - if (!realFiles) { - throw new Error('bind() must be called first'); - } - realFiles.grantRead(grantee); - }, - }; - } - - /** - * Use an existing asset as a file source - */ - public static fromAsset(asset: s3assets.Asset): Files { - return { - bind: () => ({ - commands: [ - `echo "Downloading additional files from ${asset.s3ObjectUrl}"`, - `aws s3 cp ${asset.s3ObjectUrl} /tmp/dl.zip`, - 'unzip /tmp/dl.zip -d .', - ], - }), - grantRead: (grantee) => asset.grantRead(grantee), - }; - } - - protected constructor() { - } - - /** - * Bind the Files to a usage location - */ - public abstract bind(scope: Construct): FilesConfig; - - /** - * Grant read permissions to the file set to the given grantable - * - * Must be called after bind(). - */ - - public abstract grantRead(grantee: IGrantable): void; -} - -/** - * Config for a Files source - */ -export interface FilesConfig { - /** - * CodePipeline artifact to add to the set of input artifacts for the project - * - * @default - No artifact - */ - readonly artifact?: codepipeline.Artifact; - - /** - * Commands to add to the set of commands for the project - * - * @default - No commands - */ - readonly commands?: string[]; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts deleted file mode 100644 index f2751fc92af49..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './shell-script-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts deleted file mode 100644 index fa24517321942..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts +++ /dev/null @@ -1,253 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { StackOutput } from '../stage'; - -/** - * Properties for ShellScriptAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface ShellScriptActionProps { - /** - * Name of the validation action in the pipeline - */ - readonly actionName: string; - - /** - * Stack outputs to make available as environment variables - * - * @default - No outputs used - */ - readonly useOutputs?: Record; - - /** - * Commands to run - */ - readonly commands: string[]; - - /** - * Bash options to set at the start of the script - * - * @default '-eu' (errexit and nounset) - */ - readonly bashOptions?: string; - - /** - * Additional artifacts to use as input for the CodeBuild project - * - * You can use these files to load more complex test sets into the - * shellscript build environment. - * - * The files artifact given here will be unpacked into the current - * working directory, the other ones will be unpacked into directories - * which are available through the environment variables - * $CODEBUILD_SRC_DIR_. - * - * The CodeBuild job must have at least one input artifact, so you - * must provide either at least one additional artifact here or one - * stack output using `useOutput`. - * - * @default - No additional artifacts - */ - readonly additionalArtifacts?: codepipeline.Artifact[]; - - /** - * The CodeBuild environment where scripts are executed. - * - * @default LinuxBuildImage.STANDARD_7_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Environment variables to send into build - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * RunOrder for this action - * - * Use this to sequence the shell script after the deployments. - * - * The default value is 100 so you don't have to supply the value if you just - * want to run this after the application stacks have been deployed, and you - * don't have more than 100 stacks. - * - * @default 100 - */ - readonly runOrder?: number; - - /** - * Additional policy statements to add to the execution role - * - * @default - No policy statements - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the specified script. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Which security group to associate with the script's project network interfaces. - * If no security group is identified, one will be created automatically. - * - * Only used if 'vpc' is supplied. - * - * @default - Security group will be automatically created. - * - */ - readonly securityGroups?: ec2.ISecurityGroup[]; -} - -/** - * Validate a revision using shell commands - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class ShellScriptAction implements codepipeline.IAction, iam.IGrantable { - private _project?: codebuild.IProject; - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - - constructor(private readonly props: ShellScriptActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName, - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [], - outputs: [], - }; - - if (Object.keys(props.useOutputs ?? {}).length + (props.additionalArtifacts ?? []).length === 0) { - throw new Error('You must supply either \'useOutputs\' or \'additionalArtifacts\', since a CodeBuild Action must always have at least one input artifact.'); - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const inputs = new Array(); - inputs.push(...this.props.additionalArtifacts ?? []); - - const envVarCommands = new Array(); - - const bashOptions = this.props.bashOptions ?? '-eu'; - if (bashOptions) { - envVarCommands.push(`set ${bashOptions}`); - } - for (const [varName, output] of Object.entries(this.props.useOutputs ?? {})) { - const outputArtifact = output.artifactFile; - - // Add the artifact to the list of inputs, if it's not in there already. Determine - // the location where CodeBuild is going to stick it based on whether it's the first (primary) - // input or an 'extra input', then parse. - let artifactIndex = inputs.findIndex(a => a.artifactName === outputArtifact.artifact.artifactName); - if (artifactIndex === -1) { - artifactIndex = inputs.push(outputArtifact.artifact) - 1; - } - const dirEnv = artifactIndex === 0 ? 'CODEBUILD_SRC_DIR' : `CODEBUILD_SRC_DIR_${outputArtifact.artifact.artifactName}`; - envVarCommands.push(`export ${varName}="$(node -pe 'require(process.env.${dirEnv} + "/${outputArtifact.fileName}")["${output.outputName}"]')"`); - } - - this._project = new codebuild.PipelineProject(scope, 'Project', { - environment: this.props.environment || { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE }, - vpc: this.props.vpc, - securityGroups: this.props.securityGroups, - subnetSelection: this.props.subnetSelection, - buildSpec: codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - build: { - commands: [ - ...envVarCommands, - ...this.props.commands, - ], - }, - }, - }), - }); - for (const statement of this.props.rolePolicyStatements ?? []) { - this._project.addToRolePolicy(statement); - } - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.props.actionName, - input: inputs[0], - extraInputs: inputs.slice(1), - runOrder: this.props.runOrder ?? 100, - project: this._project, - environmentVariables: this.props.environmentVariables, - }); - // Replace the placeholder actionProperties at the last minute - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - } - - /** - * Project generated to run the shell script in - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after ShellScriptAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } -} diff --git a/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts b/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts deleted file mode 100644 index cce5bd87ae81e..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/blueprint/logicalid-stability.test.ts +++ /dev/null @@ -1,126 +0,0 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; -import { Stack } from '../../../core'; -import { mkdict } from '../../lib/private/javascript'; -import { PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, MegaAssetsApp, stackTemplate } from '../testhelpers'; - -let legacyApp: TestApp; -let modernApp: TestApp; - -let legacyPipelineStack: Stack; -let modernPipelineStack: Stack; - -describeDeprecated('logical id stability', () => { - // this test suite verifies logical id between the new and old (deprecated) APIs. - // so it must be in a 'describeDeprecated' block - - beforeEach(() => { - legacyApp = new TestApp({ - context: { - '@aws-cdk/core:newStyleStackSynthesis': '1', - 'aws:cdk:enable-path-metadata': true, - }, - }); - modernApp = new TestApp({ - context: { - '@aws-cdk/core:newStyleStackSynthesis': '1', - 'aws:cdk:enable-path-metadata': true, - }, - }); - legacyPipelineStack = new Stack(legacyApp, 'PipelineStack', { env: PIPELINE_ENV }); - modernPipelineStack = new Stack(modernApp, 'PipelineStack', { env: PIPELINE_ENV }); - }); - - afterEach(() => { - legacyApp.cleanup(); - modernApp.cleanup(); - }); - - test('stateful or nameable resources have the same logicalID between old and new API', () => { - const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk'); - legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const legacyTemplate = stackTemplate(legacyPipelineStack).template; - const modernTemplate = stackTemplate(modernPipelineStack).template; - - const legacyStateful = filterR(legacyTemplate.Resources, isStateful); - const modernStateful = filterR(modernTemplate.Resources, isStateful); - - expect(mapR(modernStateful, typeOfRes)).toEqual(mapR(legacyStateful, typeOfRes)); - }); - - test('nameable resources have the same names between old and new API', () => { - const legacyPipe = new LegacyTestGitHubNpmPipeline(legacyPipelineStack, 'Cdk', { - pipelineName: 'asdf', - }); - legacyPipe.addApplicationStage(new MegaAssetsApp(legacyPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const modernPipe = new ModernTestGitHubNpmPipeline(modernPipelineStack, 'Cdk', { - pipelineName: 'asdf', - crossAccountKeys: true, - }); - modernPipe.addStage(new MegaAssetsApp(modernPipelineStack, 'MyApp', { - numAssets: 2, - })); - - const legacyTemplate = stackTemplate(legacyPipelineStack).template; - const modernTemplate = stackTemplate(modernPipelineStack).template; - - const legacyNamed = filterR(legacyTemplate.Resources, hasName); - const modernNamed = filterR(modernTemplate.Resources, hasName); - - expect(mapR(modernNamed, nameProps)).toEqual(mapR(legacyNamed, nameProps)); - }); -}); - -const STATEFUL_TYPES = [ - // Holds state - 'AWS::S3::Bucket', - 'AWS::KMS::Key', - 'AWS::KMS::Alias', - // Can be physical-named so will be impossible to replace - 'AWS::CodePipeline::Pipeline', - 'AWS::CodeBuild::Project', -]; - -function filterR(resources: Record, fn: (x: Resource) => boolean): Record { - return mkdict(Object.entries(resources).filter(([, resource]) => fn(resource))); -} - -function mapR(resources: Record, fn: (x: Resource) => A): Record { - return mkdict(Object.entries(resources).map(([lid, resource]) => [lid, fn(resource)] as const)); -} - -function typeOfRes(r: Resource) { - return r.Type; -} - -function isStateful(r: Resource) { - return STATEFUL_TYPES.includes(r.Type); -} - -function nameProps(r: Resource) { - return Object.entries(r.Properties).filter(([prop, _]) => - // Don't care about policy names - prop.endsWith('Name') && prop !== 'PolicyName'); -} - -function hasName(r: Resource) { - return nameProps(r).length > 0; -} - -interface Resource { - readonly Type: string; - readonly Properties: Record; - readonly Metadata?: Record; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts b/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts deleted file mode 100644 index 1da9b4ecfb71e..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts +++ /dev/null @@ -1,65 +0,0 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; -import * as codePipeline from '../../../aws-codepipeline'; -import * as cdk from '../../../core'; -import * as cdkp from '../../lib'; - -describeDeprecated('codepipeline existing', () => { - - test('Does not allow setting a pipelineName if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - pipelineName: 'CustomPipelineName', - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'pipelineName' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling crossAccountKeys if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - crossAccountKeys: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'crossAccountKeys' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling key rotation if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - enableKeyRotation: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'enableKeyRotation' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow setting crossRegionReplicationBuckets if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CodePipeline(stack, 'CDKPipeline', { - crossRegionReplicationBuckets: {}, // Even the empty set is forbidden. - codePipeline: existingCodePipeline, - synth: new cdkp.ShellStep('Synth', { - commands: ['echo hello'], - }), - }).buildPipeline(); - }).toThrow("Cannot set 'crossRegionReplicationBuckets' if an existing CodePipeline is given using 'codePipeline'"); - }); -}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts index 1f222fee6c439..87c1ace7e9515 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts @@ -5,7 +5,7 @@ import * as cb from '../../../aws-codebuild'; import * as ec2 from '../../../aws-ec2'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; const FILE_ASSET_SOURCE_HASH = '8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5'; const FILE_ASSET_SOURCE_HASH2 = 'ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e'; @@ -16,6 +16,61 @@ const IMAGE_PUBLISHING_ROLE = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role let app: TestApp; let pipelineStack: Stack; +function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { + if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } + + return { + PolicyDocument: { + Statement: [{ + Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, + ]], + }, + }, + { + Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, + ]], + }, + }, + { + Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), + }, + { + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Effect: 'Allow', + Resource: [ + { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, + ], + }, + { + Action: ['kms:Decrypt', 'kms:DescribeKey'], + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, + }], + }, + Roles: [{ Ref: attachedRole }], + }; +} + beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -26,550 +81,170 @@ afterEach(() => { }); describe('basic pipeline', () => { - behavior('no assets stage if the application has no assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new PlainStackApp(app, 'App')); - THEN_codePipelineExpectation(); - }); + test('no assets stage if the application has no assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new PlainStackApp(app, 'App')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new PlainStackApp(app, 'App')); - - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([Match.objectLike({ + Name: 'Assets', + })])), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([Match.objectLike({ - Name: 'Assets', - })])), - }); - } }); - describe('asset stage placement', () => { - behavior('assets stage comes before any user-defined stages', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('up to 50 assets fit in a single stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('51 assets triggers a second stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('101 assets triggers a third stage', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: stringLike('Assets*3') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } + test('assets stage comes before any user-defined stages', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); }); - behavior('command line properly locates assets in subassembly', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); + test('up to 50 assets fit in a single stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), - }, - }, - })), - }, - }); - } }); - behavior('multiple assets are published in parallel', (suite) => { - suite.legacy(() => { + describe('asset stage placement', () => { + test('51 assets triggers a second stage', () => { // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ RunOrder: 1 }), - Match.objectLike({ RunOrder: 1 }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: 'App' }), + ], }); - } - }); - - behavior('assets are also published when using the lower-level addStackArtifactDeployment', (suite) => { - suite.legacy(() => { - // GIVEN - const asm = new FileAssetApp(app, 'FileAssetApp').synth(); + }, + ); - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage('SomeStage').addStackArtifactDeployment(asm.getStackByName('FileAssetApp-Stack')); + test('101 assets triggers a third stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - // THEN Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ - Name: 'FileAsset1', - RunOrder: 1, - }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: stringLike('Assets*3') }), + Match.objectLike({ Name: 'App' }), + ], }); - }); - - // This function does not exist in the modern API - suite.doesNotApply.modern(); + }, + ); }); - behavior('file image asset publishers do not use privilegedmode', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + test('command line properly locates assets in subassembly', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), }, - })), - }, - Environment: Match.objectLike({ - PrivilegedMode: false, - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }), - }); - } - }); - - behavior('docker image asset publishers use privilegedmode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, - }, - })), - }, - Environment: Match.objectLike({ - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: true, - }), - }); - } }); - behavior('can control fix/CLI version used in asset publishing', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - pipeline.addApplicationStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cliVersion: '1.2.3', - }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); + test('multiple assets are published in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + Match.objectLike({ RunOrder: 1 }), + Match.objectLike({ RunOrder: 1 }), + ], + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g cdk-assets@1.2.3'], - }, - }, - })), - }, - }); - } }); - describe('asset roles and policies', () => { - behavior('includes file publishing assets role for apps with file assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('publishing assets role may assume roles from multiple environments', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], - 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('publishing assets role de-dupes assumed roles', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App3')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2')); - pipeline.addStage(new FileAssetApp(app, 'App3')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('includes image publishing assets role for apps with Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); + test('file image asset publishers do not use privilegedmode', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), + }, }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } - }); - - behavior('includes both roles for apps with both file and Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } + })), + }, + Environment: Match.objectLike({ + PrivilegedMode: false, + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }), }); }); -}); -behavior('can supply pre-install scripts to asset upload', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPreInstallCommands: [ - 'npm config set registry https://registry.com', - ], - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + test('docker image asset publishers use privilegedmode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPublishingCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - version: '0.2', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ phases: { - install: { - commands: [ - 'npm config set registry https://registry.com', - ], + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), }, }, - }), + })), }, + Environment: Match.objectLike({ + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: true, + }), }); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); }); - function THEN_codePipelineExpectation() { + test('can control fix/CLI version used in asset publishing', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + cliVersion: '1.2.3', + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, @@ -578,379 +253,297 @@ behavior('can supply pre-install scripts to asset upload', (suite) => { BuildSpec: Match.serializedJson(Match.objectLike({ phases: { install: { - commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], + commands: ['npm install -g cdk-assets@1.2.3'], }, }, - })), - }, - }); - } -}); - -describe('pipeline with VPC', () => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'Vpc'); - }); - - behavior('asset CodeBuild Project uses VPC subnets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: Match.objectLike({ - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, - { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, - { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, - ], - VpcId: { Ref: 'Vpc8378EB38' }, - }), - }); - } - }); - - behavior('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); + })), + }, }); - - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkAssetsDockerRole484B6DD3' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), - }, - }); - } }); - behavior('Asset publishing CodeBuild Projects have correct VPC permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { + describe('asset roles and policies', () => { + test('includes file publishing assets role for apps with file assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); + pipeline.addStage(new FileAssetApp(app, 'App1')); - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { Statement: [ - Match.objectLike({ - Resource: '*', - Action: [ - 'ec2:CreateNetworkInterface', - 'ec2:DescribeNetworkInterfaces', - 'ec2:DeleteNetworkInterface', - 'ec2:DescribeSubnets', - 'ec2:DescribeSecurityGroups', - 'ec2:DescribeDhcpOptions', - 'ec2:DescribeVpcs', - ], - }), + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, ], }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], }); - Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { - Properties: { - ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, - }, - DependsOn: [ - 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', - ], - }); - } - }); -}); - -describe('pipeline with single asset publisher', () => { - behavior('multiple assets are using the same job in singlePublisherMode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('publishing assets role may assume roles from multiple environments', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - function THEN_codePipelineExpectation() { - // THEN - const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - // Only one file asset action - Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: buildSpecName, + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2', { + env: { + account: '0123456789012', + region: 'eu-west-1', }, - }); - const assembly = synthesize(pipelineStack); - - const actualFileName = buildSpecName.asString(); + })); - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - } - }); - - behavior('other pipeline writes to separate assets build spec file', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], + 'CdkAssetsFileRole6BE17A07')); + }, + ); - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new LegacyTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - singlePublisherPerType: true, + test('publishing assets role de-dupes assumed roles', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - otherPipeline.addApplicationStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2')); + pipeline.addStage(new FileAssetApp(app, 'App3')); - THEN_codePipelineExpectation(pipelineStack2); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('includes image publishing assets role for apps with Docker assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, - }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - publishAssetsInParallel: false, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); - - THEN_codePipelineExpectation(pipelineStack2); - }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - function THEN_codePipelineExpectation(pipelineStack2: Stack) { - // THEN - const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); - const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName1, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, + ], }, }); - Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName2, - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); + + test('includes both roles for apps with both file and Docker assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new DockerAssetApp(app, 'App2')); - expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); }); }); -describe('pipeline with custom asset publisher BuildSpec', () => { - - behavior('custom buildspec is merged correctly', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - assetBuildSpec: cb.BuildSpec.fromObject({ - phases: { - pre_install: { - commands: 'preinstall', - }, +test('can supply pre-install scripts to asset upload', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + assetPublishingCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + commands: [ + 'npm config set registry https://registry.com', + ], }, - cache: { - paths: 'node_modules', + }, + }), + }, + }); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], }, - }), - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + }, + })), + }, + }); +}); + +describe('pipeline with VPC', () => { + let vpc: ec2.Vpc; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'Vpc'); + }); - THEN_codePipelineExpectation(); + test('asset CodeBuild Project uses VPC subnets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, - assetPublishingCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - phases: { - pre_install: { - commands: 'preinstall', - }, - }, - cache: { - paths: 'node_modules', - }, - }), - }, - }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: Match.objectLike({ + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, + ], + VpcId: { Ref: 'Vpc8378EB38' }, + }), + }); + }); - THEN_codePipelineExpectation(); + test('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkAssetsDockerRole484B6DD3' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, }); + }); - function THEN_codePipelineExpectation() { - const buildSpecName = new Capture(stringLike('buildspec-*')); + test('Asset publishing CodeBuild Projects have correct VPC permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + Match.objectLike({ + Resource: '*', + Action: [ + 'ec2:CreateNetworkInterface', + 'ec2:DescribeNetworkInterfaces', + 'ec2:DeleteNetworkInterface', + 'ec2:DescribeSubnets', + 'ec2:DescribeSecurityGroups', + 'ec2:DescribeDhcpOptions', + 'ec2:DescribeVpcs', + ], + }), + ], + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); + Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { + Properties: { + ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, + }, + DependsOn: [ + 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', + ], + }); + }); +}); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - // Only one file asset action - Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: buildSpecName, +test('adding environment variable to assets job adds SecretsManager permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { + assetPublishingCodeBuildDefaults: { + buildEnvironment: { + environmentVariables: { + FOOBAR: { + value: 'FoobarSecret', + type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, + }, }, - }); - const assembly = synthesize(pipelineStack); - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, buildSpecName.asString())).toString()); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - expect(buildSpec.phases.pre_install.commands).toContain('preinstall'); - expect(buildSpec.cache.paths).toContain('node_modules'); - } + }, + }, + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + Match.objectLike({ + Action: 'secretsmanager:GetSecretValue', + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', + ]], + }, + }), + ]), + }, }); }); -function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { - if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } +describe('pipeline with single asset publisher', () => { + test('other pipeline writes to separate assets build spec file', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - return { - PolicyDocument: { - Statement: [{ - Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, - ]], - }, - }, - { - Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, - ]], - }, - }, - { - Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), + const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); + const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk-2', { + publishAssetsInParallel: false, + }); + otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + // THEN + const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); + const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName1, }, - { - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Effect: 'Allow', - Resource: [ - { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, - { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, - ], + }); + Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName2, }, - { - Action: ['kms:Decrypt', 'kms:DescribeKey'], - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, - }], - }, - Roles: [{ Ref: attachedRole }], - }; -} + }); -behavior('necessary secrets manager permissions get added to asset roles', suite => { - // Not possible to configure this for legacy pipelines - suite.doesNotApply.legacy(); + expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); + }); - suite.modern(() => { + test('necessary secrets manager permissions get added to asset roles', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { assetPublishingCodeBuildDefaults: { buildEnvironment: { @@ -965,10 +558,6 @@ behavior('necessary secrets manager permissions get added to asset roles', suite }); pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { PolicyDocument: { Statement: Match.arrayWith([{ @@ -990,50 +579,94 @@ behavior('necessary secrets manager permissions get added to asset roles', suite { Ref: 'PipelineAssetsFileRole59943A77' }, ], }); - } -}); + }); + + test('multiple assets are using the same job in singlePublisherMode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + + // THEN + const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + // Only one file asset action + Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), + ], + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: buildSpecName, + }, + }); + const assembly = synthesize(pipelineStack); -behavior('adding environment variable to assets job adds SecretsManager permissions', suite => { - // No way to manipulate buildEnvironment in legacy API - suite.doesNotApply.legacy(); + const actualFileName = buildSpecName.asString(); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); + }); +}); + +describe('pipeline with custom asset publisher BuildSpec', () => { + test('custom buildspec is merged correctly', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, assetPublishingCodeBuildDefaults: { - buildEnvironment: { - environmentVariables: { - FOOBAR: { - value: 'FoobarSecret', - type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, + partialBuildSpec: cb.BuildSpec.fromObject({ + phases: { + pre_install: { + commands: 'preinstall', }, }, - }, + cache: { + paths: 'node_modules', + }, + }), }, }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - Match.objectLike({ - Action: 'secretsmanager:GetSecretValue', - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', - ]], - }, - }), - ]), + const buildSpecName = new Capture(stringLike('buildspec-*')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + // Only one file asset action + Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), + ], + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: buildSpecName, }, }); + + const assembly = synthesize(pipelineStack); + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, buildSpecName.asString())).toString()); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); + expect(buildSpec.phases.pre_install.commands).toContain('preinstall'); + expect(buildSpec.cache.paths).toContain('node_modules'); }); }); function synthesize(stack: Stack) { - const root = stack.node.root; + const root = Stage.of(stack); if (!Stage.isStage(root)) { throw new Error('unexpected: all stacks must be part of a Stage'); } diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts index 75d58084dadfb..8ca4d83650a8f 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts @@ -4,7 +4,7 @@ import * as path from 'path'; import { Construct } from 'constructs'; import { Capture, Match, Template } from '../../../assertions'; import { Stack, Stage, StageProps, Tags } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,204 +18,132 @@ afterEach(() => { app.cleanup(); }); -behavior('stack templates in nested assemblies are correctly addressed', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplatePath: stringLike('*::assembly-App/*.template.json'), - }), +test('stack templates in nested assemblies are correctly addressed', () => { + + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplatePath: stringLike('*::assembly-App/*.template.json'), }), - ]), - }]), - }); - } + }), + ]), + }]), + }); }); -behavior('obvious error is thrown when stage contains no stacks', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - // WHEN - expect(() => { - pipeline.addApplicationStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); +test('obvious error is thrown when stage contains no stacks', () => { - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - // WHEN - expect(() => { - pipeline.addStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); + // WHEN + expect(() => { + pipeline.addStage(new Stage(app, 'EmptyStage')); + }).toThrow(/should contain at least one Stack/); }); -behavior('overridden stack names are respected', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App2')); - - THEN_codePipelineExpectation(); - }); +test('overridden stack names are respected', () => { - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App1', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + { + Name: 'App2', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + ]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App1', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - { - Name: 'App2', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - ]), - }); - } }); -behavior('changing CLI version leads to a different pipeline structure (restarting it)', (suite) => { - suite.legacy(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); +test('changing CLI version leads to a different pipeline structure (restarting it)', () => { - // WHEN - new LegacyTestGitHubNpmPipeline(stack2, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - new LegacyTestGitHubNpmPipeline(stack3, 'Cdk', { - cdkCliVersion: '4.5.6', - }); + // GIVEN + const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); + const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - THEN_codePipelineExpectation(stack2, stack3); + // WHEN + new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { + cliVersion: '1.2.3', }); - - suite.modern(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - - // WHEN - new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { - cliVersion: '1.2.3', - }); - new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { - cliVersion: '4.5.6', - }); - - THEN_codePipelineExpectation(stack2, stack3); + new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { + cliVersion: '4.5.6', }); - function THEN_codePipelineExpectation(stack2: Stack, stack3: Stack) { - // THEN - const structure2 = new Capture(); - const structure3 = new Capture(); - - Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure2, - }); - Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure3, - }); - - expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); - } -}); - -behavior('tags get reflected in pipeline', (suite) => { - suite.legacy(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addApplicationStage(stage); + // THEN + const structure2 = new Capture(); + const structure3 = new Capture(); - THEN_codePipelineExpectation(); + Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure2, }); - - suite.modern(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addStage(stage); - THEN_codePipelineExpectation(); + Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure3, }); - function THEN_codePipelineExpectation() { - // THEN - const templateConfig = new Capture(); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplateConfiguration: templateConfig, - }), + expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); +}); + +test('tags get reflected in pipeline', () => { + + // WHEN + const stage = new OneStackApp(app, 'App'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + Tags.of(stage).add('CostCenter', 'F00B4R'); + pipeline.addStage(stage); + + // THEN + const templateConfig = new Capture(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplateConfiguration: templateConfig, }), - ]), - }]), - }); + }), + ]), + }]), + }); - expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); - const [, relConfigFile] = templateConfig.asString().split('::'); - const absConfigFile = path.join(app.outdir, relConfigFile); - const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); - expect(configFile).toEqual(expect.objectContaining({ - Tags: { - CostCenter: 'F00B4R', - }, - })); - } + expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); + const [, relConfigFile] = templateConfig.asString().split('::'); + const absConfigFile = path.join(app.outdir, relConfigFile); + const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); + expect(configFile).toEqual(expect.objectContaining({ + Tags: { + CostCenter: 'F00B4R', + }, + })); }); class OneStackAppWithCustomName extends Stage { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts index e0266239dff2d..60f38abc0bd49 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts @@ -6,7 +6,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345'; const secretUpdateArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:update-012345'; @@ -30,248 +30,173 @@ afterEach(() => { app.cleanup(); }); -behavior('synth action receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); +test('synth action receives install commands and access to relevant credentials', () => { - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretSynthArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], - }); - } + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretSynthArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], + }); }); -behavior('synth action receives Windows install commands if a Windows image is detected', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk2', { - npmSynthOptions: { - environment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - }, +test('synth action receives Windows install commands if a Windows image is detected', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { + synth: new CodeBuildStep('Synth', { + commands: ['cdk synth'], + primaryOutputDirectory: 'cdk.out', + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + buildEnvironment: { + buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, + computeType: cb.ComputeType.MEDIUM, }, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + }), }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { - synth: new CodeBuildStep('Synth', { - commands: ['cdk synth'], - primaryOutputDirectory: 'cdk.out', - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - buildEnvironment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - computeType: cb.ComputeType.MEDIUM, - }, - }), - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/windows-base:2.0' }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir %USERPROFILE%\\.cdk', - `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/windows-base:2.0' }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir %USERPROFILE%\\.cdk', + `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + ]), }, - })), - }, - }); - } -}); - -behavior('self-update receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), + }, + }, + })), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); +test('self-update receives install commands and access to relevant credentials', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation('pre_build'); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, }); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the SelfMutate project - build: { - commands: Match.arrayWith([ - stringLike('cdk * deploy PipelineStack*'), - ]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretUpdateArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], - }); - } + // Prove we're looking at the SelfMutate project + build: { + commands: Match.arrayWith([ + stringLike('cdk * deploy PipelineStack*'), + ]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretUpdateArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], + }); }); -behavior('asset publishing receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); - }); +test('asset publishing receives install commands and access to relevant credentials', () => { - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation('pre_build'); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, }); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Publishing project - build: { - commands: Match.arrayWith([stringLike('cdk-assets*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretPublishArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], - }); - } + // Prove we're looking at the Publishing project + build: { + commands: Match.arrayWith([stringLike('cdk-assets*')]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretPublishArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); }); -class LegacyPipelineWithCreds extends LegacyTestGitHubNpmPipeline { - constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { - super(scope, id, { - dockerCredentials: [ - cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { - usages: [cdkp.DockerCredentialUsage.SYNTH], - }), - cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { - usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], - }), - cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { - usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], - }), - ], - ...props, - }); - } -} - class ModernPipelineWithCreds extends ModernTestGitHubNpmPipeline { constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { super(scope, id, { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts index 777ffb83a0d2c..7af68c900ff43 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts @@ -1,7 +1,7 @@ /* eslint-disable import/no-extraneous-dependencies */ import { Match, Template } from '../../../assertions'; import { Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -15,378 +15,387 @@ afterEach(() => { app.cleanup(); }); -behavior('action has right settings for same-env deployment', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('legacy: even if env is specified but the same as the pipeline', () => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('modern: even if env is specified but the same as the pipeline', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - function THEN_codePipelineExpection(roleArn: (x: string) => any) { - // THEN: pipeline structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Same', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - RoleArn: roleArn('cfn-exec-role'), - }), - }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - }), - }), - ], - }]), - }); - - // THEN: artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: roleArn('deploy-role'), +test('action has right settings for same-env deployment', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same')); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-account deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN: Pipelien structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossAccount', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-cfn-exec-role-', + { Ref: 'AWS::AccountId' }, + '-', { Ref: 'AWS::Region' }, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, + }); +}); + +test('even if env is specified but the same as the pipeline', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same', { + env: PIPELINE_ENV, + })); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', - { Ref: 'AWS::Region' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-cfn-exec-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - }), }), - ], - }]), - }); + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + }, + })]), + }, + }); +}); - // THEN: Artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { +test('action has right settings for cross-account deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + + // THEN: Pipelien structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossAccount', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', { Ref: 'AWS::Region' }, ]], }, + }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + }), + }), + ], + }]), + }); - THEN_codePipelineExpectation(); + // THEN: Artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); +test('action has right settings for cross-region deployment', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossRegion', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossRegion', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', + ':role/cdk-hnb659fds-cfn-exec-role-', { Ref: 'AWS::AccountId' }, '-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-cfn-exec-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', }), - ], - }]), - }); - } -}); - -behavior('action has right settings for cross-account/cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); + }), + ], + }]), }); +}); - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); +test('action has right settings for cross-account/cross-region deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectations() { - // THEN: pipeline structure must be correct - const stack = app.stackArtifact(pipelineStack); - expect(stack).toBeDefined(); - Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossBoth', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossBoth', { + env: { + account: 'you', + region: 'elsewhere', + }, + })); + + // THEN: pipeline structure must be correct + const stack = app.stackArtifact(pipelineStack); + expect(stack).toBeDefined(); + Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossBoth', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', }), - ], - }]), - }); + }), + ], + }]), + }); - // THEN: artifact bucket can be read by deploy role - const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); - expect(supportStack).toBeDefined(); - Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // THEN: artifact bucket can be read by deploy role + const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); + expect(supportStack).toBeDefined(); + Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); + }, + })]), + }, + }); - // And the key to go along with it - Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { - KeyPolicy: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // And the key to go along with it + Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); - } -}); - -function agnosticRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - `:role/cdk-hnb659fds-${roleName}-`, - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }; -} - -function pipelineEnvRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-${roleName}-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, - ]], - }; -} \ No newline at end of file + }, + })]), + }, + }); +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts index a6bf349aee638..8130e6d23cf95 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts @@ -1,23 +1,19 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; import { Match, Template } from '../../../assertions'; import * as cp from '../../../aws-codepipeline'; import * as cpa from '../../../aws-codepipeline-actions'; import { SecretValue, Stack } from '../../../core'; import * as cdkp from '../../lib'; -import { CodePipelineFileSet } from '../../lib'; -import { behavior, FileAssetApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, TestGitHubAction } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; let sourceArtifact: cp.Artifact; -let cloudAssemblyArtifact: cp.Artifact; let codePipeline: cp.Pipeline; beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); sourceArtifact = new cp.Artifact(); - cloudAssemblyArtifact = new cp.Artifact(); }); afterEach(() => { @@ -29,247 +25,90 @@ describe('with empty existing CodePipeline', () => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline'); }); - behavior('both actions are required', (suite) => { - suite.legacy(() => { - // WHEN - expect(() => { - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { cloudAssemblyArtifact, codePipeline }); - }).toThrow(/You must pass a 'sourceAction'/); - }); - - // 'synth' is not optional so this doesn't apply - suite.doesNotApply.modern(); - }); + test('can give both actions', () => { - behavior('can give both actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - codePipeline, - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); + // WHEN + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['true'], + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -describe('with custom Source stage in existing Pipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), ], }); - }); - - behavior('Work with synthAction', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); + }, + ); }); -describeDeprecated('with Source and Build stages in existing Pipeline', () => { +describe('with custom Source stage in existing Pipeline', () => { beforeEach(() => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { stages: [ { stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], + actions: [new cpa.GitHubSourceAction({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.unsafePlainText('$3kr1t'), + owner: 'test', + repo: 'test', + trigger: cpa.GitHubTrigger.POLL, + })], }, ], }); }); - behavior('can supply no actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - }); + test('Work with synthAction', () => { - THEN_codePipelineExpectation(); + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), + commands: ['true'], + }), }); - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: cdkp.CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -behavior('can add another action to an existing stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.stage('Source').addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.buildPipeline(); - - pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { + // THEN Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'CustomSource' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + ], }); - } + }, + ); }); -behavior('assets stage inserted after existing pipeline actions', (suite) => { - let existingCodePipeline: cp.Pipeline; - beforeEach(() => { - existingCodePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], - }, +test('can add another action to an existing stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.buildPipeline(); + + pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ + actionName: 'GitHub2', + oauthToken: SecretValue.unsafePlainText('oops'), + output: new cp.Artifact(), + owner: 'OWNER', + repo: 'REPO', + })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), ], - }); - }); - - suite.legacy(() => { - const pipeline = new cdkp.CdkPipeline(pipelineStack, 'CdkEmptyPipeline', { - cloudAssemblyArtifact: cloudAssemblyArtifact, - selfMutating: false, - codePipeline: existingCodePipeline, - // No source/build actions - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new cdkp.CodePipeline(pipelineStack, 'CdkEmptyPipeline', { - codePipeline: existingCodePipeline, - selfMutation: false, - synth: CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - // No source/build actions - }); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } }); + diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts index 88138cb2b840f..a6d75ea6cdbd4 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts @@ -3,8 +3,7 @@ import { Topic } from '../../../aws-sns'; import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; -import { behavior } from '../testhelpers/compliance'; +import { ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,417 +17,205 @@ afterEach(() => { app.cleanup(); }); -behavior('security check option generates lambda/codebuild at pipeline scope', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); +test('security check option generates lambda/codebuild at pipeline scope', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), + const template = Template.fromStack(pipelineStack); + template.resourceCountIs('AWS::Lambda::Function', 1); + template.hasResourceProperties('AWS::Lambda::Function', { + Role: { + 'Fn::GetAtt': [ + stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), + 'Arn', ], - }); - - THEN_codePipelineExpectation(); + }, }); - - function THEN_codePipelineExpectation() { - const template = Template.fromStack(pipelineStack); - template.resourceCountIs('AWS::Lambda::Function', 1); - template.hasResourceProperties('AWS::Lambda::Function', { - Role: { - 'Fn::GetAtt': [ - stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), - 'Arn', - ], + // 1 for github build, 1 for synth stage, and 1 for the application security check + template.resourceCountIs('AWS::CodeBuild::Project', 3); + + // No CodeBuild project has a build image that is not the standard iamge + const projects = template.findResources('AWS::CodeBuild::Project', { + Properties: { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, }, - }); - // 1 for github build, 1 for synth stage, and 1 for the application security check - template.resourceCountIs('AWS::CodeBuild::Project', 3); - - // No CodeBuild project has a build image that is not the standard iamge - const projects = template.findResources('AWS::CodeBuild::Project', { - Properties: { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - }, - }); - expect(Object.keys(projects).length).toEqual(3); - } -}); - -behavior('security check option passes correct environment variables to check project', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(pipelineStack, 'App'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(pipelineStack, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Check'), - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, - { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, - { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, - ]), - }), - }), - ]), - }, - ]), - }); - } + expect(Object.keys(projects).length).toEqual(3); }); -behavior('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); +test('security check option passes correct environment variables to check project', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(pipelineStack, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - }); - // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], - Condition: { - StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, - }, - Effect: 'Allow', - Resource: '*', - }, - ], - }, - }); - // CodeBuild must have access to the stacks and invoking the lambda function - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': [ - 'deploy', - ], - }, - }, - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'lambda:InvokeFunction', - Effect: 'Allow', - Resource: [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - { - 'Fn::Join': [ - '', - [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - ':*', - ], - ], - }, - ], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Check'), + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, + { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, + { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, + ]), + }), + }), ]), }, - }); - } + ]), + }); }); -behavior('confirmBroadeningPermissions option at addApplicationStage runs security check on all apps unless overriden', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const securityStage = pipeline.addApplicationStage(new OneStackApp(app, 'StageSecurityCheckStack'), { confirmBroadeningPermissions: true }); - securityStage.addApplication(new OneStackApp(app, 'AnotherStack')); - securityStage.addApplication(new OneStackApp(app, 'SkipCheckStack'), { confirmBroadeningPermissions: false }); +test('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, - { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', - }, + // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Tags: [ + { + Key: 'SECURITY_CHECK', + Value: 'ALLOW_APPROVE', + }, + ], + }); + // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ { - Actions: [ - Match.objectLike({ Name: 'StageSecurityCheckStackSecurityCheck', RunOrder: 1 }), - Match.objectLike({ Name: 'StageSecurityCheckStackManualApproval', RunOrder: 2 }), - Match.objectLike({ Name: 'AnotherStackSecurityCheck', RunOrder: 5 }), - Match.objectLike({ Name: 'AnotherStackManualApproval', RunOrder: 6 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Prepare', RunOrder: 7 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Deploy', RunOrder: 8 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Prepare', RunOrder: 9 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Deploy', RunOrder: 10 }), - ], - Name: 'StageSecurityCheckStack', + Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], + Condition: { + StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, + }, + Effect: 'Allow', + Resource: '*', }, ], - }); - } -}); - -behavior('confirmBroadeningPermissions option at addApplication runs security check only on selected application', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const noSecurityStage = pipeline.addApplicationStage(new OneStackApp(app, 'NoSecurityCheckStack')); - noSecurityStage.addApplication(new OneStackApp(app, 'EnableCheckStack'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); + }, }); - - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, + // CodeBuild must have access to the stacks and invoking the lambda function + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', + Action: 'sts:AssumeRole', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': [ + 'deploy', + ], + }, + }, + Effect: 'Allow', + Resource: '*', }, { - Actions: [ - Match.objectLike({ Name: 'EnableCheckStackSecurityCheck', RunOrder: 3 }), - Match.objectLike({ Name: 'EnableCheckStackManualApproval', RunOrder: 4 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 1 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 2 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Prepare', RunOrder: 5 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Deploy', RunOrder: 6 }), + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + ':*', + ], + ], + }, ], - Name: 'NoSecurityCheckStack', }, - ], - }); - } -}); - -behavior('confirmBroadeningPermissions and notification topic options generates the right resources', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyStack'), { - confirmBroadeningPermissions: true, - securityNotificationTopic: topic, - }); - - THEN_codePipelineExpectation(); + ]), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - const stage = new OneStackApp(app, 'MyStack'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Approve', { - stage, - notificationTopic: topic, - }), - ], - }); - - THEN_codePipelineExpectation(); +test('confirmBroadeningPermissions and notification topic options generates the right resources', () => { + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const topic = new Topic(pipelineStack, 'NotificationTopic'); + const stage = new OneStackApp(app, 'MyStack'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Approve', { + stage, + notificationTopic: topic, + }), + ], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'MyStack', - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: stringLike('*SecurityCheck*') }, - EnvironmentVariables: { - 'Fn::Join': ['', [ - stringLike('*'), - { Ref: 'NotificationTopicEB7A0DF1' }, - stringLike('*'), - ]], - }, - }, - Name: stringLike('*Check'), - Namespace: stringLike('*'), - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: stringLike('#{*.MESSAGE}'), - ExternalEntityLink: stringLike('#{*.LINK}'), + Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'MyStack', + Actions: [ + Match.objectLike({ + Configuration: { + ProjectName: { Ref: stringLike('*SecurityCheck*') }, + EnvironmentVariables: { + 'Fn::Join': ['', [ + stringLike('*'), + { Ref: 'NotificationTopicEB7A0DF1' }, + stringLike('*'), + ]], }, - Name: stringLike('*Approv*'), - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - }, - ]), - }); - } -}); - -behavior('Stages declared outside the pipeline create their own ApplicationSecurityCheck', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const pipelineStage = pipeline.codePipeline.addStage({ - stageName: 'UnattachedStage', - }); - - const unattachedStage = new cdkp.CdkStage(pipelineStack, 'UnattachedStage', { - stageName: 'UnattachedStage', - pipelineStage, - cloudAssemblyArtifact: pipeline.cloudAssemblyArtifact, - host: { - publishAsset: () => undefined, - stackOutputArtifact: () => undefined, + }, + Name: stringLike('*Check'), + Namespace: stringLike('*'), + RunOrder: 1, + }), + Match.objectLike({ + Configuration: { + CustomData: stringLike('#{*.MESSAGE}'), + ExternalEntityLink: stringLike('#{*.LINK}'), + }, + Name: stringLike('*Approv*'), + RunOrder: 2, + }), + Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), + Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), + ], }, - }); - - unattachedStage.addApplication(new OneStackApp(app, 'UnattachedStage'), { - confirmBroadeningPermissions: true, - }); - - THEN_codePipelineExpectation(); + ]), }); - - // Not a valid use of the modern API - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1); - // 1 for github build, 1 for synth stage, and 1 for the application security check - Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - { - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: 'UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B' }, - }, - Name: 'UnattachedStageSecurityCheck', - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: '#{UnattachedStageSecurityCheck.MESSAGE}', - ExternalEntityLink: '#{UnattachedStageSecurityCheck.LINK}', - }, - Name: 'UnattachedStageManualApproval', - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - Name: 'UnattachedStage', - }, - ], - }); - } }); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts index 98828dc57eb47..6b62207ba9bc7 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts @@ -4,7 +4,7 @@ import * as cb from '../../../aws-codebuild'; import * as cp from '../../../aws-codepipeline'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, LegacyTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,288 +18,186 @@ afterEach(() => { app.cleanup(); }); -behavior('CodePipeline has self-mutation stage', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); +test('CodePipeline has self-mutation stage', () => { - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: [ - Match.objectLike({ - Name: 'SelfMutate', - Configuration: Match.objectLike({ - ProjectName: { Ref: Match.anyValue() }, - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: [ + Match.objectLike({ + Name: 'SelfMutate', + Configuration: Match.objectLike({ + ProjectName: { Ref: Match.anyValue() }, }), - ], - }]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - } -}); - -behavior('selfmutation stage correctly identifies nested assembly of pipeline stack', (suite) => { - suite.legacy(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new LegacyTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - THEN_codePipelineExpectation(nestedPipelineStack); - }); - - suite.modern(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - THEN_codePipelineExpectation(nestedPipelineStack); + }), + ], + }]), }); - function THEN_codePipelineExpectation(nestedPipelineStack: Stack) { - Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@2'], + }, + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), }, - })), - }, - }); - } + }, + })), + Type: 'CODEPIPELINE', + }, + }); }); -behavior('selfmutation feature can be turned off', (suite) => { - suite.legacy(() => { - const cloudAssemblyArtifact = new cp.Artifact(); - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - selfMutating: false, - }); +test('selfmutation stage correctly identifies nested assembly of pipeline stack', () => { - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutation: false, - }); + const pipelineStage = new Stage(app, 'PipelineStage'); + const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); + new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), + }, + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: Match.anyValue(), - }])), - }); - } }); -behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cdkCliVersion: '1.2.3', - }); +test('selfmutation feature can be turned off', () => { - THEN_codePipelineExpectation(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutation: false, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cliVersion: '1.2.3', - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: Match.anyValue(), + }])), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Name: 'vpipe-selfupdate', - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@1.2.3'], - }, - }, - })), - }, - }); - } }); -behavior('Pipeline stack itself can use assets (has implications for selfupdate)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - supportDockerAssets: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); +test('can control fix/CLI version used in pipeline selfupdate', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + pipelineName: 'vpipe', + cliVersion: '1.2.3', }); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - dockerEnabledForSelfMutation: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Name: 'vpipe-selfupdate', + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@1.2.3'], + }, + }, + })), + }, }); }); -behavior('self-update project role uses tagged bootstrap-role permissions', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('Pipeline stack itself can use assets (has implications for selfupdate)', () => { - THEN_codePipelineExpectations(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { + dockerEnabledForSelfMutation: true, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectations(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + PrivilegedMode: true, + }, }); +}); - function THEN_codePipelineExpectations() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: 'arn:*:iam::123pipeline:role/*', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, +test('self-update project role uses tagged bootstrap-role permissions', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: 'arn:*:iam::123pipeline:role/*', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], }, }, - { - Action: 'cloudformation:DescribeStacks', - Effect: 'Allow', - Resource: '*', - }, - { - Action: 's3:ListBucket', - Effect: 'Allow', - Resource: '*', - }, - ]), - }, - }); - } + }, + { + Action: 'cloudformation:DescribeStacks', + Effect: 'Allow', + Resource: '*', + }, + { + Action: 's3:ListBucket', + Effect: 'Allow', + Resource: '*', + }, + ]), + }, + }); }); -behavior('self-mutation stage can be customized with BuildSpec', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationBuildSpec: cb.BuildSpec.fromObject({ +test('self-mutation stage can be customized with BuildSpec', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutationCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ phases: { install: { - commands: 'npm config set registry example.com', + commands: ['npm config set registry example.com'], }, }, cache: { - paths: 'node_modules', + paths: ['node_modules'], }, }), - }); - - THEN_codePipelineExpectation(); + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - phases: { - install: { - commands: ['npm config set registry example.com'], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: false, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], }, - cache: { - paths: ['node_modules'], + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), }, - }), - }, - }); - - THEN_codePipelineExpectation(); + }, + cache: { + paths: ['node_modules'], + }, + })), + Type: 'CODEPIPELINE', + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: false, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, - }, - cache: { - paths: ['node_modules'], - }, - })), - Type: 'CODEPIPELINE', - }, - }); - } }); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts index 827c2839a6462..489bd2a295289 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts @@ -1,6 +1,6 @@ import { Match, Template } from '../../../assertions'; import { App, Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; let app: App; let pipelineStack: Stack; @@ -10,169 +10,41 @@ beforeEach(() => { pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); }); -behavior('interdependent stacks are in the right order', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); +test('interdependent stacks are in the right order', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + ]), + }]), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - } }); -behavior('multiple independent stacks go in parallel', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); +test('multiple independent stacks go in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new ThreeStackApp(app, 'MyApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + // 1 and 2 in parallel + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + // Then 3 + Match.objectLike({ Name: 'Stack3.Prepare' }), + Match.objectLike({ Name: 'Stack3.Deploy' }), + ]), + }]), }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - // 1 and 2 in parallel - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - // Then 3 - Match.objectLike({ Name: 'Stack3.Prepare' }), - Match.objectLike({ Name: 'Stack3.Deploy' }), - ]), - }]), - }); - } -}); - -behavior('user can request manual change set approvals', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'ManualApproval' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'ManualApproval2' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request extra runorder space between prepare and deploy', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack1.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'Stack1.Deploy', - RunOrder: 3, - }), - Match.objectLike({ - Name: 'Stack2.Prepare', - RunOrder: 4, - }), - Match.objectLike({ - Name: 'Stack2.Deploy', - RunOrder: 6, - }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request both manual change set approval and extraRunOrderSpace', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'ManualApproval', - RunOrder: 2, - }), - Match.objectLike({ - Name: 'Stack.Deploy', - RunOrder: 4, - }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); }); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts index 30cbed9db1faf..ce52f6a2df0a8 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -19,10 +19,6 @@ let cloudAssemblyArtifact: codepipeline.Artifact; // Must be unique across all test files, but preferably also consistent const OUTDIR = 'testcdk0.out'; -// What phase install commands get rendered to -const LEGACY_INSTALLS = 'pre_build'; -const MODERN_INSTALLS = 'install'; - beforeEach(() => { app = new TestApp({ outdir: OUTDIR }); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -34,1124 +30,737 @@ afterEach(() => { app.cleanup(); }); -behavior('synth takes arrays of commands', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - - THEN_codePipelineExpectation(LEGACY_INSTALLS); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); - - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); - - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: [ - 'install1', - 'install2', - ], - }, - build: { - commands: [ - 'build1', - 'build2', - 'test1', - 'test2', - 'cdk synth', - ], - }, +test('synth takes arrays of commands', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + 'install1', + 'install2', + ], }, - })), - }, - }); - } + build: { + commands: [ + 'build1', + 'build2', + 'test1', + 'test2', + 'cdk synth', + ], + }, + }, + })), + }, + }); }); -behavior('synth sets artifact base-directory to cdk.out', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - THEN_codePipelineExpectation(); - }); +test('synth sets artifact base-directory to cdk.out', () => { - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'base-directory': 'cdk.out', + }, + })), + }, }); +}); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'base-directory': 'cdk.out', +test('synth supports setting subdirectory', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['cd subdir'], + commands: ['true'], + primaryOutputDirectory: 'subdir/cdk.out', + }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: Match.arrayWith(['cd subdir']), }, - })), - }, - }); - } + }, + artifacts: { + 'base-directory': 'subdir/cdk.out', + }, + })), + }, + }); }); -behavior('synth supports setting subdirectory', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - subdirectory: 'subdir', - }), - }); +test('npm synth sets, or allows setting, UNSAFE_PERM=true', () => { - THEN_codePipelineExpectation(LEGACY_INSTALLS); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + NPM_CONFIG_UNSAFE_PERM: 'true', + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['cd subdir'], - commands: ['true'], - primaryOutputDirectory: 'subdir/cdk.out', - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + EnvironmentVariables: [ + { + Name: 'NPM_CONFIG_UNSAFE_PERM', + Type: 'PLAINTEXT', + Value: 'true', + }, + ], + }, }); - - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: Match.arrayWith(['cd subdir']), - }, - }, - artifacts: { - 'base-directory': 'subdir/cdk.out', - }, - })), - }, - }); - } }); -behavior('npm synth sets, or allows setting, UNSAFE_PERM=true', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - THEN_codePipelineExpectation(); +test('Magic CodePipeline variables passed to synth envvars must be rendered in the action', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + VERSION: codepipeline.GlobalVariables.executionId, + }, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson(Match.arrayWith([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ])), + }), + }), + ], + }]), }); +}); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { +test('CodeBuild: environment variables specified in multiple places are correctly merged', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + synth: new CodeBuildStep('Synth', { env: { - NPM_CONFIG_UNSAFE_PERM: 'true', + SOME_ENV_VAR: 'SomeValue', }, - }); - - THEN_codePipelineExpectation(); + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - EnvironmentVariables: [ - { - Name: 'NPM_CONFIG_UNSAFE_PERM', - Type: 'PLAINTEXT', - Value: 'true', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', + }, + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', + }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['install1', 'install2'], }, - ], - }, - }); - } -}); - -behavior('synth assumes a JavaScript project by default (no build, yes synth)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['npm ci'], - }, - build: { - commands: ['npx cdk synth'], - }, + build: { + commands: ['synth'], }, - })), - }, - }); - }); - - // Modern pipeline does not assume anything anymore - suite.doesNotApply.modern(); -}); - -behavior('Magic CodePipeline variables passed to synth envvars must be rendered in the action', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, }, - synthCommand: 'synth', - }), - }); - THEN_codePipelineExpectation(); + })), + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', env: { - VERSION: codepipeline.GlobalVariables.executionId, + SOME_ENV_VAR: 'SomeValue', }, - }); - - THEN_codePipelineExpectation(); + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson(Match.arrayWith([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ])), - }), - }), - ], - }]), - }); - } -}); - -behavior('CodeBuild: environment variables specified in multiple places are correctly merged', (suite) => { - // We don't support merging environment variables in this way in the legacy API - suite.doesNotApply.legacy(); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - env: { - SOME_ENV_VAR: 'SomeValue', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', + }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['install1', 'install2'], + }, + build: { + commands: ['synth'], }, - privileged: true, }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + })), + }, }); +}); - suite.additional('modern2, using the specific CodeBuild action', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - env: { - SOME_ENV_VAR: 'SomeValue', - }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, +test('install command can be overridden/specified', () => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['/bin/true'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['/bin/true'], }, - privileged: true, }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); + })), + }, }); +}); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - { - Name: 'SOME_ENV_VAR', - Type: 'PLAINTEXT', - Value: 'SomeValue', - }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['install1', 'install2'], +test('Synth can output additional artifacts', () => { + + // WHEN + const synth = new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['cdk synth'], + }); + synth.addOutputDirectory('test'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: synth, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'secondary-artifacts': { + Synth_Output: { + 'base-directory': 'cdk.out', + 'files': '**/*', }, - build: { - commands: ['synth'], + Synth_test: { + 'base-directory': 'test', + 'files': '**/*', }, }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('install command can be overridden/specified', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - }), - }); +test('Synth can be made to run in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); - THEN_codePipelineExpectation(LEGACY_INSTALLS); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, }); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['/bin/true'], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); +}); - THEN_codePipelineExpectation(MODERN_INSTALLS); +test('Modern, using the synthCodeBuildDefaults', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synthCodeBuildDefaults: { vpc }, }); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['/bin/true'], - }, - }, - })), - }, - }); - } + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); }); -behavior('synth can have its test commands set', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - testCommands: ['echo "Running tests"'], - }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['/bin/true'], - }, - build: { - commands: ['echo "Running tests"', 'npx cdk synth'], - }, - }, - })), +test('Modern, using CodeBuildStep', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); + }), + codeBuildDefaults: { vpc }, }); - // There are no implicit commands in modern synth - suite.doesNotApply.modern(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); }); -behavior('Synth can output additional artifacts', (suite) => { - suite.legacy(() => { - // WHEN - const addlArtifact = new codepipeline.Artifact('IntegTest'); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [ - { - artifact: addlArtifact, - directory: 'test', - }, - ], - }), - }); +test('Pipeline action contains a hash that changes as the buildspec changes', () => { + const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - THEN_codePipelineExpectation('CloudAsm', 'IntegTest'); - }); + // To make sure the hash is not just random :) + const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - suite.modern(() => { - // WHEN - const synth = new cdkp.ShellStep('Synth', { + const hash2 = modernSynthWithAction(() => ({ + installCommands: ['do install'], + })); + const hash3 = modernSynthWithAction(() => ({ + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['cdk synth'], - }); - synth.addOutputDirectory('test'); - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: synth, - }); - - THEN_codePipelineExpectation('Synth_Output', 'Synth_test'); - }); - - function THEN_codePipelineExpectation(asmArtifact: string, testArtifact: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'secondary-artifacts': { - [asmArtifact]: { - 'base-directory': 'cdk.out', - 'files': '**/*', - }, - [testArtifact]: { - 'base-directory': 'test', - 'files': '**/*', - }, - }, - }, - })), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); - } + }), + })); + + const hash4 = modernSynthWithAction(() => ({ + env: { + xyz: 'SOME-VALUE', + }, + })); + + expect(hash1).toEqual(hash1prime); + + expect(hash1).not.toEqual(hash2); + expect(hash1).not.toEqual(hash3); + expect(hash1).not.toEqual(hash4); + expect(hash2).not.toEqual(hash3); + expect(hash2).not.toEqual(hash4); + expect(hash3).not.toEqual(hash4); }); -behavior('Synth can be made to run in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); +function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { + const _app = new TestApp({ outdir: OUTDIR }); + const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); + + new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); + + return captureProjectConfigHash(_pipelineStack); +} + +function captureProjectConfigHash(_pipelineStack: Stack) { + const theHash = new Capture(); + Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: '_PROJECT_CONFIG_HASH', + type: 'PLAINTEXT', + value: theHash, + }, + ]), + }), + }), + ], + }]), }); - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - vpc, - sourceArtifact, - cloudAssemblyArtifact, - }), - }); + return theHash.asString(); +} - THEN_codePipelineExpectation(); - }); +test('Synth CodeBuild project role can be granted permissions', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); + // GIVEN + const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipe.buildPipeline(); - THEN_codePipelineExpectation(); - }); + // WHEN + bucket.grantRead(pipe.synthProject); - suite.additional('Modern, using the synthCodeBuildDefaults', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synthCodeBuildDefaults: { vpc }, - }); - - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}); - suite.additional('Modern, using CodeBuildStep', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - codeBuildDefaults: { vpc }, - }); - - THEN_codePipelineExpectation(); - }); +test('Synth can reference an imported ECR repo', () => { - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, - ], - VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + commands: ['build'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + buildImage: cbuild.LinuxBuildImage.fromEcrRepository( + ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), + ), }, - }); + }), + }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), - }, - }); - } + // THEN -- no exception (necessary for linter) + expect(true).toBeTruthy(); }); -behavior('Pipeline action contains a hash that changes as the buildspec changes', (suite) => { - suite.legacy(() => { - const hash1 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - // To make sure the hash is not just random :) - const hash1prime = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - const hash2 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - installCommand: 'do install', - })); - const hash3 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - computeType: cbuild.ComputeType.LARGE, - }, - })); - const hash4 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - environmentVariables: { - xyz: { value: 'SOME-VALUE' }, - }, - }, - })); +test('CodeBuild: Can specify additional policy statements', () => { - expect(hash1).toEqual(hash1prime); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', + commands: ['synth'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:my:arn'], + }), + ], + }), + }); - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: [ + 'codeartifact:*', + 'sts:GetServiceBearerToken', + ], + Resource: 'arn:my:arn', + })]), + }, }); +}); - suite.modern(() => { - const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - // To make sure the hash is not just random :) - const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - const hash2 = modernSynthWithAction(() => ({ - installCommands: ['do install'], - })); - const hash3 = modernSynthWithAction(() => ({ - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - })); +test('Multiple input sources in side-by-side directories', () => { - const hash4 = modernSynthWithAction(() => ({ - env: { - xyz: 'SOME-VALUE', + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['false'], + additionalInputs: { + '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), + 'sub': new cdkp.ShellStep('Prebuild', { + input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), + commands: ['true'], + primaryOutputDirectory: 'built', + }), }, - })); - - expect(hash1).toEqual(hash1prime); - - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + }), }); - // eslint-disable-next-line max-len - function legacySynthWithAction(cb: (sourceArtifact: codepipeline.Artifact, cloudAssemblyArtifact: codepipeline.Artifact) => codepipeline.IAction) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - const _sourceArtifact = new codepipeline.Artifact(); - const _cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - - new LegacyTestGitHubNpmPipeline(_pipelineStack, 'Cdk', { - sourceArtifact: _sourceArtifact, - cloudAssemblyArtifact: _cloudAssemblyArtifact, - synthAction: cb(_sourceArtifact, _cloudAssemblyArtifact), - }); - - return captureProjectConfigHash(_pipelineStack); - } - - function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - - new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); - - return captureProjectConfigHash(_pipelineStack); - } - - function captureProjectConfigHash(_pipelineStack: Stack) { - const theHash = new Capture(); - Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'Source', + Actions: [ + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), + ], + }, + { Name: 'Build', Actions: [ + Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), Match.objectLike({ Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: '_PROJECT_CONFIG_HASH', - type: 'PLAINTEXT', - value: theHash, - }, - ]), - }), + RunOrder: 2, + InputArtifacts: [ + // 3 input artifacts + Match.anyValue(), + Match.anyValue(), + Match.anyValue(), + ], }), ], - }]), - }); - - return theHash.asString(); - } -}); - -behavior('Synth CodeBuild project role can be granted permissions', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - }); - - suite.legacy(() => { - // GIVEN - const synthAction = cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction, - }); - - // WHEN - bucket.grantRead(synthAction); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // GIVEN - const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipe.buildPipeline(); - - // WHEN - bucket.grantRead(pipe.synthProject); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), }, - }); - } -}); - -behavior('Synth can reference an imported ECR repo', (suite) => { - // Repro from https://github.com/aws/aws-cdk/issues/10535 - - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), - }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - commands: ['build'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), + ]), + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', + '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', + ], + }, + build: { + commands: [ + 'false', + ], + }, }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); -}); - -behavior('CodeBuild: Can specify additional policy statements', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - commands: ['synth'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: [ - 'codeartifact:*', - 'sts:GetServiceBearerToken', - ], - Resource: 'arn:my:arn', - })]), - }, - }); - } }); -behavior('Multiple input sources in side-by-side directories', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['false'], - additionalInputs: { - '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), - 'sub': new cdkp.ShellStep('Prebuild', { - input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), - commands: ['true'], - primaryOutputDirectory: 'built', - }), - }, - }), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'Source', - Actions: [ - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), - ], - }, - { - Name: 'Build', - Actions: [ - Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), - Match.objectLike({ - Name: 'Synth', - RunOrder: 2, - InputArtifacts: [ - // 3 input artifacts - Match.anyValue(), - Match.anyValue(), - Match.anyValue(), - ], - }), - ], - }, - ]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: [ - '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', - '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', - ], - }, - build: { - commands: [ - 'false', - ], - }, +test('Can easily switch on privileged mode for synth', () => { + + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + dockerEnabledForSynth: true, + commands: ['LookAtMe'], + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'LookAtMe', + ], }, - })), - }, - }); + }, + })), + }, }); }); -behavior('Can easily switch on privileged mode for synth', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); +test('can provide custom BuildSpec that is merged with generated one', () => { - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - dockerEnabledForSynth: true, - commands: ['LookAtMe'], - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'LookAtMe', - ], - }, - }, - })), + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + env: { + SOME_ENV_VAR: 'SomeValue', }, - }); - }); -}); - -behavior('can provide custom BuildSpec that is merged with generated one', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, + buildEnvironment: { environmentVariables: { - SOME_ENV_VAR: { value: 'SomeValue' }, + INNER_VAR: { value: 'InnerValue' }, }, - environment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + privileged: true, + }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + partialBuildSpec: cbuild.BuildSpec.fromObject({ + env: { + variables: { + FOO: 'bar', }, - privileged: true, }, - installCommands: [ - 'install1', - 'install2', - ], - synthCommand: 'synth', - buildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, + phases: { + pre_build: { + commands: ['installCustom'], }, - phases: { - pre_build: { - commands: 'installCustom', - }, - }, - cache: { - paths: ['node_modules'], - }, - }), + }, + cache: { + paths: ['node_modules'], + }, }), - }); - - THEN_codePipelineExpectation(); + }), }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - env: { - SOME_ENV_VAR: 'SomeValue', + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', }, - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + env: { + variables: { + FOO: 'bar', }, - privileged: true, }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - partialBuildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, - }, - phases: { - pre_build: { - commands: ['installCustom'], - }, + phases: { + pre_build: { + commands: Match.arrayWith(['installCustom']), }, - cache: { - paths: ['node_modules'], + build: { + commands: ['synth'], }, - }), - }), - }); - - THEN_codePipelineExpectation(); + }, + cache: { + paths: ['node_modules'], + }, + })), + }, }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - env: { - variables: { - FOO: 'bar', - }, - }, - phases: { - pre_build: { - commands: Match.arrayWith(['installCustom']), - }, - build: { - commands: ['synth'], - }, - }, - cache: { - paths: ['node_modules'], - }, - })), - }, - }); - } }); -behavior('stacks synthesized for pipeline will be checked during synth', (suite) => { - let stage: OneStackApp; - beforeEach(() => { - stage = new OneStackApp(pipelineStack, 'MyApp'); - }); - - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - pipeline.addApplicationStage(stage); - - THEN(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); - pipeline.addStage(stage); +test('stacks synthesized for pipeline will be checked during synth', () => { + let stage: OneStackApp = new OneStackApp(pipelineStack, 'MyApp'); - THEN(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], }); + pipeline.addStage(stage); - function THEN() { - // All stacks in the ASM have been synthesized with 'validateOnSynth: true' - const asm = stage.synth(); - for (const stack of asm.stacks) { - expect(stack.validateOnSynth).toEqual(true); - } + // All stacks in the ASM have been synthesized with 'validateOnSynth: true' + const asm = stage.synth(); + for (const stack of asm.stacks) { + expect(stack.validateOnSynth).toEqual(true); } }); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts index f1a560fdae911..5af4eb5733394 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodePipelineSource, ShellStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { AppWithOutput, behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; +import { AppWithOutput, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -23,775 +23,471 @@ afterEach(() => { app.cleanup(); }); -behavior('can add manual approval after app', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add manual approval after app', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('can add steps to wave', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add steps to wave', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const wave = pipeline.addWave('MyWave', { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyWave', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const wave = pipeline.addWave('MyWave', { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyWave', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('script validation steps can use stack outputs as environment variables', (suite) => { - suite.legacy(() => { - // GIVEN - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'MyApp'); - - // WHEN - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: Match.anyValue() }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: Match.anyValue() }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); +test('script validation steps can use stack outputs as environment variables', () => { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'export BUCKET_NAME="$(node -pe \'require(process.env.CODEBUILD_SRC_DIR + "/outputs.json")["BucketName"]\')"', - 'echo $BUCKET_NAME', - ], - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const myApp = new AppWithOutput(app, 'Alpha'); - pipeline.addStage(myApp, { - post: [ - new cdkp.ShellStep('Approve', { - commands: ['/bin/true'], - envFromCfnOutputs: { - THE_OUTPUT: myApp.theOutput, - }, - }), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Alpha', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: 'AlphaStack6B3389FA', - }), - Match.objectLike({ - Name: 'Approve', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, - ]), - }), - }), - ]), - }]), - }); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const myApp = new AppWithOutput(app, 'Alpha'); + pipeline.addStage(myApp, { + post: [ + new cdkp.ShellStep('Approve', { + commands: ['/bin/true'], + envFromCfnOutputs: { + THE_OUTPUT: myApp.theOutput, + }, + }), + ], }); -}); -behavior('stackOutput generates names limited to 100 characters', (suite) => { - suite.legacy(() => { - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: stringNoLongerThan(100) }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: stringNoLongerThan(100) }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - pipeline.addStage(stage, { - post: [ - new cdkp.ShellStep('TestOutput', { - commands: ['echo $BUCKET_NAME'], - envFromCfnOutputs: { - BUCKET_NAME: stage.output, - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Alpha', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: 'AlphaStack6B3389FA', }), - ], - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: stringNoLongerThan(100), + Match.objectLike({ + Name: 'Approve', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, + ]), }), - ]), - }]), - }); + }), + ]), + }]), }); }); -behavior('validation step can run from scripts in source', (suite) => { - suite.legacy(() => { - const { pipeline, sourceArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseSources', - additionalArtifacts: [sourceArtifact], - commands: ['true'], - })); +test('stackOutput generates names limited to 100 characters', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); + pipeline.addStage(stage, { + post: [ + new cdkp.ShellStep('TestOutput', { + commands: ['echo $BUCKET_NAME'], + envFromCfnOutputs: { + BUCKET_NAME: stage.output, + }, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseSources', { - input: pipeline.gitHubSource, - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: stringNoLongerThan(100), }), - ], - }); - - THEN_codePipelineExpectation(); + ]), + }]), }); - - function THEN_codePipelineExpectation() { - const sourceArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ - OutputArtifacts: [{ Name: sourceArtifact }], - }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseSources', - InputArtifacts: [{ Name: sourceArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - } }); -behavior('can use additional output artifacts from build', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseBuildArtifact', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); +test('validation step can run from scripts in source', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseSources', { + input: pipeline.gitHubSource, + commands: ['set -eu', 'true'], + }), + ], }); - suite.modern(() => { - const synth = new ShellStep('Synth', { - input: CodePipelineSource.gitHub('test/test', 'main'), - commands: ['synth'], - }); + const sourceArtifact = new Capture(); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth, - }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseBuildArtifact', { - input: synth.addOutputDirectory('test'), - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ + OutputArtifacts: [{ Name: sourceArtifact }], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - - function THEN_codePipelineExpectation() { - const integArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - OutputArtifacts: [ - { Name: Match.anyValue() }, // It's not the first output - { Name: integArtifact }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseSources', + InputArtifacts: [{ Name: sourceArtifact.asString() }], + }), + ]), + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', ], - }), - ], - }]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseBuildArtifact', - InputArtifacts: [{ Name: integArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('can add policy statements to shell script action', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), - ], - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), +test('can use additional output artifacts from build', () => { + const synth = new ShellStep('Synth', { + input: CodePipelineSource.gitHub('test/test', 'main'), + commands: ['synth'], + }); + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth, + }); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseBuildArtifact', { + input: synth.addOutputDirectory('test'), + commands: ['set -eu', 'true'], + }), + ], + }); + + const integArtifact = new Capture(); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + OutputArtifacts: [ + { Name: Match.anyValue() }, // It's not the first output + { Name: integArtifact }, ], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: 's3:Banana', - Resource: '*', - })]), - }, - }); - } -}); - -behavior('can grant permissions to shell script action', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseBuildArtifact', + InputArtifacts: [{ Name: integArtifact.asString() }], + }), + ]), + }]), }); - - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - const action = new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - }); - pipeline.addStage('Test').addActions(action); - - // WHEN - bucket.grantRead(action); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('can add policy statements to shell script action', () => { - const codeBuildStep = new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.CodeBuildStep('Boop', { + commands: ['true'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:Banana'], + resources: ['*'], + }), + ], + }), + ], + }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [codeBuildStep], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: 's3:Banana', + Resource: '*', + })]), + }, + }); +}); - pipeline.buildPipeline(); +test('can grant permissions to shell script action', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - // WHEN - bucket.grantRead(codeBuildStep.project); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + const codeBuildStep = new cdkp.CodeBuildStep('Boop', { + commands: ['true'], }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), - }, - }); - } -}); - -behavior('can run shell script actions in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [codeBuildStep], }); - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); + pipeline.buildPipeline(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - vpc, - actionName: 'VpcAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); + // WHEN + bucket.grantRead(codeBuildStep.project); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); +test('can run shell script actions in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.ShellStep('VpcAction', { - commands: ['set -eu', 'true'], - })], - }); - - THEN_codePipelineExpectation(); + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + codeBuildDefaults: { vpc }, }); - suite.additional('modern, alternate API', () => { - // Can also explicitly specify a VPC when going to the "full config" class - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp-1'), { + post: [new cdkp.ShellStep('VpcAction', { + commands: ['set -eu', 'true'], + })], + }); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.CodeBuildStep('VpcAction', { - commands: ['set -eu', 'true'], - vpc, - })], - }); + // Can also explicitly specify a VPC when going to the "full config" class + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2'); - THEN_codePipelineExpectation(); + pipeline2.addStage(new TwoStackApp(app, 'MyApp-2'), { + post: [new cdkp.CodeBuildStep('VpcAction', { + commands: ['set -eu', 'true'], + vpc, + })], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - VpcConfig: { - Subnets: [ - { - Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', - }, - { - Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', - }, - { - Ref: 'VPCPrivateSubnet3Subnet3EDCD457', - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + VpcConfig: { + Subnets: [ + { + Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', }, + { + Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', + }, + { + Ref: 'VPCPrivateSubnet3Subnet3EDCD457', + }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], }, - })), - }, - }); - } + }, + })), + }, + }); }); -behavior('can run shell script actions with a specific SecurityGroup', (suite) => { - let vpc: ec2.Vpc; - let sg: ec2.SecurityGroup; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); - sg = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); - }); +test('can run shell script actions with a specific SecurityGroup', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); + const sg: ec2.SecurityGroup = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); + + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('sgAction', { + commands: ['set -eu', 'true'], vpc, securityGroups: [sg], - actionName: 'sgAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('sgAction', { - commands: ['set -eu', 'true'], - vpc, - securityGroups: [sg], - })], - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'sgAction', + }), + ]), + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'sgAction', - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'SGADB53937', - 'GroupId', - ], - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { + 'Fn::GetAtt': [ + 'SGADB53937', + 'GroupId', + ], }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - }); - } + }, + }); }); -behavior('can run scripts with specified BuildEnvironment', (suite) => { - suite.legacy(() => { - let { pipeline, integTestArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_2_0 }, - })); - - THEN_codePipelineExpectation(); - }); +test('can run scripts with specified BuildEnvironment', () => { - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-1', { + codeBuildDefaults: { + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, }, - }); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - })], - }); - - THEN_codePipelineExpectation(); + }, }); - suite.additional('modern, alternative API', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test-1'), { + post: [new cdkp.ShellStep('imageAction', { + commands: ['true'], + })], + }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('imageAction', { - commands: ['true'], - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, - })], - }); + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk-2'); - THEN_codePipelineExpectation(); + pipeline2.addStage(new TwoStackApp(app, 'Test-2'), { + post: [new cdkp.CodeBuildStep('imageAction', { + commands: ['true'], + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + })], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:2.0', - }, - }); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:2.0', + }, + }); }); -behavior('can run scripts with magic environment variables', (suite) => { - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], +test('can run scripts with magic environment variables', () => { + + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { commands: ['true'], - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, + env: { + VERSION: codepipeline.GlobalVariables.executionId, }, - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - env: { - VERSION: codepipeline.GlobalVariables.executionId, - }, - })], - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'imageAction', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ]), - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'imageAction', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ]), }), - ]), - }]), - }); - } -}); - -/** - * Some shared setup for legacy API tests - */ -function legacySetup() { - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [{ directory: 'test', artifact: integTestArtifact }], - }), - }); - - return { sourceArtifact, cloudAssemblyArtifact, integTestArtifact, pipeline }; -} \ No newline at end of file + }), + ]), + }]), + }); +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts b/packages/aws-cdk-lib/pipelines/test/fs.test.ts similarity index 85% rename from packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts rename to packages/aws-cdk-lib/pipelines/test/fs.test.ts index da49fa9cf2986..49cbe2458e64a 100644 --- a/packages/aws-cdk-lib/pipelines/test/legacy/fs.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/fs.test.ts @@ -1,5 +1,5 @@ import * as path from 'path'; -import { toPosixPath } from '../../lib/private/fs'; +import { toPosixPath } from '../lib/private/fs'; test('translate path.sep', () => { expect(toPosixPath(`a${path.sep}b${path.sep}c`)).toEqual('a/b/c'); diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts index 2d3c4ebed35ba..d50366234083f 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts @@ -1,68 +1,13 @@ import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; interface SkippedSuite { - legacy(reason?: string): void; - modern(reason?: string): void; } interface Suite { readonly doesNotApply: SkippedSuite; - legacy(fn: () => void): void; - modern(fn: () => void): void; additional(description: string, fn: () => void): void; -} - -// eslint-disable-next-line jest/no-export -export function behavior(name: string, cb: (suite: Suite) => void) { - // Since the goal of the compliance test suites is to compare modern and legacy (i.e. deprecated) APIs, - // use `describeDeprecated()` block here since usage of the legacy API is inevitable. - describeDeprecated(name, () => { - const unwritten = new Set(['modern', 'legacy']); - - function scratchOff(flavor: string) { - if (!unwritten.has(flavor)) { - throw new Error(`Already had test for ${flavor}. Use .additional() to add more tests.`); - } - unwritten.delete(flavor); - } - - cb({ - legacy: (testFn) => { - scratchOff('legacy'); - test('legacy', testFn); - }, - modern: (testFn) => { - scratchOff('modern'); - test('modern', testFn); - }, - additional: test, - doesNotApply: { - modern: (reason?: string) => { - scratchOff('modern'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`modern - ${reason}`, () => {}); - } - }, - - legacy: (reason?: string) => { - scratchOff('legacy'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`legacy - ${reason}`, () => {}); - } - }, - }, - }); - - for (const missing of unwritten) { - test.todo(missing); - } - }); -} +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts index fbc50d3b1a003..866d791e45856 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts @@ -1,5 +1,4 @@ export * from './compliance'; -export * from './legacy-pipeline'; export * from './modern-pipeline'; export * from './test-app'; export * from './matchers'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts deleted file mode 100644 index cc5340b74e7c8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../aws-codepipeline-actions'; -import { SecretValue } from '../../../core'; -import * as cdkp from '../../lib'; - -export interface LegacyTestGitHubNpmPipelineExtraProps { - readonly sourceArtifact?: codepipeline.Artifact; - readonly npmSynthOptions?: Partial; -} - -export class LegacyTestGitHubNpmPipeline extends cdkp.CdkPipeline { - public readonly sourceArtifact: codepipeline.Artifact; - public readonly cloudAssemblyArtifact: codepipeline.Artifact; - - constructor(scope: Construct, id: string, props?: Partial & LegacyTestGitHubNpmPipelineExtraProps) { - const sourceArtifact = props?.sourceArtifact ?? new codepipeline.Artifact(); - const cloudAssemblyArtifact = props?.cloudAssemblyArtifact ?? new codepipeline.Artifact(); - - super(scope, id, { - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - ...props?.npmSynthOptions, - }), - cloudAssemblyArtifact, - ...props, - }); - - this.sourceArtifact = sourceArtifact; - this.cloudAssemblyArtifact = cloudAssemblyArtifact; - } -} - -export class TestGitHubAction extends codepipeline_actions.GitHubSourceAction { - constructor(sourceArtifact: codepipeline.Artifact) { - super({ - actionName: 'GitHub', - output: sourceArtifact, - oauthToken: SecretValue.unsafePlainText('$3kr1t'), - owner: 'test', - repo: 'test', - trigger: codepipeline_actions.GitHubTrigger.POLL, - }); - } -}