From ed3d2e5095a8ffffa4bc17f48084068675bd25a2 Mon Sep 17 00:00:00 2001 From: Kendra Neil <53584728+TheRealAmazonKendra@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:58:49 -0700 Subject: [PATCH] chore: remove apis and tests that were only published in v1 for pipelines --- .../PipelineSecurityStack.assets.json | 45 - .../PipelineSecurityStack.template.json | 3184 ----------- ...efaultTestDeployAssertEE246BCA.assets.json | 19 - ...aultTestDeployAssertEE246BCA.template.json | 36 - ...curityCheckMySafeStack7A4F8E95.assets.json | 19 - ...rityCheckMySafeStack7A4F8E95.template.json | 41 - .../cdk.out | 1 - .../manifest.json | 60 - ...leSecurityCheckMyStack0B9FE272.assets.json | 19 - ...SecurityCheckMyStack0B9FE272.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...NoSecurityCheckMyStack3484019E.assets.json | 19 - ...SecurityCheckMyStack3484019E.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...ckPreProductionMyStackDCCBB4EA.assets.json | 19 - ...PreProductionMyStackDCCBB4EA.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - ...eProductionMySafeStackC0D87904.assets.json | 19 - ...roductionMySafeStackC0D87904.template.json | 41 - .../cdk.out | 1 - .../manifest.json | 60 - ...tackSingleStageMyStack29962269.assets.json | 19 - ...ckSingleStageMyStack29962269.template.json | 82 - .../cdk.out | 1 - .../manifest.json | 66 - .../index.js | 1 - .../index.js | 1 - .../cdk.out | 1 - .../integ.json | 13 - .../manifest.json | 431 -- .../tree.json | 5039 ----------------- .../pipelines/test/integ.pipeline-security.ts | 115 - .../PipelineStack.assets.json | 32 - .../PipelineStack.template.json | 2148 ------- ...efaultTestDeployAssertBC780F98.assets.json | 19 - ...aultTestDeployAssertBC780F98.template.json | 36 - ...elineStackPreProdStack65A0AD1F.assets.json | 45 - ...ineStackPreProdStack65A0AD1F.template.json | 41 - .../assembly-PipelineStack-PreProd/cdk.out | 1 - .../manifest.json | 60 - .../index.js | 1 - ...99171adef5e1d8f6b88810e5fef75e6ca09ba5.txt | 1 - ...03f1ced72b4fc58c498dfd99c78fa77e721e0e.txt | 1 - ...pelineStack-Pipeline-Assets-FileAsset.yaml | 16 - .../cdk.out | 1 - .../integ.json | 13 - .../manifest.json | 318 -- .../tree.json | 2946 ---------- ...nteg.pipeline-with-assets-single-upload.ts | 107 - .../test/integ.pipeline-with-assets.ts | 106 - .../PipelineStack.assets.json | 32 - .../PipelineStack.template.json | 1910 ------- ...efaultTestDeployAssertBC780F98.assets.json | 19 - ...aultTestDeployAssertBC780F98.template.json | 36 - ...elineStackPreProdStack65A0AD1F.assets.json | 19 - ...ineStackPreProdStack65A0AD1F.template.json | 41 - .../assembly-PipelineStack-PreProd/cdk.out | 1 - .../manifest.json | 60 - .../index.js | 1 - .../test/integ.pipeline.js.snapshot/cdk.out | 1 - .../integ.pipeline.js.snapshot/integ.json | 13 - .../integ.pipeline.js.snapshot/manifest.json | 300 - .../test/integ.pipeline.js.snapshot/tree.json | 2564 --------- .../test/pipelines/test/integ.pipeline.ts | 97 - .../cli-lib-alpha/THIRD_PARTY_LICENSES | 97 +- packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 21 +- packages/aws-cdk-lib/pipelines/lib/index.ts | 1 - .../legacy/actions/deploy-cdk-stack-action.ts | 386 -- .../pipelines/lib/legacy/actions/index.ts | 3 - .../legacy/actions/publish-assets-action.ts | 228 - .../legacy/actions/update-pipeline-action.ts | 183 - .../aws-cdk-lib/pipelines/lib/legacy/index.ts | 5 - .../pipelines/lib/legacy/pipeline.ts | 624 -- .../aws-cdk-lib/pipelines/lib/legacy/stage.ts | 586 -- .../pipelines/lib/legacy/synths/_util.ts | 15 - .../pipelines/lib/legacy/synths/index.ts | 1 - .../lib/legacy/synths/simple-synth-action.ts | 591 -- .../pipelines/lib/legacy/validation/_files.ts | 97 - .../pipelines/lib/legacy/validation/index.ts | 1 - .../legacy/validation/shell-script-action.ts | 253 - .../codepipeline-existing.test.ts | 65 - .../pipelines/test/compliance/assets.test.ts | 1327 ++--- .../test/compliance/basic-behavior.test.ts | 290 +- .../compliance/docker-credentials.test.ts | 362 +- .../test/compliance/environments.test.ts | 651 +-- .../test/compliance/escape-hatching.test.ts | 284 +- .../test/compliance/security-check.test.ts | 563 +- .../test/compliance/self-mutation.test.ts | 392 +- .../test/compliance/stack-ordering.test.ts | 204 +- .../pipelines/test/compliance/synths.test.ts | 1654 +++--- .../test/compliance/validations.test.ts | 1072 ++-- .../pipelines/test/testhelpers/compliance.ts | 57 +- .../pipelines/test/testhelpers/index.ts | 1 - .../test/testhelpers/legacy-pipeline.ts | 47 - 97 files changed, 2567 insertions(+), 28279 deletions(-) delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json delete mode 100644 packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts delete mode 100644 packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts delete mode 100644 packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts delete mode 100644 packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json deleted file mode 100644 index f698f535c5907..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6": { - "source": { - "path": "asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448": { - "source": { - "path": "PipelineSecurityStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e9491d10b7f496e4aa18e0f88da57dc8e342c62cbfbb5190f663fc8039981448.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json deleted file mode 100644 index a9a989ab4a39e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityStack.template.json +++ /dev/null @@ -1,3184 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "TestPipelineArtifactsBucketEncryptionKey13258842": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucketEncryptionKeyAliasE8D86DD3": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861", - "TargetKeyId": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "TestPipelineArtifactsBucket026AF2F9": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "TestPipelineArtifactsBucketPolicyDF75C611": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRole63C35BBD": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineRoleDefaultPolicyFA69BF2D": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineRoleDefaultPolicyFA69BF2D", - "Roles": [ - { - "Ref": "TestPipelineRole63C35BBD" - } - ] - } - }, - "TestPipeline34ACDBF9": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "TestPipelineArtifactsBucket026AF2F9" - }, - "Type": "S3" - }, - "Name": "TestPipeline", - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineRole63C35BBD", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"8c69c5d954446d78352846c8ddc8ff911cec11c1f93f8aab1fac67556cf1a058\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SingleStage\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"UnattachedStage\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SingleStageManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SingleStage\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStageSecurityCheck", - "Namespace": "SingleStageSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SingleStageSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SingleStageSecurityCheck.LINK}" - }, - "Name": "SingleStageManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SingleStage-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SingleStage-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SingleStage-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - } - ], - "Name": "UnattachedStage" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/PreProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in PreProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "PreProductionSecurityCheck", - "Namespace": "PreProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194", - "Arn" - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{PreProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{PreProductionSecurityCheck.LINK}" - }, - "Name": "PreProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9", - "Arn" - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": { - "Fn::Join": [ - "", - [ - "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/SafeProduction\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"PreProduction\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"SafeProductionManualApproval\"},{\"name\":\"NOTIFICATION_ARN\",\"type\":\"PLAINTEXT\",\"value\":\"", - { - "Ref": "SecurityChangesTopic9762A9B3" - }, - "\"},{\"name\":\"NOTIFICATION_SUBJECT\",\"type\":\"PLAINTEXT\",\"value\":\"Confirm permission broadening in SafeProduction\"}]" - ] - ] - } - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProductionSecurityCheck", - "Namespace": "SafeProductionSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6", - "Arn" - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{SafeProductionSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{SafeProductionSecurityCheck.LINK}" - }, - "Name": "SafeProductionManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9", - "Arn" - ] - }, - "RunOrder": 6 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProduction-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SafeProduction-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 7 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "SafeProduction-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "SafeProduction-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 8 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "DisableSecurityCheck-MySafeStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 9 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "DisableSecurityCheck-MySafeStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "DisableSecurityCheck-MySafeStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 10 - } - ], - "Name": "PreProduction" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "EnvironmentVariables": "[{\"name\":\"STAGE_PATH\",\"type\":\"PLAINTEXT\",\"value\":\"PipelineSecurityStack/EnableSecurityCheck\"},{\"name\":\"STAGE_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"NoSecurityCheck\"},{\"name\":\"ACTION_NAME\",\"type\":\"PLAINTEXT\",\"value\":\"EnableSecurityCheckManualApproval\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheckSecurityCheck", - "Namespace": "EnableSecurityCheckSecurityCheck", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D", - "Arn" - ] - }, - "RunOrder": 3 - }, - { - "ActionTypeId": { - "Category": "Approval", - "Owner": "AWS", - "Provider": "Manual", - "Version": "1" - }, - "Configuration": { - "CustomData": "#{EnableSecurityCheckSecurityCheck.MESSAGE}", - "ExternalEntityLink": "#{EnableSecurityCheckSecurityCheck.LINK}" - }, - "Name": "EnableSecurityCheckManualApproval", - "RoleArn": { - "Fn::GetAtt": [ - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015", - "Arn" - ] - }, - "RunOrder": 4 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "NoSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "EnableSecurityCheck-MyStack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 5 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "EnableSecurityCheck-MyStack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "EnableSecurityCheck-MyStack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 6 - } - ], - "Name": "NoSecurityCheck" - } - ], - "Tags": [ - { - "Key": "SECURITY_CHECK", - "Value": "ALLOW_APPROVE" - } - ] - }, - "DependsOn": [ - "TestPipelineRoleDefaultPolicyFA69BF2D", - "TestPipelineRole63C35BBD" - ] - }, - "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineSourceS3CodePipelineActionRoleDefaultPolicy8B0350FD", - "Roles": [ - { - "Ref": "TestPipelineSourceS3CodePipelineActionRoleEF21D3A0" - } - ] - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProject755D4B01", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCodePipelineActionRoleDefaultPolicy65DF5C76", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCodePipelineActionRoleF7BF5926" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelineBuildSynthCdkBuildProject755D4B01" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineBuildSynthCdkBuildProjectRoleDefaultPolicy73DC4481", - "Roles": [ - { - "Ref": "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729" - } - ] - } - }, - "TestPipelineBuildSynthCdkBuildProject755D4B01": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelineBuildSynthCdkBuildProjectRole4C6E5729", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"yarn install --frozen-lockfile\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"yarn build\",\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleDefaultPolicyFC737D71", - "Roles": [ - { - "Ref": "TestPipelineUnattachedStageSingleStageSecurityCheckCodePipelineActionRoleFF6E43E2" - } - ] - } - }, - "TestPipelineUnattachedStageSingleStageManualApprovalCodePipelineActionRoleF7A614C8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRoleDefaultPolicy10D0864F", - "Roles": [ - { - "Ref": "TestPipelinePreProductionPreProductionSecurityCheckCodePipelineActionRole4E54C194" - } - ] - } - }, - "TestPipelinePreProductionPreProductionManualApprovalCodePipelineActionRole81B9C4F9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRoleDefaultPolicyB836B566", - "Roles": [ - { - "Ref": "TestPipelinePreProductionSafeProductionSecurityCheckCodePipelineActionRole399C68A6" - } - ] - } - }, - "TestPipelinePreProductionSafeProductionManualApprovalCodePipelineActionRole4F30C0D9": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRoleDefaultPolicyE83A2CA1", - "Roles": [ - { - "Ref": "TestPipelineNoSecurityCheckEnableSecurityCheckSecurityCheckCodePipelineActionRole8D10AA6D" - } - ] - } - }, - "TestPipelineNoSecurityCheckEnableSecurityCheckManualApprovalCodePipelineActionRole27FC4015": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicyE47AE90F", - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole7594919D" - ] - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicyF2137052", - "Roles": [ - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050" - } - ] - } - }, - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckBEE4547C": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "TestPipelinePipelineApplicationSecurityCheckCDKSecurityCheckRoleA54CF050", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - ] - ] - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codepipeline:GetPipelineState", - "codepipeline:PutApprovalResult" - ], - "Condition": { - "StringEquals": { - "aws:ResourceTag/SECURITY_CHECK": "ALLOW_APPROVE" - } - }, - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6.zip" - }, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Timeout": 300 - }, - "DependsOn": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRoleDefaultPolicy5AF69BD3", - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApproveServiceRole1358574A" - ] - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9", - "Arn" - ] - }, - ":*" - ] - ] - } - ] - }, - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "SecurityChangesTopic9762A9B3" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucket026AF2F9", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleDefaultPolicy6F6EA2A6", - "Roles": [ - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0" - } - ] - } - }, - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "NO_ARTIFACTS" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "TestPipelineArtifactsBucketEncryptionKey13258842", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckRoleD3505CF0", - "Arn" - ] - }, - "Source": { - "BuildSpec": { - "Fn::Join": [ - "", - [ - "{\n \"version\": 0.2,\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"npm install -g aws-cdk\",\n \"export PIPELINE_NAME=\\\"$(node -pe '`${process.env.CODEBUILD_INITIATOR}`.split(\\\"/\\\")[1]')\\\"\",\n \"payload=\\\"$(node -pe 'JSON.stringify({ \\\"PipelineName\\\": process.env.PIPELINE_NAME, \\\"StageName\\\": process.env.STAGE_NAME, \\\"ActionName\\\": process.env.ACTION_NAME })' )\\\"\",\n \"ARN=$CODEBUILD_BUILD_ARN\",\n \"REGION=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[3]')\\\"\",\n \"ACCOUNT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[4]')\\\"\",\n \"PROJECT_NAME=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[5].split(\\\"/\\\")[1]')\\\"\",\n \"PROJECT_ID=\\\"$(node -pe '`${process.env.ARN}`.split(\\\":\\\")[6]')\\\"\",\n \"export LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codebuild/$ACCOUNT_ID/projects/$PROJECT_NAME/build/$PROJECT_NAME:$PROJECT_ID/?region=$REGION\\\"\",\n \"export PIPELINE_LINK=\\\"https://$REGION.console.aws.amazon.com/codesuite/codepipeline/pipelines/$PIPELINE_NAME/view?region=$REGION\\\"\",\n \"if cdk diff -a . --security-only --fail $STAGE_PATH/\\\\*; then aws lambda invoke --function-name ", - { - "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9" - }, - " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" - ] - ] - }, - "Type": "NO_SOURCE" - } - } - }, - "SecurityChangesTopic9762A9B3": { - "Type": "AWS::SNS::Topic" - }, - "SecurityChangesTopictestemailcom7C32D452": { - "Type": "AWS::SNS::Subscription", - "Properties": { - "Endpoint": "test@email.com", - "Protocol": "email", - "TopicArn": { - "Ref": "SecurityChangesTopic9762A9B3" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json deleted file mode 100644 index 2e1ece3c7c7a2..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json deleted file mode 100644 index 56bf2e32c37ca..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json deleted file mode 100644 index 5c2441812122d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-DisableSecurityCheck/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "DisableSecurityCheck-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackDisableSecurityCheckMySafeStack7A4F8E95.assets" - ], - "metadata": { - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/DisableSecurityCheck/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/DisableSecurityCheck/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json deleted file mode 100644 index 07f739c5f5923..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json deleted file mode 100644 index 9f723f7ccb5fa..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-EnableSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "EnableSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackEnableSecurityCheckMyStack0B9FE272.assets" - ], - "metadata": { - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/EnableSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/EnableSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json deleted file mode 100644 index ff06078cec81f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json deleted file mode 100644 index 2122aeedd21b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-NoSecurityCheck/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackNoSecurityCheckMyStack3484019E": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackNoSecurityCheckMyStack3484019E.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "NoSecurityCheck-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackNoSecurityCheckMyStack3484019E.assets" - ], - "metadata": { - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/NoSecurityCheck/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/NoSecurityCheck/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json deleted file mode 100644 index 06bf236bec53b..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json deleted file mode 100644 index 9175443047e81..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-PreProduction/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackPreProductionMyStackDCCBB4EA": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackPreProductionMyStackDCCBB4EA.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProduction-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackPreProductionMyStackDCCBB4EA.assets" - ], - "metadata": { - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/PreProduction/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/PreProduction/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json deleted file mode 100644 index 8fb0d8df01aa2..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50": { - "source": { - "path": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json deleted file mode 100644 index 25024d7cb74b1..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "MySafeTopicCC243D11": { - "Type": "AWS::SNS::Topic" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json deleted file mode 100644 index 25c091b2d6bdc..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SafeProduction/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSafeProductionMySafeStackC0D87904": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSafeProductionMySafeStackC0D87904.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/438cc177ec016e131365f2b864849c84dcb371e8e7ed718c21cc27d6569faf50.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SafeProduction-MySafeStack" - }, - "dependencies": [ - "PipelineSecurityStackSafeProductionMySafeStackC0D87904.assets" - ], - "metadata": { - "/PipelineSecurityStack/SafeProduction/MySafeStack/MySafeTopic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "MySafeTopicCC243D11" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SafeProduction/MySafeStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SafeProduction/MySafeStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json deleted file mode 100644 index 8451cee8dc082..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298": { - "source": { - "path": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json deleted file mode 100644 index ed0acd6607770..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/PipelineSecurityStackSingleStageMyStack29962269.template.json +++ /dev/null @@ -1,82 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "TopicPolicyA1747468": { - "Type": "AWS::SNS::TopicPolicy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": { - "Ref": "TopicBFC7AF6E" - }, - "Sid": "0" - } - ], - "Version": "2012-10-17" - }, - "Topics": [ - { - "Ref": "TopicBFC7AF6E" - } - ] - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json deleted file mode 100644 index dbe924b8efbae..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/assembly-PipelineSecurityStack-SingleStage/manifest.json +++ /dev/null @@ -1,66 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineSecurityStackSingleStageMyStack29962269.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineSecurityStackSingleStageMyStack29962269.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineSecurityStackSingleStageMyStack29962269": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineSecurityStackSingleStageMyStack29962269.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ffc5fc9cc4b8adb9a7f48881c59bb3fd49df23a11ccdd37bec21c8ca47cbf298.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "SingleStage-MyStack" - }, - "dependencies": [ - "PipelineSecurityStackSingleStageMyStack29962269.assets" - ], - "metadata": { - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/Topic/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicPolicyA1747468" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineSecurityStack/SingleStage/MyStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineSecurityStack/SingleStage/MyStack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js deleted file mode 100644 index c9fe4b293ebbf..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.js.snapshot/asset.c2adac8ea3baf51ce56c33ef5da361ea693f7ed128ddbc9777c557e9e7c741a6/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var l=Object.defineProperty;var y=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var w=Object.prototype.hasOwnProperty;var S=(t,e)=>{for(var n in e)l(t,n,{get:e[n],enumerable:!0})},v=(t,e,n,s)=>{if(e&&typeof e=="object"||typeof e=="function")for(let a of f(e))!w.call(t,a)&&a!==n&&l(t,a,{get:()=>e[a],enumerable:!(s=y(e,a))||s.enumerable});return t};var h=t=>v(l({},"__esModule",{value:!0}),t);var b={};S(b,{handler:()=>T});module.exports=h(b);var d=require("@aws-sdk/client-codepipeline"),u=new d.CodePipeline,A=5,P=t=>new Promise(e=>setTimeout(e,t*1e3));async function T(t,e){let{PipelineName:n,StageName:s,ActionName:a}=t;function g(o){let m=o.stageStates?.filter(r=>r.stageName===s),c=m.length&&m[0].actionStates.filter(r=>r.actionName===a),p=c&&c.length&&c[0].latestExecution;return p?p.token:void 0}let N=Date.now()+A*6e4;for(;Date.now() undefined, - stackOutputArtifact: () => undefined, - }, - }); - - const topic = new sns.Topic(this, 'SecurityChangesTopic'); - topic.addSubscription(new subscriptions.EmailSubscription('test@email.com')); - - unattachedStage.addApplication(new MyStage(this, 'SingleStage', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - const stage1 = pipeline.addApplicationStage(new MyStage(this, 'PreProduction', { - }), { confirmBroadeningPermissions: true, securityNotificationTopic: topic }); - - stage1.addApplication(new MySafeStage(this, 'SafeProduction', { - })); - - stage1.addApplication(new MySafeStage(this, 'DisableSecurityCheck', { - }), { confirmBroadeningPermissions: false }); - - const stage2 = pipeline.addApplicationStage(new MyStage(this, 'NoSecurityCheck', { - })); - - stage2.addApplication(new MyStage(this, 'EnableSecurityCheck', { }), { confirmBroadeningPermissions: true }); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new TestCdkStack(app, 'PipelineSecurityStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new integ.IntegTest(app, 'PipelineSecurityTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index 2c35bdd4a6304..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json deleted file mode 100644 index 3b4d32b92b138..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,2148 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "FileAsset", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Assets" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineAssetsFileRole59943A77": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineAssetsFileRoleDefaultPolicy14DB8755": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "Roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "PipelineAssetsFileAsset5D8C5DA6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "Source": { - "BuildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json deleted file mode 100644 index 8f0029884a021..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index 6343ec9323d0c..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5": { - "source": { - "path": "../asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e": { - "source": { - "path": "../asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt deleted file mode 100644 index 95e9dcd2e3bf0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5.txt +++ /dev/null @@ -1 +0,0 @@ -This is a file asset that's just here for kicks. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt deleted file mode 100644 index 8b1c7231bf2f4..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/asset.ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e.txt +++ /dev/null @@ -1 +0,0 @@ -Here's a second file asset. \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml deleted file mode 100644 index 06708bb7e14f9..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{ - "version": "0.2", - "phases": { - "install": { - "commands": [ - "npm install -g cdk-assets@2" - ] - }, - "build": { - "commands": [ - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5:current_account-current_region\"", - "cdk-assets --path \"assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json\" --verbose publish \"ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e:current_account-current_region\"" - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json deleted file mode 100644 index e3dd3aa926f06..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/manifest.json +++ /dev/null @@ -1,318 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d638ba18659142158a20f892d018e0ed7ea71928d1859cbece1b4d50f7f514f5.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRole59943A77" - } - ], - "/PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileRoleDefaultPolicy14DB8755" - } - ], - "/PipelineStack/Pipeline/Assets/FileAsset/Default/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineAssetsFileAsset5D8C5DA6" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json deleted file mode 100644 index 2f8c1da478a39..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.js.snapshot/tree.json +++ /dev/null @@ -1,2946 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "Assets", - "actions": [ - { - "name": "FileAsset", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineAssetsFileAsset5D8C5DA6" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Pipeline/Assets", - "children": { - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Pipeline/Assets/FileAsset", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "children": { - "FileRole": { - "id": "FileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole", - "children": { - "ImportFileRole": { - "id": "ImportFileRole", - "path": "PipelineStack/Pipeline/Assets/FileRole/ImportFileRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - }, - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/*" - ] - ] - } - }, - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineAssetsFileRoleDefaultPolicy14DB8755", - "roles": [ - { - "Ref": "PipelineAssetsFileRole59943A77" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "FileAsset": { - "id": "FileAsset", - "path": "PipelineStack/Pipeline/Assets/FileAsset", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Assets/FileAsset/Default/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineAssetsFileRole59943A77", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "buildspec-assets-PipelineStack-Pipeline-Assets-FileAsset.yaml" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.PublishAssetsAction", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Asset": { - "id": "Asset", - "path": "PipelineStack/PreProd/Stack/Asset", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Asset2": { - "id": "Asset2", - "path": "PipelineStack/PreProd/Stack/Asset2", - "children": { - "Stage": { - "id": "Stage", - "path": "PipelineStack/PreProd/Stack/Asset2/Stage", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "AssetBucket": { - "id": "AssetBucket", - "path": "PipelineStack/PreProd/Stack/Asset2/AssetBucket", - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketBase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3_assets.Asset", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts deleted file mode 100644 index c05a52e685eba..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts +++ /dev/null @@ -1,107 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, RemovalPolicy, DefaultStackSynthesizer, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - singlePublisherPerType: true, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts deleted file mode 100644 index 3c71922e1e02d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts +++ /dev/null @@ -1,106 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as path from 'path'; -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import * as s3_assets from 'aws-cdk-lib/aws-s3-assets'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - - new s3_assets.Asset(stack, 'Asset', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset.txt'), - }); - new s3_assets.Asset(stack, 'Asset2', { - path: path.join(__dirname, 'testhelpers/assets/test-file-asset-two.txt'), - }); - - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json deleted file mode 100644 index d96305350050e..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.assets.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61": { - "source": { - "path": "asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61", - "packaging": "zip" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - }, - "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9": { - "source": { - "path": "PipelineStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json deleted file mode 100644 index b95f0f452e79f..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStack.template.json +++ /dev/null @@ -1,1910 +0,0 @@ -{ - "Resources": { - "SourceBucketDDD2130A": { - "Type": "AWS::S3::Bucket", - "Properties": { - "Tags": [ - { - "Key": "aws-cdk:auto-delete-objects", - "Value": "true" - } - ] - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "SourceBucketPolicy703DFBF9": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "SourceBucketAutoDeleteObjectsCustomResourceC68FC040": { - "Type": "Custom::S3AutoDeleteObjects", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", - "Arn" - ] - }, - "BucketName": { - "Ref": "SourceBucketDDD2130A" - } - }, - "DependsOn": [ - "SourceBucketPolicy703DFBF9" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "lambda.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - { - "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" - } - ] - } - }, - "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { - "Type": "AWS::Lambda::Function", - "Properties": { - "Code": { - "S3Bucket": { - "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" - }, - "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" - }, - "Timeout": 900, - "MemorySize": 128, - "Handler": "index.handler", - "Role": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - }, - "Runtime": { - "Fn::FindInMap": [ - "LatestNodeRuntimeMap", - { - "Ref": "AWS::Region" - }, - "value" - ] - }, - "Description": { - "Fn::Join": [ - "", - [ - "Lambda function for auto-deleting objects in ", - { - "Ref": "SourceBucketDDD2130A" - }, - " S3 bucket." - ] - ] - } - }, - "DependsOn": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - ] - }, - "PipelineArtifactsBucketEncryptionKeyF5BF0670": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketEncryptionKeyAlias94A07392": { - "Type": "AWS::KMS::Alias", - "Properties": { - "AliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "TargetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" - }, - "PipelineArtifactsBucketAEA9A052": { - "Type": "AWS::S3::Bucket", - "Properties": { - "BucketEncryption": { - "ServerSideEncryptionConfiguration": [ - { - "ServerSideEncryptionByDefault": { - "KMSMasterKeyID": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "SSEAlgorithm": "aws:kms" - } - } - ] - }, - "PublicAccessBlockConfiguration": { - "BlockPublicAcls": true, - "BlockPublicPolicy": true, - "IgnorePublicAcls": true, - "RestrictPublicBuckets": true - } - }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain" - }, - "PipelineArtifactsBucketPolicyF53CCC52": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleB27FAA37": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineRoleDefaultPolicy7BDC1ABB": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "Roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "Pipeline9850B417": { - "Type": "AWS::CodePipeline::Pipeline", - "Properties": { - "ArtifactStore": { - "EncryptionKey": { - "Id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Type": "KMS" - }, - "Location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "Type": "S3" - }, - "RestartExecutionOnUpdate": true, - "RoleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "Stages": [ - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Source", - "Owner": "AWS", - "Provider": "S3", - "Version": "1" - }, - "Configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "Name": "S3", - "OutputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Source" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "Synth", - "OutputArtifacts": [ - { - "Name": "CloudAsm" - }, - { - "Name": "IntegTests" - } - ], - "RoleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "Build" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "SelfMutate", - "RoleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - "RunOrder": 1 - } - ], - "Name": "UpdatePipeline" - }, - { - "Actions": [ - { - "ActionTypeId": { - "Category": "Build", - "Owner": "AWS", - "Provider": "CodeBuild", - "Version": "1" - }, - "Configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "InputArtifacts": [ - { - "Name": "Artifact_Source_S3" - } - ], - "Name": "UseSource", - "RoleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - "RunOrder": 100 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "InputArtifacts": [ - { - "Name": "CloudAsm" - } - ], - "Name": "Stack.Prepare", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 1 - }, - { - "ActionTypeId": { - "Category": "Deploy", - "Owner": "AWS", - "Provider": "CloudFormation", - "Version": "1" - }, - "Configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "Name": "Stack.Deploy", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "RunOrder": 2 - } - ], - "Name": "PreProd" - } - ] - }, - "DependsOn": [ - "PipelineRoleDefaultPolicy7BDC1ABB", - "PipelineRoleB27FAA37" - ] - }, - "PipelineSourceS3CodePipelineActionRole83895A58": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "Roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "PipelineBuildSynthCodePipelineActionRole4E7A6C97": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "Roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProjectRole231EEA2A": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "Roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "PipelineBuildSynthCdkBuildProject6BEFA8E6": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "EnvironmentVariables": [ - { - "Name": "NPM_CONFIG_UNSAFE_PERM", - "Type": "PLAINTEXT", - "Value": "true" - } - ], - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "Name": "MyServicePipeline-synth", - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "PipelinePreProdUseSourceProjectRole69B20A71": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "Roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "PipelinePreProdUseSourceProject2E711EB4": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - }, - "PipelineUpdatePipelineSelfMutationRole57E559E8": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E": { - "Type": "AWS::IAM::Policy", - "Properties": { - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "Roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "PipelineUpdatePipelineSelfMutationDAA41400": { - "Type": "AWS::CodeBuild::Project", - "Properties": { - "Artifacts": { - "Type": "CODEPIPELINE" - }, - "Cache": { - "Type": "NO_CACHE" - }, - "EncryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "Environment": { - "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:7.0", - "ImagePullCredentialsType": "CODEBUILD", - "PrivilegedMode": false, - "Type": "LINUX_CONTAINER" - }, - "ServiceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "Source": { - "BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}", - "Type": "CODEPIPELINE" - } - } - } - }, - "Mappings": { - "LatestNodeRuntimeMap": { - "af-south-1": { - "value": "nodejs20.x" - }, - "ap-east-1": { - "value": "nodejs20.x" - }, - "ap-northeast-1": { - "value": "nodejs20.x" - }, - "ap-northeast-2": { - "value": "nodejs20.x" - }, - "ap-northeast-3": { - "value": "nodejs20.x" - }, - "ap-south-1": { - "value": "nodejs20.x" - }, - "ap-south-2": { - "value": "nodejs20.x" - }, - "ap-southeast-1": { - "value": "nodejs20.x" - }, - "ap-southeast-2": { - "value": "nodejs20.x" - }, - "ap-southeast-3": { - "value": "nodejs20.x" - }, - "ap-southeast-4": { - "value": "nodejs20.x" - }, - "ap-southeast-5": { - "value": "nodejs20.x" - }, - "ap-southeast-7": { - "value": "nodejs20.x" - }, - "ca-central-1": { - "value": "nodejs20.x" - }, - "ca-west-1": { - "value": "nodejs20.x" - }, - "cn-north-1": { - "value": "nodejs18.x" - }, - "cn-northwest-1": { - "value": "nodejs18.x" - }, - "eu-central-1": { - "value": "nodejs20.x" - }, - "eu-central-2": { - "value": "nodejs20.x" - }, - "eu-isoe-west-1": { - "value": "nodejs18.x" - }, - "eu-north-1": { - "value": "nodejs20.x" - }, - "eu-south-1": { - "value": "nodejs20.x" - }, - "eu-south-2": { - "value": "nodejs20.x" - }, - "eu-west-1": { - "value": "nodejs20.x" - }, - "eu-west-2": { - "value": "nodejs20.x" - }, - "eu-west-3": { - "value": "nodejs20.x" - }, - "il-central-1": { - "value": "nodejs20.x" - }, - "me-central-1": { - "value": "nodejs20.x" - }, - "me-south-1": { - "value": "nodejs20.x" - }, - "mx-central-1": { - "value": "nodejs20.x" - }, - "sa-east-1": { - "value": "nodejs20.x" - }, - "us-east-1": { - "value": "nodejs20.x" - }, - "us-east-2": { - "value": "nodejs20.x" - }, - "us-gov-east-1": { - "value": "nodejs18.x" - }, - "us-gov-west-1": { - "value": "nodejs18.x" - }, - "us-iso-east-1": { - "value": "nodejs18.x" - }, - "us-iso-west-1": { - "value": "nodejs18.x" - }, - "us-isob-east-1": { - "value": "nodejs18.x" - }, - "us-west-1": { - "value": "nodejs20.x" - }, - "us-west-2": { - "value": "nodejs20.x" - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json deleted file mode 100644 index 8f0029884a021..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/PipelineStackTestDefaultTestDeployAssertBC780F98.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json deleted file mode 100644 index f4cee0d9b9779..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "36.0.0", - "files": { - "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4": { - "source": { - "path": "PipelineStackPreProdStack65A0AD1F.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json deleted file mode 100644 index 5f37c46ccf4b5..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "Resources": { - "Resource": { - "Type": "AWS::Test::SomeResource" - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json deleted file mode 100644 index a85b758286df0..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/assembly-PipelineStack-PreProd/manifest.json +++ /dev/null @@ -1,60 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "PipelineStackPreProdStack65A0AD1F.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackPreProdStack65A0AD1F.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackPreProdStack65A0AD1F": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackPreProdStack65A0AD1F.template.json", - "terminationProtection": false, - "validateOnSynth": true, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/17b50ab4e61e5c19d1e2d14ccc136d8c1ae3b77a4236035ac6ac6273619764a4.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - }, - "stackName": "PreProd-Stack" - }, - "dependencies": [ - "PipelineStackPreProdStack65A0AD1F.assets" - ], - "metadata": { - "/PipelineStack/PreProd/Stack/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Resource" - } - ], - "/PipelineStack/PreProd/Stack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/PreProd/Stack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack/PreProd/Stack" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js deleted file mode 100644 index 1002ba018e9fb..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/asset.44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61/index.js +++ /dev/null @@ -1 +0,0 @@ -"use strict";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e=="object"||typeof e=="function")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,"default",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},"__esModule",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require("@aws-sdk/client-s3");var y=l(require("https")),m=l(require("url")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:"./index"},p="AWSCDK::CustomResourceProviderFramework::CREATE_FAILED",L="AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID";function R(t){return async(e,o)=>{let r={...e,ResponseURL:"..."};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType==="Delete"&&e.PhysicalResourceId===p){a.log("ignoring DELETE event caused by a failed CREATE event"),await u("SUCCESS",e);return}try{let s=await t(r,o),n=k(e,s);await u("SUCCESS",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType==="Create"?(a.log("CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(e)}`)),await u("FAILED",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType==="Delete"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from "${t.PhysicalResourceId}" to "${e.PhysicalResourceId}" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log("submit response to cloudformation",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:"PUT",headers:{"content-type":"","content-length":Buffer.byteLength(n,"utf8")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on("error",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g="aws-cdk:auto-delete-objects",x=JSON.stringify({Version:"2012-10-17",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case"Create":return;case"Update":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case"Delete":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:"*",Effect:"Deny",Action:["s3:PutObject"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name==="NoSuchBucket")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error("No BucketName was provided.");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name==="NoSuchBucket"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value==="true")}0&&(module.exports={autoDeleteHandler,handler}); diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out deleted file mode 100644 index 1f0068d32659a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json deleted file mode 100644 index 5315ad6d43743..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/integ.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "version": "36.0.0", - "testCases": { - "PipelineStackTest/DefaultTest": { - "stacks": [ - "PipelineStack" - ], - "diffAssets": true, - "assertionStack": "PipelineStackTest/DefaultTest/DeployAssert", - "assertionStackName": "PipelineStackTestDefaultTestDeployAssertBC780F98" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json deleted file mode 100644 index 515495bbbc66a..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/manifest.json +++ /dev/null @@ -1,300 +0,0 @@ -{ - "version": "36.0.0", - "artifacts": { - "assembly-PipelineStack-PreProd": { - "type": "cdk:cloud-assembly", - "properties": { - "directoryName": "assembly-PipelineStack-PreProd", - "displayName": "PipelineStack/PreProd" - } - }, - "PipelineStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/e7f81f8bda67ff3e586b06697af53694f5743a8e161a832b871afb6b753f90a9.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStack.assets" - ], - "metadata": { - "/PipelineStack/SourceBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketDDD2130A" - } - ], - "/PipelineStack/SourceBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketPolicy703DFBF9" - } - ], - "/PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "SourceBucketAutoDeleteObjectsCustomResourceC68FC040" - } - ], - "/PipelineStack/LatestNodeRuntimeMap": [ - { - "type": "aws:cdk:logicalId", - "data": "LatestNodeRuntimeMap" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" - } - ], - "/PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler": [ - { - "type": "aws:cdk:logicalId", - "data": "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F" - } - ], - "/PipelineStack/Pipeline/Pipeline": [ - { - "type": "aws:cdk:warning", - "data": "V1 pipeline type is implicitly selected when `pipelineType` is not set. If you want to use V2 type, set `PipelineType.V2`. [ack: @aws-cdk/aws-codepipeline:unspecifiedPipelineType]" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyF5BF0670" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketEncryptionKeyAlias94A07392" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketAEA9A052" - } - ], - "/PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineArtifactsBucketPolicyF53CCC52" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleB27FAA37" - } - ], - "/PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineRoleDefaultPolicy7BDC1ABB" - } - ], - "/PipelineStack/Pipeline/Pipeline/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "Pipeline9850B417" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ], - "/PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C" - } - ], - "/PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ], - "/PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3" - } - ], - "/PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelinePreProdUseSourceProject2E711EB4" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E" - } - ], - "/PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ], - "/PipelineStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStack" - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "PipelineStackTestDefaultTestDeployAssertBC780F98.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "PipelineStackTestDefaultTestDeployAssertBC780F98": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "PipelineStackTestDefaultTestDeployAssertBC780F98.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "PipelineStackTestDefaultTestDeployAssertBC780F98.assets" - ], - "metadata": { - "/PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "PipelineStackTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json deleted file mode 100644 index ffb2d51e18c94..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.js.snapshot/tree.json +++ /dev/null @@ -1,2564 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "PipelineStack": { - "id": "PipelineStack", - "path": "PipelineStack", - "children": { - "SourceBucket": { - "id": "SourceBucket", - "path": "PipelineStack/SourceBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "tags": [ - { - "key": "aws-cdk:auto-delete-objects", - "value": "true" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/SourceBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/SourceBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:List*", - "s3:PutBucketPolicy" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::GetAtt": [ - "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", - "Arn" - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - }, - "AutoDeleteObjectsCustomResource": { - "id": "AutoDeleteObjectsCustomResource", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStack/SourceBucket/AutoDeleteObjectsCustomResource/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "LatestNodeRuntimeMap": { - "id": "LatestNodeRuntimeMap", - "path": "PipelineStack/LatestNodeRuntimeMap", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnMapping", - "version": "0.0.0" - } - }, - "Custom::S3AutoDeleteObjectsCustomResourceProvider": { - "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider", - "children": { - "Staging": { - "id": "Staging", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Staging", - "constructInfo": { - "fqn": "aws-cdk-lib.AssetStaging", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Role", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "Handler": { - "id": "Handler", - "path": "PipelineStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResourceProviderBase", - "version": "0.0.0" - } - }, - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline", - "children": { - "Pipeline": { - "id": "Pipeline", - "path": "PipelineStack/Pipeline/Pipeline", - "children": { - "ArtifactsBucketEncryptionKey": { - "id": "ArtifactsBucketEncryptionKey", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKey/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Key", - "aws:cdk:cloudformation:props": { - "keyPolicy": { - "Statement": [ - { - "Action": "kms:*", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - }, - "Resource": "*" - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": "*" - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnKey", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Key", - "version": "0.0.0" - } - }, - "ArtifactsBucketEncryptionKeyAlias": { - "id": "ArtifactsBucketEncryptionKeyAlias", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucketEncryptionKeyAlias/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::KMS::Alias", - "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinestack-pipeline-e95eedaa", - "targetKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.CfnAlias", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_kms.Alias", - "version": "0.0.0" - } - }, - "ArtifactsBucket": { - "id": "ArtifactsBucket", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::Bucket", - "aws:cdk:cloudformation:props": { - "bucketEncryption": { - "serverSideEncryptionConfiguration": [ - { - "serverSideEncryptionByDefault": { - "sseAlgorithm": "aws:kms", - "kmsMasterKeyId": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - } - ] - }, - "publicAccessBlockConfiguration": { - "blockPublicAcls": true, - "blockPublicPolicy": true, - "ignorePublicAcls": true, - "restrictPublicBuckets": true - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucket", - "version": "0.0.0" - } - }, - "Policy": { - "id": "Policy", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/ArtifactsBucket/Policy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::S3::BucketPolicy", - "aws:cdk:cloudformation:props": { - "bucket": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "policyDocument": { - "Statement": [ - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": "false" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.CfnBucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.BucketPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" - } - }, - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codepipeline.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - }, - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - }, - { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - ] - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineRoleDefaultPolicy7BDC1ABB", - "roles": [ - { - "Ref": "PipelineRoleB27FAA37" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodePipeline::Pipeline", - "aws:cdk:cloudformation:props": { - "artifactStore": { - "type": "S3", - "location": { - "Ref": "PipelineArtifactsBucketAEA9A052" - }, - "encryptionKey": { - "type": "KMS", - "id": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - }, - "restartExecutionOnUpdate": true, - "roleArn": { - "Fn::GetAtt": [ - "PipelineRoleB27FAA37", - "Arn" - ] - }, - "stages": [ - { - "name": "Source", - "actions": [ - { - "name": "S3", - "outputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Source", - "version": "1", - "owner": "AWS", - "provider": "S3" - }, - "configuration": { - "S3Bucket": { - "Ref": "SourceBucketDDD2130A" - }, - "S3ObjectKey": "key" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineSourceS3CodePipelineActionRole83895A58", - "Arn" - ] - } - } - ] - }, - { - "name": "Build", - "actions": [ - { - "name": "Synth", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "outputArtifacts": [ - { - "name": "CloudAsm" - }, - { - "name": "IntegTests" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "EnvironmentVariables": "[{\"name\":\"_PROJECT_CONFIG_HASH\",\"type\":\"PLAINTEXT\",\"value\":\"7f66814704b7757367a6ec706823d271fb9c6fceda866eee4260d1e76b73967b\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineBuildSynthCodePipelineActionRole4E7A6C97", - "Arn" - ] - } - } - ] - }, - { - "name": "UpdatePipeline", - "actions": [ - { - "name": "SelfMutate", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "EnvironmentVariables": "[{\"name\":\"CDK_CLI_VERSION\",\"type\":\"PLAINTEXT\",\"value\":\"2\"}]" - }, - "runOrder": 1, - "roleArn": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF", - "Arn" - ] - } - } - ] - }, - { - "name": "PreProd", - "actions": [ - { - "name": "UseSource", - "inputArtifacts": [ - { - "name": "Artifact_Source_S3" - } - ], - "actionTypeId": { - "category": "Build", - "version": "1", - "owner": "AWS", - "provider": "CodeBuild" - }, - "configuration": { - "ProjectName": { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - }, - "runOrder": 100, - "roleArn": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA", - "Arn" - ] - } - }, - { - "name": "Stack.Prepare", - "inputArtifacts": [ - { - "name": "CloudAsm" - } - ], - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", - "RoleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-cfn-exec-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - }, - "ActionMode": "CHANGE_SET_REPLACE", - "ChangeSetName": "PipelineChange", - "TemplatePath": "CloudAsm::assembly-PipelineStack-PreProd/PipelineStackPreProdStack65A0AD1F.template.json" - }, - "runOrder": 1, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - }, - { - "name": "Stack.Deploy", - "actionTypeId": { - "category": "Deploy", - "version": "1", - "owner": "AWS", - "provider": "CloudFormation" - }, - "configuration": { - "StackName": "PreProd-Stack", - "ActionMode": "CHANGE_SET_EXECUTE", - "ChangeSetName": "PipelineChange" - }, - "runOrder": 2, - "roleArn": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/cdk-hnb659fds-deploy-role-", - { - "Ref": "AWS::AccountId" - }, - "-", - { - "Ref": "AWS::Region" - } - ] - ] - } - } - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.CfnPipeline", - "version": "0.0.0" - } - }, - "Source": { - "id": "Source", - "path": "PipelineStack/Pipeline/Pipeline/Source", - "children": { - "S3": { - "id": "S3", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Source/S3/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "SourceBucketDDD2130A", - "Arn" - ] - }, - "/key" - ] - ] - } - ] - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineSourceS3CodePipelineActionRoleDefaultPolicyB176A07F", - "roles": [ - { - "Ref": "PipelineSourceS3CodePipelineActionRole83895A58" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Build": { - "id": "Build", - "path": "PipelineStack/Pipeline/Pipeline/Build", - "children": { - "Synth": { - "id": "Synth", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProject6BEFA8E6", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCodePipelineActionRoleDefaultPolicy92C90290", - "roles": [ - { - "Ref": "PipelineBuildSynthCodePipelineActionRole4E7A6C97" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "CdkBuildProject": { - "id": "CdkBuildProject", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineBuildSynthCdkBuildProject6BEFA8E6" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:Abort*", - "s3:DeleteObject*", - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*", - "s3:PutObject", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineBuildSynthCdkBuildProjectRoleDefaultPolicyFB6C941C", - "roles": [ - { - "Ref": "PipelineBuildSynthCdkBuildProjectRole231EEA2A" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/Build/Synth/CdkBuildProject/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL", - "environmentVariables": [ - { - "name": "NPM_CONFIG_UNSAFE_PERM", - "type": "PLAINTEXT", - "value": "true" - } - ] - }, - "name": "MyServicePipeline-synth", - "serviceRole": { - "Fn::GetAtt": [ - "PipelineBuildSynthCdkBuildProjectRole231EEA2A", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"pre_build\": {\n \"commands\": [\n \"npm ci\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"npx cdk synth\"\n ]\n }\n },\n \"artifacts\": {\n \"secondary-artifacts\": {\n \"CloudAsm\": {\n \"base-directory\": \"cdk.out\",\n \"files\": \"**/*\"\n },\n \"IntegTests\": {\n \"base-directory\": \"test\",\n \"files\": \"**/*\"\n }\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline", - "children": { - "SelfMutate": { - "id": "SelfMutate", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/UpdatePipeline/SelfMutate/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationDAA41400", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleDefaultPolicyE626265B", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutateCodePipelineActionRoleD6D4E5CF" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/Pipeline/PreProd", - "children": { - "UseSource": { - "id": "UseSource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource", - "children": { - "CodePipelineActionRole": { - "id": "CodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole", - "children": { - "ImportCodePipelineActionRole": { - "id": "ImportCodePipelineActionRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/ImportCodePipelineActionRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/CodePipelineActionRole/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "codebuild:BatchGetBuilds", - "codebuild:StartBuild", - "codebuild:StopBuild" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProject2E711EB4", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceCodePipelineActionRoleDefaultPolicy9BE325AD", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceCodePipelineActionRoleA2043BDA" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Project": { - "id": "Project", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelinePreProdUseSourceProject2E711EB4" - }, - "-*" - ] - ] - } - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelinePreProdUseSourceProjectRoleDefaultPolicy50F68DF3", - "roles": [ - { - "Ref": "PipelinePreProdUseSourceProjectRole69B20A71" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/UseSource/Project/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelinePreProdUseSourceProjectRole69B20A71", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"set -eu\",\n \"cat README.md\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Deploy": { - "id": "Stack.Deploy", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Deploy", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Stack.Prepare": { - "id": "Stack.Prepare", - "path": "PipelineStack/Pipeline/Pipeline/PreProd/Stack.Prepare", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codepipeline.Pipeline", - "version": "0.0.0" - } - }, - "UpdatePipeline": { - "id": "UpdatePipeline", - "path": "PipelineStack/Pipeline/UpdatePipeline", - "children": { - "SelfMutation": { - "id": "SelfMutation", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation", - "children": { - "Role": { - "id": "Role", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/ImportRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "codebuild.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":logs:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":log-group:/aws/codebuild/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - } - ] - ] - } - ] - }, - { - "Action": [ - "codebuild:BatchPutCodeCoverages", - "codebuild:BatchPutTestCases", - "codebuild:CreateReport", - "codebuild:CreateReportGroup", - "codebuild:UpdateReport" - ], - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":codebuild:", - { - "Ref": "AWS::Region" - }, - ":", - { - "Ref": "AWS::AccountId" - }, - ":report-group/", - { - "Ref": "PipelineUpdatePipelineSelfMutationDAA41400" - }, - "-*" - ] - ] - } - }, - { - "Action": "sts:AssumeRole", - "Condition": { - "ForAnyValue:StringEquals": { - "iam:ResourceTag/aws-cdk:bootstrap-role": [ - "image-publishing", - "file-publishing", - "deploy" - ] - } - }, - "Effect": "Allow", - "Resource": { - "Fn::Join": [ - "", - [ - "arn:*:iam::", - { - "Ref": "AWS::AccountId" - }, - ":role/*" - ] - ] - } - }, - { - "Action": [ - "cloudformation:DescribeStacks", - "s3:ListBucket" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Action": [ - "s3:GetBucket*", - "s3:GetObject*", - "s3:List*" - ], - "Effect": "Allow", - "Resource": [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "PipelineArtifactsBucketAEA9A052", - "Arn" - ] - }, - "/*" - ] - ] - } - ] - }, - { - "Action": [ - "kms:Decrypt", - "kms:DescribeKey", - "kms:Encrypt", - "kms:GenerateDataKey*", - "kms:ReEncrypt*" - ], - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "PipelineUpdatePipelineSelfMutationRoleDefaultPolicyA225DA4E", - "roles": [ - { - "Ref": "PipelineUpdatePipelineSelfMutationRole57E559E8" - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "PipelineStack/Pipeline/UpdatePipeline/SelfMutation/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::CodeBuild::Project", - "aws:cdk:cloudformation:props": { - "artifacts": { - "type": "CODEPIPELINE" - }, - "cache": { - "type": "NO_CACHE" - }, - "encryptionKey": { - "Fn::GetAtt": [ - "PipelineArtifactsBucketEncryptionKeyF5BF0670", - "Arn" - ] - }, - "environment": { - "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:7.0", - "imagePullCredentialsType": "CODEBUILD", - "privilegedMode": false, - "computeType": "BUILD_GENERAL1_SMALL" - }, - "serviceRole": { - "Fn::GetAtt": [ - "PipelineUpdatePipelineSelfMutationRole57E559E8", - "Arn" - ] - }, - "source": { - "type": "CODEPIPELINE", - "buildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"install\": {\n \"commands\": [\n \"npm install -g aws-cdk@2\"\n ]\n },\n \"build\": {\n \"commands\": [\n \"cdk -a . deploy PipelineStack --require-approval=never --verbose\"\n ]\n }\n }\n}" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.CfnProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_codebuild.PipelineProject", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.UpdatePipelineAction", - "version": "0.0.0" - } - }, - "Assets": { - "id": "Assets", - "path": "PipelineStack/Pipeline/Assets", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/Pipeline/PreProd", - "children": { - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "children": { - "8389e75f-0810-4838-bf64-d6f85a95cf83": { - "id": "8389e75f-0810-4838-bf64-d6f85a95cf83", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}": { - "id": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "path": "PipelineStack/Pipeline/PreProd/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkStage", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.pipelines.CdkPipeline", - "version": "0.0.0" - } - }, - "PreProd": { - "id": "PreProd", - "path": "PipelineStack/PreProd", - "children": { - "Stack": { - "id": "Stack", - "path": "PipelineStack/PreProd/Stack", - "children": { - "Resource": { - "id": "Resource", - "path": "PipelineStack/PreProd/Stack/Resource", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/PreProd/Stack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/PreProd/Stack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stage", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStack/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - }, - "PipelineStackTest": { - "id": "PipelineStackTest", - "path": "PipelineStackTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "PipelineStackTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "PipelineStackTest/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "PipelineStackTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "PipelineStackTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts deleted file mode 100644 index b8afeedfc285d..0000000000000 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts +++ /dev/null @@ -1,97 +0,0 @@ -/// !cdk-integ PipelineStack pragma:set-context:@aws-cdk/core:newStyleStackSynthesis=true -import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; -import * as codepipeline_actions from 'aws-cdk-lib/aws-codepipeline-actions'; -import * as s3 from 'aws-cdk-lib/aws-s3'; -import { App, CfnResource, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from 'aws-cdk-lib'; -import { Construct } from 'constructs'; -import * as cdkp from 'aws-cdk-lib/pipelines'; -import { IntegTest } from '@aws-cdk/integ-tests-alpha'; - -class MyStage extends Stage { - constructor(scope: Construct, id: string, props?: StageProps) { - super(scope, id, props); - - const stack = new Stack(this, 'Stack', { - ...props, - synthesizer: new DefaultStackSynthesizer(), - }); - new CfnResource(stack, 'Resource', { - type: 'AWS::Test::SomeResource', - }); - } -} - -/** - * The stack that defines the application pipeline - */ -class CdkpipelinesDemoPipelineStack extends Stack { - constructor(scope: Construct, id: string, props?: StackProps) { - super(scope, id, props); - - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - - const sourceBucket = new s3.Bucket(this, 'SourceBucket', { - removalPolicy: RemovalPolicy.DESTROY, - autoDeleteObjects: true, - }); - const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { - crossAccountKeys: true, - cloudAssemblyArtifact, - - // Where the source can be found - sourceAction: new codepipeline_actions.S3SourceAction({ - bucket: sourceBucket, - output: sourceArtifact, - bucketKey: 'key', - actionName: 'S3', - }), - - // How it will be built - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - projectName: 'MyServicePipeline-synth', - additionalArtifacts: [ - { - directory: 'test', - artifact: integTestArtifact, - }, - ], - }), - }); - - // This is where we add the application stages - // ... - const stage = pipeline.addApplicationStage(new MyStage(this, 'PreProd')); - stage.addActions( - new cdkp.ShellScriptAction({ - actionName: 'UseSource', - commands: [ - // Comes from source - 'cat README.md', - ], - additionalArtifacts: [sourceArtifact], - }), - ); - } -} - -const app = new App({ - postCliContext: { - '@aws-cdk/core:newStyleStackSynthesis': 'true', - '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': false, - }, -}); - -const stack = new CdkpipelinesDemoPipelineStack(app, 'PipelineStack', { - synthesizer: new DefaultStackSynthesizer(), -}); - -new IntegTest(app, 'PipelineStackTest', { - testCases: [stack], - diffAssets: true, -}); - -app.synth(); diff --git a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES index 30c90c16203a6..7eba508ea0df5 100644 --- a/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES +++ b/packages/@aws-cdk/cli-lib-alpha/THIRD_PARTY_LICENSES @@ -207,7 +207,7 @@ The @aws-cdk/cli-lib-alpha package includes the following third-party software/l ---------------- -** @jsii/check-node@1.97.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.97.0 | Apache-2.0 +** @jsii/check-node@1.101.0 - https://www.npmjs.com/package/@jsii/check-node/v/1.101.0 | Apache-2.0 jsii Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. @@ -266,7 +266,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** ajv@8.12.0 - https://www.npmjs.com/package/ajv/v/8.12.0 | MIT +** ajv@8.16.0 - https://www.npmjs.com/package/ajv/v/8.16.0 | MIT The MIT License (MIT) Copyright (c) 2015-2021 Evgeny Poberezkin @@ -493,7 +493,7 @@ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH RE ---------------- -** aws-sdk@2.1596.0 - https://www.npmjs.com/package/aws-sdk/v/2.1596.0 | Apache-2.0 +** aws-sdk@2.1653.0 - https://www.npmjs.com/package/aws-sdk/v/2.1653.0 | Apache-2.0 AWS SDK for JavaScript Copyright 2012-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. @@ -601,10 +601,10 @@ SOFTWARE. ---------------- -** braces@3.0.2 - https://www.npmjs.com/package/braces/v/3.0.2 | MIT +** braces@3.0.3 - https://www.npmjs.com/package/braces/v/3.0.3 | MIT The MIT License (MIT) -Copyright (c) 2014-2018, Jon Schlinkert. +Copyright (c) 2014-present, Jon Schlinkert. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -691,7 +691,7 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI ---------------- -** cdk-from-cfn@0.156.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.156.0 | MIT OR Apache-2.0 +** cdk-from-cfn@0.162.0 - https://www.npmjs.com/package/cdk-from-cfn/v/0.162.0 | MIT OR Apache-2.0 ---------------- @@ -1123,7 +1123,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** debug@4.3.4 - https://www.npmjs.com/package/debug/v/4.3.4 | MIT +** debug@4.3.5 - https://www.npmjs.com/package/debug/v/4.3.5 | MIT (The MIT License) Copyright (c) 2014-2017 TJ Holowaychuk @@ -1390,7 +1390,7 @@ SOFTWARE. ---------------- -** fill-range@7.0.1 - https://www.npmjs.com/package/fill-range/v/7.0.1 | MIT +** fill-range@7.1.1 - https://www.npmjs.com/package/fill-range/v/7.1.1 | MIT The MIT License (MIT) Copyright (c) 2014-present, Jon Schlinkert. @@ -1667,7 +1667,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** https-proxy-agent@7.0.4 - https://www.npmjs.com/package/https-proxy-agent/v/7.0.4 | MIT +** https-proxy-agent@7.0.5 - https://www.npmjs.com/package/https-proxy-agent/v/7.0.5 | MIT (The MIT License) Copyright (c) 2013 Nathan Rajlich @@ -2315,26 +2315,6 @@ licenses; we recommend you read them, as their terms may differ from the terms above. ----------------- - -** lru-cache@6.0.0 - https://www.npmjs.com/package/lru-cache/v/6.0.0 | ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - ---------------- ** lru-cache@7.18.3 - https://www.npmjs.com/package/lru-cache/v/7.18.3 | ISC @@ -2497,7 +2477,30 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ---------------- -** pac-proxy-agent@7.0.1 - https://www.npmjs.com/package/pac-proxy-agent/v/7.0.1 | MIT +** pac-proxy-agent@7.0.2 - https://www.npmjs.com/package/pac-proxy-agent/v/7.0.2 | MIT +(The MIT License) + +Copyright (c) 2014 Nathan Rajlich + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + ---------------- @@ -3094,10 +3097,10 @@ THE SOFTWARE. ---------------- -** sax@1.3.0 - https://www.npmjs.com/package/sax/v/1.3.0 | ISC +** sax@1.4.1 - https://www.npmjs.com/package/sax/v/1.4.1 | ISC The ISC License -Copyright (c) 2010-2022 Isaac Z. Schlueter and Contributors +Copyright (c) 2010-2024 Isaac Z. Schlueter and Contributors Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above @@ -3116,7 +3119,7 @@ IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. `String.fromCodePoint` by Mathias Bynens used according to terms of MIT License, as follows: -Copyright (c) 2010-2022 Mathias Bynens +Copyright (c) 2010-2024 Mathias Bynens Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the @@ -3140,7 +3143,7 @@ Copyright (c) 2010-2022 Mathias Bynens ---------------- -** semver@7.6.0 - https://www.npmjs.com/package/semver/v/7.6.0 | ISC +** semver@7.6.2 - https://www.npmjs.com/package/semver/v/7.6.2 | ISC The ISC License Copyright (c) Isaac Z. Schlueter and Contributors @@ -3200,7 +3203,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ---------------- -** socks-proxy-agent@8.0.3 - https://www.npmjs.com/package/socks-proxy-agent/v/8.0.3 | MIT +** socks-proxy-agent@8.0.4 - https://www.npmjs.com/package/socks-proxy-agent/v/8.0.4 | MIT (The MIT License) Copyright (c) 2013 Nathan Rajlich @@ -3545,7 +3548,7 @@ THE SOFTWARE. ---------------- -** tslib@2.6.2 - https://www.npmjs.com/package/tslib/v/2.6.2 | 0BSD +** tslib@2.6.3 - https://www.npmjs.com/package/tslib/v/2.6.3 | 0BSD Copyright (c) Microsoft Corporation. Permission to use, copy, modify, and/or distribute this software for any @@ -3723,26 +3726,6 @@ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ----------------- - -** yallist@4.0.0 - https://www.npmjs.com/package/yallist/v/4.0.0 | ISC -The ISC License - -Copyright (c) Isaac Z. Schlueter and Contributors - -Permission to use, copy, modify, and/or distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies. - -THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - - ---------------- ** yaml@1.10.2 - https://www.npmjs.com/package/yaml/v/1.10.2 | ISC @@ -3832,4 +3815,4 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ----------------- \ No newline at end of file +---------------- diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index aad87ef49fbde..9e980cc71faae 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md @@ -71,7 +71,6 @@ Flags come in three types: | [@aws-cdk/pipelines:reduceAssetRoleTrustScope](#aws-cdkpipelinesreduceassetroletrustscope) | Remove the root account principal from PipelineAssetsFileRole trust policy | 2.141.0 | (default) | | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) | | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) | -| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | 2.148.0 | (fix) | @@ -132,8 +131,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-eks:nodegroupNameAttribute": true, "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true, "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true, - "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false, - "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false } } ``` @@ -1340,19 +1338,4 @@ property from the event object. | 2.145.0 | `false` | `false` | -### @aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions - -*When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.* (fix) - -When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. -The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html -for more details. - - -| Since | Default | Recommended | -| ----- | ----- | ----- | -| (not in v1) | | | -| 2.148.0 | `false` | `true` | - - - \ No newline at end of file + diff --git a/packages/aws-cdk-lib/pipelines/lib/index.ts b/packages/aws-cdk-lib/pipelines/lib/index.ts index 5f469e9fd5ce6..e26c394c027cb 100644 --- a/packages/aws-cdk-lib/pipelines/lib/index.ts +++ b/packages/aws-cdk-lib/pipelines/lib/index.ts @@ -1,4 +1,3 @@ -export * from './legacy'; export * from './blueprint'; export * from './codepipeline'; export * from './main'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts deleted file mode 100644 index 3de0c99c3de23..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/deploy-cdk-stack-action.ts +++ /dev/null @@ -1,386 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { Construct, Node } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Aws, CfnCapabilities, Stack } from '../../../../core'; -import * as cxapi from '../../../../cx-api'; -import { appOf, assemblyBuilderOf } from '../../private/construct-internals'; -import { toPosixPath } from '../../private/fs'; - -/** - * Customization options for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionOptions { - /** - * Base name of the action - * - * @default stackName - */ - readonly baseActionName?: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the Prepare action - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; - - /** - * Name of the change set to create and deploy - * - * @default 'PipelineChange' - */ - readonly changeSetName?: string; -} - -/** - * Properties for a DeployCdkStackAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface DeployCdkStackActionProps extends DeployCdkStackActionOptions { - /** - * Relative path of template in the input artifact - */ - readonly templatePath: string; - - /** - * Role for the action to assume - * - * This controls the account to deploy into - */ - readonly actionRole: iam.IRole; - - /** - * The name of the stack that should be created/updated - */ - readonly stackName: string; - - /** - * Role to execute CloudFormation under - * - * @default - Execute CloudFormation using the action role - */ - readonly cloudFormationExecutionRole?: iam.IRole; - - /** - * Region to deploy into - * - * @default - Same region as pipeline - */ - readonly region?: string; - - /** - * Artifact ID for the stack deployed here - * - * Used for pipeline order checking. - * - * @default - Order will not be checked - */ - readonly stackArtifactId?: string; - - /** - * Artifact ID for the stacks this stack depends on - * - * Used for pipeline order checking. - * - * @default - No dependencies - */ - readonly dependencyStackArtifactIds?: string[]; - - /** - * Template configuration path relative to the input artifact - * - * @default - No template configuration - */ - readonly templateConfigurationPath?: string; -} - -/** - * Options for the 'fromStackArtifact' operation - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStackActionFromArtifactOptions extends DeployCdkStackActionOptions { - /** - * The name of the stack that should be created/updated - * - * @default - Same as stack artifact - */ - readonly stackName?: string; -} - -/** - * Action to deploy a CDK Stack - * - * Adds two CodePipeline Actions to the pipeline: one to create a ChangeSet - * and one to execute it. - * - * You do not need to instantiate this action yourself -- it will automatically - * be added by the pipeline when you add stack artifacts or entire stages. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class DeployCdkStackAction implements codepipeline.IAction { - /** - * Construct a DeployCdkStackAction from a Stack artifact - */ - public static fromStackArtifact(scope: Construct, artifact: cxapi.CloudFormationStackArtifact, options: CdkStackActionFromArtifactOptions) { - if (!artifact.assumeRoleArn) { - throw new Error(`Stack '${artifact.stackName}' does not have deployment role information; use the 'DefaultStackSynthesizer' synthesizer, or set the '@aws-cdk/core:newStyleStackSynthesis' context key.`); - } - - const artRegion = artifact.environment.region; - const region = artRegion === Stack.of(scope).region || artRegion === cxapi.UNKNOWN_REGION ? undefined : artRegion; - const artAccount = artifact.environment.account; - const account = artAccount === Stack.of(scope).account || artAccount === cxapi.UNKNOWN_ACCOUNT ? undefined : artAccount; - - const actionRole = roleFromPlaceholderArn(scope, region, account, artifact.assumeRoleArn); - const cloudFormationExecutionRole = roleFromPlaceholderArn(scope, region, account, artifact.cloudFormationExecutionRoleArn); - - // We need the path of the template relative to the root Cloud Assembly - // It should be easier to get this, but for now it is what it is. - const appAsmRoot = assemblyBuilderOf(appOf(scope)).outdir; - const fullTemplatePath = path.join(artifact.assembly.directory, artifact.templateFile); - - let fullConfigPath; - if (Object.keys(artifact.tags).length > 0) { - fullConfigPath = `${fullTemplatePath}.config.json`; - - // Write the template configuration file (for parameters into CreateChangeSet call that - // cannot be configured any other way). They must come from a file, and there's unfortunately - // no better hook to write this file (`construct.onSynthesize()` would have been the prime candidate - // but that is being deprecated--and DeployCdkStackAction isn't even a construct). - writeTemplateConfiguration(fullConfigPath, { - Tags: artifact.tags, - }); - } - - return new DeployCdkStackAction({ - actionRole, - cloudFormationExecutionRole, - templatePath: toPosixPath(path.relative(appAsmRoot, fullTemplatePath)), - templateConfigurationPath: fullConfigPath ? toPosixPath(path.relative(appAsmRoot, fullConfigPath)) : undefined, - region, - stackArtifactId: artifact.id, - dependencyStackArtifactIds: artifact.dependencies.filter(isStackArtifact).map(s => s.id), - stackName: options.stackName ?? artifact.stackName, - ...options, - }); - } - - /** - * The runorder for the prepare action - */ - public readonly prepareRunOrder: number; - - /** - * The runorder for the execute action - */ - public readonly executeRunOrder: number; - - /** - * Name of the deployed stack - */ - public readonly stackName: string; - - /** - * Artifact id of the artifact this action was based on - */ - public readonly stackArtifactId?: string; - - /** - * Artifact ids of the artifact this stack artifact depends on - */ - public readonly dependencyStackArtifactIds: string[]; - - private readonly prepareChangeSetAction: cpactions.CloudFormationCreateReplaceChangeSetAction; - private readonly executeChangeSetAction: cpactions.CloudFormationExecuteChangeSetAction; - - constructor(props: DeployCdkStackActionProps) { - if (props.output && !props.outputFileName) { - throw new Error('If \'output\' is set, \'outputFileName\' is also required'); - } - - this.stackArtifactId = props.stackArtifactId; - this.dependencyStackArtifactIds = props.dependencyStackArtifactIds ?? []; - - this.prepareRunOrder = props.prepareRunOrder ?? 1; - this.executeRunOrder = props.executeRunOrder ?? this.prepareRunOrder + 1; - this.stackName = props.stackName; - const baseActionName = props.baseActionName ?? this.stackName; - const changeSetName = props.changeSetName ?? 'PipelineChange'; - - this.prepareChangeSetAction = new cpactions.CloudFormationCreateReplaceChangeSetAction({ - actionName: `${baseActionName}.Prepare`, - changeSetName, - runOrder: this.prepareRunOrder, - stackName: this.stackName, - templatePath: props.cloudAssemblyInput.atPath(props.templatePath), - adminPermissions: false, - role: props.actionRole, - deploymentRole: props.cloudFormationExecutionRole, - region: props.region, - cfnCapabilities: [CfnCapabilities.NAMED_IAM, CfnCapabilities.AUTO_EXPAND], - templateConfiguration: props.templateConfigurationPath ? props.cloudAssemblyInput.atPath(props.templateConfigurationPath) : undefined, - }); - this.executeChangeSetAction = new cpactions.CloudFormationExecuteChangeSetAction({ - actionName: `${baseActionName}.Deploy`, - changeSetName, - runOrder: this.executeRunOrder, - stackName: this.stackName, - role: props.actionRole, - region: props.region, - outputFileName: props.outputFileName, - output: props.output, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - stage.addAction(this.prepareChangeSetAction); - - return this.executeChangeSetAction.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.executeChangeSetAction.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this.executeChangeSetAction.actionProperties; - } -} - -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string): iam.IRole; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined; -function roleFromPlaceholderArn(scope: Construct, region: string | undefined, - account: string | undefined, arn: string | undefined): iam.IRole | undefined { - - if (!arn) { return undefined; } - - // Use placeholdered arn as construct ID. - const id = arn; - - // https://github.com/aws/aws-cdk/issues/7255 - let existingRole = Node.of(scope).tryFindChild(`ImmutableRole${id}`) as iam.IRole; - if (existingRole) { return existingRole; } - // For when #7255 is fixed. - existingRole = Node.of(scope).tryFindChild(id) as iam.IRole; - if (existingRole) { return existingRole; } - - const arnToImport = cxapi.EnvironmentPlaceholders.replace(arn, { - region: region ?? Aws.REGION, - accountId: account ?? Aws.ACCOUNT_ID, - partition: Aws.PARTITION, - }); - return iam.Role.fromRoleArn(scope, id, arnToImport, { mutable: false, addGrantsToResources: true }); -} - -/** - * Options for CdkDeployAction.fromStackArtifact - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface FromStackArtifactOptions { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Run order for the 2 actions that will be created - * - * @default 1 - */ - readonly prepareRunOrder?: number; - - /** - * Run order for the Execute action - * - * @default - prepareRunOrder + 1 - */ - readonly executeRunOrder?: number; - - /** - * Artifact to write Stack Outputs to - * - * @default - No outputs - */ - readonly output?: codepipeline.Artifact; - - /** - * Filename in output to write Stack outputs to - * - * @default - Required when 'output' is set - */ - readonly outputFileName?: string; -} - -function isStackArtifact(a: cxapi.CloudArtifact): a is cxapi.CloudFormationStackArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return a instanceof cxapi.CloudFormationStackArtifact; - return a.constructor.name === 'CloudFormationStackArtifact'; -} - -/** - * Template configuration in a CodePipeline - * - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-cfn-artifacts.html#w2ab1c13c17c15 - */ -interface TemplateConfiguration { - readonly Parameters?: Record; - readonly Tags?: Record; - readonly StackPolicy?: { - readonly Statements: Array>; - }; -} - -/** - * Write template configuration to the given file - */ -function writeTemplateConfiguration(filename: string, config: TemplateConfiguration) { - fs.writeFileSync(filename, JSON.stringify(config, undefined, 2), { encoding: 'utf-8' }); -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts deleted file mode 100644 index 834ded93472f2..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/index.ts +++ /dev/null @@ -1,3 +0,0 @@ -export * from './deploy-cdk-stack-action'; -export * from './publish-assets-action'; -export * from './update-pipeline-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts deleted file mode 100644 index 89bd087101972..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/publish-assets-action.ts +++ /dev/null @@ -1,228 +0,0 @@ -import * as fs from 'fs'; -import * as path from 'path'; -import { IDependable, Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { ISynthesisSession, Lazy, Stack, attachCustomSynthesis } from '../../../../core'; -import { AssetType } from '../../blueprint/asset-type'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -/** - * Props for a PublishAssetsAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface PublishAssetsActionProps { - /** - * Name of publishing action - */ - readonly actionName: string; - - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * AssetType we're publishing - */ - readonly assetType: AssetType; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Role to use for CodePipeline and CodeBuild to build and publish the assets. - * - * @default - Automatically generated - */ - readonly role?: iam.IRole; - - /** - * Any Dependable construct that the CodeBuild project needs to take a dependency on. - * - * @default - none - */ - readonly dependable?: IDependable; - - /** - * The VPC where to execute the PublishAssetsAction. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; - - /** - * Use a file buildspec written to the cloud assembly instead of an inline buildspec. - * This prevents size limitation errors as inline specs have a max length of 25600 characters - * - * @default false - */ - readonly createBuildspecFile?: boolean; - - /** - * Additional commands to run before installing cdk-assert - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly preInstallCommands?: string[]; -} - -/** - * Action to publish an asset in the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to prepare and publish the asset. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline when you add stacks that use assets. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class PublishAssetsAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - private readonly commands = new Array(); - - private readonly buildSpec: codebuild.BuildSpec; - - constructor(scope: Construct, id: string, private readonly props: PublishAssetsActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - const installCommand = `npm install -g cdk-assets${installSuffix}`; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: props.preInstallCommands ? [...props.preInstallCommands, installCommand] : installCommand, - }, - build: { - commands: Lazy.list({ produce: () => this.commands }), - }, - }, - }); - this.buildSpec = props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec; - - const project = new codebuild.PipelineProject(this, 'Default', { - projectName: this.props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: (props.assetType === AssetType.DOCKER_IMAGE) ? true : undefined, - }, - vpc: props.vpc, - subnetSelection: props.subnetSelection, - buildSpec: props.createBuildspecFile ? codebuild.BuildSpec.fromSourceFilename(this.getBuildSpecFileName()) : this.buildSpec, - role: props.role, - }); - - if (props.dependable) { - project.node.addDependency(props.dependable); - } - - this.action = new codepipeline_actions.CodeBuildAction({ - actionName: props.actionName, - project, - input: this.props.cloudAssemblyInput, - role: props.role, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - - attachCustomSynthesis(this, { - onSynthesize: this._onSynth.bind(this), - }); - } - - private getBuildSpecFileName(): string { - return `buildspec-assets-${this.node.path.replace(new RegExp('/', 'g'), '-')}.yaml`; - } - - private _onSynth(session: ISynthesisSession): void { - if (this.props.createBuildspecFile) { - const specFile = path.join(session.outdir, this.getBuildSpecFileName()); - fs.writeFileSync(specFile, Stack.of(this).resolve(this.buildSpec.toBuildSpec()), { encoding: 'utf-8' }); - } - } - - /** - * Add a single publishing command - * - * Manifest path should be relative to the root Cloud Assembly. - */ - public addPublishCommand(relativeManifestPath: string, assetSelector: string) { - const command = `cdk-assets --path "${toPosixPath(relativeManifestPath)}" --verbose publish "${assetSelector}"`; - if (!this.commands.includes(command)) { - this.commands.push(command); - } - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): - codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts deleted file mode 100644 index 85672ab4a849f..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/actions/update-pipeline-action.ts +++ /dev/null @@ -1,183 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as cpactions from '../../../../aws-codepipeline-actions'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { embeddedAsmPath } from '../../private/construct-internals'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; - -/** - * Props for the UpdatePipelineAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface UpdatePipelineActionProps { - /** - * The CodePipeline artifact that holds the Cloud Assembly. - */ - readonly cloudAssemblyInput: codepipeline.Artifact; - - /** - * Name of the pipeline stack - * - * @deprecated - Use `pipelineStackHierarchicalId` instead. - * @default - none - */ - readonly pipelineStackName?: string; - - /** - * Hierarchical id of the pipeline stack - */ - readonly pipelineStackHierarchicalId: string; - - /** - * Version of CDK CLI to 'npm install'. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Whether the build step should run in privileged mode. - * - * @default - false - */ - readonly privileged?: boolean; - - /** - * Docker registries and associated credentials necessary during the pipeline - * self-update stage. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; - - /** - * Custom BuildSpec that is merged with generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Action to self-mutate the pipeline - * - * Creates a CodeBuild project which will use the CDK CLI - * to deploy the pipeline stack. - * - * You do not need to instantiate this action -- it will automatically - * be added by the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class UpdatePipelineAction extends Construct implements codepipeline.IAction { - private readonly action: codepipeline.IAction; - - constructor(scope: Construct, id: string, props: UpdatePipelineActionProps) { - super(scope, id); - - const installSuffix = props.cdkCliVersion ? `@${props.cdkCliVersion}` : ''; - - const stackIdentifier = props.pipelineStackHierarchicalId ?? props.pipelineStackName; - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - install: { - commands: [ - `npm install -g aws-cdk${installSuffix}`, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SELF_UPDATE, props.dockerCredentials), - ], - }, - build: { - commands: [ - // Cloud Assembly is in *current* directory. - `cdk -a ${embeddedAsmPath(scope)} deploy ${stackIdentifier} --require-approval=never --verbose`, - ], - }, - }, - }); - const selfMutationProject = new codebuild.PipelineProject(this, 'SelfMutation', { - projectName: props.projectName, - environment: { - buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, - privileged: props.privileged ?? false, - }, - buildSpec: props.buildSpec ? codebuild.mergeBuildSpecs(props.buildSpec, buildSpec) : buildSpec, - }); - - // allow the self-mutating project permissions to assume the bootstrap Action role - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['sts:AssumeRole'], - resources: [`arn:*:iam::${Stack.of(this).account}:role/*`], - conditions: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, - }, - })); - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['cloudformation:DescribeStacks'], - resources: ['*'], // this is needed to check the status of the bootstrap stack when doing `cdk deploy` - })); - // S3 checks for the presence of the ListBucket permission - selfMutationProject.addToRolePolicy(new iam.PolicyStatement({ - actions: ['s3:ListBucket'], - resources: ['*'], - })); - (props.dockerCredentials ?? []).forEach(reg => reg.grantRead(selfMutationProject, DockerCredentialUsage.SELF_UPDATE)); - - this.action = new cpactions.CodeBuildAction({ - actionName: 'SelfMutate', - input: props.cloudAssemblyInput, - project: selfMutationProject, - // Add this purely so that the pipeline will selfupdate if the CLI version changes - environmentVariables: props.cdkCliVersion ? { - CDK_CLI_VERSION: { value: props.cdkCliVersion }, - } : undefined, - }); - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - return this.action.bind(scope, stage, options); - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - return this.action.onStateChange(name, target, options); - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - // FIXME: I have had to make this class a Construct, because: - // - // - It needs access to the Construct tree, because it is going to add a `PipelineProject`. - // - I would have liked to have done that in bind(), however, - // - `actionProperties` (this method) is called BEFORE bind() is called, and by that point I - // don't have the "inner" Action yet to forward the call to. - // - // I've therefore had to construct the inner CodeBuildAction in the constructor, which requires making this - // Action a Construct. - // - // Combined with how non-intuitive it is to make the "StackDeployAction", I feel there is something - // wrong with the Action abstraction here. - return this.action.actionProperties; - } -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts deleted file mode 100644 index ca2b108fcb0d8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/index.ts +++ /dev/null @@ -1,5 +0,0 @@ -export * from './pipeline'; -export * from './stage'; -export * from './synths'; -export * from './actions'; -export * from './validation'; diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts deleted file mode 100644 index ea87b74b2f4de..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/pipeline.ts +++ /dev/null @@ -1,624 +0,0 @@ -import * as path from 'path'; -import { Construct } from 'constructs'; -import { DeployCdkStackAction, PublishAssetsAction, UpdatePipelineAction } from './actions'; -import { AddStageOptions, AssetPublishingCommand, BaseStageOptions, CdkStage, StackOutput } from './stage'; -import { SimpleSynthAction } from './synths'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as ec2 from '../../../aws-ec2'; -import * as iam from '../../../aws-iam'; -import { Annotations, App, CfnOutput, PhysicalName, Stack, Stage } from '../../../core'; -import { AssetType } from '../blueprint/asset-type'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../docker-credentials'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetSingletonRole } from '../private/asset-singleton-role'; -import { CachedFnSub } from '../private/cached-fnsub'; -import { preferredCliVersion } from '../private/cli-version'; -import { appOf, assemblyBuilderOf } from '../private/construct-internals'; - -const CODE_BUILD_LENGTH_LIMIT = 100; -/** - * Properties for a CdkPipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkPipelineProps { - /** - * The CodePipeline action used to retrieve the CDK app's source - * - * @default - Required unless `codePipeline` is given - */ - readonly sourceAction?: codepipeline.IAction; - - /** - * The CodePipeline action build and synthesis step of the CDK app - * - * @default - Required unless `codePipeline` or `sourceAction` is given - */ - readonly synthAction?: codepipeline.IAction; - - /** - * The artifact you have defined to be the artifact to hold the cloudAssemblyArtifact for the synth action - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Existing CodePipeline to add deployment stages to - * - * Use this if you want more control over the CodePipeline that gets created. - * You can choose to not pass this value, in which case a new CodePipeline is - * created with default settings. - * - * If you pass an existing CodePipeline, it should have been created - * with `restartExecutionOnUpdate: true`. - * - * [disable-awslint:ref-via-interface] - * - * @default - A new CodePipeline is automatically generated - */ - readonly codePipeline?: codepipeline.Pipeline; - - /** - * Name of the pipeline - * - * Can only be set if `codePipeline` is not set. - * - * @default - A name is automatically generated - */ - readonly pipelineName?: string; - - /** - * Create KMS keys for cross-account deployments - * - * This controls whether the pipeline is enabled for cross-account deployments. - * - * Can only be set if `codePipeline` is not set. - * - * By default cross-account deployments are enabled, but this feature requires - * that KMS Customer Master Keys are created which have a cost of $1/month. - * - * If you do not need cross-account deployments, you can set this to `false` to - * not create those keys and save on that cost (the artifact bucket will be - * encrypted with an AWS-managed key). However, cross-account deployments will - * no longer be possible. - * - * @default true - */ - readonly crossAccountKeys?: boolean; - // @deprecated(v2): switch to default false - - /** - * Enables KMS key rotation for cross-account keys. - * - * Cannot be set if `crossAccountKeys` was set to `false`. - * - * Key rotation costs $1/month when enabled. - * - * @default - false (key rotation is disabled) - */ - readonly enableKeyRotation?: boolean; - - /** - * CDK CLI version to use in pipeline - * - * Some Actions in the pipeline will download and run a version of the CDK - * CLI. Specify the version here. - * - * @default - Latest version - */ - readonly cdkCliVersion?: string; - - /** - * The VPC where to execute the CdkPipeline actions. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Whether the pipeline will update itself - * - * This needs to be set to `true` to allow the pipeline to reconfigure - * itself when assets or stages are being added to it, and `true` is the - * recommended setting. - * - * You can temporarily set this to `false` while you are iterating - * on the pipeline itself and prefer to deploy changes using `cdk deploy`. - * - * @default true - */ - readonly selfMutating?: boolean; - - /** - * Custom BuildSpec that is merged with generated one (for self-mutation stage) - * - * @default - none - */ - readonly selfMutationBuildSpec?: codebuild.BuildSpec; - - /** - * Whether this pipeline creates one asset upload action per asset type or one asset upload per asset - * - * @default false - */ - readonly singlePublisherPerType?: boolean; - - /** - * Additional commands to run before installing cdk-assets during the asset publishing step - * Use this to setup proxies or npm mirrors - * - * @default - - */ - readonly assetPreInstallCommands?: string[]; - - /** - * Custom BuildSpec that is merged with generated one (for asset publishing actions) - * - * @default - none - */ - readonly assetBuildSpec?: codebuild.BuildSpec; - - /** - * Whether the pipeline needs to build Docker images in the UpdatePipeline stage. - * - * If the UpdatePipeline stage tries to build a Docker image and this flag is not - * set to `true`, the build step will run in non-privileged mode and consequently - * will fail with a message like: - * - * > Cannot connect to the Docker daemon at unix:///var/run/docker.sock. - * > Is the docker daemon running? - * - * This flag has an effect only if `selfMutating` is also `true`. - * - * @default - false - */ - readonly supportDockerAssets?: boolean; - - /** - * A list of credentials used to authenticate to Docker registries. - * - * Specify any credentials necessary within the pipeline to build, synth, update, or publish assets. - * - * @default [] - */ - readonly dockerCredentials?: DockerCredential[]; -} - -/** - * A Pipeline to deploy CDK apps - * - * Defines an AWS CodePipeline-based Pipeline to deploy CDK applications. - * - * Automatically manages the following: - * - * - Stack dependency order. - * - Asset publishing. - * - Keeping the pipeline up-to-date as the CDK apps change. - * - Using stack outputs later on in the pipeline. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkPipeline extends Construct { - private readonly _pipeline: codepipeline.Pipeline; - private readonly _assets: AssetPublishing; - private readonly _stages: CdkStage[] = []; - private readonly _outputArtifacts: Record = {}; - private readonly _cloudAssemblyArtifact: codepipeline.Artifact; - private readonly _dockerCredentials: DockerCredential[]; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private readonly cliVersion?: string; - - constructor(scope: Construct, id: string, props: CdkPipelineProps) { - super(scope, id); - this.cliVersion = props.cdkCliVersion ?? preferredCliVersion(); - - if (!App.isApp(this.node.root)) { - throw new Error('CdkPipeline must be created under an App'); - } - - this._cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this._dockerCredentials = props.dockerCredentials ?? []; - const pipelineStack = Stack.of(this); - - if (props.codePipeline) { - if (props.pipelineName) { - throw new Error('Cannot set \'pipelineName\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.crossAccountKeys !== undefined) { - throw new Error('Cannot set \'crossAccountKeys\' if an existing CodePipeline is given using \'codePipeline\''); - } - if (props.enableKeyRotation !== undefined) { - throw new Error('Cannot set \'enableKeyRotation\' if an existing CodePipeline is given using \'codePipeline\''); - } - - this._pipeline = props.codePipeline; - } else { - this._pipeline = new codepipeline.Pipeline(this, 'Pipeline', { - pipelineName: props.pipelineName, - crossAccountKeys: props.crossAccountKeys, - enableKeyRotation: props.enableKeyRotation, - restartExecutionOnUpdate: true, - }); - } - - if (props.sourceAction && !props.synthAction) { - // Because of ordering limitations, you can: bring your own Source, bring your own - // Both, or bring your own Nothing. You cannot bring your own Build (which because of the - // current CodePipeline API must go BEFORE what we're adding) and then having us add a - // Source after it. That doesn't make any sense. - throw new Error('When passing a \'sourceAction\' you must also pass a \'synthAction\' (or a \'codePipeline\' that already has both)'); - } - if (!props.sourceAction && (!props.codePipeline || props.codePipeline.stages.length < 1)) { - throw new Error('You must pass a \'sourceAction\' (or a \'codePipeline\' that already has a Source stage)'); - } - - if (props.sourceAction) { - this._pipeline.addStage({ - stageName: 'Source', - actions: [props.sourceAction], - }); - } - - if (props.synthAction) { - if (props.synthAction instanceof SimpleSynthAction && this._dockerCredentials.length > 0) { - props.synthAction._addDockerCredentials(this._dockerCredentials); - } - - this._pipeline.addStage({ - stageName: 'Build', - actions: [props.synthAction], - }); - } - - if (props.selfMutating ?? true) { - this._pipeline.addStage({ - stageName: 'UpdatePipeline', - actions: [new UpdatePipelineAction(this, 'UpdatePipeline', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - pipelineStackHierarchicalId: pipelineStack.node.path, - cdkCliVersion: this.cliVersion, - projectName: maybeSuffix(props.pipelineName, '-selfupdate'), - privileged: props.supportDockerAssets, - dockerCredentials: this._dockerCredentials, - buildSpec: props.selfMutationBuildSpec, - })], - }); - } - - this._assets = new AssetPublishing(this, 'Assets', { - cloudAssemblyInput: this._cloudAssemblyArtifact, - cdkCliVersion: this.cliVersion, - pipeline: this._pipeline, - projectName: maybeSuffix(props.pipelineName, '-publish'), - vpc: props.vpc, - subnetSelection: props.subnetSelection, - singlePublisherPerType: props.singlePublisherPerType, - preInstallCommands: props.assetPreInstallCommands, - buildSpec: props.assetBuildSpec, - dockerCredentials: this._dockerCredentials, - }); - - this.node.addValidation({ validate: () => this.validatePipeline() }); - } - - /** - * The underlying CodePipeline object - * - * You can use this to add more Stages to the pipeline, or Actions - * to Stages. - */ - public get codePipeline(): codepipeline.Pipeline { - return this._pipeline; - } - - /** - * Access one of the pipeline's stages by stage name - * - * You can use this to add more Actions to a stage. - */ - public stage(stageName: string): codepipeline.IStage { - return this._pipeline.stage(stageName); - } - - /** - * Get a cached version of an Application Security Check, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * @internal - */ - public _getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (!this._applicationSecurityCheck) { - this._applicationSecurityCheck = new ApplicationSecurityCheck(this, 'PipelineApplicationSecurityCheck', { - codePipeline: this._pipeline, - }); - } - return this._applicationSecurityCheck; - } - - /** - * Add pipeline stage that will deploy the given application stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplicationStage(appStage: Stage, options: AddStageOptions = {}): CdkStage { - const stage = this.addStage(appStage.stageName, options); - stage.addApplication(appStage, options); - return stage; - } - - /** - * Add a new, empty stage to the pipeline - * - * Prefer to use `addApplicationStage` if you are intended to deploy a CDK - * application, but you can use this method if you want to add other kinds of - * Actions to a pipeline. - */ - public addStage(stageName: string, options?: BaseStageOptions) { - const pipelineStage = this._pipeline.addStage({ - stageName, - }); - - const stage = new CdkStage(this, stageName, { - cloudAssemblyArtifact: this._cloudAssemblyArtifact, - pipelineStage, - stageName, - host: { - publishAsset: this._assets.addPublishAssetAction.bind(this._assets), - stackOutputArtifact: (artifactId) => this._outputArtifacts[artifactId], - }, - ...options, - }); - this._stages.push(stage); - return stage; - } - - /** - * Get the StackOutput object that holds this CfnOutput's value in this pipeline - * - * `StackOutput` can be used in validation actions later in the pipeline. - */ - public stackOutput(cfnOutput: CfnOutput): StackOutput { - const stack = Stack.of(cfnOutput); - - if (!this._outputArtifacts[stack.artifactId]) { - // We should have stored the ArtifactPath in the map, but its Artifact - // property isn't publicly readable... - const artifactName = `${stack.artifactId}_Outputs`; - const compactName = artifactName.slice(artifactName.length - Math.min(artifactName.length, CODE_BUILD_LENGTH_LIMIT)); - this._outputArtifacts[stack.artifactId] = new codepipeline.Artifact(compactName); - } - - return new StackOutput(this._outputArtifacts[stack.artifactId].atPath('outputs.json'), cfnOutput.logicalId); - } - - /** - * Validate that we don't have any stacks violating dependency order in the pipeline - * - * Our own convenience methods will never generate a pipeline that does that (although - * this is a nice verification), but a user can also add the stacks by hand. - */ - private validatePipeline(): string[] { - const ret = new Array(); - - ret.push(...this.validateDeployOrder()); - ret.push(...this.validateRequestedOutputs()); - - return ret; - } - - /** - * Return all StackDeployActions in an ordered list - */ - private get stackActions(): DeployCdkStackAction[] { - return flatMap(this._pipeline.stages, s => s.actions.filter(isDeployAction)); - } - - private * validateDeployOrder(): IterableIterator { - const stackActions = this.stackActions; - for (const stackAction of stackActions) { - // For every dependency, it must be executed in an action before this one is prepared. - for (const depId of stackAction.dependencyStackArtifactIds) { - const depAction = stackActions.find(s => s.stackArtifactId === depId); - - if (depAction === undefined) { - Annotations.of(this).addWarningV2('@aws-cdk/pipelines:dependencyOnNonPipelineStack', `Stack '${stackAction.stackName}' depends on stack ` + - `'${depId}', but that dependency is not deployed through the pipeline!`); - } else if (!(depAction.executeRunOrder < stackAction.prepareRunOrder)) { - yield `Stack '${stackAction.stackName}' depends on stack ` + - `'${depAction.stackName}', but is deployed before it in the pipeline!`; - } - } - } - } - - private * validateRequestedOutputs(): IterableIterator { - const artifactIds = this.stackActions.map(s => s.stackArtifactId); - - for (const artifactId of Object.keys(this._outputArtifacts)) { - if (!artifactIds.includes(artifactId)) { - yield `Trying to use outputs for Stack '${artifactId}', but Stack is not deployed in this pipeline. Add it to the pipeline.`; - } - } - } -} - -function isDeployAction(a: codepipeline.IAction): a is DeployCdkStackAction { - return a instanceof DeployCdkStackAction; -} - -function flatMap(xs: A[], f: (x: A) => B[]): B[] { - return Array.prototype.concat([], ...xs.map(f)); -} - -interface AssetPublishingProps { - readonly cloudAssemblyInput: codepipeline.Artifact; - readonly pipeline: codepipeline.Pipeline; - readonly cdkCliVersion?: string; - readonly projectName?: string; - readonly vpc?: ec2.IVpc; - readonly subnetSelection?: ec2.SubnetSelection; - readonly singlePublisherPerType?: boolean; - readonly preInstallCommands?: string[]; - readonly buildSpec?: codebuild.BuildSpec; - readonly dockerCredentials: DockerCredential[]; -} - -/** - * Add appropriate publishing actions to the asset publishing stage - */ -class AssetPublishing extends Construct { - // CodePipelines has a hard limit of 50 actions per stage. See https://github.com/aws/aws-cdk/issues/9353 - private readonly MAX_PUBLISHERS_PER_STAGE = 50; - - private readonly publishers: Record = {}; - private readonly assetRoles: Map = new Map(); - private readonly assetAttachedPolicies: Record = {}; - private readonly myCxAsmRoot: string; - private readonly cachedFnSub = new CachedFnSub(); - - private readonly lastStageBeforePublishing?: codepipeline.IStage; - private readonly stages: codepipeline.IStage[] = []; - private readonly pipeline: codepipeline.Pipeline; - private readonly dockerCredentials: DockerCredential[]; - - private _fileAssetCtr = 0; - private _dockerAssetCtr = 0; - - constructor(scope: Construct, id: string, private readonly props: AssetPublishingProps) { - super(scope, id); - this.myCxAsmRoot = path.resolve(assemblyBuilderOf(appOf(this)).outdir); - - this.pipeline = this.props.pipeline; - // Hacks to get access to the innards of Pipeline - const stages: codepipeline.IStage[] = (this.props.pipeline as any)._stages; - // Any asset publishing stages will be added directly after the last stage that currently exists. - this.lastStageBeforePublishing = stages.slice(-1)[0]; - - this.dockerCredentials = props.dockerCredentials; - } - - /** - * Make sure there is an action in the stage to publish the given asset - * - * Assets are grouped by asset ID (which represent individual assets) so all assets - * are published in parallel. For each assets, all destinations are published sequentially - * so that we can reuse expensive operations between them (mostly: building a Docker image). - */ - public addPublishAssetAction(command: AssetPublishingCommand) { - // FIXME: this is silly, we need the relative path here but no easy way to get it - const relativePath = path.relative(this.myCxAsmRoot, command.assetManifestPath); - - // The path cannot be outside the asm root. I don't really understand how this could ever - // come to pass, but apparently it has (see https://github.com/aws/aws-cdk/issues/9766). - // Add a sanity check here so we can catch it more quickly next time. - if (relativePath.startsWith(`..${path.sep}`)) { - throw new Error(`The asset manifest (${command.assetManifestPath}) cannot be outside the Cloud Assembly directory (${this.myCxAsmRoot}). Please report this error at https://github.com/aws/aws-cdk/issues to help us debug why this is happening.`); - } - - // Late-binding here (rather than in the constructor) to prevent creating the role in cases where no asset actions are created. - const assetRole = this.generateAssetRole(command.assetType); - // The ARNs include raw AWS pseudo parameters (e.g., ${AWS::Partition}), which need to be substituted. - assetRole.addAssumeRole(this.cachedFnSub.fnSub(command.assetPublishingRoleArn)); - const publisherKey = this.props.singlePublisherPerType ? command.assetType.toString() : command.assetId; - - let action = this.publishers[publisherKey]; - if (!action) { - // Dynamically create new stages as needed, with `MAX_PUBLISHERS_PER_STAGE` assets per stage. - const stageIndex = this.props.singlePublisherPerType ? 0 : - Math.floor((this._fileAssetCtr + this._dockerAssetCtr) / this.MAX_PUBLISHERS_PER_STAGE); - - if (!this.props.singlePublisherPerType && stageIndex >= this.stages.length) { - const previousStage = this.stages.slice(-1)[0] ?? this.lastStageBeforePublishing; - this.stages.push(this.pipeline.addStage({ - stageName: `Assets${stageIndex > 0 ? stageIndex + 1 : ''}`, - placement: { justAfter: previousStage }, - })); - } else if (this.props.singlePublisherPerType && this.stages.length == 0) { - this.stages.push(this.pipeline.addStage({ - stageName: 'Assets', - placement: { justAfter: this.lastStageBeforePublishing }, - })); - } - - // The asset ID would be a logical candidate for the construct path and project names, but if the asset - // changes it leads to recreation of a number of Role/Policy/Project resources which is slower than - // necessary. Number sequentially instead. - // - // FIXME: The ultimate best solution is probably to generate a single Project per asset type - // and reuse that for all assets. - const id = this.props.singlePublisherPerType ? - command.assetType === AssetType.FILE ? 'FileAsset' : 'DockerAsset' : - command.assetType === AssetType.FILE ? `FileAsset${++this._fileAssetCtr}` : `DockerAsset${++this._dockerAssetCtr}`; - - const credsInstallCommands = dockerCredentialsInstallCommands(DockerCredentialUsage.ASSET_PUBLISHING, this.dockerCredentials); - - // NOTE: It's important that asset changes don't force a pipeline self-mutation. - // This can cause an infinite loop of updates (see https://github.com/aws/aws-cdk/issues/9080). - // For that reason, we use the id as the actionName below, rather than the asset hash. - action = this.publishers[publisherKey] = new PublishAssetsAction(this, id, { - actionName: id, - cloudAssemblyInput: this.props.cloudAssemblyInput, - cdkCliVersion: this.props.cdkCliVersion, - assetType: command.assetType, - role: this.assetRoles.get(command.assetType), - dependable: this.assetAttachedPolicies[command.assetType], - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: this.props.buildSpec, - createBuildspecFile: this.props.singlePublisherPerType, - preInstallCommands: [...(this.props.preInstallCommands ?? []), ...credsInstallCommands], - }); - this.stages[stageIndex].addAction(action); - } - - action.addPublishCommand(relativePath, command.assetSelector); - } - - /** - * This role is used by both the CodePipeline build action and related CodeBuild project. Consolidating these two - * roles into one, and re-using across all assets, saves significant size of the final synthesized output. - * Modeled after the CodePipeline role and 'CodePipelineActionRole' roles. - * Generates one role per asset type to separate file and Docker/image-based permissions. - */ - private generateAssetRole(assetType: AssetType) { - const existing = this.assetRoles.get(assetType); - if (existing) { - return existing; - } - - const rolePrefix = assetType === AssetType.DOCKER_IMAGE ? 'Docker' : 'File'; - const assetRole = new AssetSingletonRole(this, `${rolePrefix}Role`, { - roleName: PhysicalName.GENERATE_IF_NEEDED, - assumedBy: new iam.CompositePrincipal(new iam.ServicePrincipal('codebuild.amazonaws.com'), new iam.AccountPrincipal(Stack.of(this).account)), - }); - - // Grant pull access for any ECR registries and secrets that exist - if (assetType === AssetType.DOCKER_IMAGE) { - this.dockerCredentials.forEach(reg => reg.grantRead(assetRole, DockerCredentialUsage.ASSET_PUBLISHING)); - } - - this.assetRoles.set(assetType, assetRole); - return assetRole; - } -} - -function maybeSuffix(x: string | undefined, suffix: string): string | undefined { - if (x === undefined) { return undefined; } - return `${x}${suffix}`; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts deleted file mode 100644 index 79f224b87e583..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/stage.ts +++ /dev/null @@ -1,586 +0,0 @@ -import { Construct, Node } from 'constructs'; -import { DeployCdkStackAction } from './actions'; -import { CdkPipeline } from './pipeline'; -import * as codebuild from '../../../aws-codebuild'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as cpactions from '../../../aws-codepipeline-actions'; -import { CodeBuildAction } from '../../../aws-codepipeline-actions'; -import * as sns from '../../../aws-sns'; -import { Stage, Aspects } from '../../../core'; -import * as cxapi from '../../../cx-api'; -import { AssetType } from '../blueprint/asset-type'; -import { ApplicationSecurityCheck } from '../private/application-security-check'; -import { AssetManifestReader, DockerImageManifestEntry, FileManifestEntry } from '../private/asset-manifest'; -import { pipelineSynth } from '../private/construct-internals'; -import { topologicalSort } from '../private/toposort'; - -/** - * Construction properties for a CdkStage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface CdkStageProps { - /** - * Name of the stage that should be created - */ - readonly stageName: string; - - /** - * The underlying Pipeline Stage associated with thisCdkStage - */ - readonly pipelineStage: codepipeline.IStage; - - /** - * The CodePipeline Artifact with the Cloud Assembly - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Features the Stage needs from its environment - */ - readonly host: IStageHost; - - /** - * Run a security check before every application prepare/deploy actions. - * - * Note: Stage level security check can be overriden per application as follows: - * `stage.addApplication(app, { confirmBroadeningPermissions: false })` - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - - /** - * Optional SNS topic to send notifications to when any security check registers - * changes within a application. - * - * Note: The Stage Notification Topic can be overriden per application as follows: - * `stage.addApplication(app, { securityNotificationTopic: newTopic })` - * - * @default undefined no stage level notification topic - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Stage in a CdkPipeline - * - * You don't need to instantiate this class directly. Use - * `cdkPipeline.addStage()` instead. - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class CdkStage extends Construct { - private _nextSequentialRunOrder = 1; // Must start at 1 eh - private _manualApprovalCounter = 1; - private readonly pipelineStage: codepipeline.IStage; - private readonly cloudAssemblyArtifact: codepipeline.Artifact; - private readonly stacksToDeploy = new Array(); - private readonly stageName: string; - private readonly host: IStageHost; - private readonly confirmBroadeningPermissions: boolean; - private readonly pipeline?: CdkPipeline; - private readonly securityNotificationTopic?: sns.ITopic; - private _applicationSecurityCheck?: ApplicationSecurityCheck; - private _prepared = false; - - constructor(scope: Construct, id: string, props: CdkStageProps) { - super(scope, id); - - if (scope instanceof CdkPipeline) { - this.pipeline = scope; - } - - this.stageName = props.stageName; - this.pipelineStage = props.pipelineStage; - this.cloudAssemblyArtifact = props.cloudAssemblyArtifact; - this.host = props.host; - this.confirmBroadeningPermissions = props.confirmBroadeningPermissions ?? false; - this.securityNotificationTopic = props.securityNotificationTopic; - - Aspects.of(this).add({ visit: () => this.prepareStage() }); - } - - /** - * Add all stacks in the application Stage to this stage - * - * The application construct should subclass `Stage` and can contain any - * number of `Stacks` inside it that may have dependency relationships - * on one another. - * - * All stacks in the application will be deployed in the appropriate order, - * and all assets found in the application will be added to the asset - * publishing stage. - */ - public addApplication(appStage: Stage, options: AddStageOptions = {}) { - const asm = pipelineSynth(appStage); - const extraRunOrderSpace = options.extraRunOrderSpace ?? 0; - - if (options.confirmBroadeningPermissions ?? this.confirmBroadeningPermissions) { - this.addSecurityCheck(appStage, options); - } - - if (asm.stacks.length === 0) { - // If we don't check here, a more puzzling "stage contains no actions" - // error will be thrown come deployment time. - throw new Error(`The given Stage construct ('${appStage.node.path}') should contain at least one Stack`); - } - - const sortedTranches = topologicalSort(asm.stacks, - stack => stack.id, - stack => stack.dependencies.map(d => d.id)); - - for (const stacks of sortedTranches) { - const runOrder = this.nextSequentialRunOrder(extraRunOrderSpace + 2); // 2 actions for Prepare/Execute ChangeSet - let executeRunOrder = runOrder + extraRunOrderSpace + 1; - - // If we need to insert a manual approval action, then what's the executeRunOrder - // now is where we add a manual approval step, and we allocate 1 more runOrder - // for the execute. - if (options.manualApprovals) { - this.addManualApprovalAction({ runOrder: runOrder + 1 }); - executeRunOrder = this.nextSequentialRunOrder(); - } - - // These don't have a dependency on each other, so can all be added in parallel - for (const stack of stacks) { - this.addStackArtifactDeployment(stack, { runOrder, executeRunOrder }); - } - } - } - - /** - * Get a cached version of an ApplicationSecurityCheck, which consists of: - * - CodeBuild Project to check for security changes in a stage - * - Lambda Function that approves the manual approval if no security changes are detected - * - * The ApplicationSecurityCheck is cached from the pipeline **if** this stage is scoped - * to a CDK Pipeline. If this stage **is not** scoped to a pipeline, create an ApplicationSecurityCheck - * scoped to the stage itself. - * - * @internal - */ - private getApplicationSecurityCheck(): ApplicationSecurityCheck { - if (this._applicationSecurityCheck) { - return this._applicationSecurityCheck; - } - - this._applicationSecurityCheck = this.pipeline - ? this.pipeline._getApplicationSecurityCheck() - : new ApplicationSecurityCheck(this, 'StageApplicationSecurityCheck', { - codePipeline: this.pipelineStage.pipeline as codepipeline.Pipeline, - }); - return this._applicationSecurityCheck; - } - - /** - * Add a deployment action based on a stack artifact - */ - public addStackArtifactDeployment(stackArtifact: cxapi.CloudFormationStackArtifact, options: AddStackOptions = {}) { - // Get all assets manifests and add the assets in 'em to the asset publishing stage. - this.publishAssetDependencies(stackArtifact); - - // Remember for later, see 'prepare()' - // We know that deploying a stack is going to take up 2 runorder slots later on. - const runOrder = options.runOrder ?? this.nextSequentialRunOrder(2); - const executeRunOrder = options.executeRunOrder ?? runOrder + 1; - this.stacksToDeploy.push({ - prepareRunOrder: runOrder, - executeRunOrder, - stackArtifact, - }); - - this.advanceRunOrderPast(runOrder); - this.advanceRunOrderPast(executeRunOrder); - } - - /** - * Add a manual approval action - * - * If you need more flexibility than what this method offers, - * use `addAction` with a `ManualApprovalAction`. - */ - public addManualApprovalAction(options: AddManualApprovalOptions = {}) { - let actionName = options.actionName; - if (!actionName) { - actionName = `ManualApproval${this._manualApprovalCounter > 1 ? this._manualApprovalCounter : ''}`; - this._manualApprovalCounter += 1; - } - - this.addActions(new cpactions.ManualApprovalAction({ - actionName, - runOrder: options.runOrder ?? this.nextSequentialRunOrder(), - })); - } - - /** - * Add one or more CodePipeline Actions - * - * You need to make sure it is created with the right runOrder. Call `nextSequentialRunOrder()` - * for every action to get actions to execute in sequence. - */ - public addActions(...actions: codepipeline.IAction[]) { - for (const action of actions) { - this.pipelineStage.addAction(action); - } - } - - /** - * Return the runOrder number necessary to run the next Action in sequence with the rest - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - public nextSequentialRunOrder(count: number = 1): number { - const ret = this._nextSequentialRunOrder; - this._nextSequentialRunOrder += count; - return ret; - } - - /** - * Whether this Stage contains an action to deploy the given stack, identified by its artifact ID - */ - public deploysStack(artifactId: string) { - return this.stacksToDeploy.map(s => s.stackArtifact.id).includes(artifactId); - } - - /** - * Actually add all the DeployStack actions to the stage. - * - * We do this late because before we can render the actual DeployActions, - * we need to know whether or not we need to capture the stack outputs. - * - * FIXME: This is here because Actions are immutable and can't be reordered - * after creation, nor is there a way to specify relative priorities, which - * is a limitation that we should take away in the base library. - */ - private prepareStage() { - // FIXME: Make sure this only gets run once. There seems to be an issue in the reconciliation - // loop that may trigger this more than once if it throws an error somewhere, and the exception - // that gets thrown here will then override the actual failure. - if (this._prepared) { return; } - this._prepared = true; - - for (const { prepareRunOrder, stackArtifact, executeRunOrder } of this.stacksToDeploy) { - const artifact = this.host.stackOutputArtifact(stackArtifact.id); - - this.pipelineStage.addAction(DeployCdkStackAction.fromStackArtifact(this, stackArtifact, { - baseActionName: this.simplifyStackName(stackArtifact.stackName), - cloudAssemblyInput: this.cloudAssemblyArtifact, - output: artifact, - outputFileName: artifact ? 'outputs.json' : undefined, - prepareRunOrder, - executeRunOrder, - })); - } - } - - /** - * Advance the runorder counter so that the next sequential number is higher than the given one - */ - private advanceRunOrderPast(lastUsed: number) { - this._nextSequentialRunOrder = Math.max(lastUsed + 1, this._nextSequentialRunOrder); - } - - /** - * Simplify the stack name by removing the `Stage-` prefix if it exists. - */ - private simplifyStackName(s: string) { - return stripPrefix(s, `${this.stageName}-`); - } - - /** - * Add a security check before the prepare/deploy actions of an CDK stage. - * The security check consists of two actions: - * - CodeBuild Action to check for security changes in a stage - * - Manual Approval Action that is auto approved via a Lambda if no security changes detected - */ - private addSecurityCheck(appStage: Stage, options?: BaseStageOptions) { - const { cdkDiffProject } = this.getApplicationSecurityCheck(); - const notificationTopic: sns.ITopic | undefined = options?.securityNotificationTopic ?? this.securityNotificationTopic; - notificationTopic?.grantPublish(cdkDiffProject); - - const appStageName = appStage.stageName; - const approveActionName = `${appStageName}ManualApproval`; - const diffAction = new CodeBuildAction({ - runOrder: this.nextSequentialRunOrder(), - actionName: `${appStageName}SecurityCheck`, - input: this.cloudAssemblyArtifact, - project: cdkDiffProject, - variablesNamespace: `${appStageName}SecurityCheck`, - environmentVariables: { - STAGE_PATH: { - value: Node.of(appStage).path, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - STAGE_NAME: { - value: this.stageName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ACTION_NAME: { - value: approveActionName, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - ...notificationTopic ? { - NOTIFICATION_ARN: { - value: notificationTopic.topicArn, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - NOTIFICATION_SUBJECT: { - value: `Confirm permission broadening in ${appStageName}`, - type: codebuild.BuildEnvironmentVariableType.PLAINTEXT, - }, - } : {}, - }, - }); - - const approve = new cpactions.ManualApprovalAction({ - actionName: approveActionName, - runOrder: this.nextSequentialRunOrder(), - additionalInformation: `#{${appStageName}SecurityCheck.MESSAGE}`, - externalEntityLink: `#{${appStageName}SecurityCheck.LINK}`, - }); - - this.addActions(diffAction, approve); - } - - /** - * Make sure all assets depended on by this stack are published in this pipeline - * - * Taking care to exclude the stack template itself -- it is being published - * as an asset because the CLI needs to know the asset publishing role when - * pushing the template to S3, but in the case of CodePipeline we always - * reference the template from the artifact bucket. - * - * (NOTE: this is only true for top-level stacks, not nested stacks. Nested - * Stack templates are always published as assets). - */ - private publishAssetDependencies(stackArtifact: cxapi.CloudFormationStackArtifact) { - const assetManifests = stackArtifact.dependencies.filter(isAssetManifest); - - for (const manifestArtifact of assetManifests) { - const manifest = AssetManifestReader.fromFile(manifestArtifact.file); - - for (const entry of manifest.entries) { - let assetType: AssetType; - if (entry instanceof DockerImageManifestEntry) { - assetType = AssetType.DOCKER_IMAGE; - } else if (entry instanceof FileManifestEntry) { - // Don't publish the template for this stack - if (entry.source.packaging === 'file' && entry.source.path === stackArtifact.templateFile) { - continue; - } - - assetType = AssetType.FILE; - } else { - throw new Error(`Unrecognized asset type: ${entry.type}`); - } - - if (!entry.destination.assumeRoleArn) { - throw new Error('assumeRoleArn is missing on asset and required'); - } - - this.host.publishAsset({ - assetManifestPath: manifestArtifact.file, - assetId: entry.id.assetId, - assetSelector: entry.id.toString(), - assetType, - assetPublishingRoleArn: entry.destination.assumeRoleArn, - }); - } - } - } -} - -/** - * Additional options for adding a stack deployment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStackOptions { - /** - * Base runorder - * - * @default - Next sequential runorder - */ - readonly runOrder?: number; - - /** - * Base runorder - * - * @default - runOrder + 1 - */ - readonly executeRunOrder?: number; -} - -/** - * A single output of a Stack - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class StackOutput { - /** - * The artifact and file the output is stored in - */ - public readonly artifactFile: codepipeline.ArtifactPath; - - /** - * The name of the output in the JSON object in the file - */ - public readonly outputName: string; - - /** - * Build a StackOutput from a known artifact and an output name - */ - constructor(artifactFile: codepipeline.ArtifactPath, outputName: string) { - this.artifactFile = artifactFile; - this.outputName = outputName; - } -} - -function stripPrefix(s: string, prefix: string) { - return s.startsWith(prefix) ? s.slice(prefix.length) : s; -} - -function isAssetManifest(s: cxapi.CloudArtifact): s is cxapi.AssetManifestArtifact { - // instanceof is too risky, and we're at a too late stage to properly fix. - // return s instanceof cxapi.AssetManifestArtifact; - return s.constructor.name === 'AssetManifestArtifact'; -} - -/** - * Features that the Stage needs from its environment - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface IStageHost { - /** - * Make sure all the assets from the given manifest are published - */ - publishAsset(command: AssetPublishingCommand): void; - - /** - * Return the Artifact the given stack has to emit its outputs into, if any - */ - stackOutputArtifact(stackArtifactId: string): codepipeline.Artifact | undefined; -} - -/** - * Instructions to publish certain assets - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AssetPublishingCommand { - /** - * Asset manifest path - */ - readonly assetManifestPath: string; - - /** - * Asset identifier - */ - readonly assetId: string; - - /** - * Asset selector to pass to `cdk-assets`. - */ - readonly assetSelector: string; - - /** - * Type of asset to publish - */ - readonly assetType: AssetType; - - /** - * ARN of the IAM Role used to publish this asset. - */ - readonly assetPublishingRoleArn: string; -} - -/** - * Base options for a pipelines stage - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface BaseStageOptions { - /** - * Runs a `cdk diff --security-only --fail` to pause the pipeline if there - * are any security changes. - * - * If the stage is configured with `confirmBroadeningPermissions` enabled, you can use this - * property to override the stage configuration. For example, Pipeline Stage - * "Prod" has confirmBroadeningPermissions enabled, with applications "A", "B", "C". All three - * applications will run a security check, but if we want to disable the one for "C", - * we run `stage.addApplication(C, { confirmBroadeningPermissions: false })` to override the pipeline - * stage behavior. - * - * Adds 1 to the run order space. - * - * @default false - */ - readonly confirmBroadeningPermissions?: boolean; - /** - * Optional SNS topic to send notifications to when the security check registers - * changes within the application. - * - * @default undefined no notification topic for security check manual approval action - */ - readonly securityNotificationTopic?: sns.ITopic; -} - -/** - * Options for adding an application stage to a pipeline - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddStageOptions extends BaseStageOptions { - /** - * Add manual approvals before executing change sets - * - * This gives humans the opportunity to confirm the change set looks alright - * before deploying it. - * - * @default false - */ - readonly manualApprovals?: boolean; - /** - * Add room for extra actions - * - * You can use this to make extra room in the runOrder sequence between the - * changeset 'prepare' and 'execute' actions and insert your own actions there. - * - * @default 0 - */ - readonly extraRunOrderSpace?: number; -} - -/** - * Options for addManualApproval - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AddManualApprovalOptions { - /** - * The name of the manual approval action - * - * @default 'ManualApproval' with a rolling counter - */ - readonly actionName?: string; - - /** - * The runOrder for this action - * - * @default - The next sequential runOrder - */ - readonly runOrder?: number; -} - -/** - * Queued "deploy stack" command that is reified during prepare() - */ -interface DeployStackCommand { - prepareRunOrder: number; - executeRunOrder: number; - stackArtifact: cxapi.CloudFormationStackArtifact; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts deleted file mode 100644 index 0a5a34c6f0eaa..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/_util.ts +++ /dev/null @@ -1,15 +0,0 @@ -import * as codebuild from '../../../../aws-codebuild'; - -export function copyEnvironmentVariables(...names: string[]): Record { - const ret: Record = {}; - for (const name of names) { - if (process.env[name]) { - ret[name] = { value: process.env[name] }; - } - } - return ret; -} - -export function filterEmpty(xs: Array): string[] { - return xs.filter(x => x) as any; -} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts deleted file mode 100644 index 4764f7d9647c6..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './simple-synth-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts deleted file mode 100644 index 8381668962d52..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/synths/simple-synth-action.ts +++ /dev/null @@ -1,591 +0,0 @@ -import * as crypto from 'crypto'; -import * as path from 'path'; -import { Construct } from 'constructs'; -import { copyEnvironmentVariables, filterEmpty } from './_util'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { Stack } from '../../../../core'; -import { dockerCredentialsInstallCommands, DockerCredential, DockerCredentialUsage } from '../../docker-credentials'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { toPosixPath } from '../../private/fs'; - -const DEFAULT_OUTPUT_DIR = 'cdk.out'; - -/** - * Configuration options for a SimpleSynth - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthOptions { - /** - * The source artifact of the CodePipeline - */ - readonly sourceArtifact: codepipeline.Artifact; - - /** - * The artifact where the CloudAssembly should be emitted - */ - readonly cloudAssemblyArtifact: codepipeline.Artifact; - - /** - * Environment variables to send into build - * - * NOTE: You may run into the 1000-character limit for the Action configuration if you have a large - * number of variables or if their names or values are very long. - * If you do, pass them to the underlying CodeBuild project directly in `environment` instead. - * However, you will not be able to use CodePipeline Variables in this case. - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * Environment variables to copy over from parent env - * - * These are environment variables that are being used by the build. - * - * @default - No environment variables copied - */ - readonly copyEnvironmentVariables?: string[]; - - /** - * Name of the build action - * - * @default 'Synth' - */ - readonly actionName?: string; - - /** - * Name of the CodeBuild project - * - * @default - Automatically generated - */ - readonly projectName?: string; - - /** - * Build environment to use for CodeBuild job - * - * @default BuildEnvironment.LinuxBuildImage.STANDARD_6_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Directory inside the source where package.json and cdk.json are located - * - * @default - Repository root - */ - readonly subdirectory?: string; - - /** - * Produce additional output artifacts after the build based on the given directories - * - * Can be used to produce additional artifacts during the build step, - * separate from the cloud assembly, which can be used further on in the - * pipeline. - * - * Directories are evaluated with respect to `subdirectory`. - * - * @default - No additional artifacts generated - */ - readonly additionalArtifacts?: AdditionalArtifact[]; - - /** - * Policy statements to add to role used during the synth - * - * Can be used to add acces to a CodeArtifact repository etc. - * - * @default - No policy statements added to CodeBuild Project Role - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the SimpleSynth. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * custom BuildSpec that is merged with the generated one - * - * @default - none - */ - readonly buildSpec?: codebuild.BuildSpec; -} - -/** - * Construction props for SimpleSynthAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface SimpleSynthActionProps extends SimpleSynthOptions { - /** - * The synth command - */ - readonly synthCommand: string; - - /** - * The install command - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - * @deprecated Use `installCommands` instead - */ - readonly installCommand?: string; - - /** - * The build command - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - * @deprecated Use `buildCommands` instead - */ - readonly buildCommand?: string; - - /** - * Install commands - * - * If not provided by the build image or another dependency - * management tool, at least install the CDK CLI here using - * `npm install -g aws-cdk`. - * - * @default - No install required - */ - readonly installCommands?: string[]; - - /** - * The build commands - * - * If your programming language requires a compilation step, put the - * compilation command here. - * - * @default - No build required - */ - readonly buildCommands?: string[]; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Specification of an additional artifact to generate - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface AdditionalArtifact { - /** - * Directory to be packaged - */ - readonly directory: string; - - /** - * Artifact to represent the build directory in the pipeline - */ - readonly artifact: codepipeline.Artifact; -} - -/** - * A standard synth with a generated buildspec - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class SimpleSynthAction implements codepipeline.IAction, iam.IGrantable { - - /** - * Create a standard NPM synth action - * - * Uses `npm ci` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'npm run build'`. - */ - public static standardNpmSynth(options: StandardNpmSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'npm ci', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - /** - * Create a standard Yarn synth action - * - * Uses `yarn install --frozen-lockfile` to install dependencies and `npx cdk synth` to synthesize. - * - * If you need a build step, add `buildCommand: 'yarn build'`. - */ - public static standardYarnSynth(options: StandardYarnSynthOptions) { - return new SimpleSynthAction({ - ...options, - installCommand: options.installCommand ?? 'yarn install --frozen-lockfile', - synthCommand: options.synthCommand ?? 'npx cdk synth', - vpc: options.vpc, - subnetSelection: options.subnetSelection, - environment: { - ...options.environment, - environmentVariables: { - // Need this in case the CDK CLI is not in the 'package.json' of the project, - // and 'npx' is going to download it; without this setting, 'npx' will not properly - // install the package into the root user's home directory - NPM_CONFIG_UNSAFE_PERM: { value: 'true' }, - ...options.environment?.environmentVariables, - }, - }, - }); - } - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - private _project?: codebuild.IProject; - private _dockerCredentials?: DockerCredential[]; - - constructor(private readonly props: SimpleSynthActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName ?? 'Synth', - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [props.sourceArtifact], - outputs: [props.cloudAssemblyArtifact, ...(props.additionalArtifacts ?? []).map(a => a.artifact)], - }; - - if (this.props.installCommand && this.props.installCommands) { - throw new Error('Pass either \'installCommand\' or \'installCommands\', but not both'); - } - - if (this.props.buildCommand && this.props.buildCommands) { - throw new Error('Pass either \'buildCommand\' or \'buildCommands\', but not both'); - } - - const addls = props.additionalArtifacts ?? []; - if (Object.keys(addls).length > 0) { - if (!props.cloudAssemblyArtifact.artifactName) { - throw new Error('You must give all output artifacts, including the \'cloudAssemblyArtifact\', names when using \'additionalArtifacts\''); - } - for (const addl of addls) { - if (!addl.artifact.artifactName) { - throw new Error('You must give all output artifacts passed to SimpleSynthAction names when using \'additionalArtifacts\''); - } - } - } - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Project generated to run the synth command - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after SimpleSynthAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const buildCommands = this.props.buildCommands ?? [this.props.buildCommand]; - const installCommands = this.props.installCommands ?? [this.props.installCommand]; - const testCommands = this.props.testCommands ?? []; - const synthCommand = this.props.synthCommand; - - const environment = { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE, ...this.props.environment }; - const osType = (environment.buildImage instanceof codebuild.WindowsBuildImage) - ? ec2.OperatingSystemType.WINDOWS - : ec2.OperatingSystemType.LINUX; - - const buildSpec = codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - pre_build: { - commands: filterEmpty([ - this.props.subdirectory ? `cd ${this.props.subdirectory}` : '', - ...installCommands, - ...dockerCredentialsInstallCommands(DockerCredentialUsage.SYNTH, this._dockerCredentials, osType), - ]), - }, - build: { - commands: filterEmpty([ - ...buildCommands, - ...testCommands, - synthCommand, - ]), - }, - }, - artifacts: renderArtifacts(this), - }); - - const environmentVariables = { - ...copyEnvironmentVariables(...this.props.copyEnvironmentVariables || []), - }; - - const mergedBuildSpec = this.props.buildSpec ? codebuild.mergeBuildSpecs(this.props.buildSpec, buildSpec) : buildSpec; - - // A hash over the values that make the CodeBuild Project unique (and necessary - // to restart the pipeline if one of them changes). projectName is not necessary to include - // here because the pipeline will definitely restart if projectName changes. - // (Resolve tokens) - const projectConfigHash = hash(Stack.of(scope).resolve({ - environment: serializeBuildEnvironment(environment), - buildSpecString: mergedBuildSpec.toBuildSpec(), - environmentVariables, - })); - - const project = new codebuild.PipelineProject(scope, 'CdkBuildProject', { - projectName: this.props.projectName, - environment, - vpc: this.props.vpc, - subnetSelection: this.props.subnetSelection, - buildSpec: mergedBuildSpec, - environmentVariables, - }); - - if (this.props.rolePolicyStatements !== undefined) { - this.props.rolePolicyStatements.forEach(policyStatement => { - project.addToRolePolicy(policyStatement); - }); - } - - this._project = project; - - this._dockerCredentials?.forEach(reg => reg.grantRead(project.grantPrincipal, DockerCredentialUsage.SYNTH)); - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.actionProperties.actionName, - input: this.props.sourceArtifact, - outputs: [this.props.cloudAssemblyArtifact, ...(this.props.additionalArtifacts ?? []).map(a => a.artifact)], - - // Inclusion of the hash here will lead to the pipeline structure for any changes - // made the config of the underlying CodeBuild Project. - // Hence, the pipeline will be restarted. This is necessary if the users - // adds (for example) build or test commands to the buildspec. - environmentVariables: { - ...this.props.environmentVariables, - _PROJECT_CONFIG_HASH: { value: projectConfigHash }, - }, - project, - }); - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - - function renderArtifacts(self: SimpleSynthAction) { - // save the generated files in the output artifact - // This part of the buildspec has to look completely different depending on whether we're - // using secondary artifacts or not. - - const cloudAsmArtifactSpec = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', DEFAULT_OUTPUT_DIR)), - 'files': '**/*', - }; - - if (self.props.additionalArtifacts) { - const secondary: Record = {}; - if (!self.props.cloudAssemblyArtifact.artifactName) { - throw new Error('When using additional output artifacts, you must also name the CloudAssembly artifact'); - } - secondary[self.props.cloudAssemblyArtifact.artifactName] = cloudAsmArtifactSpec; - self.props.additionalArtifacts.forEach((art) => { - if (!art.artifact.artifactName) { - throw new Error('You must give the output artifact a name'); - } - secondary[art.artifact.artifactName] = { - 'base-directory': toPosixPath(path.join(self.props.subdirectory ?? '.', art.directory)), - 'files': '**/*', - }; - }); - - return { 'secondary-artifacts': secondary }; - } - - return cloudAsmArtifactSpec; - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } - - /** - * Associate one or more Docker registries and associated credentials with the synth action. - * This will be used to inject installation commands to set up `cdk-assets`, - * and grant read access to the credentials. - * @internal - */ - public _addDockerCredentials(dockerCredentials: DockerCredential[]) { - this._dockerCredentials = dockerCredentials; - } -} - -/** - * Options for a convention-based synth using NPM - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardNpmSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'npm ci' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -/** - * Options for a convention-based synth using Yarn - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface StandardYarnSynthOptions extends SimpleSynthOptions { - /** - * The install command - * - * @default 'yarn install --frozen-lockfile' - */ - readonly installCommand?: string; - - /** - * The build command - * - * By default, we assume NPM projects are either written in JavaScript or are - * using `ts-node`, so don't need a build command. - * - * Otherwise, put the build command here, for example `npm run build`. - * - * @default - No build required - */ - readonly buildCommand?: string; - - /** - * The synth command - * - * @default 'npx cdk synth' - */ - readonly synthCommand?: string; - - /** - * Test commands - * - * These commands are run after the build commands but before the - * synth command. - * - * @default - No test commands - */ - readonly testCommands?: string[]; -} - -function hash(obj: A) { - const d = crypto.createHash('sha256'); - d.update(JSON.stringify(obj)); - return d.digest('hex'); -} - -/** - * Serialize a build environment to data (get rid of constructs & objects), so we can JSON.stringify it - */ -function serializeBuildEnvironment(env: codebuild.BuildEnvironment) { - return { - privileged: env.privileged, - environmentVariables: env.environmentVariables, - type: env.buildImage?.type, - imageId: env.buildImage?.imageId, - computeType: env.computeType, - imagePullPrincipalType: env.buildImage?.imagePullPrincipalType, - secretsManagerArn: env.buildImage?.secretsManagerCredentials?.secretArn, - }; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts deleted file mode 100644 index 20192332e3b78..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/_files.ts +++ /dev/null @@ -1,97 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../../aws-codepipeline'; -import { IGrantable } from '../../../../aws-iam'; -import * as s3assets from '../../../../aws-s3-assets'; - -/** - * Additional files to use in a shell script - */ -export abstract class Files { - /** - * Use the files from a CodePipeline artifact - */ - public static fromArtifact(artifact: codepipeline.Artifact): Files { - if (!artifact) { - // Typechecking may mess up - throw new Error('Files.fromArtifact(): input artifact is required, got undefined'); - } - - return { - bind: () => ({ artifact }), - grantRead: () => { /* Not necessary */ }, - }; - } - - /** - * Create a new asset to bundle up the files in a directory on disk - */ - public static fromDirectory(directoryPath: string): Files { - let realFiles: Files; - return { - bind(scope: Construct) { - realFiles = Files.fromAsset(new s3assets.Asset(scope, directoryPath, { - path: directoryPath, - })); - - return realFiles.bind(scope); - }, - grantRead(grantee: IGrantable) { - if (!realFiles) { - throw new Error('bind() must be called first'); - } - realFiles.grantRead(grantee); - }, - }; - } - - /** - * Use an existing asset as a file source - */ - public static fromAsset(asset: s3assets.Asset): Files { - return { - bind: () => ({ - commands: [ - `echo "Downloading additional files from ${asset.s3ObjectUrl}"`, - `aws s3 cp ${asset.s3ObjectUrl} /tmp/dl.zip`, - 'unzip /tmp/dl.zip -d .', - ], - }), - grantRead: (grantee) => asset.grantRead(grantee), - }; - } - - protected constructor() { - } - - /** - * Bind the Files to a usage location - */ - public abstract bind(scope: Construct): FilesConfig; - - /** - * Grant read permissions to the file set to the given grantable - * - * Must be called after bind(). - */ - - public abstract grantRead(grantee: IGrantable): void; -} - -/** - * Config for a Files source - */ -export interface FilesConfig { - /** - * CodePipeline artifact to add to the set of input artifacts for the project - * - * @default - No artifact - */ - readonly artifact?: codepipeline.Artifact; - - /** - * Commands to add to the set of commands for the project - * - * @default - No commands - */ - readonly commands?: string[]; -} diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts deleted file mode 100644 index f2751fc92af49..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/index.ts +++ /dev/null @@ -1 +0,0 @@ -export * from './shell-script-action'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts b/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts deleted file mode 100644 index fa24517321942..0000000000000 --- a/packages/aws-cdk-lib/pipelines/lib/legacy/validation/shell-script-action.ts +++ /dev/null @@ -1,253 +0,0 @@ -import { Construct } from 'constructs'; -import * as codebuild from '../../../../aws-codebuild'; -import * as codepipeline from '../../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../../aws-codepipeline-actions'; -import * as ec2 from '../../../../aws-ec2'; -import * as events from '../../../../aws-events'; -import * as iam from '../../../../aws-iam'; -import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../private/default-codebuild-image'; -import { StackOutput } from '../stage'; - -/** - * Properties for ShellScriptAction - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export interface ShellScriptActionProps { - /** - * Name of the validation action in the pipeline - */ - readonly actionName: string; - - /** - * Stack outputs to make available as environment variables - * - * @default - No outputs used - */ - readonly useOutputs?: Record; - - /** - * Commands to run - */ - readonly commands: string[]; - - /** - * Bash options to set at the start of the script - * - * @default '-eu' (errexit and nounset) - */ - readonly bashOptions?: string; - - /** - * Additional artifacts to use as input for the CodeBuild project - * - * You can use these files to load more complex test sets into the - * shellscript build environment. - * - * The files artifact given here will be unpacked into the current - * working directory, the other ones will be unpacked into directories - * which are available through the environment variables - * $CODEBUILD_SRC_DIR_. - * - * The CodeBuild job must have at least one input artifact, so you - * must provide either at least one additional artifact here or one - * stack output using `useOutput`. - * - * @default - No additional artifacts - */ - readonly additionalArtifacts?: codepipeline.Artifact[]; - - /** - * The CodeBuild environment where scripts are executed. - * - * @default LinuxBuildImage.STANDARD_7_0 - */ - readonly environment?: codebuild.BuildEnvironment; - - /** - * Environment variables to send into build - * - * @default - No additional environment variables - */ - readonly environmentVariables?: Record; - - /** - * RunOrder for this action - * - * Use this to sequence the shell script after the deployments. - * - * The default value is 100 so you don't have to supply the value if you just - * want to run this after the application stacks have been deployed, and you - * don't have more than 100 stacks. - * - * @default 100 - */ - readonly runOrder?: number; - - /** - * Additional policy statements to add to the execution role - * - * @default - No policy statements - */ - readonly rolePolicyStatements?: iam.PolicyStatement[]; - - /** - * The VPC where to execute the specified script. - * - * @default - No VPC - */ - readonly vpc?: ec2.IVpc; - - /** - * Which subnets to use. - * - * Only used if 'vpc' is supplied. - * - * @default - All private subnets. - */ - readonly subnetSelection?: ec2.SubnetSelection; - - /** - * Which security group to associate with the script's project network interfaces. - * If no security group is identified, one will be created automatically. - * - * Only used if 'vpc' is supplied. - * - * @default - Security group will be automatically created. - * - */ - readonly securityGroups?: ec2.ISecurityGroup[]; -} - -/** - * Validate a revision using shell commands - * - * @deprecated This class is part of the old API. Use the API based on the `CodePipeline` class instead - */ -export class ShellScriptAction implements codepipeline.IAction, iam.IGrantable { - private _project?: codebuild.IProject; - - private _action?: codepipeline_actions.CodeBuildAction; - private _actionProperties: codepipeline.ActionProperties; - - constructor(private readonly props: ShellScriptActionProps) { - // A number of actionProperties get read before bind() is even called (so before we - // have made the Project and can construct the actual CodeBuildAction) - // - // - actionName - // - resource - // - region - // - category - // - role - // - owner - this._actionProperties = { - actionName: props.actionName, - category: codepipeline.ActionCategory.BUILD, - provider: 'CodeBuild', - artifactBounds: { minInputs: 0, maxInputs: 5, minOutputs: 0, maxOutputs: 5 }, - inputs: [], - outputs: [], - }; - - if (Object.keys(props.useOutputs ?? {}).length + (props.additionalArtifacts ?? []).length === 0) { - throw new Error('You must supply either \'useOutputs\' or \'additionalArtifacts\', since a CodeBuild Action must always have at least one input artifact.'); - } - } - - /** - * The CodeBuild Project's principal - */ - public get grantPrincipal(): iam.IPrincipal { - return this.project.grantPrincipal; - } - - /** - * Exists to implement IAction - */ - public get actionProperties(): codepipeline.ActionProperties { - return this._actionProperties; - } - - /** - * Exists to implement IAction - */ - public bind(scope: Construct, stage: codepipeline.IStage, options: codepipeline.ActionBindOptions): codepipeline.ActionConfig { - const inputs = new Array(); - inputs.push(...this.props.additionalArtifacts ?? []); - - const envVarCommands = new Array(); - - const bashOptions = this.props.bashOptions ?? '-eu'; - if (bashOptions) { - envVarCommands.push(`set ${bashOptions}`); - } - for (const [varName, output] of Object.entries(this.props.useOutputs ?? {})) { - const outputArtifact = output.artifactFile; - - // Add the artifact to the list of inputs, if it's not in there already. Determine - // the location where CodeBuild is going to stick it based on whether it's the first (primary) - // input or an 'extra input', then parse. - let artifactIndex = inputs.findIndex(a => a.artifactName === outputArtifact.artifact.artifactName); - if (artifactIndex === -1) { - artifactIndex = inputs.push(outputArtifact.artifact) - 1; - } - const dirEnv = artifactIndex === 0 ? 'CODEBUILD_SRC_DIR' : `CODEBUILD_SRC_DIR_${outputArtifact.artifact.artifactName}`; - envVarCommands.push(`export ${varName}="$(node -pe 'require(process.env.${dirEnv} + "/${outputArtifact.fileName}")["${output.outputName}"]')"`); - } - - this._project = new codebuild.PipelineProject(scope, 'Project', { - environment: this.props.environment || { buildImage: CDKP_DEFAULT_CODEBUILD_IMAGE }, - vpc: this.props.vpc, - securityGroups: this.props.securityGroups, - subnetSelection: this.props.subnetSelection, - buildSpec: codebuild.BuildSpec.fromObject({ - version: '0.2', - phases: { - build: { - commands: [ - ...envVarCommands, - ...this.props.commands, - ], - }, - }, - }), - }); - for (const statement of this.props.rolePolicyStatements ?? []) { - this._project.addToRolePolicy(statement); - } - - this._action = new codepipeline_actions.CodeBuildAction({ - actionName: this.props.actionName, - input: inputs[0], - extraInputs: inputs.slice(1), - runOrder: this.props.runOrder ?? 100, - project: this._project, - environmentVariables: this.props.environmentVariables, - }); - // Replace the placeholder actionProperties at the last minute - this._actionProperties = this._action.actionProperties; - - return this._action.bind(scope, stage, options); - } - - /** - * Project generated to run the shell script in - */ - public get project(): codebuild.IProject { - if (!this._project) { - throw new Error('Project becomes available after ShellScriptAction has been bound to a stage'); - } - return this._project; - } - - /** - * Exists to implement IAction - */ - public onStateChange(name: string, target?: events.IRuleTarget, options?: events.RuleProps): events.Rule { - if (!this._action) { - throw new Error('Need bind() first'); - } - - return this._action.onStateChange(name, target, options); - } -} diff --git a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts b/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts deleted file mode 100644 index 1da9b4ecfb71e..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/codepipeline/codepipeline-existing.test.ts +++ /dev/null @@ -1,65 +0,0 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; -import * as codePipeline from '../../../aws-codepipeline'; -import * as cdk from '../../../core'; -import * as cdkp from '../../lib'; - -describeDeprecated('codepipeline existing', () => { - - test('Does not allow setting a pipelineName if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - pipelineName: 'CustomPipelineName', - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'pipelineName' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling crossAccountKeys if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - crossAccountKeys: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'crossAccountKeys' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow enabling key rotation if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CdkPipeline(stack, 'CDKPipeline', { - enableKeyRotation: true, - codePipeline: existingCodePipeline, - cloudAssemblyArtifact: new codePipeline.Artifact(), - }); - }).toThrow("Cannot set 'enableKeyRotation' if an existing CodePipeline is given using 'codePipeline'"); - }); - - test('Does not allow setting crossRegionReplicationBuckets if an existing CodePipeline is given', () => { - const app = new cdk.App(); - const stack = new cdk.Stack(app, 'PipelineStack'); - const existingCodePipeline = new codePipeline.Pipeline(stack, 'CustomCodePipeline'); - - expect(() => { - new cdkp.CodePipeline(stack, 'CDKPipeline', { - crossRegionReplicationBuckets: {}, // Even the empty set is forbidden. - codePipeline: existingCodePipeline, - synth: new cdkp.ShellStep('Synth', { - commands: ['echo hello'], - }), - }).buildPipeline(); - }).toThrow("Cannot set 'crossRegionReplicationBuckets' if an existing CodePipeline is given using 'codePipeline'"); - }); -}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts index 1f222fee6c439..189f671764c5e 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/assets.test.ts @@ -5,7 +5,7 @@ import * as cb from '../../../aws-codebuild'; import * as ec2 from '../../../aws-ec2'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, FileAssetApp, MegaAssetsApp, TwoFileAssetsApp, DockerAssetApp, PlainStackApp, stringLike } from '../testhelpers'; const FILE_ASSET_SOURCE_HASH = '8289faf53c7da377bb2b90615999171adef5e1d8f6b88810e5fef75e6ca09ba5'; const FILE_ASSET_SOURCE_HASH2 = 'ac76997971c3f6ddf37120660003f1ced72b4fc58c498dfd99c78fa77e721e0e'; @@ -16,6 +16,61 @@ const IMAGE_PUBLISHING_ROLE = 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role let app: TestApp; let pipelineStack: Stack; +function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { + if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } + + return { + PolicyDocument: { + Statement: [{ + Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, + ]], + }, + }, + { + Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, + ]], + }, + }, + { + Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), + }, + { + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Effect: 'Allow', + Resource: [ + { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, + { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, + ], + }, + { + Action: ['kms:Decrypt', 'kms:DescribeKey'], + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, + }], + }, + Roles: [{ Ref: attachedRole }], + }; +} + beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -26,550 +81,174 @@ afterEach(() => { }); describe('basic pipeline', () => { - behavior('no assets stage if the application has no assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new PlainStackApp(app, 'App')); - THEN_codePipelineExpectation(); - }); + test('no assets stage if the application has no assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new PlainStackApp(app, 'App')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new PlainStackApp(app, 'App')); - - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([Match.objectLike({ + Name: 'Assets', + })])), }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([Match.objectLike({ - Name: 'Assets', - })])), - }); - } }); - describe('asset stage placement', () => { - behavior('assets stage comes before any user-defined stages', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('up to 50 assets fit in a single stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('51 assets triggers a second stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } - }); - - behavior('101 assets triggers a third stage', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' - Match.objectLike({ Name: stringLike('Assets*2') }), - Match.objectLike({ Name: stringLike('Assets*3') }), - Match.objectLike({ Name: 'App' }), - ], - }); - } + test('assets stage comes before any user-defined stages', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); }); - behavior('command line properly locates assets in subassembly', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); + test('up to 50 assets fit in a single stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 50 })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: 'Assets' }), + Match.objectLike({ Name: 'App' }), + ], }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), - }, - }, - })), - }, - }); - } }); - behavior('multiple assets are published in parallel', (suite) => { - suite.legacy(() => { + describe('asset stage placement', () => { + test('51 assets triggers a second stage', () => { // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 51 })); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ RunOrder: 1 }), - Match.objectLike({ RunOrder: 1 }), - ], - }]), - }); - } - }); - - behavior('assets are also published when using the lower-level addStackArtifactDeployment', (suite) => { - suite.legacy(() => { - // GIVEN - const asm = new FileAssetApp(app, 'FileAssetApp').synth(); - - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage('SomeStage').addStackArtifactDeployment(asm.getStackByName('FileAssetApp-Stack')); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - Match.objectLike({ - Name: 'FileAsset1', - RunOrder: 1, - }), - ], - }]), - }); - }); - - // This function does not exist in the modern API - suite.doesNotApply.modern(); - }); - - behavior('file image asset publishers do not use privilegedmode', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, - }, - })), - }, - Environment: Match.objectLike({ - PrivilegedMode: false, - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }), + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: 'App' }), + ], }); - } - }); - - behavior('docker image asset publishers use privilegedmode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); + }, + ); - suite.modern(() => { + test('101 assets triggers a third stage', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); + pipeline.addStage(new MegaAssetsApp(app, 'App', { numAssets: 101 })); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith([stringLike('cdk-assets *')]), - }, - }, - })), - }, - Environment: Match.objectLike({ - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: true, - }), + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + Match.objectLike({ Name: stringLike('Assets*') }), // 'Assets' vs 'Assets.1' + Match.objectLike({ Name: stringLike('Assets*2') }), + Match.objectLike({ Name: stringLike('Assets*3') }), + Match.objectLike({ Name: 'App' }), + ], }); - } + }, + ); }); - behavior('can control fix/CLI version used in asset publishing', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - pipeline.addApplicationStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cliVersion: '1.2.3', - }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + test('command line properly locates assets in subassembly', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g cdk-assets@1.2.3'], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`]), }, - })), - }, - }); - } - }); - - describe('asset roles and policies', () => { - behavior('includes file publishing assets role for apps with file assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } - }); - - behavior('publishing assets role may assume roles from multiple environments', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2', { - env: { - account: '0123456789012', - region: 'eu-west-1', - }, - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], - 'CdkAssetsFileRole6BE17A07')); - } + })), + }, }); + }, + ); - behavior('publishing assets role de-dupes assumed roles', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App2')); - pipeline.addApplicationStage(new FileAssetApp(app, 'App3')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new FileAssetApp(app, 'App2')); - pipeline.addStage(new FileAssetApp(app, 'App3')); + test('multiple assets are published in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + Match.objectLike({ RunOrder: 1 }), + Match.objectLike({ RunOrder: 1 }), + ], + }]), }); + }, + ); - behavior('includes image publishing assets role for apps with Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); - }); + test('file image asset publishers do not use privilegedmode', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { - AssumeRolePolicyDocument: { - Statement: [ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Principal: { - Service: 'codebuild.amazonaws.com', - }, - }, - ], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), + }, }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } - }); - - behavior('includes both roles for apps with both file and Docker assets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new FileAssetApp(app, 'App1')); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - // Expectation expects to see KMS key policy permissions - crossAccountKeys: true, - }); - pipeline.addStage(new FileAssetApp(app, 'App1')); - pipeline.addStage(new DockerAssetApp(app, 'App2')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', - expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); - } - }); - }); -}); - -behavior('can supply pre-install scripts to asset upload', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPreInstallCommands: [ - 'npm config set registry https://registry.com', - ], + })), + }, + Environment: Match.objectLike({ + PrivilegedMode: false, + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }), }); - pipeline.addApplicationStage(new FileAssetApp(app, 'FileAssetApp')); + }, + ); - THEN_codePipelineExpectation(); - }); + test('docker image asset publishers use privilegedmode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - assetPublishingCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - version: '0.2', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ phases: { - install: { - commands: [ - 'npm config set registry https://registry.com', - ], + build: { + commands: Match.arrayWith([stringLike('cdk-assets *')]), }, }, - }), + })), }, + Environment: Match.objectLike({ + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: true, + }), }); - pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); + }, + ); - THEN_codePipelineExpectation(); - }); + test('can control fix/CLI version used in asset publishing', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + cliVersion: '1.2.3', + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'FileAssetApp')); - function THEN_codePipelineExpectation() { Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, @@ -578,268 +257,304 @@ behavior('can supply pre-install scripts to asset upload', (suite) => { BuildSpec: Match.serializedJson(Match.objectLike({ phases: { install: { - commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], + commands: ['npm install -g cdk-assets@1.2.3'], }, }, })), }, }); - } -}); + }, + ); -describe('pipeline with VPC', () => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'Vpc'); - }); - - behavior('asset CodeBuild Project uses VPC subnets', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: Match.objectLike({ - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, - { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, - { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, - ], - VpcId: { Ref: 'Vpc8378EB38' }, - }), + describe('asset roles and policies', () => { + test('includes file publishing assets role for apps with file assets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - } - }); + pipeline.addStage(new FileAssetApp(app, 'App1')); - behavior('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, + ], + }, }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('publishing assets role may assume roles from multiple environments', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkAssetsDockerRole484B6DD3' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2', { + env: { + account: '0123456789012', + region: 'eu-west-1', }, - }); - } - }); + })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy([FILE_PUBLISHING_ROLE, 'arn:${AWS::Partition}:iam::0123456789012:role/cdk-hnb659fds-file-publishing-role-0123456789012-eu-west-1'], + 'CdkAssetsFileRole6BE17A07')); + }, + ); - behavior('Asset publishing CodeBuild Projects have correct VPC permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - vpc, + test('publishing assets role de-dupes assumed roles', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'DockerAssetApp')); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new FileAssetApp(app, 'App2')); + pipeline.addStage(new FileAssetApp(app, 'App3')); - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + }, + ); - suite.modern(() => { + test('includes image publishing assets role for apps with Docker assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(); - }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - function THEN_codePipelineExpectation() { - // Assets Project - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { Statement: [ - Match.objectLike({ - Resource: '*', - Action: [ - 'ec2:CreateNetworkInterface', - 'ec2:DescribeNetworkInterfaces', - 'ec2:DeleteNetworkInterface', - 'ec2:DescribeSubnets', - 'ec2:DescribeSecurityGroups', - 'ec2:DescribeDhcpOptions', - 'ec2:DescribeVpcs', - ], - }), + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { + Service: 'codebuild.amazonaws.com', + }, + }, ], }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], - }); - Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { - Properties: { - ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, - }, - DependsOn: [ - 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', - ], - }); - } - }); -}); - -describe('pipeline with single asset publisher', () => { - behavior('multiple assets are using the same job in singlePublisherMode', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); - suite.modern(() => { + test('includes both roles for apps with both file and Docker assets', () => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, + // Expectation expects to see KMS key policy permissions + crossAccountKeys: true, }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + pipeline.addStage(new FileAssetApp(app, 'App1')); + pipeline.addStage(new DockerAssetApp(app, 'App2')); - THEN_codePipelineExpectation(); - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(FILE_PUBLISHING_ROLE, 'CdkAssetsFileRole6BE17A07')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', + expectedAssetRolePolicy(IMAGE_PUBLISHING_ROLE, 'CdkAssetsDockerRole484B6DD3')); + }, + ); + }); +}); - function THEN_codePipelineExpectation() { - // THEN - const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Assets', - Actions: [ - // Only one file asset action - Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: buildSpecName, +test('can supply pre-install scripts to asset upload', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + assetPublishingCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ + version: '0.2', + phases: { + install: { + commands: [ + 'npm config set registry https://registry.com', + ], + }, }, - }); - const assembly = synthesize(pipelineStack); - - const actualFileName = buildSpecName.asString(); + }), + }, + }); + pipeline.addStage(new FileAssetApp(app, 'FileAssetApp')); - const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); - expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); - } + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry https://registry.com', 'npm install -g cdk-assets@2'], + }, + }, + })), + }, }); +}, +); - behavior('other pipeline writes to separate assets build spec file', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); +describe('pipeline with VPC', () => { + let vpc: ec2.Vpc; + beforeEach(() => { + vpc = new ec2.Vpc(pipelineStack, 'Vpc'); + }); - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new LegacyTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - singlePublisherPerType: true, - }); - otherPipeline.addApplicationStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + test('asset CodeBuild Project uses VPC subnets', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); - THEN_codePipelineExpectation(pipelineStack2); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: Match.objectLike({ + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkAssetsDockerAsset1SecurityGroup078F5C66', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'VpcPrivateSubnet1Subnet536B997A' }, + { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }, + { Ref: 'VpcPrivateSubnet3SubnetF258B56E' }, + ], + VpcId: { Ref: 'Vpc8378EB38' }, + }), }); + }, + ); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - publishAssetsInParallel: false, - }); - pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + test('Pipeline-generated CodeBuild Projects have appropriate execution role permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkAssetsDockerRole484B6DD3' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); + }, + ); - const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); - const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { - publishAssetsInParallel: false, - }); - otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + test('Asset publishing CodeBuild Projects have correct VPC permissions', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); + pipeline.addStage(new DockerAssetApp(app, 'DockerAssetApp')); + // Assets Project + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + Match.objectLike({ + Resource: '*', + Action: [ + 'ec2:CreateNetworkInterface', + 'ec2:DescribeNetworkInterfaces', + 'ec2:DeleteNetworkInterface', + 'ec2:DescribeSubnets', + 'ec2:DescribeSecurityGroups', + 'ec2:DescribeDhcpOptions', + 'ec2:DescribeVpcs', + ], + }), + ], + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); + Template.fromStack(pipelineStack).hasResource('AWS::CodeBuild::Project', { + Properties: { + ServiceRole: { 'Fn::GetAtt': ['CdkAssetsDockerRole484B6DD3', 'Arn'] }, + }, + DependsOn: [ + 'CdkAssetsDockerAsset1PolicyDocument8DA96A22', + ], + }); + }, + ); +}); - THEN_codePipelineExpectation(pipelineStack2); +describe('pipeline with single asset publisher', () => { + test('multiple assets are using the same job in singlePublisherMode', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + + // THEN + const buildSpecName = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Assets', + Actions: [ + // Only one file asset action + Match.objectLike({ RunOrder: 1, Name: 'FileAsset' }), + ], + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: buildSpecName, + }, }); + const assembly = synthesize(pipelineStack); - function THEN_codePipelineExpectation(pipelineStack2: Stack) { - // THEN - const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); - const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName1, - }, - }); - Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: buildSpecName2, - }, - }); + const actualFileName = buildSpecName.asString(); - expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); - } + const buildSpec = JSON.parse(fs.readFileSync(path.join(assembly.directory, actualFileName), { encoding: 'utf-8' })); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH}:current_account-current_region"`); + expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); }); -}); - -describe('pipeline with custom asset publisher BuildSpec', () => { - behavior('custom buildspec is merged correctly', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - singlePublisherPerType: true, - assetBuildSpec: cb.BuildSpec.fromObject({ - phases: { - pre_install: { - commands: 'preinstall', - }, - }, - cache: { - paths: 'node_modules', - }, - }), - }); - pipeline.addApplicationStage(new TwoFileAssetsApp(app, 'FileAssetApp')); + test('other pipeline writes to separate assets build spec file', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + publishAssetsInParallel: false, + }); + pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - THEN_codePipelineExpectation(); + const pipelineStack2 = new Stack(app, 'PipelineStack2', { env: PIPELINE_ENV }); + const otherPipeline = new ModernTestGitHubNpmPipeline(pipelineStack2, 'Cdk', { + publishAssetsInParallel: false, + }); + otherPipeline.addStage(new TwoFileAssetsApp(app, 'OtherFileAssetApp')); + // THEN + const buildSpecName1 = new Capture(stringLike('buildspec-*.yaml')); + const buildSpecName2 = new Capture(stringLike('buildspec-*.yaml')); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName1, + }, + }); + Template.fromStack(pipelineStack2).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: buildSpecName2, + }, }); - suite.modern(() => { + expect(buildSpecName1.asString()).not.toEqual(buildSpecName2.asString()); + }, + ); + + describe('pipeline with custom asset publisher BuildSpec', () => { + test('custom buildspec is merged correctly', () => { // WHEN const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { publishAssetsInParallel: false, @@ -858,10 +573,6 @@ describe('pipeline with custom asset publisher BuildSpec', () => { }); pipeline.addStage(new TwoFileAssetsApp(app, 'FileAssetApp')); - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { const buildSpecName = new Capture(stringLike('buildspec-*')); Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { @@ -887,70 +598,11 @@ describe('pipeline with custom asset publisher BuildSpec', () => { expect(buildSpec.phases.build.commands).toContain(`cdk-assets --path "assembly-FileAssetApp/FileAssetAppStackEADD68C5.assets.json" --verbose publish "${FILE_ASSET_SOURCE_HASH2}:current_account-current_region"`); expect(buildSpec.phases.pre_install.commands).toContain('preinstall'); expect(buildSpec.cache.paths).toContain('node_modules'); - } - }); -}); - -function expectedAssetRolePolicy(assumeRolePattern: string | string[], attachedRole: string) { - if (typeof assumeRolePattern === 'string') { assumeRolePattern = [assumeRolePattern]; } - - return { - PolicyDocument: { - Statement: [{ - Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:logs:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:log-group:/aws/codebuild/*`, - ]], - }, - }, - { - Action: ['codebuild:CreateReportGroup', 'codebuild:CreateReport', 'codebuild:UpdateReport', 'codebuild:BatchPutTestCases', 'codebuild:BatchPutCodeCoverages'], - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:codebuild:${PIPELINE_ENV.region}:${PIPELINE_ENV.account}:report-group/*`, - ]], - }, - }, - { - Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: unsingleton(assumeRolePattern.map(arn => { return { 'Fn::Sub': arn }; })), - }, - { - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Effect: 'Allow', - Resource: [ - { 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, - { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['CdkPipelineArtifactsBucket7B46C7BF', 'Arn'] }, '/*']] }, - ], - }, - { - Action: ['kms:Decrypt', 'kms:DescribeKey'], - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['CdkPipelineArtifactsBucketEncryptionKeyDDD3258C', 'Arn'] }, - }], }, - Roles: [{ Ref: attachedRole }], - }; -} - -behavior('necessary secrets manager permissions get added to asset roles', suite => { - // Not possible to configure this for legacy pipelines - suite.doesNotApply.legacy(); + ); + }); - suite.modern(() => { + test('necessary secrets manager permissions get added to asset roles', suite => { const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { assetPublishingCodeBuildDefaults: { buildEnvironment: { @@ -965,70 +617,63 @@ behavior('necessary secrets manager permissions get added to asset roles', suite }); pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); - THEN_codePipelineExpectation(); }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: 'secretsmanager:GetSecretValue', - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', - ], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: 'secretsmanager:GetSecretValue', + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', ], - }, - }]), - }, - Roles: [ - { Ref: 'PipelineAssetsFileRole59943A77' }, - ], - }); - } -}); - -behavior('adding environment variable to assets job adds SecretsManager permissions', suite => { - // No way to manipulate buildEnvironment in legacy API - suite.doesNotApply.legacy(); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { - assetPublishingCodeBuildDefaults: { - buildEnvironment: { - environmentVariables: { - FOOBAR: { - value: 'FoobarSecret', - type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, - }, + ], + }, + }]), + }, + Roles: [ + { Ref: 'PipelineAssetsFileRole59943A77' }, + ], + }); +}, +); + +test('adding environment variable to assets job adds SecretsManager permissions', suite => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Pipeline', { + assetPublishingCodeBuildDefaults: { + buildEnvironment: { + environmentVariables: { + FOOBAR: { + value: 'FoobarSecret', + type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER, }, }, }, - }); - pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); + }, + }); + pipeline.addStage(new FileAssetApp(pipelineStack, 'MyApp')); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - Match.objectLike({ - Action: 'secretsmanager:GetSecretValue', - Effect: 'Allow', - Resource: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', - ]], - }, - }), - ]), - }, - }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + Match.objectLike({ + Action: 'secretsmanager:GetSecretValue', + Effect: 'Allow', + Resource: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':secretsmanager:us-pipeline:123pipeline:secret:FoobarSecret-??????', + ]], + }, + }), + ]), + }, }); }); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts index 75d58084dadfb..5b77f78d5614d 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/basic-behavior.test.ts @@ -4,7 +4,7 @@ import * as path from 'path'; import { Construct } from 'constructs'; import { Capture, Match, Template } from '../../../assertions'; import { Stack, Stage, StageProps, Tags } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, BucketStack, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,205 +18,137 @@ afterEach(() => { app.cleanup(); }); -behavior('stack templates in nested assemblies are correctly addressed', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplatePath: stringLike('*::assembly-App/*.template.json'), - }), +test('stack templates in nested assemblies are correctly addressed', () => { + + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'App')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplatePath: stringLike('*::assembly-App/*.template.json'), }), - ]), - }]), - }); - } -}); - -behavior('obvious error is thrown when stage contains no stacks', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - // WHEN - expect(() => { - pipeline.addApplicationStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - // WHEN - expect(() => { - pipeline.addStage(new Stage(app, 'EmptyStage')); - }).toThrow(/should contain at least one Stack/); - }); -}); - -behavior('overridden stack names are respected', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addApplicationStage(new OneStackAppWithCustomName(app, 'App2')); - - THEN_codePipelineExpectation(); + }), + ]), + }]), }); +}, +); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); - pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); +test('obvious error is thrown when stage contains no stacks', () => { - THEN_codePipelineExpectation(); - }); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App1', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - { - Name: 'App2', - Actions: Match.arrayWith([Match.objectLike({ - Name: stringLike('*Prepare'), - Configuration: Match.objectLike({ - StackName: 'MyFancyStack', - }), - })]), - }, - ]), - }); - } + // WHEN + expect(() => { + pipeline.addStage(new Stage(app, 'EmptyStage')); + }).toThrow(/should contain at least one Stack/); }); -behavior('changing CLI version leads to a different pipeline structure (restarting it)', (suite) => { - suite.legacy(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); +test('overridden stack names are respected', () => { - // WHEN - new LegacyTestGitHubNpmPipeline(stack2, 'Cdk', { - cdkCliVersion: '1.2.3', - }); - new LegacyTestGitHubNpmPipeline(stack3, 'Cdk', { - cdkCliVersion: '4.5.6', - }); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App1')); + pipeline.addStage(new OneStackAppWithCustomName(app, 'App2')); - THEN_codePipelineExpectation(stack2, stack3); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App1', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + { + Name: 'App2', + Actions: Match.arrayWith([Match.objectLike({ + Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'MyFancyStack', + }), + })]), + }, + ]), }); +}, +); - suite.modern(() => { - // GIVEN - const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); - const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); +test('changing CLI version leads to a different pipeline structure (restarting it)', () => { - // WHEN - new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { - cliVersion: '1.2.3', - }); - new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { - cliVersion: '4.5.6', - }); + // GIVEN + const stack2 = new Stack(app, 'Stack2', { env: PIPELINE_ENV }); + const stack3 = new Stack(app, 'Stack3', { env: PIPELINE_ENV }); - THEN_codePipelineExpectation(stack2, stack3); + // WHEN + new ModernTestGitHubNpmPipeline(stack2, 'Cdk', { + cliVersion: '1.2.3', + }); + new ModernTestGitHubNpmPipeline(stack3, 'Cdk', { + cliVersion: '4.5.6', }); - function THEN_codePipelineExpectation(stack2: Stack, stack3: Stack) { - // THEN - const structure2 = new Capture(); - const structure3 = new Capture(); - - Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure2, - }); - Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: structure3, - }); - - expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); - } -}); - -behavior('tags get reflected in pipeline', (suite) => { - suite.legacy(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addApplicationStage(stage); + // THEN + const structure2 = new Capture(); + const structure3 = new Capture(); - THEN_codePipelineExpectation(); + Template.fromStack(stack2).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure2, }); - - suite.modern(() => { - // WHEN - const stage = new OneStackApp(app, 'App'); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - Tags.of(stage).add('CostCenter', 'F00B4R'); - pipeline.addStage(stage); - THEN_codePipelineExpectation(); + Template.fromStack(stack3).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: structure3, }); - function THEN_codePipelineExpectation() { - // THEN - const templateConfig = new Capture(); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Prepare'), - InputArtifacts: [Match.objectLike({})], - Configuration: Match.objectLike({ - StackName: 'App-Stack', - TemplateConfiguration: templateConfig, - }), + expect(JSON.stringify(structure2.asArray())).not.toEqual(JSON.stringify(structure3.asArray())); +}, +); + +test('tags get reflected in pipeline', () => { + + // WHEN + const stage = new OneStackApp(app, 'App'); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + Tags.of(stage).add('CostCenter', 'F00B4R'); + pipeline.addStage(stage); + + // THEN + const templateConfig = new Capture(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Prepare'), + InputArtifacts: [Match.objectLike({})], + Configuration: Match.objectLike({ + StackName: 'App-Stack', + TemplateConfiguration: templateConfig, }), - ]), - }]), - }); + }), + ]), + }]), + }); - expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); - const [, relConfigFile] = templateConfig.asString().split('::'); - const absConfigFile = path.join(app.outdir, relConfigFile); - const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); - expect(configFile).toEqual(expect.objectContaining({ - Tags: { - CostCenter: 'F00B4R', - }, - })); - } -}); + expect(templateConfig.asString()).toMatch(/::assembly-App\/.*\.template\..*json/); + const [, relConfigFile] = templateConfig.asString().split('::'); + const absConfigFile = path.join(app.outdir, relConfigFile); + const configFile = JSON.parse(fs.readFileSync(absConfigFile, { encoding: 'utf-8' })); + expect(configFile).toEqual(expect.objectContaining({ + Tags: { + CostCenter: 'F00B4R', + }, + })); +}, +); class OneStackAppWithCustomName extends Stage { constructor(scope: Construct, id: string, props?: StageProps) { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts index e0266239dff2d..8c71f8eeeb2ed 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/docker-credentials.test.ts @@ -6,7 +6,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, DockerAssetApp, stringLike } from '../testhelpers'; const secretSynthArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:synth-012345'; const secretUpdateArn = 'arn:aws:secretsmanager:eu-west-1:0123456789012:secret:update-012345'; @@ -30,248 +30,176 @@ afterEach(() => { app.cleanup(); }); -behavior('synth action receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); +test('synth action receives install commands and access to relevant credentials', () => { - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), + }, + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretSynthArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], - }); - } -}); - -behavior('synth action receives Windows install commands if a Windows image is detected', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk2', { - npmSynthOptions: { - environment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretSynthArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('Cdk*BuildProjectRole*') }], + }); +}, +); + +test('synth action receives Windows install commands if a Windows image is detected', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { + synth: new CodeBuildStep('Synth', { + commands: ['cdk synth'], + primaryOutputDirectory: 'cdk.out', + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + buildEnvironment: { + buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, + computeType: cb.ComputeType.MEDIUM, }, - }); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + }), }); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk2', { - synth: new CodeBuildStep('Synth', { - commands: ['cdk synth'], - primaryOutputDirectory: 'cdk.out', - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - buildEnvironment: { - buildImage: cb.WindowsBuildImage.WINDOWS_BASE_2_0, - computeType: cb.ComputeType.MEDIUM, - }, - }), - }); - pipeline.addStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation(); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, }); - function THEN_codePipelineExpectation() { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'synth.example.com': { secretsManagerSecretId: secretSynthArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: 'aws/codebuild/windows-base:2.0' }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: Match.arrayWith([ - 'mkdir %USERPROFILE%\\.cdk', - `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Synth project - build: { - commands: Match.arrayWith([stringLike('*cdk*synth*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: 'aws/codebuild/windows-base:2.0' }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir %USERPROFILE%\\.cdk', + `echo '${expectedCredsConfig}' > %USERPROFILE%\\.cdk\\cdk-docker-creds.json`, + ]), }, - })), - }, - }); - } -}); - -behavior('self-update receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); + // Prove we're looking at the Synth project + build: { + commands: Match.arrayWith([stringLike('*cdk*synth*')]), + }, + }, + })), + }, }); +}, +); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); +test('self-update receives install commands and access to relevant credentials', () => { + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - THEN_codePipelineExpectation('pre_build'); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, }); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'selfupdate.example.com': { secretsManagerSecretId: secretUpdateArn } }, - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the SelfMutate project - build: { - commands: Match.arrayWith([ - stringLike('cdk * deploy PipelineStack*'), - ]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretUpdateArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], - }); - } -}); - -behavior('asset publishing receives install commands and access to relevant credentials', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new DockerAssetApp(app, 'App1')); - - THEN_codePipelineExpectation('install'); + // Prove we're looking at the SelfMutate project + build: { + commands: Match.arrayWith([ + stringLike('cdk * deploy PipelineStack*'), + ]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretUpdateArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: stringLike('*SelfMutat*Role*') }], }); +}, +); - suite.modern(() => { - const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); - pipeline.addStage(new DockerAssetApp(app, 'App1')); +test('asset publishing receives install commands and access to relevant credentials', () => { - THEN_codePipelineExpectation('pre_build'); - }); + const pipeline = new ModernPipelineWithCreds(pipelineStack, 'Cdk'); + pipeline.addStage(new DockerAssetApp(app, 'App1')); - function THEN_codePipelineExpectation(expectedPhase: string) { - const expectedCredsConfig = JSON.stringify({ - version: '1.0', - domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, - }); + const expectedCredsConfig = JSON.stringify({ + version: '1.0', + domainCredentials: { 'publish.example.com': { secretsManagerSecretId: secretPublishArn } }, + }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [expectedPhase]: { - commands: Match.arrayWith([ - 'mkdir $HOME/.cdk', - `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, - ]), - }, - // Prove we're looking at the Publishing project - build: { - commands: Match.arrayWith([stringLike('cdk-assets*')]), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + pre_build: { + commands: Match.arrayWith([ + 'mkdir $HOME/.cdk', + `echo '${expectedCredsConfig}' > $HOME/.cdk/cdk-docker-creds.json`, + ]), }, - })), - }, - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], - Effect: 'Allow', - Resource: secretPublishArn, - }]), - Version: '2012-10-17', - }, - Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], - }); - } + // Prove we're looking at the Publishing project + build: { + commands: Match.arrayWith([stringLike('cdk-assets*')]), + }, + }, + })), + }, + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'], + Effect: 'Allow', + Resource: secretPublishArn, + }]), + Version: '2012-10-17', + }, + Roles: [{ Ref: 'CdkAssetsDockerRole484B6DD3' }], + }); }); -class LegacyPipelineWithCreds extends LegacyTestGitHubNpmPipeline { - constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { - super(scope, id, { - dockerCredentials: [ - cdkp.DockerCredential.customRegistry('synth.example.com', secretSynth, { - usages: [cdkp.DockerCredentialUsage.SYNTH], - }), - cdkp.DockerCredential.customRegistry('selfupdate.example.com', secretUpdate, { - usages: [cdkp.DockerCredentialUsage.SELF_UPDATE], - }), - cdkp.DockerCredential.customRegistry('publish.example.com', secretPublish, { - usages: [cdkp.DockerCredentialUsage.ASSET_PUBLISHING], - }), - ], - ...props, - }); - } -} - class ModernPipelineWithCreds extends ModernTestGitHubNpmPipeline { constructor(scope: Construct, id: string, props?: ConstructorParameters[2]) { super(scope, id, { diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts index 777ffb83a0d2c..a401fba860488 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/environments.test.ts @@ -1,7 +1,7 @@ /* eslint-disable import/no-extraneous-dependencies */ import { Match, Template } from '../../../assertions'; import { Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; +import { OneStackApp, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -15,378 +15,389 @@ afterEach(() => { app.cleanup(); }); -behavior('action has right settings for same-env deployment', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('legacy: even if env is specified but the same as the pipeline', () => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same')); - - THEN_codePipelineExpection(agnosticRole); - }); - - suite.additional('modern: even if env is specified but the same as the pipeline', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new OneStackApp(app, 'Same', { - env: PIPELINE_ENV, - })); - - THEN_codePipelineExpection(pipelineEnvRole); - }); - - function THEN_codePipelineExpection(roleArn: (x: string) => any) { - // THEN: pipeline structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Same', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - RoleArn: roleArn('cfn-exec-role'), - }), - }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: roleArn('deploy-role'), - Configuration: Match.objectLike({ - StackName: 'Same-Stack', - }), - }), - ], - }]), - }); - - // THEN: artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: roleArn('deploy-role'), +test('action has right settings for same-env deployment', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same')); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-account deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN: Pipelien structure is correct - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossAccount', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-cfn-exec-role-', + { Ref: 'AWS::AccountId' }, + '-', { Ref: 'AWS::Region' }, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', - { Ref: 'AWS::Region' }, - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-', + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, + }); +}); + +test('even if env is specified but the same as the pipeline', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new OneStackApp(app, 'Same', { + env: PIPELINE_ENV, + })); + + // THEN: pipeline structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Same', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-', - { Ref: 'AWS::Region' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-cfn-exec-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, ]], }, - Configuration: Match.objectLike({ - StackName: 'CrossAccount-Stack', - }), }), - ], - }]), - }); + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'Same-Stack', + }), + }), + ], + }]), + }); + + // THEN: artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-deploy-role-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, + ]], + }, + }, + })]), + }, + }); +}); - // THEN: Artifact bucket can be read by deploy role - Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Principal: { - AWS: { +test('action has right settings for cross-account deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, + }); + pipeline.addStage(new OneStackApp(app, 'CrossAccount', { env: { account: 'you' } })); + + // THEN: Pipelien structure is correct + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossAccount', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], + }, + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-', { Ref: 'AWS::Region' }, ]], }, + }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-', + { Ref: 'AWS::Region' }, + ]], }, - })]), - }, - }); - } -}); - -behavior('action has right settings for cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + Configuration: Match.objectLike({ + StackName: 'CrossAccount-Stack', + }), + }), + ], + }]), + }); - THEN_codePipelineExpectation(); + // THEN: Artifact bucket can be read by deploy role + Template.fromStack(pipelineStack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + { Ref: 'AWS::Region' }, + ]], + }, + }, + })]), + }, }); +}); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); +test('action has right settings for cross-region deployment', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossRegion', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossRegion', { env: { region: 'elsewhere' } })); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossRegion', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, ':iam::', { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', + ':role/cdk-hnb659fds-cfn-exec-role-', { Ref: 'AWS::AccountId' }, '-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-cfn-exec-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - ':role/cdk-hnb659fds-deploy-role-', - { Ref: 'AWS::AccountId' }, - '-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossRegion-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::', + { Ref: 'AWS::AccountId' }, + ':role/cdk-hnb659fds-deploy-role-', + { Ref: 'AWS::AccountId' }, + '-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossRegion-Stack', }), - ], - }]), - }); - } -}); - -behavior('action has right settings for cross-account/cross-region deployment', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); + }), + ], + }]), }); +}, +); - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - crossAccountKeys: true, - }); - pipeline.addStage(new OneStackApp(app, 'CrossBoth', { - env: { - account: 'you', - region: 'elsewhere', - }, - })); - - THEN_codePipelineExpectations(); +test('action has right settings for cross-account/cross-region deployment', () => { + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + crossAccountKeys: true, }); - - function THEN_codePipelineExpectations() { - // THEN: pipeline structure must be correct - const stack = app.stackArtifact(pipelineStack); - expect(stack).toBeDefined(); - Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'CrossBoth', - Actions: [ - Match.objectLike({ - Name: stringLike('*Prepare'), + pipeline.addStage(new OneStackApp(app, 'CrossBoth', { + env: { + account: 'you', + region: 'elsewhere', + }, + })); + + // THEN: pipeline structure must be correct + const stack = app.stackArtifact(pipelineStack); + expect(stack).toBeDefined(); + Template.fromStack(stack!).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'CrossBoth', + Actions: [ + Match.objectLike({ + Name: stringLike('*Prepare'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', RoleArn: { 'Fn::Join': ['', [ 'arn:', { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', ]], }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-cfn-exec-role-you-elsewhere', - ]], - }, - }), }), - Match.objectLike({ - Name: stringLike('*Deploy'), - RoleArn: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', - ]], - }, - Region: 'elsewhere', - Configuration: Match.objectLike({ - StackName: 'CrossBoth-Stack', - }), + }), + Match.objectLike({ + Name: stringLike('*Deploy'), + RoleArn: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':iam::you:role/cdk-hnb659fds-deploy-role-you-elsewhere', + ]], + }, + Region: 'elsewhere', + Configuration: Match.objectLike({ + StackName: 'CrossBoth-Stack', }), - ], - }]), - }); + }), + ], + }]), + }); - // THEN: artifact bucket can be read by deploy role - const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); - expect(supportStack).toBeDefined(); - Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // THEN: artifact bucket can be read by deploy role + const supportStack = app.stackArtifact('PipelineStack-support-elsewhere'); + expect(supportStack).toBeDefined(); + Template.fromStack(supportStack!).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['s3:GetObject*', 's3:GetBucket*', 's3:List*']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); + }, + })]), + }, + }); - // And the key to go along with it - Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { - KeyPolicy: { - Statement: Match.arrayWith([Match.objectLike({ - Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), - Principal: { - AWS: { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - stringLike('*-deploy-role-*'), - ]], - }, + // And the key to go along with it + Template.fromStack(supportStack!).hasResourceProperties('AWS::KMS::Key', { + KeyPolicy: { + Statement: Match.arrayWith([Match.objectLike({ + Action: Match.arrayWith(['kms:Decrypt', 'kms:DescribeKey']), + Principal: { + AWS: { + 'Fn::Join': ['', [ + 'arn:', + { Ref: 'AWS::Partition' }, + stringLike('*-deploy-role-*'), + ]], }, - })]), - }, - }); - } -}); - -function agnosticRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':iam::', - { Ref: 'AWS::AccountId' }, - `:role/cdk-hnb659fds-${roleName}-`, - { Ref: 'AWS::AccountId' }, - '-', - { Ref: 'AWS::Region' }, - ]], - }; -} - -function pipelineEnvRole(roleName: string) { - return { - 'Fn::Join': ['', [ - 'arn:', - { Ref: 'AWS::Partition' }, - `:iam::${PIPELINE_ENV.account}:role/cdk-hnb659fds-${roleName}-${PIPELINE_ENV.account}-${PIPELINE_ENV.region}`, - ]], - }; -} \ No newline at end of file + }, + })]), + }, + }); +}, +); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts index a6bf349aee638..6497e202a624c 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/escape-hatching.test.ts @@ -1,23 +1,19 @@ -import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; import { Match, Template } from '../../../assertions'; import * as cp from '../../../aws-codepipeline'; import * as cpa from '../../../aws-codepipeline-actions'; import { SecretValue, Stack } from '../../../core'; import * as cdkp from '../../lib'; -import { CodePipelineFileSet } from '../../lib'; -import { behavior, FileAssetApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, TestGitHubAction } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, TestApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; let sourceArtifact: cp.Artifact; -let cloudAssemblyArtifact: cp.Artifact; let codePipeline: cp.Pipeline; beforeEach(() => { app = new TestApp(); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); sourceArtifact = new cp.Artifact(); - cloudAssemblyArtifact = new cp.Artifact(); }); afterEach(() => { @@ -29,247 +25,91 @@ describe('with empty existing CodePipeline', () => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline'); }); - behavior('both actions are required', (suite) => { - suite.legacy(() => { - // WHEN - expect(() => { - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { cloudAssemblyArtifact, codePipeline }); - }).toThrow(/You must pass a 'sourceAction'/); - }); - - // 'synth' is not optional so this doesn't apply - suite.doesNotApply.modern(); - }); + test('can give both actions', () => { - behavior('can give both actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - codePipeline, - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); + // WHEN + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['true'], + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -describe('with custom Source stage in existing Pipeline', () => { - beforeEach(() => { - codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: [ + Match.objectLike({ Name: 'Source' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), ], }); - }); - - behavior('Work with synthAction', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), - commands: ['true'], - }), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); + }, + ); }); -describeDeprecated('with Source and Build stages in existing Pipeline', () => { +describe('with custom Source stage in existing Pipeline', () => { beforeEach(() => { codePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { stages: [ { stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], + actions: [new cpa.GitHubSourceAction({ + actionName: 'GitHub', + output: sourceArtifact, + oauthToken: SecretValue.unsafePlainText('$3kr1t'), + owner: 'test', + repo: 'test', + trigger: cpa.GitHubTrigger.POLL, + })], }, ], }); }); - behavior('can supply no actions', (suite) => { - suite.legacy(() => { - // WHEN - new cdkp.CdkPipeline(pipelineStack, 'Cdk', { - codePipeline, - cloudAssemblyArtifact, - }); + test('Work with synthAction', () => { - THEN_codePipelineExpectation(); + new cdkp.CodePipeline(pipelineStack, 'Cdk', { + codePipeline, + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineFileSet.fromArtifact(sourceArtifact), + commands: ['true'], + }), }); - suite.modern(() => { - new cdkp.CodePipeline(pipelineStack, 'Cdk', { - codePipeline, - synth: cdkp.CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - ], - }); - } - }); -}); - -behavior('can add another action to an existing stage', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.stage('Source').addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.buildPipeline(); - - pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ - actionName: 'GitHub2', - oauthToken: SecretValue.unsafePlainText('oops'), - output: new cp.Artifact(), - owner: 'OWNER', - repo: 'REPO', - })); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { + // THEN Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), - Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), - ], - }]), + Stages: [ + Match.objectLike({ Name: 'CustomSource' }), + Match.objectLike({ Name: 'Build' }), + Match.objectLike({ Name: 'UpdatePipeline' }), + ], }); - } + }, + ); }); -behavior('assets stage inserted after existing pipeline actions', (suite) => { - let existingCodePipeline: cp.Pipeline; - beforeEach(() => { - existingCodePipeline = new cp.Pipeline(pipelineStack, 'CodePipeline', { - stages: [ - { - stageName: 'CustomSource', - actions: [new TestGitHubAction(sourceArtifact)], - }, - { - stageName: 'CustomBuild', - actions: [cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact })], - }, +test('can add another action to an existing stage', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.buildPipeline(); + + pipeline.pipeline.stages[0].addAction(new cpa.GitHubSourceAction({ + actionName: 'GitHub2', + oauthToken: SecretValue.unsafePlainText('oops'), + output: new cp.Artifact(), + owner: 'OWNER', + repo: 'REPO', + })); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }) }), + Match.objectLike({ ActionTypeId: Match.objectLike({ Provider: 'GitHub' }), Name: 'GitHub2' }), ], - }); + }]), }); +}, +); - suite.legacy(() => { - const pipeline = new cdkp.CdkPipeline(pipelineStack, 'CdkEmptyPipeline', { - cloudAssemblyArtifact: cloudAssemblyArtifact, - selfMutating: false, - codePipeline: existingCodePipeline, - // No source/build actions - }); - pipeline.addApplicationStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new cdkp.CodePipeline(pipelineStack, 'CdkEmptyPipeline', { - codePipeline: existingCodePipeline, - selfMutation: false, - synth: CodePipelineFileSet.fromArtifact(cloudAssemblyArtifact), - // No source/build actions - }); - pipeline.addStage(new FileAssetApp(app, 'App')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ - Match.objectLike({ Name: 'CustomSource' }), - Match.objectLike({ Name: 'CustomBuild' }), - Match.objectLike({ Name: 'Assets' }), - Match.objectLike({ Name: 'App' }), - ], - }); - } -}); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts index 88138cb2b840f..75935cccf9827 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/security-check.test.ts @@ -3,8 +3,7 @@ import { Topic } from '../../../aws-sns'; import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; -import { behavior } from '../testhelpers/compliance'; +import { ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, TestApp, stringLike } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,417 +17,209 @@ afterEach(() => { app.cleanup(); }); -behavior('security check option generates lambda/codebuild at pipeline scope', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); +test('security check option generates lambda/codebuild at pipeline scope', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), + const template = Template.fromStack(pipelineStack); + template.resourceCountIs('AWS::Lambda::Function', 1); + template.hasResourceProperties('AWS::Lambda::Function', { + Role: { + 'Fn::GetAtt': [ + stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), + 'Arn', ], - }); - - THEN_codePipelineExpectation(); + }, }); - - function THEN_codePipelineExpectation() { - const template = Template.fromStack(pipelineStack); - template.resourceCountIs('AWS::Lambda::Function', 1); - template.hasResourceProperties('AWS::Lambda::Function', { - Role: { - 'Fn::GetAtt': [ - stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), - 'Arn', - ], + // 1 for github build, 1 for synth stage, and 1 for the application security check + template.resourceCountIs('AWS::CodeBuild::Project', 3); + + // No CodeBuild project has a build image that is not the standard iamge + const projects = template.findResources('AWS::CodeBuild::Project', { + Properties: { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, }, - }); - // 1 for github build, 1 for synth stage, and 1 for the application security check - template.resourceCountIs('AWS::CodeBuild::Project', 3); - - // No CodeBuild project has a build image that is not the standard iamge - const projects = template.findResources('AWS::CodeBuild::Project', { - Properties: { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - }, - }); - expect(Object.keys(projects).length).toEqual(3); - } -}); - -behavior('security check option passes correct environment variables to check project', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(pipelineStack, 'App'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); + }, }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(pipelineStack, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); + expect(Object.keys(projects).length).toEqual(3); +}, +); + +test('security check option passes correct environment variables to check project', () => { + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(pipelineStack, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'App', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: stringLike('*Check'), - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, - { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, - { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, - ]), - }), + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'App', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: stringLike('*Check'), + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'STAGE_PATH', type: 'PLAINTEXT', value: 'PipelineSecurityStack/App' }, + { name: 'STAGE_NAME', type: 'PLAINTEXT', value: 'App' }, + { name: 'ACTION_NAME', type: 'PLAINTEXT', value: Match.anyValue() }, + ]), }), - ]), - }, - ]), - }); - } -}); - -behavior('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'App'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); + }), + ]), + }, + ]), }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new OneStackApp(app, 'App'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Check', { - stage, - }), - ], - }); - - THEN_codePipelineExpectation(); +}, +); + +test('pipeline created with auto approve tags and lambda/codebuild w/ valid permissions', () => { + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new OneStackApp(app, 'App'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Check', { + stage, + }), + ], }); - function THEN_codePipelineExpectation() { - // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - }); - // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], - Condition: { - StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, - }, - Effect: 'Allow', - Resource: '*', - }, - ], - }, - }); - // CodeBuild must have access to the stacks and invoking the lambda function - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': [ - 'deploy', - ], - }, - }, - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'lambda:InvokeFunction', - Effect: 'Allow', - Resource: [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - { - 'Fn::Join': [ - '', - [ - { - 'Fn::GetAtt': [ - stringLike('*AutoApprove*'), - 'Arn', - ], - }, - ':*', - ], - ], - }, - ], - }, - ]), + // CodePipeline must be tagged as SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Tags: [ + { + Key: 'SECURITY_CHECK', + Value: 'ALLOW_APPROVE', }, - }); - } -}); - -behavior('confirmBroadeningPermissions option at addApplicationStage runs security check on all apps unless overriden', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const securityStage = pipeline.addApplicationStage(new OneStackApp(app, 'StageSecurityCheckStack'), { confirmBroadeningPermissions: true }); - securityStage.addApplication(new OneStackApp(app, 'AnotherStack')); - securityStage.addApplication(new OneStackApp(app, 'SkipCheckStack'), { confirmBroadeningPermissions: false }); - - THEN_codePipelineExpectation(); + ], }); - - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ + // Lambda Function only has access to pipelines tagged SECURITY_CHECK=ALLOW_APPROVE + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, - { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', - }, - { - Actions: [ - Match.objectLike({ Name: 'StageSecurityCheckStackSecurityCheck', RunOrder: 1 }), - Match.objectLike({ Name: 'StageSecurityCheckStackManualApproval', RunOrder: 2 }), - Match.objectLike({ Name: 'AnotherStackSecurityCheck', RunOrder: 5 }), - Match.objectLike({ Name: 'AnotherStackManualApproval', RunOrder: 6 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Prepare', RunOrder: 7 }), - Match.objectLike({ Name: 'AnotherStack-Stack.Deploy', RunOrder: 8 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Prepare', RunOrder: 9 }), - Match.objectLike({ Name: 'SkipCheckStack-Stack.Deploy', RunOrder: 10 }), - ], - Name: 'StageSecurityCheckStack', + Action: ['codepipeline:GetPipelineState', 'codepipeline:PutApprovalResult'], + Condition: { + StringEquals: { 'aws:ResourceTag/SECURITY_CHECK': 'ALLOW_APPROVE' }, + }, + Effect: 'Allow', + Resource: '*', }, ], - }); - } -}); - -behavior('confirmBroadeningPermissions option at addApplication runs security check only on selected application', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const noSecurityStage = pipeline.addApplicationStage(new OneStackApp(app, 'NoSecurityCheckStack')); - noSecurityStage.addApplication(new OneStackApp(app, 'EnableCheckStack'), { confirmBroadeningPermissions: true }); - - THEN_codePipelineExpectation(); + }, }); - - // For the modern API, there is no inheritance - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: [ + // CodeBuild must have access to the stacks and invoking the lambda function + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ { - Actions: [Match.objectLike({ Name: 'GitHub', RunOrder: 1 })], - Name: 'Source', - }, - { - Actions: [Match.objectLike({ Name: 'Synth', RunOrder: 1 })], - Name: 'Build', - }, - { - Actions: [Match.objectLike({ Name: 'SelfMutate', RunOrder: 1 })], - Name: 'UpdatePipeline', + Action: 'sts:AssumeRole', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': [ + 'deploy', + ], + }, + }, + Effect: 'Allow', + Resource: '*', }, { - Actions: [ - Match.objectLike({ Name: 'EnableCheckStackSecurityCheck', RunOrder: 3 }), - Match.objectLike({ Name: 'EnableCheckStackManualApproval', RunOrder: 4 }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 1 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 2 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Prepare', RunOrder: 5 }), - Match.objectLike({ Name: 'EnableCheckStack-Stack.Deploy', RunOrder: 6 }), + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + Resource: [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + { + 'Fn::Join': [ + '', + [ + { + 'Fn::GetAtt': [ + stringLike('*AutoApprove*'), + 'Arn', + ], + }, + ':*', + ], + ], + }, ], - Name: 'NoSecurityCheckStack', }, - ], - }); - } -}); - -behavior('confirmBroadeningPermissions and notification topic options generates the right resources', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyStack'), { - confirmBroadeningPermissions: true, - securityNotificationTopic: topic, - }); - - THEN_codePipelineExpectation(); + ]), + }, }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const topic = new Topic(pipelineStack, 'NotificationTopic'); - const stage = new OneStackApp(app, 'MyStack'); - pipeline.addStage(stage, { - pre: [ - new cdkp.ConfirmPermissionsBroadening('Approve', { - stage, - notificationTopic: topic, - }), - ], - }); - - THEN_codePipelineExpectation(); +}, +); + +test('confirmBroadeningPermissions and notification topic options generates the right resources', () => { + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const topic = new Topic(pipelineStack, 'NotificationTopic'); + const stage = new OneStackApp(app, 'MyStack'); + pipeline.addStage(stage, { + pre: [ + new cdkp.ConfirmPermissionsBroadening('Approve', { + stage, + notificationTopic: topic, + }), + ], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'MyStack', - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: stringLike('*SecurityCheck*') }, - EnvironmentVariables: { - 'Fn::Join': ['', [ - stringLike('*'), - { Ref: 'NotificationTopicEB7A0DF1' }, - stringLike('*'), - ]], - }, - }, - Name: stringLike('*Check'), - Namespace: stringLike('*'), - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: stringLike('#{*.MESSAGE}'), - ExternalEntityLink: stringLike('#{*.LINK}'), + Template.fromStack(pipelineStack).resourceCountIs('AWS::SNS::Topic', 1); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'MyStack', + Actions: [ + Match.objectLike({ + Configuration: { + ProjectName: { Ref: stringLike('*SecurityCheck*') }, + EnvironmentVariables: { + 'Fn::Join': ['', [ + stringLike('*'), + { Ref: 'NotificationTopicEB7A0DF1' }, + stringLike('*'), + ]], }, - Name: stringLike('*Approv*'), - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - }, - ]), - }); - } -}); - -behavior('Stages declared outside the pipeline create their own ApplicationSecurityCheck', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const pipelineStage = pipeline.codePipeline.addStage({ - stageName: 'UnattachedStage', - }); - - const unattachedStage = new cdkp.CdkStage(pipelineStack, 'UnattachedStage', { - stageName: 'UnattachedStage', - pipelineStage, - cloudAssemblyArtifact: pipeline.cloudAssemblyArtifact, - host: { - publishAsset: () => undefined, - stackOutputArtifact: () => undefined, + }, + Name: stringLike('*Check'), + Namespace: stringLike('*'), + RunOrder: 1, + }), + Match.objectLike({ + Configuration: { + CustomData: stringLike('#{*.MESSAGE}'), + ExternalEntityLink: stringLike('#{*.LINK}'), + }, + Name: stringLike('*Approv*'), + RunOrder: 2, + }), + Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), + Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), + ], }, - }); - - unattachedStage.addApplication(new OneStackApp(app, 'UnattachedStage'), { - confirmBroadeningPermissions: true, - }); - - THEN_codePipelineExpectation(); + ]), }); - - // Not a valid use of the modern API - suite.doesNotApply.modern(); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1); - // 1 for github build, 1 for synth stage, and 1 for the application security check - Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Tags: [ - { - Key: 'SECURITY_CHECK', - Value: 'ALLOW_APPROVE', - }, - ], - Stages: [ - Match.objectLike({ Name: 'Source' }), - Match.objectLike({ Name: 'Build' }), - Match.objectLike({ Name: 'UpdatePipeline' }), - { - Actions: [ - Match.objectLike({ - Configuration: { - ProjectName: { Ref: 'UnattachedStageStageApplicationSecurityCheckCDKSecurityCheckADCE795B' }, - }, - Name: 'UnattachedStageSecurityCheck', - RunOrder: 1, - }), - Match.objectLike({ - Configuration: { - CustomData: '#{UnattachedStageSecurityCheck.MESSAGE}', - ExternalEntityLink: '#{UnattachedStageSecurityCheck.LINK}', - }, - Name: 'UnattachedStageManualApproval', - RunOrder: 2, - }), - Match.objectLike({ Name: 'Stack.Prepare', RunOrder: 3 }), - Match.objectLike({ Name: 'Stack.Deploy', RunOrder: 4 }), - ], - Name: 'UnattachedStage', - }, - ], - }); - } -}); \ No newline at end of file +}, +); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts index 98828dc57eb47..836ee9472eb78 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/self-mutation.test.ts @@ -4,7 +4,7 @@ import * as cb from '../../../aws-codebuild'; import * as cp from '../../../aws-codepipeline'; import { Stack, Stage } from '../../../core'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, LegacyTestGitHubNpmPipeline, PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -18,288 +18,192 @@ afterEach(() => { app.cleanup(); }); -behavior('CodePipeline has self-mutation stage', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); +test('CodePipeline has self-mutation stage', () => { - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); - }); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: [ - Match.objectLike({ - Name: 'SelfMutate', - Configuration: Match.objectLike({ - ProjectName: { Ref: Match.anyValue() }, - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: [ + Match.objectLike({ + Name: 'SelfMutate', + Configuration: Match.objectLike({ + ProjectName: { Ref: Match.anyValue() }, }), - ], - }]), - }); + }), + ], + }]), + }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@2'], }, - })), - Type: 'CODEPIPELINE', - }, - }); - } -}); - -behavior('selfmutation stage correctly identifies nested assembly of pipeline stack', (suite) => { - suite.legacy(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new LegacyTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - - THEN_codePipelineExpectation(nestedPipelineStack); + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), + }, + }, + })), + Type: 'CODEPIPELINE', + }, }); +}, +); - suite.modern(() => { - const pipelineStage = new Stage(app, 'PipelineStage'); - const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); - new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); +test('selfmutation stage correctly identifies nested assembly of pipeline stack', () => { - THEN_codePipelineExpectation(nestedPipelineStack); - }); + const pipelineStage = new Stage(app, 'PipelineStage'); + const nestedPipelineStack = new Stack(pipelineStage, 'PipelineStack', { env: PIPELINE_ENV }); + new ModernTestGitHubNpmPipeline(nestedPipelineStack, 'Cdk'); - function THEN_codePipelineExpectation(nestedPipelineStack: Stack) { - Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), - }, + Template.fromStack(nestedPipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: Match.arrayWith(['cdk -a assembly-PipelineStage deploy PipelineStage/PipelineStack --require-approval=never --verbose']), }, - })), - }, - }); - } -}); - -behavior('selfmutation feature can be turned off', (suite) => { - suite.legacy(() => { - const cloudAssemblyArtifact = new cp.Artifact(); - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - cloudAssemblyArtifact, - selfMutating: false, - }); - - THEN_codePipelineExpectation(); + }, + })), + }, }); +}, +); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutation: false, - }); +test('selfmutation feature can be turned off', () => { - THEN_codePipelineExpectation(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutation: false, }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.not(Match.arrayWith([{ - Name: 'UpdatePipeline', - Actions: Match.anyValue(), - }])), - }); - } -}); - -behavior('can control fix/CLI version used in pipeline selfupdate', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cdkCliVersion: '1.2.3', - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.not(Match.arrayWith([{ + Name: 'UpdatePipeline', + Actions: Match.anyValue(), + }])), }); +}, +); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - pipelineName: 'vpipe', - cliVersion: '1.2.3', - }); - - THEN_codePipelineExpectation(); +test('can control fix/CLI version used in pipeline selfupdate', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + pipelineName: 'vpipe', + cliVersion: '1.2.3', }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Name: 'vpipe-selfupdate', - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm install -g aws-cdk@1.2.3'], - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Name: 'vpipe-selfupdate', + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm install -g aws-cdk@1.2.3'], }, - })), - }, - }); - } -}); - -behavior('Pipeline stack itself can use assets (has implications for selfupdate)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - supportDockerAssets: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { - dockerEnabledForSelfMutation: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - PrivilegedMode: true, - }, - }); + }, + })), + }, }); -}); +}, +); -behavior('self-update project role uses tagged bootstrap-role permissions', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('Pipeline stack itself can use assets (has implications for selfupdate)', () => { - THEN_codePipelineExpectations(); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'PrivilegedPipeline', { + dockerEnabledForSelfMutation: true, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectations(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + PrivilegedMode: true, + }, }); +}); - function THEN_codePipelineExpectations() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([ - { - Action: 'sts:AssumeRole', - Effect: 'Allow', - Resource: 'arn:*:iam::123pipeline:role/*', - Condition: { - 'ForAnyValue:StringEquals': { - 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], - }, +test('self-update project role uses tagged bootstrap-role permissions', () => { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Resource: 'arn:*:iam::123pipeline:role/*', + Condition: { + 'ForAnyValue:StringEquals': { + 'iam:ResourceTag/aws-cdk:bootstrap-role': ['image-publishing', 'file-publishing', 'deploy'], }, }, - { - Action: 'cloudformation:DescribeStacks', - Effect: 'Allow', - Resource: '*', - }, - { - Action: 's3:ListBucket', - Effect: 'Allow', - Resource: '*', - }, - ]), - }, - }); - } -}); + }, + { + Action: 'cloudformation:DescribeStacks', + Effect: 'Allow', + Resource: '*', + }, + { + Action: 's3:ListBucket', + Effect: 'Allow', + Resource: '*', + }, + ]), + }, + }); +}, +); + +test('self-mutation stage can be customized with BuildSpec', () => { -behavior('self-mutation stage can be customized with BuildSpec', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationBuildSpec: cb.BuildSpec.fromObject({ + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + selfMutationCodeBuildDefaults: { + partialBuildSpec: cb.BuildSpec.fromObject({ phases: { install: { - commands: 'npm config set registry example.com', + commands: ['npm config set registry example.com'], }, }, cache: { - paths: 'node_modules', + paths: ['node_modules'], }, }), - }); - - THEN_codePipelineExpectation(); + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - selfMutationCodeBuildDefaults: { - partialBuildSpec: cb.BuildSpec.fromObject({ - phases: { - install: { - commands: ['npm config set registry example.com'], - }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + PrivilegedMode: false, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], }, - cache: { - paths: ['node_modules'], + build: { + commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), }, - }), - }, - }); - - THEN_codePipelineExpectation(); + }, + cache: { + paths: ['node_modules'], + }, + })), + Type: 'CODEPIPELINE', + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - PrivilegedMode: false, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: ['npm config set registry example.com', 'npm install -g aws-cdk@2'], - }, - build: { - commands: Match.arrayWith(['cdk -a . deploy PipelineStack --require-approval=never --verbose']), - }, - }, - cache: { - paths: ['node_modules'], - }, - })), - Type: 'CODEPIPELINE', - }, - }); - } -}); +}, +); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts index 827c2839a6462..4f42151c3d39b 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/stack-ordering.test.ts @@ -1,6 +1,6 @@ import { Match, Template } from '../../../assertions'; import { App, Stack } from '../../../core'; -import { behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; +import { ModernTestGitHubNpmPipeline, PIPELINE_ENV, sortByRunOrder, TestApp, ThreeStackApp, TwoStackApp } from '../testhelpers'; let app: App; let pipelineStack: Stack; @@ -10,169 +10,43 @@ beforeEach(() => { pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); }); -behavior('interdependent stacks are in the right order', (suite) => { - suite.legacy(() => { - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - } -}); - -behavior('multiple independent stacks go in parallel', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new ThreeStackApp(app, 'MyApp')); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - // 1 and 2 in parallel - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - // Then 3 - Match.objectLike({ Name: 'Stack3.Prepare' }), - Match.objectLike({ Name: 'Stack3.Deploy' }), - ]), - }]), - }); - } -}); - -behavior('user can request manual change set approvals', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'ManualApproval' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'ManualApproval2' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - ]), - }]), - }); - }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request extra runorder space between prepare and deploy', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new TwoStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack1.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'Stack1.Deploy', - RunOrder: 3, - }), - Match.objectLike({ - Name: 'Stack2.Prepare', - RunOrder: 4, - }), - Match.objectLike({ - Name: 'Stack2.Deploy', - RunOrder: 6, - }), - ]), - }]), - }); +test('interdependent stacks are in the right order', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + ]), + }]), }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); - -behavior('user can request both manual change set approval and extraRunOrderSpace', (suite) => { - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addApplicationStage(new OneStackApp(app, 'MyApp'), { - extraRunOrderSpace: 1, - manualApprovals: true, - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ - Name: 'Stack.Prepare', - RunOrder: 1, - }), - Match.objectLike({ - Name: 'ManualApproval', - RunOrder: 2, - }), - Match.objectLike({ - Name: 'Stack.Deploy', - RunOrder: 4, - }), - ]), - }]), - }); +}, +); + +test('multiple independent stacks go in parallel', () => { + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new ThreeStackApp(app, 'MyApp')); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + // 1 and 2 in parallel + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + // Then 3 + Match.objectLike({ Name: 'Stack3.Prepare' }), + Match.objectLike({ Name: 'Stack3.Deploy' }), + ]), + }]), }); - - // No change set approvals in Modern API for now. - suite.doesNotApply.modern(); -}); +}, +); diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts index 30cbed9db1faf..4bbb8d261dcd6 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/synths.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodeBuildStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { behavior, PIPELINE_ENV, TestApp, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; +import { PIPELINE_ENV, TestApp, ModernTestGitHubNpmPipeline, ModernTestGitHubNpmPipelineProps, OneStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -19,10 +19,6 @@ let cloudAssemblyArtifact: codepipeline.Artifact; // Must be unique across all test files, but preferably also consistent const OUTDIR = 'testcdk0.out'; -// What phase install commands get rendered to -const LEGACY_INSTALLS = 'pre_build'; -const MODERN_INSTALLS = 'install'; - beforeEach(() => { app = new TestApp({ outdir: OUTDIR }); pipelineStack = new Stack(app, 'PipelineStack', { env: PIPELINE_ENV }); @@ -34,1124 +30,748 @@ afterEach(() => { app.cleanup(); }); -behavior('synth takes arrays of commands', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - - THEN_codePipelineExpectation(LEGACY_INSTALLS); +test('synth takes arrays of commands', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + 'install1', + 'install2', + ], + }, + build: { + commands: [ + 'build1', + 'build2', + 'test1', + 'test2', + 'cdk synth', + ], + }, + }, + })), + }, }); +}, +); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); +test('synth sets artifact base-directory to cdk.out', () => { - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: [ - 'install1', - 'install2', - ], - }, - build: { - commands: [ - 'build1', - 'build2', - 'test1', - 'test2', - 'cdk synth', - ], - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'base-directory': 'cdk.out', + }, + })), + }, + }); +}, +); + +test('synth supports setting subdirectory', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['cd subdir'], + commands: ['true'], + primaryOutputDirectory: 'subdir/cdk.out', + }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: Match.arrayWith(['cd subdir']), }, - })), - }, - }); - } -}); - -behavior('synth sets artifact base-directory to cdk.out', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - THEN_codePipelineExpectation(); + }, + artifacts: { + 'base-directory': 'subdir/cdk.out', + }, + })), + }, }); +}, +); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('npm synth sets, or allows setting, UNSAFE_PERM=true', () => { - THEN_codePipelineExpectation(); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + NPM_CONFIG_UNSAFE_PERM: 'true', + }, }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'base-directory': 'cdk.out', - }, - })), - }, - }); - } -}); - -behavior('synth supports setting subdirectory', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - subdirectory: 'subdir', - }), - }); - - THEN_codePipelineExpectation(LEGACY_INSTALLS); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + EnvironmentVariables: [ + { + Name: 'NPM_CONFIG_UNSAFE_PERM', + Type: 'PLAINTEXT', + Value: 'true', + }, + ], + }, + }); +}, +); + +test('Magic CodePipeline variables passed to synth envvars must be rendered in the action', () => { + + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + env: { + VERSION: codepipeline.GlobalVariables.executionId, + }, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson(Match.arrayWith([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ])), + }), + }), + ], + }]), }); +}, +); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['cd subdir'], - commands: ['true'], - primaryOutputDirectory: 'subdir/cdk.out', - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); +test('CodeBuild: environment variables specified in multiple places are correctly merged', () => { - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + env: { + SOME_ENV_VAR: 'SomeValue', }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: Match.arrayWith(['cd subdir']), - }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + environmentVariables: { + INNER_VAR: { value: 'InnerValue' }, + }, + privileged: true, + }, + }), + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + 'install1', + 'install2', + ], }, - artifacts: { - 'base-directory': 'subdir/cdk.out', + build: { + commands: [ + 'build1', + 'build2', + 'test1', + 'test2', + 'cdk synth', + ], }, - })), - }, - }); - } -}); - -behavior('npm synth sets, or allows setting, UNSAFE_PERM=true', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }), - }); - - THEN_codePipelineExpectation(); + }, + })), + }, }); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', env: { - NPM_CONFIG_UNSAFE_PERM: 'true', - }, - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - EnvironmentVariables: [ - { - Name: 'NPM_CONFIG_UNSAFE_PERM', - Type: 'PLAINTEXT', - Value: 'true', - }, - ], - }, - }); - } -}); - -behavior('synth assumes a JavaScript project by default (no build, yes synth)', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ sourceArtifact, cloudAssemblyArtifact }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['npm ci'], - }, - build: { - commands: ['npx cdk synth'], - }, - }, - })), + SOME_ENV_VAR: 'SomeValue', }, - }); - }); - - // Modern pipeline does not assume anything anymore - suite.doesNotApply.modern(); -}); - -behavior('Magic CodePipeline variables passed to synth envvars must be rendered in the action', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + buildEnvironment: { environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, + INNER_VAR: { value: 'InnerValue' }, }, - synthCommand: 'synth', - }), - }); - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - env: { - VERSION: codepipeline.GlobalVariables.executionId, + privileged: true, }, - }); - - THEN_codePipelineExpectation(); + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson(Match.arrayWith([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ])), - }), - }), - ], - }]), - }); - } -}); - -behavior('CodeBuild: environment variables specified in multiple places are correctly merged', (suite) => { - // We don't support merging environment variables in this way in the legacy API - suite.doesNotApply.legacy(); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - env: { - SOME_ENV_VAR: 'SomeValue', - }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, - }, - privileged: true, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); - - suite.additional('modern2, using the specific CodeBuild action', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - env: { - SOME_ENV_VAR: 'SomeValue', + { + Name: 'SOME_ENV_VAR', + Type: 'PLAINTEXT', + Value: 'SomeValue', }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['install1', 'install2'], }, - privileged: true, - }, - }), - }); - THEN_codePipelineExpectation(MODERN_INSTALLS); - }); - - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', + build: { + commands: ['synth'], }, - { - Name: 'SOME_ENV_VAR', - Type: 'PLAINTEXT', - Value: 'SomeValue', + }, + })), + }, + }); +}, +); + +test('install command can be overridden/specified', () => { + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['/bin/true'], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: ['/bin/true'], }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['install1', 'install2'], + }, + })), + }, + }); +}, +); + +test('Synth can output additional artifacts', () => { + + // WHEN + const synth = new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['cdk synth'], + }); + synth.addOutputDirectory('test'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: synth, + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + artifacts: { + 'secondary-artifacts': { + Synth_Output: { + 'base-directory': 'cdk.out', + 'files': '**/*', }, - build: { - commands: ['synth'], + Synth_test: { + 'base-directory': 'test', + 'files': '**/*', }, }, - })), - }, - }); - } -}); + }, + })), + }, + }); +}, +); -behavior('install command can be overridden/specified', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - }), - }); +test('Synth can be made to run in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); - THEN_codePipelineExpectation(LEGACY_INSTALLS); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, }); - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['/bin/true'], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); +}); - THEN_codePipelineExpectation(MODERN_INSTALLS); +test('Modern, using the synthCodeBuildDefaults', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synthCodeBuildDefaults: { vpc }, }); - function THEN_codePipelineExpectation(installPhase: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - [installPhase]: { - commands: ['/bin/true'], - }, - }, - })), - }, - }); - } + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); }); -behavior('synth can have its test commands set', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - installCommand: '/bin/true', - testCommands: ['echo "Running tests"'], - }), - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - pre_build: { - commands: ['/bin/true'], - }, - build: { - commands: ['echo "Running tests"', 'npx cdk synth'], - }, - }, - })), +test('Modern, using CodeBuildStep', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); + }), + codeBuildDefaults: { vpc }, }); - // There are no implicit commands in modern synth - suite.doesNotApply.modern(); -}); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, + ], + Subnets: [ + { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, + { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, + ], + VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + }, + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + Roles: [ + { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, + ], + PolicyDocument: { + Statement: Match.arrayWith([{ + Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), + Effect: 'Allow', + Resource: '*', + }]), + }, + }); +}, +); -behavior('Synth can output additional artifacts', (suite) => { - suite.legacy(() => { - // WHEN - const addlArtifact = new codepipeline.Artifact('IntegTest'); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [ - { - artifact: addlArtifact, - directory: 'test', - }, - ], - }), - }); +test('Pipeline action contains a hash that changes as the buildspec changes', () => { + const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - THEN_codePipelineExpectation('CloudAsm', 'IntegTest'); - }); + // To make sure the hash is not just random :) + const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - suite.modern(() => { - // WHEN - const synth = new cdkp.ShellStep('Synth', { + const hash2 = modernSynthWithAction(() => ({ + installCommands: ['do install'], + })); + const hash3 = modernSynthWithAction(() => ({ + synth: new CodeBuildStep('Synth', { + commands: ['asdf'], input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['cdk synth'], - }); - synth.addOutputDirectory('test'); - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: synth, - }); - - THEN_codePipelineExpectation('Synth_Output', 'Synth_test'); - }); - - function THEN_codePipelineExpectation(asmArtifact: string, testArtifact: string) { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - artifacts: { - 'secondary-artifacts': { - [asmArtifact]: { - 'base-directory': 'cdk.out', - 'files': '**/*', - }, - [testArtifact]: { - 'base-directory': 'test', - 'files': '**/*', - }, - }, - }, - })), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + computeType: cbuild.ComputeType.LARGE, }, - }); - } + }), + })); + + const hash4 = modernSynthWithAction(() => ({ + env: { + xyz: 'SOME-VALUE', + }, + })); + + expect(hash1).toEqual(hash1prime); + + expect(hash1).not.toEqual(hash2); + expect(hash1).not.toEqual(hash3); + expect(hash1).not.toEqual(hash4); + expect(hash2).not.toEqual(hash3); + expect(hash2).not.toEqual(hash4); + expect(hash3).not.toEqual(hash4); }); -behavior('Synth can be made to run in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'NpmSynthTestVpc'); +function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { + const _app = new TestApp({ outdir: OUTDIR }); + const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); + + new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); + + return captureProjectConfigHash(_pipelineStack); +} + +function captureProjectConfigHash(_pipelineStack: Stack) { + const theHash = new Capture(); + Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: '_PROJECT_CONFIG_HASH', + type: 'PLAINTEXT', + value: theHash, + }, + ]), + }), + }), + ], + }]), }); - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - vpc, - sourceArtifact, - cloudAssemblyArtifact, - }), - }); + return theHash.asString(); +} - THEN_codePipelineExpectation(); - }); +test('Synth CodeBuild project role can be granted permissions', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); - - THEN_codePipelineExpectation(); - }); + // GIVEN + const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipe.buildPipeline(); - suite.additional('Modern, using the synthCodeBuildDefaults', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synthCodeBuildDefaults: { vpc }, - }); + // WHEN + bucket.grantRead(pipe.synthProject); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}, +); - suite.additional('Modern, using CodeBuildStep', () => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - codeBuildDefaults: { vpc }, - }); +test('Synth can reference an imported ECR repo', () => { - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { 'Fn::GetAtt': ['CdkPipelineBuildSynthCdkBuildProjectSecurityGroupEA44D7C2', 'GroupId'] }, - ], - Subnets: [ - { Ref: 'NpmSynthTestVpcPrivateSubnet1Subnet81E3AA56' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet2SubnetC1CA3EF0' }, - { Ref: 'NpmSynthTestVpcPrivateSubnet3SubnetA04163EE' }, - ], - VpcId: { Ref: 'NpmSynthTestVpc5E703F25' }, + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + commands: ['build'], + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: 'cdk.out', + buildEnvironment: { + buildImage: cbuild.LinuxBuildImage.fromEcrRepository( + ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), + ), }, - }); + }), + }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - Roles: [ - { Ref: 'CdkPipelineBuildSynthCdkBuildProjectRole5E173C62' }, - ], - PolicyDocument: { - Statement: Match.arrayWith([{ - Action: Match.arrayWith(['ec2:DescribeSecurityGroups']), - Effect: 'Allow', - Resource: '*', - }]), - }, - }); - } + // THEN -- no exception (necessary for linter) + expect(true).toBeTruthy(); }); -behavior('Pipeline action contains a hash that changes as the buildspec changes', (suite) => { - suite.legacy(() => { - const hash1 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - // To make sure the hash is not just random :) - const hash1prime = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - })); - - const hash2 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - installCommand: 'do install', - })); - const hash3 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - computeType: cbuild.ComputeType.LARGE, - }, - })); - const hash4 = legacySynthWithAction((sa, cxa) => cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact: sa, - cloudAssemblyArtifact: cxa, - environment: { - environmentVariables: { - xyz: { value: 'SOME-VALUE' }, - }, - }, - })); +test('CodeBuild: Can specify additional policy statements', () => { - expect(hash1).toEqual(hash1prime); + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + primaryOutputDirectory: '.', + commands: ['synth'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], + resources: ['arn:my:arn'], + }), + ], + }), + }); - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: [ + 'codeartifact:*', + 'sts:GetServiceBearerToken', + ], + Resource: 'arn:my:arn', + })]), + }, }); +}, +); - suite.modern(() => { - const hash1 = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - // To make sure the hash is not just random :) - const hash1prime = modernSynthWithAction(() => ({ commands: ['asdf'] })); - - const hash2 = modernSynthWithAction(() => ({ - installCommands: ['do install'], - })); - const hash3 = modernSynthWithAction(() => ({ - synth: new CodeBuildStep('Synth', { - commands: ['asdf'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - computeType: cbuild.ComputeType.LARGE, - }, - }), - })); +test('Multiple input sources in side-by-side directories', () => { - const hash4 = modernSynthWithAction(() => ({ - env: { - xyz: 'SOME-VALUE', + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.ShellStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + commands: ['false'], + additionalInputs: { + '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), + 'sub': new cdkp.ShellStep('Prebuild', { + input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), + commands: ['true'], + primaryOutputDirectory: 'built', + }), }, - })); - - expect(hash1).toEqual(hash1prime); - - expect(hash1).not.toEqual(hash2); - expect(hash1).not.toEqual(hash3); - expect(hash1).not.toEqual(hash4); - expect(hash2).not.toEqual(hash3); - expect(hash2).not.toEqual(hash4); - expect(hash3).not.toEqual(hash4); + }), }); - // eslint-disable-next-line max-len - function legacySynthWithAction(cb: (sourceArtifact: codepipeline.Artifact, cloudAssemblyArtifact: codepipeline.Artifact) => codepipeline.IAction) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - const _sourceArtifact = new codepipeline.Artifact(); - const _cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - - new LegacyTestGitHubNpmPipeline(_pipelineStack, 'Cdk', { - sourceArtifact: _sourceArtifact, - cloudAssemblyArtifact: _cloudAssemblyArtifact, - synthAction: cb(_sourceArtifact, _cloudAssemblyArtifact), - }); - - return captureProjectConfigHash(_pipelineStack); - } - - function modernSynthWithAction(cb: () => ModernTestGitHubNpmPipelineProps) { - const _app = new TestApp({ outdir: OUTDIR }); - const _pipelineStack = new Stack(_app, 'PipelineStack', { env: PIPELINE_ENV }); - - new ModernTestGitHubNpmPipeline(_pipelineStack, 'Cdk', cb()); - - return captureProjectConfigHash(_pipelineStack); - } - - function captureProjectConfigHash(_pipelineStack: Stack) { - const theHash = new Capture(); - Template.fromStack(_pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([ + { + Name: 'Source', + Actions: [ + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), + Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), + ], + }, + { Name: 'Build', Actions: [ + Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), Match.objectLike({ Name: 'Synth', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: '_PROJECT_CONFIG_HASH', - type: 'PLAINTEXT', - value: theHash, - }, - ]), - }), + RunOrder: 2, + InputArtifacts: [ + // 3 input artifacts + Match.anyValue(), + Match.anyValue(), + Match.anyValue(), + ], }), ], - }]), - }); - - return theHash.asString(); - } -}); - -behavior('Synth CodeBuild project role can be granted permissions', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - }); - - suite.legacy(() => { - // GIVEN - const synthAction = cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - }); - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction, - }); - - // WHEN - bucket.grantRead(synthAction); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // GIVEN - const pipe = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipe.buildPipeline(); - - // WHEN - bucket.grantRead(pipe.synthProject); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), }, - }); - } -}); - -behavior('Synth can reference an imported ECR repo', (suite) => { - // Repro from https://github.com/aws/aws-cdk/issues/10535 - - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - environment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), - }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - commands: ['build'], - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: 'cdk.out', - buildEnvironment: { - buildImage: cbuild.LinuxBuildImage.fromEcrRepository( - ecr.Repository.fromRepositoryName(pipelineStack, 'ECRImage', 'my-repo-name'), - ), + ]), + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + install: { + commands: [ + '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', + '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', + ], + }, + build: { + commands: [ + 'false', + ], + }, }, - }), - }); - - // THEN -- no exception (necessary for linter) - expect(true).toBeTruthy(); - }); -}); - -behavior('CodeBuild: Can specify additional policy statements', (suite) => { - suite.legacy(() => { - // WHEN - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - primaryOutputDirectory: '.', - commands: ['synth'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['codeartifact:*', 'sts:GetServiceBearerToken'], - resources: ['arn:my:arn'], - }), - ], - }), - }); - - THEN_codePipelineExpectation(); + })), + }, }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: [ - 'codeartifact:*', - 'sts:GetServiceBearerToken', - ], - Resource: 'arn:my:arn', - })]), - }, - }); - } }); -behavior('Multiple input sources in side-by-side directories', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.ShellStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - commands: ['false'], - additionalInputs: { - '../sibling': cdkp.CodePipelineSource.gitHub('foo/bar', 'main'), - 'sub': new cdkp.ShellStep('Prebuild', { - input: cdkp.CodePipelineSource.gitHub('pre/build', 'main'), - commands: ['true'], - primaryOutputDirectory: 'built', - }), - }, - }), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([ - { - Name: 'Source', - Actions: [ - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'bar' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'build' }) }), - Match.objectLike({ Configuration: Match.objectLike({ Repo: 'test' }) }), - ], - }, - { - Name: 'Build', - Actions: [ - Match.objectLike({ Name: 'Prebuild', RunOrder: 1 }), - Match.objectLike({ - Name: 'Synth', - RunOrder: 2, - InputArtifacts: [ - // 3 input artifacts - Match.anyValue(), - Match.anyValue(), - Match.anyValue(), - ], - }), - ], - }, - ]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - install: { - commands: [ - '[ ! -d "../sibling" ] || { echo \'additionalInputs: "../sibling" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_foo_bar_Source" "../sibling"', - '[ ! -d "sub" ] || { echo \'additionalInputs: "sub" must not exist yet. If you want to merge multiple artifacts, use a "cp" command.\'; exit 1; } && ln -s -- "$CODEBUILD_SRC_DIR_Prebuild_Output" "sub"', - ], - }, - build: { - commands: [ - 'false', - ], - }, +test('Can easily switch on privileged mode for synth', () => { + + // WHEN + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + dockerEnabledForSynth: true, + commands: ['LookAtMe'], + }); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'LookAtMe', + ], }, - })), - }, - }); + }, + })), + }, }); }); -behavior('Can easily switch on privileged mode for synth', (suite) => { - // Legacy API does not support this - suite.doesNotApply.legacy(); - - suite.modern(() => { - // WHEN - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - dockerEnabledForSynth: true, - commands: ['LookAtMe'], - }); +test('can provide custom BuildSpec that is merged with generated one', () => { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'LookAtMe', - ], - }, - }, - })), + new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth: new cdkp.CodeBuildStep('Synth', { + input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), + env: { + SOME_ENV_VAR: 'SomeValue', }, - }); - }); -}); - -behavior('can provide custom BuildSpec that is merged with generated one', (suite) => { - suite.legacy(() => { - new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, + buildEnvironment: { environmentVariables: { - SOME_ENV_VAR: { value: 'SomeValue' }, + INNER_VAR: { value: 'InnerValue' }, }, - environment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, + privileged: true, + }, + installCommands: [ + 'install1', + 'install2', + ], + commands: ['synth'], + partialBuildSpec: cbuild.BuildSpec.fromObject({ + env: { + variables: { + FOO: 'bar', }, - privileged: true, }, - installCommands: [ - 'install1', - 'install2', - ], - synthCommand: 'synth', - buildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, + phases: { + pre_build: { + commands: ['installCustom'], }, - phases: { - pre_build: { - commands: 'installCustom', - }, - }, - cache: { - paths: ['node_modules'], - }, - }), - }), - }); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth: new cdkp.CodeBuildStep('Synth', { - input: cdkp.CodePipelineSource.gitHub('test/test', 'main'), - env: { - SOME_ENV_VAR: 'SomeValue', }, - buildEnvironment: { - environmentVariables: { - INNER_VAR: { value: 'InnerValue' }, - }, - privileged: true, + cache: { + paths: ['node_modules'], }, - installCommands: [ - 'install1', - 'install2', - ], - commands: ['synth'], - partialBuildSpec: cbuild.BuildSpec.fromObject({ - env: { - variables: { - FOO: 'bar', - }, - }, - phases: { - pre_build: { - commands: ['installCustom'], - }, - }, - cache: { - paths: ['node_modules'], - }, - }), }), - }); - - THEN_codePipelineExpectation(); + }), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: Match.objectLike({ - PrivilegedMode: true, - EnvironmentVariables: Match.arrayWith([ - { - Name: 'INNER_VAR', - Type: 'PLAINTEXT', - Value: 'InnerValue', - }, - ]), - }), - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - env: { - variables: { - FOO: 'bar', - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: Match.objectLike({ + PrivilegedMode: true, + EnvironmentVariables: Match.arrayWith([ + { + Name: 'INNER_VAR', + Type: 'PLAINTEXT', + Value: 'InnerValue', + }, + ]), + }), + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + env: { + variables: { + FOO: 'bar', }, - phases: { - pre_build: { - commands: Match.arrayWith(['installCustom']), - }, - build: { - commands: ['synth'], - }, + }, + phases: { + pre_build: { + commands: Match.arrayWith(['installCustom']), }, - cache: { - paths: ['node_modules'], + build: { + commands: ['synth'], }, - })), - }, - }); - } -}); - -behavior('stacks synthesized for pipeline will be checked during synth', (suite) => { - let stage: OneStackApp; - beforeEach(() => { - stage = new OneStackApp(pipelineStack, 'MyApp'); - }); - - suite.legacy(() => { - // WHEN - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: new cdkp.SimpleSynthAction({ - sourceArtifact, - cloudAssemblyArtifact, - installCommands: ['install1', 'install2'], - buildCommands: ['build1', 'build2'], - testCommands: ['test1', 'test2'], - synthCommand: 'cdk synth', - }), - }); - pipeline.addApplicationStage(stage); - - THEN(); + }, + cache: { + paths: ['node_modules'], + }, + })), + }, }); +}, +); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - installCommands: ['install1', 'install2'], - commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], - }); - pipeline.addStage(stage); +test('stacks synthesized for pipeline will be checked during synth', () => { + let stage: OneStackApp = new OneStackApp(pipelineStack, 'MyApp'); - THEN(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + installCommands: ['install1', 'install2'], + commands: ['build1', 'build2', 'test1', 'test2', 'cdk synth'], }); + pipeline.addStage(stage); - function THEN() { - // All stacks in the ASM have been synthesized with 'validateOnSynth: true' - const asm = stage.synth(); - for (const stack of asm.stacks) { - expect(stack.validateOnSynth).toEqual(true); - } + // All stacks in the ASM have been synthesized with 'validateOnSynth: true' + const asm = stage.synth(); + for (const stack of asm.stacks) { + expect(stack.validateOnSynth).toEqual(true); } -}); \ No newline at end of file +}, +); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts index f1a560fdae911..2de8cdcc17b41 100644 --- a/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts +++ b/packages/aws-cdk-lib/pipelines/test/compliance/validations.test.ts @@ -9,7 +9,7 @@ import { Stack } from '../../../core'; import * as cdkp from '../../lib'; import { CodePipelineSource, ShellStep } from '../../lib'; import { CDKP_DEFAULT_CODEBUILD_IMAGE } from '../../lib/private/default-codebuild-image'; -import { AppWithOutput, behavior, LegacyTestGitHubNpmPipeline, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; +import { AppWithOutput, ModernTestGitHubNpmPipeline, OneStackApp, PIPELINE_ENV, sortByRunOrder, StageWithStackOutput, stringNoLongerThan, TestApp, TwoStackApp } from '../testhelpers'; let app: TestApp; let pipelineStack: Stack; @@ -23,775 +23,479 @@ afterEach(() => { app.cleanup(); }); -behavior('can add manual approval after app', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add manual approval after app', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stack1.Prepare' }), - Match.objectLike({ Name: 'Stack1.Deploy' }), - Match.objectLike({ Name: 'Stack2.Prepare' }), - Match.objectLike({ Name: 'Stack2.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyApp', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stack1.Prepare' }), + Match.objectLike({ Name: 'Stack1.Deploy' }), + Match.objectLike({ Name: 'Stack2.Prepare' }), + Match.objectLike({ Name: 'Stack2.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('can add steps to wave', (suite) => { - // No need to be backwards compatible - suite.doesNotApply.legacy(); +test('can add steps to wave', () => { - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const wave = pipeline.addWave('MyWave', { - post: [ - new cdkp.ManualApprovalStep('Approve'), - ], - }); - wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); - wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyWave', - Actions: sortByRunOrder([ - Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), - Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), - Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), - Match.objectLike({ Name: 'Approve' }), - ]), - }]), - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const wave = pipeline.addWave('MyWave', { + post: [ + new cdkp.ManualApprovalStep('Approve'), + ], + }); + wave.addStage(new OneStackApp(pipelineStack, 'Stage1')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage2')); + wave.addStage(new OneStackApp(pipelineStack, 'Stage3')); + + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'MyWave', + Actions: sortByRunOrder([ + Match.objectLike({ Name: 'Stage1.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage2.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage3.Stack.Prepare' }), + Match.objectLike({ Name: 'Stage1.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage2.Stack.Deploy' }), + Match.objectLike({ Name: 'Stage3.Stack.Deploy' }), + Match.objectLike({ Name: 'Approve' }), + ]), + }]), }); }); -behavior('script validation steps can use stack outputs as environment variables', (suite) => { - suite.legacy(() => { - // GIVEN - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'MyApp'); - - // WHEN - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'MyApp', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: Match.anyValue() }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: Match.anyValue() }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); +test('script validation steps can use stack outputs as environment variables', () => { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'export BUCKET_NAME="$(node -pe \'require(process.env.CODEBUILD_SRC_DIR + "/outputs.json")["BucketName"]\')"', - 'echo $BUCKET_NAME', - ], - }, - }, - })), - Type: 'CODEPIPELINE', - }, - }); - }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const myApp = new AppWithOutput(app, 'Alpha'); - pipeline.addStage(myApp, { - post: [ - new cdkp.ShellStep('Approve', { - commands: ['/bin/true'], - envFromCfnOutputs: { - THE_OUTPUT: myApp.theOutput, - }, - }), - ], - }); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Alpha', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: 'AlphaStack6B3389FA', - }), - Match.objectLike({ - Name: 'Approve', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, - ]), - }), - }), - ]), - }]), - }); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const myApp = new AppWithOutput(app, 'Alpha'); + pipeline.addStage(myApp, { + post: [ + new cdkp.ShellStep('Approve', { + commands: ['/bin/true'], + envFromCfnOutputs: { + THE_OUTPUT: myApp.theOutput, + }, + }), + ], }); -}); -behavior('stackOutput generates names limited to 100 characters', (suite) => { - suite.legacy(() => { - const { pipeline } = legacySetup(); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - const pipeStage = pipeline.addApplicationStage(stage); - pipeStage.addActions(new cdkp.ShellScriptAction({ - actionName: 'TestOutput', - useOutputs: { - BUCKET_NAME: pipeline.stackOutput(stage.output), - }, - commands: ['echo $BUCKET_NAME'], - })); - - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - ActionTypeId: { - Provider: 'CodeBuild', - }, - Configuration: { - ProjectName: Match.anyValue(), - }, - InputArtifacts: [{ Name: stringNoLongerThan(100) }], - Name: 'TestOutput', - }), - Match.objectLike({ - Name: 'Stack.Deploy', - OutputArtifacts: [{ Name: stringNoLongerThan(100) }], - Configuration: { - OutputFileName: 'outputs.json', - }, - }), - ]), - }]), - }); - }); - - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); - pipeline.addStage(stage, { - post: [ - new cdkp.ShellStep('TestOutput', { - commands: ['echo $BUCKET_NAME'], - envFromCfnOutputs: { - BUCKET_NAME: stage.output, - }, + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Alpha', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: 'AlphaStack6B3389FA', }), - ], - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'Stack.Deploy', - Namespace: stringNoLongerThan(100), + Match.objectLike({ + Name: 'Approve', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { name: 'THE_OUTPUT', value: '#{AlphaStack6B3389FA.MyOutput}', type: 'PLAINTEXT' }, + ]), }), - ]), - }]), - }); + }), + ]), + }]), }); }); -behavior('validation step can run from scripts in source', (suite) => { - suite.legacy(() => { - const { pipeline, sourceArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseSources', - additionalArtifacts: [sourceArtifact], - commands: ['true'], - })); +test('stackOutput generates names limited to 100 characters', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const stage = new StageWithStackOutput(app, 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild'); + pipeline.addStage(stage, { + post: [ + new cdkp.ShellStep('TestOutput', { + commands: ['echo $BUCKET_NAME'], + envFromCfnOutputs: { + BUCKET_NAME: stage.output, + }, + }), + ], }); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseSources', { - input: pipeline.gitHubSource, - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'APreposterouslyLongAndComplicatedNameMadeUpJustToMakeItExceedTheLimitDefinedByCodeBuild', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'Stack.Deploy', + Namespace: stringNoLongerThan(100), }), - ], - }); - - THEN_codePipelineExpectation(); + ]), + }]), }); - - function THEN_codePipelineExpectation() { - const sourceArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Source', - Actions: [ - Match.objectLike({ - OutputArtifacts: [{ Name: sourceArtifact }], - }), - ], - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseSources', - InputArtifacts: [{ Name: sourceArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, - }, - })), - }, - }); - } }); -behavior('can use additional output artifacts from build', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'UseBuildArtifact', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); +test('validation step can run from scripts in source', () => { - THEN_codePipelineExpectation(); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseSources', { + input: pipeline.gitHubSource, + commands: ['set -eu', 'true'], + }), + ], }); - suite.modern(() => { - const synth = new ShellStep('Synth', { - input: CodePipelineSource.gitHub('test/test', 'main'), - commands: ['synth'], - }); + const sourceArtifact = new Capture(); - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - synth, - }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.ShellStep('UseBuildArtifact', { - input: synth.addOutputDirectory('test'), - commands: ['set -eu', 'true'], + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Source', + Actions: [ + Match.objectLike({ + OutputArtifacts: [{ Name: sourceArtifact }], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - - function THEN_codePipelineExpectation() { - const integArtifact = new Capture(); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Build', - Actions: [ - Match.objectLike({ - Name: 'Synth', - OutputArtifacts: [ - { Name: Match.anyValue() }, // It's not the first output - { Name: integArtifact }, + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseSources', + InputArtifacts: [{ Name: sourceArtifact.asString() }], + }), + ]), + }]), + }); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', ], - }), - ], - }]), - }); - - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'UseBuildArtifact', - InputArtifacts: [{ Name: integArtifact.asString() }], - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, }, - })), - }, - }); - } -}); + }, + })), + }, + }); +}, +); -behavior('can add policy statements to shell script action', (suite) => { - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), - ], - })); - - THEN_codePipelineExpectation(); - }); - - suite.modern(() => { - // WHEN - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [ - new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - rolePolicyStatements: [ - new iam.PolicyStatement({ - actions: ['s3:Banana'], - resources: ['*'], - }), +test('can use additional output artifacts from build', () => { + const synth = new ShellStep('Synth', { + input: CodePipelineSource.gitHub('test/test', 'main'), + commands: ['synth'], + }); + + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + synth, + }); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.ShellStep('UseBuildArtifact', { + input: synth.addOutputDirectory('test'), + commands: ['set -eu', 'true'], + }), + ], + }); + + const integArtifact = new Capture(); + + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Build', + Actions: [ + Match.objectLike({ + Name: 'Synth', + OutputArtifacts: [ + { Name: Match.anyValue() }, // It's not the first output + { Name: integArtifact }, ], }), ], - }); - - THEN_codePipelineExpectation(); + }]), }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: 's3:Banana', - Resource: '*', - })]), - }, - }); - } -}); - -behavior('can grant permissions to shell script action', (suite) => { - let bucket: s3.IBucket; - beforeEach(() => { - bucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'UseBuildArtifact', + InputArtifacts: [{ Name: integArtifact.asString() }], + }), + ]), + }]), }); - - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - const action = new cdkp.ShellScriptAction({ - actionName: 'Boop', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - }); - pipeline.addStage('Test').addActions(action); - - // WHEN - bucket.grantRead(action); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], + }, + }, + })), + }, }); +}, +); - suite.modern(() => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); +test('can add policy statements to shell script action', () => { - const codeBuildStep = new cdkp.CodeBuildStep('Boop', { - commands: ['true'], - }); + // WHEN + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [ + new cdkp.CodeBuildStep('Boop', { + commands: ['true'], + rolePolicyStatements: [ + new iam.PolicyStatement({ + actions: ['s3:Banana'], + resources: ['*'], + }), + ], + }), + ], + }); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [codeBuildStep], - }); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: 's3:Banana', + Resource: '*', + })]), + }, + }); +}, +); - pipeline.buildPipeline(); +test('can grant permissions to shell script action', () => { + const bucket: s3.IBucket = s3.Bucket.fromBucketArn(pipelineStack, 'Bucket', 'arn:aws:s3:::this-particular-bucket'); - // WHEN - bucket.grantRead(codeBuildStep.project); + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - THEN_codePipelineExpectation(); + const codeBuildStep = new cdkp.CodeBuildStep('Boop', { + commands: ['true'], }); - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: Match.arrayWith([Match.objectLike({ - Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], - Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], - })]), - }, - }); - } -}); - -behavior('can run shell script actions in a VPC', (suite) => { - let vpc: ec2.Vpc; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [codeBuildStep], }); - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); + pipeline.buildPipeline(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - vpc, - actionName: 'VpcAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); + // WHEN + bucket.grantRead(codeBuildStep.project); - THEN_codePipelineExpectation(); + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: Match.arrayWith([Match.objectLike({ + Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], + Resource: ['arn:aws:s3:::this-particular-bucket', 'arn:aws:s3:::this-particular-bucket/*'], + })]), + }, }); +}, +); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { vpc }, - }); +test('can run shell script actions in a VPC', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.ShellStep('VpcAction', { - commands: ['set -eu', 'true'], - })], - }); + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { vpc }, + }); - THEN_codePipelineExpectation(); + pipeline.addStage(new TwoStackApp(app, 'MyApp'), { + post: [new cdkp.ShellStep('VpcAction', { + commands: ['set -eu', 'true'], + })], }); - suite.additional('modern, alternate API', () => { - // Can also explicitly specify a VPC when going to the "full config" class - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + // Can also explicitly specify a VPC when going to the "full config" class + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'MyApp'), { - post: [new cdkp.CodeBuildStep('VpcAction', { - commands: ['set -eu', 'true'], - vpc, - })], - }); - - THEN_codePipelineExpectation(); + pipeline2.addStage(new TwoStackApp(app, 'MyApp'), { + post: [new cdkp.CodeBuildStep('VpcAction', { + commands: ['set -eu', 'true'], + vpc, + })], }); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, - }, - VpcConfig: { - Subnets: [ - { - Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', - }, - { - Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', - }, - { - Ref: 'VPCPrivateSubnet3Subnet3EDCD457', - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: CDKP_DEFAULT_CODEBUILD_IMAGE.imageId, + }, + VpcConfig: { + Subnets: [ + { + Ref: 'VPCPrivateSubnet1Subnet8BCA10E0', + }, + { + Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A', + }, + { + Ref: 'VPCPrivateSubnet3Subnet3EDCD457', }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - Source: { - BuildSpec: Match.serializedJson(Match.objectLike({ - phases: { - build: { - commands: [ - 'set -eu', - 'true', - ], - }, + }, + Source: { + BuildSpec: Match.serializedJson(Match.objectLike({ + phases: { + build: { + commands: [ + 'set -eu', + 'true', + ], }, - })), - }, - }); - } -}); - -behavior('can run shell script actions with a specific SecurityGroup', (suite) => { - let vpc: ec2.Vpc; - let sg: ec2.SecurityGroup; - beforeEach(() => { - vpc = new ec2.Vpc(pipelineStack, 'VPC'); - sg = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); + }, + })), + }, }); +}, +); + +test('can run shell script actions with a specific SecurityGroup', () => { + const vpc: ec2.Vpc = new ec2.Vpc(pipelineStack, 'VPC'); + const sg: ec2.SecurityGroup = new ec2.SecurityGroup(pipelineStack, 'SG', { vpc }); - suite.legacy(() => { - // WHEN - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ + // All CodeBuild jobs automatically go into the VPC + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('sgAction', { + commands: ['set -eu', 'true'], vpc, securityGroups: [sg], - actionName: 'sgAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // All CodeBuild jobs automatically go into the VPC - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('sgAction', { - commands: ['set -eu', 'true'], - vpc, - securityGroups: [sg], - })], - }); - - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'sgAction', + }), + ]), + }]), }); - - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'sgAction', - }), - ]), - }]), - }); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - VpcConfig: { - SecurityGroupIds: [ - { - 'Fn::GetAtt': [ - 'SGADB53937', - 'GroupId', - ], - }, - ], - VpcId: { - Ref: 'VPCB9E5F0B4', + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + VpcConfig: { + SecurityGroupIds: [ + { + 'Fn::GetAtt': [ + 'SGADB53937', + 'GroupId', + ], }, + ], + VpcId: { + Ref: 'VPCB9E5F0B4', }, - }); - } -}); - -behavior('can run scripts with specified BuildEnvironment', (suite) => { - suite.legacy(() => { - let { pipeline, integTestArtifact } = legacySetup(); - - // WHEN - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], - commands: ['true'], - environment: { buildImage: codebuild.LinuxBuildImage.STANDARD_2_0 }, - })); - - THEN_codePipelineExpectation(); + }, }); +}, +); - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - codeBuildDefaults: { - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, - }, - }); +test('can run scripts with specified BuildEnvironment', () => { - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - })], - }); + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk', { + codeBuildDefaults: { + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + }, + }); - THEN_codePipelineExpectation(); + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { + commands: ['true'], + })], }); - suite.additional('modern, alternative API', () => { - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); + const pipeline2 = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.CodeBuildStep('imageAction', { - commands: ['true'], - buildEnvironment: { - buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, - }, - })], - }); + pipeline2.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.CodeBuildStep('imageAction', { + commands: ['true'], + buildEnvironment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_2_0, + }, + })], + }); - THEN_codePipelineExpectation(); + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { + Environment: { + Image: 'aws/codebuild/standard:2.0', + }, }); +}, +); - function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', { - Environment: { - Image: 'aws/codebuild/standard:2.0', - }, - }); - } -}); +test('can run scripts with magic environment variables', () => { + + // Run all Build jobs with the given image + const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); -behavior('can run scripts with magic environment variables', (suite) => { - suite.legacy(() => { - const { pipeline, integTestArtifact } = legacySetup(); - pipeline.addStage('Test').addActions(new cdkp.ShellScriptAction({ - actionName: 'imageAction', - additionalArtifacts: [integTestArtifact], + pipeline.addStage(new TwoStackApp(app, 'Test'), { + post: [new cdkp.ShellStep('imageAction', { commands: ['true'], - environmentVariables: { - VERSION: { value: codepipeline.GlobalVariables.executionId }, + env: { + VERSION: codepipeline.GlobalVariables.executionId, }, - })); - - THEN_codePipelineExpectation(); + })], }); - suite.modern(() => { - // Run all Build jobs with the given image - const pipeline = new ModernTestGitHubNpmPipeline(pipelineStack, 'Cdk'); - - pipeline.addStage(new TwoStackApp(app, 'Test'), { - post: [new cdkp.ShellStep('imageAction', { - commands: ['true'], - env: { - VERSION: codepipeline.GlobalVariables.executionId, - }, - })], - }); - - THEN_codePipelineExpectation(); - }); - - function THEN_codePipelineExpectation() { - // THEN - Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { - Stages: Match.arrayWith([{ - Name: 'Test', - Actions: Match.arrayWith([ - Match.objectLike({ - Name: 'imageAction', - Configuration: Match.objectLike({ - EnvironmentVariables: Match.serializedJson([ - { - name: 'VERSION', - type: 'PLAINTEXT', - value: '#{codepipeline.PipelineExecutionId}', - }, - ]), - }), + // THEN + Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + Stages: Match.arrayWith([{ + Name: 'Test', + Actions: Match.arrayWith([ + Match.objectLike({ + Name: 'imageAction', + Configuration: Match.objectLike({ + EnvironmentVariables: Match.serializedJson([ + { + name: 'VERSION', + type: 'PLAINTEXT', + value: '#{codepipeline.PipelineExecutionId}', + }, + ]), }), - ]), - }]), - }); - } -}); - -/** - * Some shared setup for legacy API tests - */ -function legacySetup() { - const sourceArtifact = new codepipeline.Artifact(); - const cloudAssemblyArtifact = new codepipeline.Artifact('CloudAsm'); - const integTestArtifact = new codepipeline.Artifact('IntegTests'); - const pipeline = new LegacyTestGitHubNpmPipeline(pipelineStack, 'Cdk', { - sourceArtifact, - cloudAssemblyArtifact, - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - additionalArtifacts: [{ directory: 'test', artifact: integTestArtifact }], - }), - }); - - return { sourceArtifact, cloudAssemblyArtifact, integTestArtifact, pipeline }; -} \ No newline at end of file + }), + ]), + }]), + }); +}, +); \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts index 2d3c4ebed35ba..d50366234083f 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/compliance.ts @@ -1,68 +1,13 @@ import { describeDeprecated } from '@aws-cdk/cdk-build-tools'; interface SkippedSuite { - legacy(reason?: string): void; - modern(reason?: string): void; } interface Suite { readonly doesNotApply: SkippedSuite; - legacy(fn: () => void): void; - modern(fn: () => void): void; additional(description: string, fn: () => void): void; -} - -// eslint-disable-next-line jest/no-export -export function behavior(name: string, cb: (suite: Suite) => void) { - // Since the goal of the compliance test suites is to compare modern and legacy (i.e. deprecated) APIs, - // use `describeDeprecated()` block here since usage of the legacy API is inevitable. - describeDeprecated(name, () => { - const unwritten = new Set(['modern', 'legacy']); - - function scratchOff(flavor: string) { - if (!unwritten.has(flavor)) { - throw new Error(`Already had test for ${flavor}. Use .additional() to add more tests.`); - } - unwritten.delete(flavor); - } - - cb({ - legacy: (testFn) => { - scratchOff('legacy'); - test('legacy', testFn); - }, - modern: (testFn) => { - scratchOff('modern'); - test('modern', testFn); - }, - additional: test, - doesNotApply: { - modern: (reason?: string) => { - scratchOff('modern'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`modern - ${reason}`, () => {}); - } - }, - - legacy: (reason?: string) => { - scratchOff('legacy'); - - if (reason != null) { - // eslint-disable-next-line jest/no-disabled-tests - test.skip(`legacy - ${reason}`, () => {}); - } - }, - }, - }); - - for (const missing of unwritten) { - test.todo(missing); - } - }); -} +} \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts index fbc50d3b1a003..866d791e45856 100644 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts +++ b/packages/aws-cdk-lib/pipelines/test/testhelpers/index.ts @@ -1,5 +1,4 @@ export * from './compliance'; -export * from './legacy-pipeline'; export * from './modern-pipeline'; export * from './test-app'; export * from './matchers'; \ No newline at end of file diff --git a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts b/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts deleted file mode 100644 index cc5340b74e7c8..0000000000000 --- a/packages/aws-cdk-lib/pipelines/test/testhelpers/legacy-pipeline.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { Construct } from 'constructs'; -import * as codepipeline from '../../../aws-codepipeline'; -import * as codepipeline_actions from '../../../aws-codepipeline-actions'; -import { SecretValue } from '../../../core'; -import * as cdkp from '../../lib'; - -export interface LegacyTestGitHubNpmPipelineExtraProps { - readonly sourceArtifact?: codepipeline.Artifact; - readonly npmSynthOptions?: Partial; -} - -export class LegacyTestGitHubNpmPipeline extends cdkp.CdkPipeline { - public readonly sourceArtifact: codepipeline.Artifact; - public readonly cloudAssemblyArtifact: codepipeline.Artifact; - - constructor(scope: Construct, id: string, props?: Partial & LegacyTestGitHubNpmPipelineExtraProps) { - const sourceArtifact = props?.sourceArtifact ?? new codepipeline.Artifact(); - const cloudAssemblyArtifact = props?.cloudAssemblyArtifact ?? new codepipeline.Artifact(); - - super(scope, id, { - sourceAction: new TestGitHubAction(sourceArtifact), - synthAction: cdkp.SimpleSynthAction.standardNpmSynth({ - sourceArtifact, - cloudAssemblyArtifact, - ...props?.npmSynthOptions, - }), - cloudAssemblyArtifact, - ...props, - }); - - this.sourceArtifact = sourceArtifact; - this.cloudAssemblyArtifact = cloudAssemblyArtifact; - } -} - -export class TestGitHubAction extends codepipeline_actions.GitHubSourceAction { - constructor(sourceArtifact: codepipeline.Artifact) { - super({ - actionName: 'GitHub', - output: sourceArtifact, - oauthToken: SecretValue.unsafePlainText('$3kr1t'), - owner: 'test', - repo: 'test', - trigger: codepipeline_actions.GitHubTrigger.POLL, - }); - } -}