From 144b1b9794cd36453913cf2d0297de4f4ddf342b Mon Sep 17 00:00:00 2001 
From: "k.goto" <24818752+go-to-k@users.noreply.github.com> Date: Sat, 3 Feb 2024 03:24:30 +0900 Subject: [PATCH] feat(codepipeline): change default value for crossAccountKeys to false (under feature flag) (#28556) [The documentation](https://github.com/aws/aws-cdk/blob/f4c1d1253ee34c2837a57a93faa47c9da97ef6d8/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts#L380-L381) mentions updating the default for CDK v2. Sounds like we should add it in with feature flag. Closes #28247. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../test/integ.cfn-template-from-repo.lit.ts | 1 + ...ambda-deployed-through-codepipeline.lit.ts | 4 +- .../test/integ.lambda-pipeline.ts | 4 +- .../test/integ.pipeline-alexa-deploy.ts | 1 + .../test/integ.pipeline-cfn.ts | 4 +- .../test/integ.pipeline-code-commit-build.ts | 1 + ...integ.pipeline-code-commit-custom-event.ts | 1 + .../test/integ.pipeline-code-commit-main.ts | 1 + .../test/integ.pipeline-code-commit.ts | 1 + .../test/integ.pipeline-events.ts | 4 +- .../test/integ.pipeline-stepfunctions.ts | 4 +- .../test/integ.pipeline-with-replication.ts | 1 + ...urce-bucket-events-cross-stack-same-env.ts | 1 + .../integ.pipeline-event-target.ts | 4 +- .../pipelines/test/integ.pipeline-security.ts | 1 + ...nteg.pipeline-with-assets-single-upload.ts | 1 + .../test/integ.pipeline-with-assets.ts | 1 + .../test/pipelines/test/integ.pipeline.ts | 1 + .../test/integ.configuration.ts | 1 + ...g.codepipeline-start-pipeline-execution.ts | 1 + packages/@aws-cdk/cx-api/FEATURE_FLAGS.md | 20 ++++++++- .../test/integ.cfn-template-from-repo.lit.ts | 1 + ...ambda-deployed-through-codepipeline.lit.ts | 4 +- .../aws-codepipeline/lib/pipeline.ts | 8 ++-- .../aws-codepipeline/test/pipeline.test.ts | 43 +++++++++++++++++++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 20 ++++++++- packages/aws-cdk-lib/cx-api/README.md | 17 ++++++++ packages/aws-cdk-lib/cx-api/lib/features.ts | 14 ++++++ 
28 files changed, 153 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts index 2172ee7b0633c..7a9c9e681ba91 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts @@ -52,6 +52,7 @@ const prodStage = { }; new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ sourceStage, prodStage, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts index e9fd80fd600f0..063d3b5d87ff0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts @@ -20,7 +20,9 @@ new lambda.Function(lambdaStack, 'Lambda', { // other resources that your Lambda needs, added to the lambdaStack... const pipelineStack = new cdk.Stack(app, 'PipelineStack'); -const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline'); +const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', { + crossAccountKeys: true, +}); // add the source code repository containing this code to your Pipeline, // and the source code of the Lambda Function, if they're separate 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.ts index 57a68b327bf05..f21ea308ce0b4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.ts @@ -10,7 +10,9 @@ const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-lambda'); -const pipeline = new codepipeline.Pipeline(stack, 'Pipeline'); +const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, +}); const sourceStage = pipeline.addStage({ stageName: 'Source' }); const bucket = new s3.Bucket(stack, 'PipelineBucket', { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts index 63a546e1a65dd..9311a8972a658 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.ts @@ -39,6 +39,7 @@ const deployStage = { }; new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ sourceStage, deployStage, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.ts index 3441fd5972fd9..5086cf2df3926 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.ts 
@@ -8,7 +8,9 @@ const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-cloudformation'); -const pipeline = new codepipeline.Pipeline(stack, 'Pipeline'); +const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, +}); const bucket = new s3.Bucket(stack, 'PipelineBucket', { versioned: true, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.ts index 1182f775c775b..fbbaed9b5bdcc 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.ts @@ -47,6 +47,7 @@ const testAction = new cpactions.CodeBuildAction({ }); new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ { stageName: 'source', diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-custom-event.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-custom-event.ts index e41c97672e4a2..b0ae60e70e3f8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-custom-event.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-custom-event.ts @@ -32,6 +32,7 @@ const eventPattern const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', { pipelineName: 'IntegCustomEventPipeline', + crossAccountKeys: true, stages: [ { stageName: 'source', 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-main.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-main.ts index 6a2f137cb3864..1d5db2cc3e5f4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-main.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-main.ts @@ -15,6 +15,7 @@ const repo = new codecommit.Repository(stack, 'MyRepo', { }); new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ { stageName: 'source', diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.ts index c8478fae239f0..80db251c1bfc5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.ts @@ -16,6 +16,7 @@ const repo = new codecommit.Repository(stack, 'MyRepo', { }); new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ { stageName: 'source', diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.ts index cfb5178e2a316..f85004e2febb6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-events.ts 
@@ -13,7 +13,9 @@ const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-cdk-pipeline-event-target'); -const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline'); +const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline', { + crossAccountKeys: true, +}); const repository = new codecommit.Repository(stack, 'CodeCommitRepo', { repositoryName: 'foo', diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.ts index 126c5a24521b4..400f8b023b168 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.ts @@ -15,7 +15,9 @@ const simpleStateMachine = new stepfunctions.StateMachine(stack, 'SimpleStateMac definition: startState, }); -const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline'); +const pipeline = new codepipeline.Pipeline(stack, 'MyPipeline', { + crossAccountKeys: true, +}); pipeline.addStage({ stageName: 'Source', actions: [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.ts index 438e2846184f9..816a548bc8675 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-replication.ts @@ -31,6 +31,7 @@ const bucket = new Bucket(stack1, 'ReplicationBucket', { const artifact = new Artifact(); const pipeline = new Pipeline(stack2, 'Pipeline', { + crossAccountKeys: true, crossRegionReplicationBuckets: { 'us-east-1': bucket, }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.ts index e2f789e9db9a8..1ef92d1cc1594 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/s3/integ.source-bucket-events-cross-stack-same-env.ts @@ -16,6 +16,7 @@ const bucket = new s3.Bucket(bucketStack, 'Bucket', { const pipelineStack = new Stack(app, 'PipelineStack'); const sourceOutput = new codepipeline.Artifact(); new codepipeline.Pipeline(pipelineStack, 'Pipeline', { + crossAccountKeys: true, stages: [ { stageName: 'Source', diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codepipeline/integ.pipeline-event-target.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codepipeline/integ.pipeline-event-target.ts index a09a82218a771..59276b644b7e3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codepipeline/integ.pipeline-event-target.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/codepipeline/integ.pipeline-event-target.ts @@ -38,7 +38,9 @@ const repo = new codecommit.Repository(stack, 'Repo', { repositoryName: 'TestRepository', }); -const pipeline = new codepipeline.Pipeline(stack, 'pipelinePipeline22F2A91D'); +const pipeline = new codepipeline.Pipeline(stack, 'pipelinePipeline22F2A91D', { + crossAccountKeys: true, +}); const srcArtifact = new codepipeline.Artifact('Src'); pipeline.addStage({ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts index 36fc9eff3d10e..ea7951477ee76 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-security.ts @@ -44,6 +44,7 @@ export class TestCdkStack extends Stack { }); const pipeline = new cdkp.CdkPipeline(this, 'TestPipeline', { + crossAccountKeys: true, selfMutating: false, pipelineName: 'TestPipeline', cloudAssemblyArtifact, diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts index 2141312f93a24..fce31b49d8fad 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets-single-upload.ts @@ -47,6 +47,7 @@ class CdkpipelinesDemoPipelineStack extends Stack { autoDeleteObjects: true, }); const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { + crossAccountKeys: true, cloudAssemblyArtifact, singlePublisherPerType: true, diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts index c97ad2b67872a..b8e89daa977fb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline-with-assets.ts 
@@ -47,6 +47,7 @@ class CdkpipelinesDemoPipelineStack extends Stack { autoDeleteObjects: true, }); const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { + crossAccountKeys: true, cloudAssemblyArtifact, // Where the source can be found diff --git a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts index 3505309ae99b9..fd7c1e4500354 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/pipelines/test/integ.pipeline.ts @@ -37,6 +37,7 @@ class CdkpipelinesDemoPipelineStack extends Stack { autoDeleteObjects: true, }); const pipeline = new cdkp.CdkPipeline(this, 'Pipeline', { + crossAccountKeys: true, cloudAssemblyArtifact, // Where the source can be found diff --git a/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.ts b/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.ts index d893c415ec5b0..53b3cd161ac8d 100644 --- a/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.ts +++ b/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.ts @@ -199,6 +199,7 @@ const deployAction = new S3DeployAction({ extract: true, }); const pipeline = new Pipeline(stack, 'MyPipeline', { + crossAccountKeys: true, stages: [ { stageName: 'beta', diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.codepipeline-start-pipeline-execution.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.codepipeline-start-pipeline-execution.ts index 45242d93b0369..f67bb7ea009c5 100644 --- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.codepipeline-start-pipeline-execution.ts +++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.codepipeline-start-pipeline-execution.ts 
@@ -58,6 +58,7 @@ const deployment = new BucketDeployment(stack, 'BucketDeployment', { ], }); const pipeline = new Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ { stageName: 'source', diff --git a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md index 4235a36f11d8b..4fe530e600eff 100644 --- a/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md +++ b/packages/@aws-cdk/cx-api/FEATURE_FLAGS.md @@ -64,6 +64,7 @@ Flags come in three types: | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) | | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) | | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | +| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) | 
@@ -118,7 +119,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true, "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true, "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true, - "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true } } ``` @@ -1213,4 +1215,20 @@ If the flag is set to false then it can only make one alarm for the Lambda with | 2.124.0 | `false` | `true` | +### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse + +*Enables Pipeline to set the default value for crossAccountKeys to false.* (default) + +When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` +construct, the construct automatically defaults the value of this property to false. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. + + diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts index 90ca8e3a22aea..0c934b12c5ce9 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.ts @@ -52,6 +52,7 @@ const prodStage = { }; new codepipeline.Pipeline(stack, 'Pipeline', { + crossAccountKeys: true, stages: [ sourceStage, prodStage, 
diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts
index 24151cfe93cc8..7c7873bf5badb 100644
--- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts
+++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts
@@ -19,7 +19,9 @@ new lambda.Function(lambdaStack, 'Lambda', {
 // other resources that your Lambda needs, added to the lambdaStack...
 const pipelineStack = new cdk.Stack(app, 'PipelineStack');
-const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline');
+const pipeline = new codepipeline.Pipeline(pipelineStack, 'Pipeline', {
+ crossAccountKeys: true,
+});
 // add the source code repository containing this code to your Pipeline,
 // and the source code of the Lambda Function, if they're separate
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts
index 8803e22c65ae0..d2cbc206f1efb 100644
--- a/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts
+++ b/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts
@@ -153,7 +153,8 @@ export interface PipelineProps {
 * encrypted with an AWS-managed key). However, cross-account deployments will
 * no longer be possible.
 *
- * @default true
+ * @default false - false if the feature flag `CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE`
+ * is true, true otherwise
 */
 readonly crossAccountKeys?: boolean;
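Review bot: The new `@default` text on `crossAccountKeys` names the TypeScript constant `CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE`, but what users write in cdk.json is the context key `@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse` (the value this PR adds in features.ts), so the published API docs point readers at an internal identifier. The leading `false - ` also reads as if false were the unconditional default; suggest `@default false if the feature flag '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse' is enabled, true otherwise`. Since the flag is in the recommended set, the sentence just above about the artifact bucket using an AWS-managed key and cross-account deployments no longer being possible now describes the default for new projects, and it would help to say so in the same paragraph. The PipelineProps interface begins and continues outside the hunk.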
@@ -386,8 +387,9 @@ export class Pipeline extends PipelineBase {
 throw new Error('Only one of artifactBucket and crossRegionReplicationBuckets can be specified!');
 }
- // @deprecated(v2): switch to default false
- this.crossAccountKeys = props.crossAccountKeys ?? true;
+ // The feature flag is set to true by default for new projects, otherwise false.
+ this.crossAccountKeys = props.crossAccountKeys
+ ?? (FeatureFlags.of(this).isEnabled(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE) ? false : true);
 this.enableKeyRotation = props.enableKeyRotation;
 // Cross account keys must be set for key rotation to be enabled
diff --git a/packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts b/packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts
index cdb13c0132ada..4c6e5c2f2085f 100644
--- a/packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts
+++ b/packages/aws-cdk-lib/aws-codepipeline/test/pipeline.test.ts
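Review bot: `isEnabled(...) ? false : true` is a negation spelled as a ternary; `this.crossAccountKeys = props.crossAccountKeys ?? !FeatureFlags.of(this).isEnabled(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE);` says the same thing in one line and is easier to read. The replacement comment describes the flag's recommended value rather than what the line decides; something like `// Without an explicit value, keep the customer-managed KMS key (needed for cross-account deployments) unless the feature flag opts this app into the no-key default.` documents the actual trade-off. The context line just below ("Cross account keys must be set for key rotation to be enabled") suggests, though the check itself is outside this hunk, that an app relying on the old default together with `enableKeyRotation: true` will start failing once the flag is enabled; that interaction deserves a test and a sentence in the flag's documentation. The constructor continues outside the hunk.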
@@ -495,6 +495,49 @@ describe('', () => {
 'EnableKeyRotation': true,
 });
 });
+
+ test('crossAccountKeys as default value is set to false when feature flag is enabled', () => {
+ const app = new cdk.App();
+ app.node.setContext(cxapi.CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE, true);
+
+ const stack = new cdk.Stack(app, 'PipelineStack');
+ const sourceOutput = new codepipeline.Artifact();
+ new codepipeline.Pipeline(stack, 'Pipeline', {
+ stages: [
+ {
+ stageName: 'Source',
+ actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+ },
+ {
+ stageName: 'Build',
+ actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+ },
+ ],
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 0);
+ });
+
+ test('crossAccountKeys as default value is set to true when feature flag is not set', () => {
+ const app = new cdk.App();
+
+ const stack = new cdk.Stack(app, 'PipelineStack');
+ const sourceOutput = new codepipeline.Artifact();
+ new codepipeline.Pipeline(stack, 'Pipeline', {
+ stages: [
+ {
+ stageName: 'Source',
+ actions: [new FakeSourceAction({ actionName: 'Source', output: sourceOutput })],
+ },
+ {
+ stageName: 'Build',
+ actions: [new FakeBuildAction({ actionName: 'Build', input: sourceOutput })],
+ },
+ ],
+ });
+
+ Template.fromStack(stack).resourceCountIs('AWS::KMS::Key', 1);
+ });
 });
 });
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index 4235a36f11d8b..4fe530e600eff 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
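Review bot: The two new tests pin only the two implicit defaults; the compatibility path the flag documentation promises — flag enabled plus an explicit `crossAccountKeys: true` still producing one `AWS::KMS::Key` — is not covered, and neither is flag enabled plus `enableKeyRotation: true`, which the constructor's key-rotation check (outside this hunk) presumably rejects now that the default has changed. A third test mirroring the first, with `crossAccountKeys: true` added to the props and `resourceCountIs('AWS::KMS::Key', 1)`, would close the first gap, and a fourth asserting the thrown error would document the second. The two tests also repeat the same stages fixture verbatim; a small helper returning that array would keep these and future cases short. The enclosing describe block starts outside the hunk.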
@@ -64,6 +64,7 @@ Flags come in three types: | [@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials](#aws-cdkaws-rdspreventrenderingdeprecatedcredentials) | When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials. | 2.98.0 | (fix) | | [@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource](#aws-cdkaws-codepipeline-actionsusenewdefaultbranchforcodecommitsource) | When enabled, the CodeCommit source action is using the default branch name 'main'. | 2.103.1 | (fix) | | [@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction](#aws-cdkaws-cloudwatch-actionschangelambdapermissionlogicalidforlambdaaction) | When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID. | 2.124.0 | (fix) | +| [@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse](#aws-cdkaws-codepipelinecrossaccountkeysdefaultvaluetofalse) | Enables Pipeline to set the default value for crossAccountKeys to false. | V2NEXT | (default) | @@ -118,7 +119,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true, "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true, "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true, - "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true } } ``` 
@@ -1213,4 +1215,20 @@ If the flag is set to false then it can only make one alarm for the Lambda with | 2.124.0 | `false` | `true` | +### @aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse + +*Enables Pipeline to set the default value for crossAccountKeys to false.* (default) + +When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` +construct, the construct automatically defaults the value of this property to false. + + +| Since | Default | Recommended | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + +**Compatibility with old behavior:** Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior. + + diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md index 82cf2e1596eeb..b93c709a1ee47 100644 --- a/packages/aws-cdk-lib/cx-api/README.md +++ b/packages/aws-cdk-lib/cx-api/README.md @@ -258,3 +258,20 @@ _cdk.json_ } } ``` + +* `@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse` + +Enables Pipeline to set the default value for `crossAccountKeys` to false. + +When this feature flag is enabled, and the `crossAccountKeys` property is not provided in a `Pipeline` +construct, the construct automatically defaults the value of this property to false. + +_cdk.json_ + +```json +{ + "context": { + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true + } +} +``` diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 41c95953eae8b..ff49e70c2fb67 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -98,6 +98,7 @@ export const AURORA_CLUSTER_CHANGE_SCOPE_OF_INSTANCE_PARAMETER_GROUP_WITH_EACH_P
 export const APPSYNC_ENABLE_USE_ARN_IDENTIFIER_SOURCE_API_ASSOCIATION = '@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier';
 export const CODECOMMIT_SOURCE_ACTION_DEFAULT_BRANCH_NAME = '@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource';
 export const LAMBDA_PERMISSION_LOGICAL_ID_FOR_LAMBDA_ACTION = '@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction';
+export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse';
 export const FLAGS: Record = {
 //////////////////////////////////////////////////////////////////////
@@ -993,6 +994,19 @@ export const FLAGS: Record = {
 introducedIn: { v2: '2.124.0' },
 recommendedValue: true,
 },
+
+ //////////////////////////////////////////////////////////////////////
+ [CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE]: {
+ type: FlagType.ApiDefault,
+ summary: 'Enables Pipeline to set the default value for crossAccountKeys to false.',
+ detailsMd: `
+ When this feature flag is enabled, and the \`crossAccountKeys\` property is not provided in a \`Pipeline\`
+ construct, the construct automatically defaults the value of this property to false.
+ `,
+ introducedIn: { v2: 'V2NEXT' },
+ recommendedValue: true,
+ compatibilityWithOldBehaviorMd: 'Pass `crossAccountKeys: true` to `Pipeline` construct to restore the previous behavior.',
+ },
 };
 const CURRENT_MV = 'v2';
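Review bot: `detailsMd` states what the default becomes but not what that means for the pipeline: with `crossAccountKeys` false no KMS key is created for the artifact bucket (the new unit test asserts zero `AWS::KMS::Key`), and per the `crossAccountKeys` JSDoc cross-account deployments are then no longer possible. Because this flag ships in the recommended set that `cdk init` writes, a new project would discover that only when a cross-account deploy fails, so one more sentence in `detailsMd` is worth it: `No KMS key is created for the artifact bucket in that case; cross-account deployments then require setting 'crossAccountKeys: true' explicitly.` The same caveat belongs in `compatibilityWithOldBehaviorMd`, which currently reads as a plain opt-out. `introducedIn: { v2: 'V2NEXT' }` is presumably a release-time placeholder that the release tooling rewrites. The FLAGS object starts and continues outside the hunk.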