Fix: Update index.js

Author: hwum

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-with-stage-conditions.js.snapshot/asset.97484721f29e34bf38d7a459804dd2d2a8dea6f8c27d7531e215bf4274fbc895.bundle/index.js

@@ -1002,16 +1002,21 @@ export class Pipeline extends PipelineBase {
    * @param action the action to return/create a role for
    * @param actionScope the scope, unique to the action, to create new resources in
    */
+
   private getRoleForAction(stage: Stage, action: RichAction, actionScope: Construct): iam.IRole | undefined {
     const pipelineStack = Stack.of(this);
 
     let actionRole = this.getRoleFromActionPropsOrGenerateIfCrossAccount(stage, action);
 
     if (!actionRole && this.isAwsOwned(action)) {
       // generate a Role for this specific Action
-      actionRole = new iam.Role(actionScope, 'CodePipelineActionRole', {
+      const isRemoveRootPrincipal = FeatureFlags.of(this).isEnabled(cxapi.PIPELINE_REDUCE_STAGE_ROLE_TRUST_SCOPE);
+      const roleProps = isRemoveRootPrincipal? {
+        assumedBy: new iam.ArnPrincipal(this.role.roleArn), // Allow only the pipeline execution role
+      } : {
         assumedBy: new iam.AccountPrincipal(pipelineStack.account),
-      });
+      };
+      actionRole = new iam.Role(actionScope, 'CodePipelineActionRole', roleProps);
     }
 
     // the pipeline role needs assumeRole permissions to the action role

packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts

@@ -24,9 +24,9 @@ export class Stage implements IStage {
   public readonly stageName: string;
   public readonly transitionToEnabled: boolean;
   public readonly transitionDisabledReason: string;
-  public readonly beforeEntry?: Conditions;
-  public readonly onSuccess?: Conditions;
-  public readonly onFailure?: FailureConditions;
+  private readonly beforeEntry?: Conditions;
+  private readonly onSuccess?: Conditions;
+  private readonly onFailure?: FailureConditions;
   private readonly scope: Construct;
   private readonly _pipeline: Pipeline;
   private readonly _actions = new Array<FullActionDescriptor>();

packages/aws-cdk-lib/aws-codepipeline/lib/private/stage.ts

@@ -58,14 +58,6 @@ export interface RuleProps {
    */
   readonly role?: iam.Role;
 
-  /**
-   * A category defines what kind of rule can be run in the stage.
-   * Constrains the provider type for the rule.
-   *
-   * @default 'Rule'
-   */
-  readonly category?: string;
-
   /**
    * The rule provider that implements the rule's functionality.
    *

packages/aws-cdk-lib/aws-codepipeline/lib/rule.ts

@@ -59,11 +59,7 @@ describe('Rule', () => {
       actionName: 'dummyAction',
       input: sourceArtifact,
     }));
-    // --
 
-    // eslint-disable-next-line no-console
-    console.log(Template.fromStack(stack).findResources('AWS::CodePipeline::Pipeline'));
-    // eslint-disable-next-line no-console
     Template.fromStack(stack).hasResourceProperties('AWS::CodePipeline::Pipeline', {
       Stages: [
         { Name: 'FirstStage' },

packages/aws-cdk-lib/aws-codepipeline/test/rules.test.ts

@@ -245,11 +245,7 @@ describe('stages', () => {
         actionName: 'dummyAction',
         input: sourceArtifact,
       }));
-      // --
 
-      // eslint-disable-next-line no-console
-      console.log(Template.fromStack(stack).findResources('AWS::CodePipeline::Pipeline'));
-      // eslint-disable-next-line no-console
       Template.fromStack(stack).hasResourceProperties('AWS::CodePipeline::Pipeline', {
         Stages: [
           { Name: 'FirstStage' },