Addressed review comments

Author: Tarun Belani

packages/@aws-cdk/aws-imagebuilder-alpha/lib/image-pipeline.ts

@@ -476,6 +476,8 @@ export class ImagePipeline extends ImagePipelineBase {
    */
   public readonly executionRole?: iam.IRole;
 
+  private readonly props: ImagePipelineProps;
+
   public constructor(scope: Construct, id: string, props: ImagePipelineProps) {
     super(scope, id, {
       physicalName:
@@ -494,6 +496,7 @@ export class ImagePipeline extends ImagePipelineBase {
 
     this.validateImagePipelineName();
 
+    this.props = props;
     this.infrastructureConfiguration =
       props.infrastructureConfiguration ?? new InfrastructureConfiguration(this, 'InfrastructureConfiguration');
     this.executionRole = getExecutionRole(
@@ -546,6 +549,23 @@ export class ImagePipeline extends ImagePipelineBase {
     });
   }
 
+  /**
+   * Grants the default permissions for building an image to the provided execution role.
+   *
+   * @param grantee The execution role used for the image build.
+   */
+  public grantDefaultExecutionRolePermissions(grantee: iam.IGrantable): iam.Grant[] {
+    const policies = defaultExecutionRolePolicy(this, this.props);
+    return policies.map((policy) =>
+      iam.Grant.addToPrincipal({
+        grantee: grantee,
+        resourceArns: policy.resources,
+        actions: policy.actions,
+        scope: this,
+      }),
+    );
+  }
+
   private validateImagePipelineName() {
     if (cdk.Token.isUnresolved(this.physicalName)) {
       return; // Cannot validate unresolved tokens, given their actual value is rendered at deployment time

packages/@aws-cdk/aws-imagebuilder-alpha/lib/private/policy-helper.ts

@@ -2,21 +2,26 @@ import * as cdk from 'aws-cdk-lib';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as logs from 'aws-cdk-lib/aws-logs';
 import { Construct } from 'constructs';
+import { ImagePipelineProps } from '../image-pipeline';
 import { WorkflowConfiguration } from '../workflow';
 
 /**
  * Returns the default execution role policy, for auto-generated execution roles.
  *
  * @param scope The construct scope
+ * @param props Props input for the construct
  *
  * @see https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForImageBuilder.html
  */
-export const defaultExecutionRolePolicy = (scope: Construct): iam.PolicyStatement[] => {
+export const defaultExecutionRolePolicy = <PropsT extends ImagePipelineProps>(
+  scope: Construct,
+  props?: PropsT,
+): iam.PolicyStatement[] => {
   const partition = cdk.Stack.of(scope).partition;
 
   // Permissions are identical to https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSServiceRoleForImageBuilder.html
   // SLR policies cannot be attached to roles, and no managed policy exists for these permissions yet
-  return [
+  const policies = [
     new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['ec2:RegisterImage'],
@@ -98,7 +103,6 @@ export const defaultExecutionRolePolicy = (scope: Construct): iam.PolicyStatemen
         'ec2:DescribeTags',
         'ec2:ModifyImageAttribute',
         'ec2:DescribeImportImageTasks',
-        'ec2:DescribeExportImageTasks',
         'ec2:DescribeSnapshots',
         'ec2:DescribeHosts',
       ],
@@ -140,11 +144,6 @@ export const defaultExecutionRolePolicy = (scope: Construct): iam.PolicyStatemen
         },
       },
     }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['license-manager:UpdateLicenseSpecificationsForResource'],
-      resources: ['*'],
-    }),
     new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['sns:Publish'],
@@ -235,103 +234,18 @@ export const defaultExecutionRolePolicy = (scope: Construct): iam.PolicyStatemen
         },
       },
     }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['sts:AssumeRole'],
-      resources: [`arn:${partition}:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole`],
-    }),
     new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
       resources: [`arn:${partition}:logs:*:*:log-group:/aws/imagebuilder/*`],
     }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: [
-        'ec2:CreateLaunchTemplateVersion',
-        'ec2:DescribeLaunchTemplates',
-        'ec2:ModifyLaunchTemplate',
-        'ec2:DescribeLaunchTemplateVersions',
-      ],
-      resources: ['*'],
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ec2:ExportImage'],
-      resources: [`arn:${partition}:ec2:*::image/*`],
-      conditions: {
-        StringEquals: {
-          'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
-        },
-      },
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ec2:ExportImage'],
-      resources: [`arn:${partition}:ec2:*:*:export-image-task/*`],
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ec2:CancelExportTask'],
-      resources: [`arn:${partition}:ec2:*:*:export-image-task/*`],
-      conditions: {
-        StringEquals: {
-          'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
-        },
-      },
-    }),
     new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
       actions: ['iam:CreateServiceLinkedRole'],
       resources: ['*'],
       conditions: {
         StringEquals: {
-          'iam:AWSServiceName': ['ssm.amazonaws.com', 'ec2fastlaunch.amazonaws.com'],
-        },
-      },
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ec2:EnableFastLaunch'],
-      resources: [`arn:${partition}:ec2:*::image/*`, `arn:${partition}:ec2:*:*:launch-template/*`],
-      conditions: {
-        StringEquals: {
-          'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
-        },
-      },
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['inspector2:ListCoverage', 'inspector2:ListFindings'],
-      resources: ['*'],
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ecr:CreateRepository'],
-      resources: ['*'],
-      conditions: {
-        StringEquals: {
-          'aws:RequestTag/CreatedBy': 'EC2 Image Builder',
-        },
-      },
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ecr:TagResource'],
-      resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`],
-      conditions: {
-        StringEquals: {
-          'aws:RequestTag/CreatedBy': 'EC2 Image Builder',
-        },
-      },
-    }),
-    new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      actions: ['ecr:BatchDeleteImage'],
-      resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`],
-      conditions: {
-        StringEquals: {
-          'ecr:ResourceTag/CreatedBy': 'EC2 Image Builder',
+          'iam:AWSServiceName': ['ssm.amazonaws.com'],
         },
       },
     }),
@@ -357,6 +271,133 @@ export const defaultExecutionRolePolicy = (scope: Construct): iam.PolicyStatemen
       resources: [`arn:${partition}:ssm:*::parameter/aws/service/*`],
     }),
   ];
+
+  const hasProps = props !== undefined;
+  if (!hasProps || (props.recipe._isImageRecipe() && props.distributionConfiguration !== undefined)) {
+    // Distribution-specific permissions if distribution settings are provided. All permissions here are for AMI builds
+    // specifically.
+    policies.push(
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['ec2:DescribeExportImageTasks'],
+        resources: ['*'],
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['license-manager:UpdateLicenseSpecificationsForResource'],
+        resources: ['*'],
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['sts:AssumeRole'],
+        resources: [`arn:${partition}:iam::*:role/EC2ImageBuilderDistributionCrossAccountRole`],
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: [
+          'ec2:CreateLaunchTemplateVersion',
+          'ec2:DescribeLaunchTemplates',
+          'ec2:ModifyLaunchTemplate',
+          'ec2:DescribeLaunchTemplateVersions',
+        ],
+        resources: ['*'],
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['ec2:ExportImage'],
+        resources: [`arn:${partition}:ec2:*::image/*`],
+        conditions: {
+          StringEquals: {
+            'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
+          },
+        },
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['ec2:ExportImage'],
+        resources: [`arn:${partition}:ec2:*:*:export-image-task/*`],
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['ec2:CancelExportTask'],
+        resources: [`arn:${partition}:ec2:*:*:export-image-task/*`],
+        conditions: {
+          StringEquals: {
+            'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
+          },
+        },
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['iam:CreateServiceLinkedRole'],
+        resources: ['*'],
+        conditions: {
+          StringEquals: {
+            'iam:AWSServiceName': ['ec2fastlaunch.amazonaws.com'],
+          },
+        },
+      }),
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['ec2:EnableFastLaunch'],
+        resources: [`arn:${partition}:ec2:*::image/*`, `arn:${partition}:ec2:*:*:launch-template/*`],
+        conditions: {
+          StringEquals: {
+            'ec2:ResourceTag/CreatedBy': 'EC2 Image Builder',
+          },
+        },
+      }),
+    );
+  }
+
+  if (!hasProps || props.imageScanningEnabled !== false) {
+    // Add Inspector permissions if scanning is enabled
+    policies.push(
+      new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['inspector2:ListCoverage', 'inspector2:ListFindings'],
+        resources: ['*'],
+      }),
+    );
+
+    // Add image scanning ECR permissions for container builds
+    if (!hasProps || props.recipe._isContainerRecipe()) {
+      policies.push(
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['ecr:CreateRepository'],
+          resources: ['*'],
+          conditions: {
+            StringEquals: {
+              'aws:RequestTag/CreatedBy': 'EC2 Image Builder',
+            },
+          },
+        }),
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['ecr:TagResource'],
+          resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`],
+          conditions: {
+            StringEquals: {
+              'aws:RequestTag/CreatedBy': 'EC2 Image Builder',
+            },
+          },
+        }),
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['ecr:BatchDeleteImage'],
+          resources: [`arn:${partition}:ecr:*:*:repository/image-builder-*`],
+          conditions: {
+            StringEquals: {
+              'ecr:ResourceTag/CreatedBy': 'EC2 Image Builder',
+            },
+          },
+        }),
+      );
+    }
+  }
+
+  return policies;
 };
 
 export const getExecutionRole = (

packages/@aws-cdk/aws-imagebuilder-alpha/test/image-pipeline.test.ts

@@ -87,6 +87,7 @@ describe('ImagePipeline', () => {
   });
 
   test('with all parameters - AMI pipeline', () => {
+    const executionRole = iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role');
     const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', {
       imagePipelineName: 'test-image-pipeline',
       description: 'this is an image pipeline description.',
@@ -102,7 +103,7 @@ describe('ImagePipeline', () => {
         'imported-distribution-configuration',
       ),
       status: ImagePipelineStatus.ENABLED,
-      executionRole: iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role'),
+      executionRole,
       schedule: {
         expression: events.Schedule.cron({ minute: '0', hour: '0', weekDay: '0' }),
         startCondition: ScheduleStartCondition.EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE,
@@ -126,6 +127,7 @@ describe('ImagePipeline', () => {
       imageTestsEnabled: false,
       imageScanningEnabled: true,
     });
+    imagePipeline.grantDefaultExecutionRolePermissions(executionRole);
 
     expect(ImagePipeline.isImagePipeline(imagePipeline as unknown)).toBeTruthy();
     expect(ImagePipeline.isImagePipeline('ImagePipeline')).toBeFalsy();
@@ -206,6 +208,7 @@ describe('ImagePipeline', () => {
   });
 
   test('with all parameters - container pipeline', () => {
+    const executionRole = iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role');
     const imagePipeline = new ImagePipeline(stack, 'ImagePipeline', {
       imagePipelineName: 'test-image-pipeline',
       description: 'this is an image pipeline description.',
@@ -220,7 +223,7 @@ describe('ImagePipeline', () => {
         'DistributionConfiguration',
         'imported-distribution-configuration',
       ),
-      executionRole: iam.Role.fromRoleName(stack, 'ExecutionRole', 'imagebuilder-execution-role'),
+      executionRole,
       status: ImagePipelineStatus.DISABLED,
       schedule: {
         expression: events.Schedule.rate(cdk.Duration.days(7)),
@@ -242,10 +245,11 @@ describe('ImagePipeline', () => {
       ),
       enhancedImageMetadataEnabled: false,
       imageTestsEnabled: true,
-      imageScanningEnabled: false,
+      imageScanningEnabled: true,
       imageScanningEcrRepository: ecr.Repository.fromRepositoryName(stack, 'Repository', 'scanning-repo'),
       imageScanningEcrTags: ['latest-scan'],
     });
+    imagePipeline.grantDefaultExecutionRolePermissions(executionRole);
 
     expect(ImagePipeline.isImagePipeline(imagePipeline as unknown)).toBeTruthy();
     expect(ImagePipeline.isImagePipeline('ImagePipeline')).toBeFalsy();
@@ -288,7 +292,7 @@ describe('ImagePipeline', () => {
                 ContainerTags: ['latest-scan'],
                 RepositoryName: 'scanning-repo',
               },
-              ImageScanningEnabled: false,
+              ImageScanningEnabled: true,
             },
             ImageTestsConfiguration: { ImageTestsEnabled: true },
             InfrastructureConfigurationArn: {