Bug? in default policy created by CodeBuild with VPC config #2335

Closed
cjyclaire opened this issue Apr 19, 2019 · 3 comments · Fixed by #2506 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug.

Comments

@cjyclaire

https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-codebuild/lib/project.ts#L900

`arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/[[subnets]]`

Instead of [[subnets]], it needs to provide actual subnet IDs, such as

`arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/subnet-dsdas`
...

The currently generated policy will cause:

9/18 | 12:43:58 PM | CREATE_FAILED        | AWS::CodeBuild::Project     | XXX (XXX0DDC635A) Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException; Request ID: 4e0ba4fa-6212-11e9-9b2d-15eae6919f60)

I'm guessing the policy content is invalid, as when I tried with exact subnet IDs the deploy succeeds.
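The failure above comes from a least-privilege policy whose subnet ARNs were never resolved: the literal `[[subnets]]` placeholder matches no subnet, so the service cannot create its network interfaces. The following is an added example, not code from this issue or from the aws-cdk project. It builds the per-subnet ARNs from concrete subnet IDs and lints a policy document for subnet references whose ID part is not a real `subnet-…` identifier. The statement shape (`ec2:CreateNetworkInterfacePermission` conditioned on `ec2:Subnet` and `ec2:AuthorizedService`) follows what AWS documents for CodeBuild VPC access; the region, account and subnet IDs are constructed values.

```typescript
// Added example, not code from the aws-cdk project or the issue.
// Builds the per-subnet EC2 ARNs a CodeBuild VPC policy must name and lints a
// policy document for subnet references left unresolved (the "[[subnets]]" case).

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
  Condition?: { [operator: string]: { [key: string]: string | string[] } };
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Concrete subnet IDs are "subnet-" followed by 8 or 17 lowercase hex digits.
const SUBNET_ID_RE = /^subnet-[0-9a-f]{8}([0-9a-f]{9})?$/;

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Turn concrete subnet IDs into ARNs, refusing placeholders or unresolved tokens.
function subnetArns(region: string, account: string, subnetIds: string[]): string[] {
  return subnetIds.map((id) => {
    if (!SUBNET_ID_RE.test(id)) {
      throw new Error('not a concrete subnet id: ' + id);
    }
    return 'arn:aws:ec2:' + region + ':' + account + ':subnet/' + id;
  });
}

// Collect every subnet ARN in Resource or Condition whose ID part is not concrete.
function findUnresolvedSubnetArns(doc: PolicyDocument): string[] {
  const unresolved: string[] = [];
  const inspect = (value: string): void => {
    const marker = ':subnet/';
    const at = value.indexOf(marker);
    if (at === -1) return;                 // not a subnet ARN, nothing to check
    const id = value.slice(at + marker.length);
    if (!SUBNET_ID_RE.test(id)) unresolved.push(value);
  };
  for (const stmt of doc.Statement) {
    asList(stmt.Resource).forEach(inspect);
    const cond = stmt.Condition || {};
    for (const op in cond) {
      const keys = cond[op];
      for (const k in keys) asList(keys[k]).forEach(inspect);
    }
  }
  return unresolved;
}

// Statement shape as AWS documents it for CodeBuild VPC access (assumption,
// see lead-in); the subnet ARNs go into the ec2:Subnet condition.
function codeBuildVpcStatement(region: string, account: string, subnetIds: string[]): PolicyStatement {
  return {
    Effect: 'Allow',
    Action: 'ec2:CreateNetworkInterfacePermission',
    Resource: 'arn:aws:ec2:' + region + ':' + account + ':network-interface/*',
    Condition: {
      StringEquals: {
        'ec2:Subnet': subnetArns(region, account, subnetIds),
        'ec2:AuthorizedService': 'codebuild.amazonaws.com',
      },
    },
  };
}

// Constructed region and account for the sample documents.
const REGION = 'us-east-1';
const ACCOUNT = '123456789012';

// The broken form reported in the issue: the placeholder was emitted literally.
const brokenDoc: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: 'ec2:CreateNetworkInterfacePermission',
    Resource: 'arn:aws:ec2:' + REGION + ':' + ACCOUNT + ':network-interface/*',
    Condition: { StringEquals: { 'ec2:Subnet': 'arn:aws:ec2:' + REGION + ':' + ACCOUNT + ':subnet/[[subnets]]' } },
  }],
};

// The corrected form, built from two constructed private-subnet IDs.
const fixedDoc: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [codeBuildVpcStatement(REGION, ACCOUNT, ['subnet-0a1b2c3d', 'subnet-0123456789abcdef0'])],
};

console.log('unresolved in broken policy:', findUnresolvedSubnetArns(brokenDoc));
console.log('unresolved in fixed policy:', findUnresolvedSubnetArns(fixedDoc));
```

Running the linter over synthesized templates in CI catches this class of defect before deployment: any subnet ARN that does not end in a concrete ID is reported, while the corrected document passes cleanly.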

@cjyclaire cjyclaire added the bug This issue is a bug. label Apr 19, 2019
@RomainMuller
Contributor

Hey @cjyclaire,

Would you be able to provide a minimal reproduction of your problem? It'll help us solve it faster.

@RomainMuller RomainMuller added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Apr 23, 2019
@cjyclaire
Author

cjyclaire commented Apr 23, 2019

You should be able to reproduce with a VPC and any CodeBuild project placed in the private subnets of the VPC, such as:

```ts
import ec2 = require('@aws-cdk/aws-ec2');
import codebuild = require('@aws-cdk/aws-codebuild');

// default vpc example
const vpc = new ec2.VpcNetwork(this, 'Vpc', {
  maxAZs: 2,
  cidr: '10.0.0.0/21',
  enableDnsSupport: true,
  natGateways: 2,
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'application',
      subnetType: ec2.SubnetType.Private
    },
    {
      cidrMask: 24,
      name: 'ingress',
      subnetType: ec2.SubnetType.Public
    },
    {
      cidrMask: 28,
      name: 'database',
      subnetType: ec2.SubnetType.Isolated
    },
  ],
});

// `repo` is the CodeCommit repository construct used as the build source (not shown in the original post)
const dbMigration = new codebuild.Project(this, '...', {
  source: new codebuild.CodeCommitSource({ repository: repo }),
  projectName: '...',
  description: '...',
  environment: {
    buildImage: codebuild.LinuxBuildImage.UBUNTU_14_04_RUBY_2_5_1
  },
  buildSpec: 'buildspec-db.yml',
  vpc: vpc,
  // placing the project in the private subnets triggers the generated VPC policy
  subnetSelection: {
    subnetType: ec2.SubnetType.Private
  }
});
```

@skinny85
Contributor

skinny85 commented May 7, 2019

Thanks for reporting @cjyclaire . Confirming this is a bug on our side.

skinny85 added a commit to skinny85/aws-cdk that referenced this issue May 9, 2019
skinny85 added a commit that referenced this issue May 10, 2019
SanderKnape pushed a commit to SanderKnape/aws-cdk that referenced this issue May 14, 2019