CodeBuild: CDK produces incorrect IAM role and results in failed build #2605

Closed
thesurlydev opened this issue May 21, 2019 · 3 comments
Labels
bug This issue is a bug.

Comments

@thesurlydev
Contributor

thesurlydev commented May 21, 2019

Describe the bug
I successfully created a new CodeBuild project and the resulting default IAM role had two issues that resulted in failed builds (in the PROVISIONING step).

To Reproduce
Using the following CDK code to produce the CodeBuild project in question:

val codeBuildBootstrapProps = CodeBuildBootstrapProps(
    stackProps, "https://github.foo.com/me/bar",
    "$appName-build-bucket",
    ComputeType.Small,
    LinuxBuildImage.UBUNTU_18_04_STANDARD_1_0,
    vpc
)

CodeBuildBootstrap(app, "code-build-bootstrap", codeBuildBootstrapProps)

// Inside the CodeBuildBootstrap construct (props is the CodeBuildBootstrapProps above):
val projectName = this.node.getContext("app") as String

val buildEnvironment = BuildEnvironment.builder()
    .withComputeType(props.computeType)
    .withBuildImage(props.buildImage)
    .withPrivileged(false) // true only if used to build Docker images
    .build()

// GitHub Enterprise source, shallow clone
val gitHubEnterpriseSourceProps = GitHubEnterpriseSourceProps.builder()
    .withCloneDepth(1)
    .withHttpsCloneUrl(props.cloneUrl)
    .build()
val gitHubEnterpriseSource = GitHubEnterpriseSource(gitHubEnterpriseSourceProps)

// Bucket that receives the secondary build artifact
val buildBucket = Bucket(
    this, "buildbucket", BucketProps.builder()
        .withBucketName(props.buildBucketName)
        .withRemovalPolicy(RemovalPolicy.Destroy)
        .build()
)

val s3BucketBuildArtifactsProps = S3BucketBuildArtifactsProps.builder()
    .withName("code-build-artifacts")
    .withIdentifier("BuildArtifact")
    .withBucket(buildBucket)
    .withPath("code-build-artifacts/${projectName}.jar")
    .withIncludeBuildId(true)
    .build()
val s3BucketBuildArtifacts = S3BucketBuildArtifacts(s3BucketBuildArtifactsProps)

// VPC-attached project: attaching the VPC is what makes the CDK add the ec2:* statements to the role
val projectProps = ProjectProps.builder()
    .withEnvironment(buildEnvironment)
    .withProjectName(projectName)
    .withSource(gitHubEnterpriseSource)
    .withBuildSpec("buildspec.yml")
    .withVpc(props.vpc)
    .withArtifacts(NoBuildArtifacts())
    .withSecondaryArtifacts(listOf(s3BucketBuildArtifacts))
    .build()

val project = Project(this, "code-build-project", projectProps)

The first issue is the ec2:DescribeSecurityGroups action was missing on the IAM policy.
I fixed this with the following code:

project.addToRolePolicy(
    PolicyStatement(PolicyStatementEffect.Allow).addAllResources().addActions("ec2:DescribeSecurityGroups")
)

The second issue was that the following snippet was generated:

{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterfacePermission"
    ],
    "Resource": "arn:aws:ec2:us-east-1:123456789000:network-interface/*",
    "Condition": {
        "StringEquals": {
            "ec2:Subnet": [
                "arn:aws:ec2:us-east-1:123456789000:subnet/[[subnets]]"
            ],
            "ec2:AuthorizedService": "codebuild.amazonaws.com"
        }
    }
}

I fixed by explicitly setting the subnets in the condition clause:

{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterfacePermission"
    ],
    "Resource": "arn:aws:ec2:us-east-1:123456789000:network-interface/*",
    "Condition": {
        "StringEquals": {
            "ec2:Subnet": [
                "arn:aws:ec2:us-east-1:123456789000:subnet/subnet-0c3840...aab329b0",
                "arn:aws:ec2:us-east-1:123456789000:subnet/subnet-02a111...27737a5f",
                "arn:aws:ec2:us-east-1:123456789000:subnet/subnet-03957...a50cc5f73"
            ],
            "ec2:AuthorizedService": "codebuild.amazonaws.com"
        }
    }
}

Expected behavior
The default IAM role produced by the CDK should be correct and allow successful build.

Version:

  • Ubuntu 18.04
  • Kotlin using Java CDK artifacts
  • 0.31.0
@thesurlydev thesurlydev added the bug This issue is a bug. label May 21, 2019
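Added example, not code from the issue, the reporter, or the CDK project: a small Python checker that runs over a synthesized role policy (the JSON you get from cdk synth) and flags the two defects reported above, the unresolved [[subnets]] placeholder in the ec2:Subnet condition and the missing ec2:DescribeSecurityGroups action, plus two helpers that apply the equivalent of the two manual fixes. The sample policy, the subnet ids and the region/account are constructed for the example; the set of required actions is assumed to match the service-role policy AWS documents for VPC-enabled CodeBuild projects.

```python
import copy
import re

# Actions a VPC-enabled CodeBuild service role needs to manage the build's
# network interfaces. Assumption: this mirrors the service-role policy AWS
# documents for VPC builds; it includes the two actions named in the issue.
REQUIRED_VPC_ACTIONS = {
    "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups", "ec2:DescribeDhcpOptions",
    "ec2:DescribeVpcs", "ec2:CreateNetworkInterfacePermission",
}

# Unresolved CDK placeholders that can leak into a synthesized template: the
# "[[...]]" form the issue shows, and the "${Token[...]}" rendering.
UNRESOLVED_TOKEN = re.compile(r"\[\[[^\]]*\]\]|\$\{Token\[[^\]]*\]\}")

REGION, ACCOUNT = "us-east-1", "123456789000"  # region/account as in the issue

# Constructed sample of what the issue reports CDK 0.31.0 synthesizing: the
# subnet condition still carries "[[subnets]]" and DescribeSecurityGroups is
# absent. The subnet ids further down are made up (not the truncated real ones).
BUGGY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
                       "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets",
                       "ec2:DescribeDhcpOptions", "ec2:DescribeVpcs"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateNetworkInterfacePermission"],
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
            "Condition": {"StringEquals": {
                "ec2:Subnet": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/[[subnets]]"],
                "ec2:AuthorizedService": "codebuild.amazonaws.com",
            }},
        },
    ],
}
VPC_SUBNET_ARNS = [
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0aaaaaaaaaaaaaaa1",
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0bbbbbbbbbbbbbbb2",
]


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_policy_problems(policy_doc, expected_subnet_arns):
    """Return human-readable findings; an empty list means the role will work."""
    findings, granted = [], set()
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        granted.update(actions)
        if "ec2:CreateNetworkInterfacePermission" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        subnets = _as_list(cond.get("ec2:Subnet", []))
        for arn in subnets:
            if UNRESOLVED_TOKEN.search(arn):
                findings.append(f"unresolved CDK token in ec2:Subnet condition: {arn}")
        for arn in expected_subnet_arns:
            if arn not in subnets:
                findings.append(f"build subnet not allowed by ec2:Subnet condition: {arn}")
        if cond.get("ec2:AuthorizedService") != "codebuild.amazonaws.com":
            findings.append("ec2:AuthorizedService condition missing or not codebuild.amazonaws.com")
    if not granted & {"*", "ec2:*"}:  # a wildcard grant already covers every action below
        findings.extend(f"missing action: {a}" for a in sorted(REQUIRED_VPC_ACTIONS - granted))
    return findings


def pin_subnet_condition(policy_doc, subnet_arns):
    """Copy of the policy with the build subnets listed explicitly (the issue's manual fix)."""
    fixed = copy.deepcopy(policy_doc)
    for stmt in fixed.get("Statement", []):
        if "ec2:CreateNetworkInterfacePermission" in _as_list(stmt.get("Action", [])):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["ec2:Subnet"] = list(subnet_arns)
            cond["ec2:AuthorizedService"] = "codebuild.amazonaws.com"
    return fixed


def grant_describe_security_groups(policy_doc):
    """Copy of the policy with the statement the issue's addToRolePolicy(...) call adds.

    Resource "*" is deliberate: EC2 Describe* calls do not support resource-level
    permissions, so a narrower resource would be denied."""
    fixed = copy.deepcopy(policy_doc)
    fixed.setdefault("Statement", []).append(
        {"Effect": "Allow", "Action": ["ec2:DescribeSecurityGroups"], "Resource": "*"}
    )
    return fixed


if __name__ == "__main__":
    before = find_policy_problems(BUGGY_POLICY, VPC_SUBNET_ARNS)
    print("before fix:", *before, sep="\n  ")
    fixed = grant_describe_security_groups(pin_subnet_condition(BUGGY_POLICY, VPC_SUBNET_ARNS))
    print("after fix:", find_policy_problems(fixed, VPC_SUBNET_ARNS))
```

On the buggy sample this reports the unresolved token, both build subnets as not allowed, and the missing DescribeSecurityGroups action; after the two helpers are applied it reports nothing. The token check is the one worth keeping in a CI step: a placeholder in a subnet ARN is a template bug that IAM will happily accept and that only surfaces as a PROVISIONING failure at build time.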
@skinny85
Contributor

Thanks for reporting the issue @digitalsanctum. This was indeed a bug, fixed here: #2506.

I'm resolving this one, feel free to re-open if you have any further questions.

@thesurlydev
Contributor Author

@skinny85 The fix you referred to looks like it fixes the subnet issue but not the IAM role policy issue?

@skinny85
Contributor

It fixes it as well. See here for the contents of the IAM Policy in an integ test we have.
