Skip to content

feat: Manage IAM permissions for (some) CFN CodePipeline actions #843

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RomainMuller merged 5 commits into from
Oct 5, 2018
Merged

feat: Manage IAM permissions for (some) CFN CodePipeline actions #843

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
30840f5
feat: Manage IAM permissions for (some) CFN CodePipeline actions
RomainMuller Oct 3, 2018
0ee53be
Some DRYing up
RomainMuller Oct 4, 2018
e130edf
Use lodash instead of util, as deepStrictEqual is a node 10+ feature
RomainMuller Oct 4, 2018
eef28fb
Provide actual observed values in eror message
RomainMuller Oct 5, 2018
afcfdc9
Stop trying to resolve constructs
RomainMuller Oct 5, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,11 @@ export class PipelineExecuteChangeSetAction extends PipelineCloudFormationAction
ActionMode: 'CHANGE_SET_EXECUTE',
ChangeSetName: props.changeSetName,
});

props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
.addAction('cloudformation:ExecuteChangeSet')
.addResource(stackArnFromName(props.stackName))
.addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
}
}

Expand Down Expand Up @@ -243,6 +248,24 @@ export class PipelineCreateReplaceChangeSetAction extends PipelineCloudFormation
});

this.addInputArtifact(props.templatePath.artifact);
if (props.templateConfiguration && props.templateConfiguration.artifact.name !== props.templatePath.artifact.name) {
this.addInputArtifact(props.templateConfiguration.artifact);
}

const stackArn = stackArnFromName(props.stackName);
// Allow the pipeline to check for Stack & ChangeSet existence
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
.addAction('cloudformation:DescribeStacks')
.addResource(stackArn));
// Allow the pipeline to create & delete the specified ChangeSet
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
.addActions('cloudformation:CreateChangeSet', 'cloudformation:DeleteChangeSet', 'cloudformation:DescribeChangeSet')
.addResource(stackArn)
.addCondition('StringEquals', { 'cloudformation:ChangeSetName': props.changeSetName }));
// Allow the pipeline to pass this actions' role to CloudFormation
props.stage.pipelineRole.addToPolicy(new cdk.PolicyStatement()
.addAction('iam:PassRole')
.addResource(this.role.roleArn));
}
}

Expand Down Expand Up @@ -337,3 +360,11 @@ export enum CloudFormationCapabilities {
*/
NamedIAM = 'CAPABILITY_NAMED_IAM'
}

function stackArnFromName(stackName: string): string {
return cdk.ArnUtils.fromComponents({
service: 'cloudformation',
resource: 'stack',
resourceName: `${stackName}/*`
});
}
17 changes: 14 additions & 3 deletions packages/@aws-cdk/aws-cloudformation/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-cloudformation/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,11 @@
"license": "Apache-2.0",
"devDependencies": {
"@aws-cdk/assert": "^0.10.0",
"@types/lodash": "^4.14.116",
"cdk-build-tools": "^0.10.0",
"cdk-integ-tools": "^0.10.0",
"cfn2ts": "^0.10.0",
"lodash": "^4.17.11",
"pkglint": "^0.10.0"
},
"dependencies": {
Expand Down
8 changes: 0 additions & 8 deletions packages/@aws-cdk/aws-cloudformation/test/test.cloudformation.ts
View file
Open in desktop

This file was deleted.

181 changes: 181 additions & 0 deletions packages/@aws-cdk/aws-cloudformation/test/test.pipeline-actions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,181 @@
import cpapi = require('@aws-cdk/aws-codepipeline-api');
import iam = require('@aws-cdk/aws-iam');
import cdk = require('@aws-cdk/cdk');
import _ = require('lodash');
import nodeunit = require('nodeunit');
import cloudformation = require('../lib');

export = nodeunit.testCase({
CreateReplaceChangeSet: {
works(test: nodeunit.Test) {
const stack = new cdk.Stack();
const pipelineRole = new RoleDouble(stack, 'PipelineRole');
const stage = new StageDouble({ pipelineRole });
const artifact = new cpapi.Artifact(stack as any, 'TestArtifact');
const action = new cloudformation.PipelineCreateReplaceChangeSetAction(stack, 'Action', {
stage,
changeSetName: 'MyChangeSet',
stackName: 'MyStack',
templatePath: artifact.atPath('path/to/file')
});

_assertPermissionGranted(test, pipelineRole.statements, 'iam:PassRole', action.role.roleArn);

const stackArn = cdk.ArnUtils.fromComponents({
service: 'cloudformation',
resource: 'stack',
resourceName: 'MyStack/*'
});
const changeSetCondition = { StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } };
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:DescribeStacks', stackArn);
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:DescribeChangeSet', stackArn, changeSetCondition);
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:CreateChangeSet', stackArn, changeSetCondition);
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:DeleteChangeSet', stackArn, changeSetCondition);

test.deepEqual(action.inputArtifacts, [artifact],
'The inputArtifact was correctly registered');

_assertActionMatches(test, stage.actions, 'AWS', 'CloudFormation', 'Deploy', {
ActionMode: 'CHANGE_SET_CREATE_REPLACE',
StackName: 'MyStack',
ChangeSetName: 'MyChangeSet'
});

test.done();
}
},
ExecuteChangeSet: {
works(test: nodeunit.Test) {
const stack = new cdk.Stack();
const pipelineRole = new RoleDouble(stack, 'PipelineRole');
const stage = new StageDouble({ pipelineRole });
new cloudformation.PipelineExecuteChangeSetAction(stack, 'Action', {
stage,
changeSetName: 'MyChangeSet',
stackName: 'MyStack',
});

const stackArn = cdk.ArnUtils.fromComponents({
service: 'cloudformation',
resource: 'stack',
resourceName: 'MyStack/*'
});
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:ExecuteChangeSet', stackArn,
{ StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } });

_assertActionMatches(test, stage.actions, 'AWS', 'CloudFormation', 'Deploy', {
ActionMode: 'CHANGE_SET_EXECUTE',
StackName: 'MyStack',
ChangeSetName: 'MyChangeSet'
});

test.done();
}
}
});

interface PolicyStatementJson {
Effect: 'Allow' | 'Deny';
Action: string | string[];
Resource: string | string[];
Condition: any;
}

function _assertActionMatches(test: nodeunit.Test,
actions: cpapi.Action[],
owner: string,
provider: string,
category: string,
configuration?: { [key: string]: any }) {
const configurationStr = configuration
? `configuration including ${JSON.stringify(cdk.resolve(configuration), null, 2)}`
: '';
const actionsStr = JSON.stringify(actions.map(a =>
({ owner: a.owner, provider: a.provider, category: a.category, configuration: cdk.resolve(a.configuration) })
), null, 2);
test.ok(_hasAction(actions, owner, provider, category, configuration),
`Expected to find an action with owner ${owner}, provider ${provider}, category ${category}${configurationStr}, but found ${actionsStr}`);
}

function _hasAction(actions: cpapi.Action[], owner: string, provider: string, category: string, configuration?: { [key: string]: any}) {
for (const action of actions) {
if (action.owner !== owner) { continue; }
if (action.provider !== provider) { continue; }
if (action.category !== category) { continue; }
if (configuration && !action.configuration) { continue; }
if (configuration) {
for (const key of Object.keys(configuration)) {
if (!_.isEqual(cdk.resolve(action.configuration[key]), cdk.resolve(configuration[key]))) {
continue;
}
}
}
return true;
}
return false;
}

function _assertPermissionGranted(test: nodeunit.Test, statements: PolicyStatementJson[], action: string, resource: string, conditions?: any) {
const conditionStr = conditions
? ` with condition(s) ${JSON.stringify(cdk.resolve(conditions))}`
: '';
const statementsStr = JSON.stringify(cdk.resolve(statements), null, 2);
test.ok(_grantsPermission(statements, action, resource, conditions),
`Expected to find a statement granting ${action} on ${cdk.resolve(resource)}${conditionStr}, found:\n${statementsStr}`);
}

function _grantsPermission(statements: PolicyStatementJson[], action: string, resource: string, conditions?: any) {
for (const statement of statements.filter(s => s.Effect === 'Allow')) {
if (!_isOrContains(statement.Action, action)) { continue; }
if (!_isOrContains(statement.Resource, resource)) { continue; }
if (conditions && !_isOrContains(statement.Condition, conditions)) { continue; }
return true;
}
return false;
}

function _isOrContains(entity: string | string[], value: string): boolean {
const resolvedValue = cdk.resolve(value);
const resolvedEntity = cdk.resolve(entity);
if (_.isEqual(resolvedEntity, resolvedValue)) { return true; }
if (!Array.isArray(resolvedEntity)) { return false; }
for (const tested of entity) {
if (_.isEqual(tested, resolvedValue)) { return true; }
}
return false;
Copy link
Contributor

@skinny85 skinny85 Oct 3, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah...

Integ test instead? 🙃

Copy link
Contributor Author

@RomainMuller RomainMuller Oct 4, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My perception here (prove me wrong if you can :D) is that those are super brittle, because they involve almost as many, if not more, parts that are not part of the tested module than parts that I want to test. It is also not possible for me to integ-test from @aws-cdk/aws-cloudformation without incurring dependency cycles, and moving the test to somewhere else (aws-cdk/aws-codepipeline) feels wrong & would mis-represent the test coverage of the CFN L2, which I think is a problem.

Copy link
Contributor

@skinny85 skinny85 Oct 4, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it's possible to substitute some of these helper functions with our expect haveResource helpers from cdk-assert? I'm worried that the failures these produce will be pretty much impossible to diagnose (for example, when you return false from _hasAction).

Copy link
Contributor Author

@RomainMuller RomainMuller Oct 5, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's what we have stack traces for, but I hear you. The problem will be that expect / haveResource operate on synthesized stacks, and that I am precisely unable to synthesize a stack here because it requires me to pull in many unneeded things. Instead, I propose to make assertion-style helpers that will actually format the actual in the message, so it is more actionable.

}

class StageDouble implements cpapi.IStage {
public readonly name: string;
public readonly pipelineArn: string;
public readonly pipelineRole: iam.Role;

public readonly actions = new Array<cpapi.Action>();

constructor({ name, pipelineName, pipelineRole }: { name?: string, pipelineName?: string, pipelineRole: iam.Role }) {
this.name = name || 'TestStage';
this.pipelineArn = cdk.ArnUtils.fromComponents({ service: 'codepipeline', resource: 'pipeline', resourceName: pipelineName || 'TestPipeline' });
this.pipelineRole = pipelineRole;
}

public grantPipelineBucketReadWrite() {
throw new Error('Unsupported');
}

public _attachAction(action: cpapi.Action) {
this.actions.push(action);
}
}

class RoleDouble extends iam.Role {
public readonly statements = new Array<PolicyStatementJson>();

constructor(parent: cdk.Construct, id: string, props: iam.RoleProps = { assumedBy: new cdk.ServicePrincipal('test') }) {
super(parent, id, props);
}

public addToPolicy(statement: cdk.PolicyStatement) {
super.addToPolicy(statement);
this.statements.push(statement.toJson());
}
}
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-codepipeline-api/lib/artifact.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ export class Artifact extends Construct {
* Output is in the form "<artifact-name>::<file-name>"
* @param fileName The name of the file
*/
public subartifact(fileName: string) {
public atPath(fileName: string) {
return new ArtifactPath(this, fileName);
}

Expand Down
Loading