fix(codebuild): remove oauthToken property from source (#2252)
Auth field should not be set since it's ignored by CodeBuild
https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectSource.html#CodeBuild-Type-ProjectSource-auth

BREAKING CHANGE: customers who use GitHub, GitHubEnterprise or Bitbucket as source
will need to remove the oauthToken field as it's no longer available

Fixes #2199
Kaixiang-AWS authored and rix0rrr committed Apr 16, 2019
1 parent a09d364 commit 8705af3
Showing 6 changed files with 236 additions and 89 deletions.
13 changes: 9 additions & 4 deletions packages/@aws-cdk/aws-codebuild/README.md
@@ -90,20 +90,25 @@ Example:
const gitHubSource = new codebuild.GitHubSource({
owner: 'awslabs',
repo: 'aws-cdk',
oauthToken: new secretsmanager.SecretString(this, 'GitHubOAuthToken', {
secretId: 'my-github-token',
}).stringValue,
webhook: true, // optional, default: false
});
```

To provide GitHub credentials, please either go to AWS CodeBuild Console to connect
or call `ImportSourceCredentials` to persist your personal access token.
Example:

```
aws codebuild import-source-credentials --server-type GITHUB --auth-type PERSONAL_ACCESS_TOKEN --token <token_value>
```

### `BitBucketSource`

This source type can be used to build code from a BitBucket repository.

## Environment

By default, projects use a small instance with an Ubuntu 14.04 image. You
By default, projects use a small instance with an Ubuntu 18.04 image. You
can use the `environment` property to customize the build environment:

* `buildImage` defines the Docker image used. See [Images](#images) below for
19 changes: 0 additions & 19 deletions packages/@aws-cdk/aws-codebuild/lib/source.ts
@@ -1,7 +1,6 @@
import codecommit = require('@aws-cdk/aws-codecommit');
import iam = require('@aws-cdk/aws-iam');
import s3 = require('@aws-cdk/aws-s3');
import { SecretValue } from '@aws-cdk/cdk';
import { CfnProject } from './codebuild.generated';
import { Project } from './project';

@@ -211,13 +210,6 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
*/
readonly repo: string;

/**
* The oAuthToken used to authenticate when cloning source git repo.
* Note that you need to give CodeBuild permissions to your GitHub account in order for the token to work.
* That is a one-time operation that can be done through the AWS Console for CodeBuild.
*/
readonly oauthToken: SecretValue;

/**
* Whether to create a webhook that will trigger a build every time a commit is pushed to the GitHub repository.
*
@@ -239,14 +231,12 @@ export interface GitHubSourceProps extends GitBuildSourceProps {
export class GitHubSource extends GitBuildSource {
public readonly type: SourceType = SourceType.GitHub;
private readonly httpsCloneUrl: string;
private readonly oauthToken: SecretValue;
private readonly reportBuildStatus: boolean;
private readonly webhook?: boolean;

constructor(props: GitHubSourceProps) {
super(props);
this.httpsCloneUrl = `https://github.com/${props.owner}/${props.repo}.git`;
this.oauthToken = props.oauthToken;
this.webhook = props.webhook;
this.reportBuildStatus = props.reportBuildStatus === undefined ? true : props.reportBuildStatus;
}
@@ -261,7 +251,6 @@ export class GitHubSource extends GitBuildSource {

protected toSourceProperty(): any {
return {
auth: { type: 'OAUTH', resource: this.oauthToken },
location: this.httpsCloneUrl,
reportBuildStatus: this.reportBuildStatus,
};
@@ -277,11 +266,6 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
*/
readonly httpsCloneUrl: string;

/**
* The OAuth token used to authenticate when cloning the git repository.
*/
readonly oauthToken: SecretValue;

/**
* Whether to ignore SSL errors when connecting to the repository.
*
@@ -296,19 +280,16 @@ export interface GitHubEnterpriseSourceProps extends GitBuildSourceProps {
export class GitHubEnterpriseSource extends GitBuildSource {
public readonly type: SourceType = SourceType.GitHubEnterprise;
private readonly httpsCloneUrl: string;
private readonly oauthToken: SecretValue;
private readonly ignoreSslErrors?: boolean;

constructor(props: GitHubEnterpriseSourceProps) {
super(props);
this.httpsCloneUrl = props.httpsCloneUrl;
this.oauthToken = props.oauthToken;
this.ignoreSslErrors = props.ignoreSslErrors;
}

protected toSourceProperty(): any {
return {
auth: { type: 'OAUTH', resource: this.oauthToken },
location: this.httpsCloneUrl,
insecureSsl: this.ignoreSslErrors,
};
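--- a/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.github.expected.json
@@ -0,0 +1,129 @@
+{
+"Resources": {
+"MyProjectRole9BBE5233": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": {
+"Fn::Join": [
+"",
+[
+"codebuild.",
+{
+"Ref": "AWS::URLSuffix"
+}
+]
+]
+}
+}
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
+"MyProjectRoleDefaultPolicyB19B7C29": {
+"Type": "AWS::IAM::Policy",
+"Properties": {
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+],
+"Effect": "Allow",
+"Resource": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":logs:",
+{
+"Ref": "AWS::Region"
+},
+":",
+{
+"Ref": "AWS::AccountId"
+},
+":log-group:/aws/codebuild/",
+{
+"Ref": "MyProject39F7B0AE"
+}
+]
+]
+},
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":logs:",
+{
+"Ref": "AWS::Region"
+},
+":",
+{
+"Ref": "AWS::AccountId"
+},
+":log-group:/aws/codebuild/",
+{
+"Ref": "MyProject39F7B0AE"
+},
+":*"
+]
+]
+}
+]
+}
+],
+"Version": "2012-10-17"
+},
+"PolicyName": "MyProjectRoleDefaultPolicyB19B7C29",
+"Roles": [
+{
+"Ref": "MyProjectRole9BBE5233"
+}
+]
+}
+},
+"MyProject39F7B0AE": {
+"Type": "AWS::CodeBuild::Project",
+"Properties": {
+"Artifacts": {
+"Type": "NO_ARTIFACTS"
+},
+"Environment": {
+"ComputeType": "BUILD_GENERAL1_SMALL",
+"Image": "aws/codebuild/standard:1.0",
+"PrivilegedMode": false,
+"Type": "LINUX_CONTAINER"
+},
+"ServiceRole": {
+"Fn::GetAtt": [
+"MyProjectRole9BBE5233",
+"Arn"
+]
+},
+"Source": {
+"Location": "https://github.com/awslabs/aws-cdk.git",
+"ReportBuildStatus": false,
+"Type": "GITHUB"
+}
+}
+}
+}
+}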
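--- a/packages/@aws-cdk/aws-codebuild/test/integ.github.ts
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.github.ts
@@ -0,0 +1,23 @@
+import cdk = require('@aws-cdk/cdk');
+import codebuild = require('../lib');
+
+class TestStack extends cdk.Stack {
+constructor(scope: cdk.App, id: string) {
+super(scope, id);
+
+const source = new codebuild.GitHubSource({
+owner: 'awslabs',
+repo: 'aws-cdk',
+reportBuildStatus: false,
+});
+new codebuild.Project(this, 'MyProject', {
+source
+});
+}
+}
+
+const app = new cdk.App();
+
+new TestStack(app, 'test-codebuild-github');
+
+app.run();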
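Review bot: The stack gives no hint about where GitHub access comes from now that `oauthToken` is gone, so someone deploying this integ test cannot tell whether it depends on credentials already connected to CodeBuild in the target account. A short comment above `new codebuild.GitHubSource` would record that, for example `// No credentials in the template; any GitHub access relies on credentials connected to CodeBuild in this account/region.` If `reportBuildStatus: false` was chosen so the test works without such credentials, say so next to it; that reading is inferred, not shown on the page.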
77 changes: 75 additions & 2 deletions packages/@aws-cdk/aws-codebuild/test/test.codebuild.ts
@@ -470,6 +470,79 @@ export = {
});
test.done();
},
'with GitHub source'(test: Test) {
const stack = new cdk.Stack();

new codebuild.Project(stack, 'Project', {
source: new codebuild.GitHubSource({
owner: 'testowner',
repo: 'testrepo',
cloneDepth: 3,
webhook: true,
reportBuildStatus: false,
})
});

expect(stack).to(haveResource('AWS::CodeBuild::Project', {
Source: {
Type: "GITHUB",
Location: 'https://github.com/testowner/testrepo.git',
ReportBuildStatus: false,
GitCloneDepth: 3,
}
}));

expect(stack).to(haveResourceLike('AWS::CodeBuild::Project', {
Triggers: {
Webhook: true,
},
}));

test.done();
},
'with GitHubEnterprise source'(test: Test) {
const stack = new cdk.Stack();

new codebuild.Project(stack, 'MyProject', {
source: new codebuild.GitHubEnterpriseSource({
httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo',
ignoreSslErrors: true,
cloneDepth: 4,
})
});

expect(stack).to(haveResource('AWS::CodeBuild::Project', {
Source: {
Type: "GITHUB_ENTERPRISE",
InsecureSsl: true,
GitCloneDepth: 4,
Location: 'https://github.testcompany.com/testowner/testrepo'
}
}));

test.done();
},
'with Bitbucket source'(test: Test) {
const stack = new cdk.Stack();

new codebuild.Project(stack, 'Project', {
source: new codebuild.BitBucketSource({
owner: 'testowner',
repo: 'testrepo',
cloneDepth: 5,
})
});

expect(stack).to(haveResource('AWS::CodeBuild::Project', {
Source: {
Type: 'BITBUCKET',
Location: 'https://bitbucket.org/testowner/testrepo.git',
GitCloneDepth: 5,
},
}));

test.done();
},
'fail creating a Project when no build spec is given'(test: Test) {
const stack = new cdk.Stack();

@@ -1065,8 +1138,8 @@ export = {
{ source: new codebuild.CodePipelineSource(), shouldPassValidation: false },
{ source: new codebuild.CodeCommitSource({ repository: repo }), shouldPassValidation: false },
{ source: new codebuild.S3BucketSource({ bucket, path: 'path/to/source.zip' }), shouldPassValidation: false },
{ source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true },
{ source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url', oauthToken: new cdk.SecretValue()}), shouldPassValidation: true },
{ source: new codebuild.GitHubSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true },
{ source: new codebuild.GitHubEnterpriseSource({ httpsCloneUrl: 'url' }), shouldPassValidation: true },
{ source: new codebuild.BitBucketSource({ owner: 'awslabs', repo: 'aws-cdk' }), shouldPassValidation: true }
];

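Review bot: The new 'with GitHubEnterprise source' case pins only the insecure configuration (`ignoreSslErrors: true` giving `InsecureSsl: true`); nothing in this section asserts what is synthesized when the option is left out, which is the configuration most projects will use. A companion case that omits `ignoreSslErrors` and expects a `Source` with no `InsecureSsl` key would catch a regression that starts emitting the flag by default. This relies on `haveResource` comparing the nested `Source` object exactly, which the separate `haveResourceLike` assertion for `Triggers` suggests but the page does not show. The `export = {` object starts and ends outside the hunk.

```typescript
  'with GitHubEnterprise source and ignoreSslErrors left unset'(test: Test) {
    const stack = new cdk.Stack();

    new codebuild.Project(stack, 'MyProject', {
      source: new codebuild.GitHubEnterpriseSource({
        httpsCloneUrl: 'https://github.testcompany.com/testowner/testrepo',
      })
    });

    // ignoreSslErrors unset must not emit InsecureSsl in the template.
    expect(stack).to(haveResource('AWS::CodeBuild::Project', {
      Source: {
        Type: "GITHUB_ENTERPRISE",
        Location: 'https://github.testcompany.com/testowner/testrepo'
      }
    }));

    test.done();
  },
```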