import { Node } from 'constructs';
import { CodePipeline } from './codepipeline';
import { CodePipelineActionFactoryResult, ICodePipelineActionFactory, ProduceActionOptions } from './codepipeline-action-factory';
import { IStage } from '../../../aws-codepipeline';
import * as cpa from '../../../aws-codepipeline-actions';
import * as sns from '../../../aws-sns';
import { Stage } from '../../../core';
import { Step } from '../blueprint';
import { ApplicationSecurityCheck } from '../private/application-security-check';
/**
 * Properties for a `PermissionsBroadeningCheck`
 */
export interface PermissionsBroadeningCheckProps {
  /**
   * The CDK Stage object to check the stacks of
   *
   * This should be the same Stage object you are passing to `addStage()`.
   * Its construct address is also used as the CodePipeline variables namespace
   * through which the check hands its message and link to the approval action.
   */
  readonly stage: Stage;

  /**
   * Topic to send notifications when a human needs to give manual confirmation
   *
   * When set, the security-check CodeBuild project is granted publish permission
   * on this topic, and the topic ARN and a subject line are passed to it as
   * environment variables.
   *
   * @default - no notification
   */
  readonly notificationTopic?: sns.ITopic;
}
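/**
 * Pause the pipeline if a deployment would add IAM permissions or Security Group rules
 *
 * Adds two consecutive actions to the stage: a CodeBuild action that runs the
 * pipeline's shared `ApplicationSecurityCheck` project against the cloud
 * assembly, followed by a `ManualApprovalAction` whose text and link are read
 * from the variables that check exports under the stage's address namespace.
 *
 * This step is only supported in CodePipeline pipelines.
 */
export class ConfirmPermissionsBroadening extends Step implements ICodePipelineActionFactory {
  /**
   * @param id Identifier of this step within the pipeline.
   * @param props The stage to check and an optional topic to notify when
   *   manual confirmation is required.
   */
  constructor(id: string, private readonly props: PermissionsBroadeningCheckProps) {
    super(id);
  }

  /**
   * Emit the `<actionName>.Check` CodeBuild action and the `<actionName>.Confirm`
   * manual approval action into `stage`.
   *
   * If a notification topic is configured, the check project is granted publish
   * permission on it so the build can notify approvers directly.
   *
   * @param stage The CodePipeline stage to add the two actions to.
   * @param options Run order, action name and artifact wiring supplied by the pipeline.
   * @returns A result consuming two run orders: the check runs at
   *   `options.runOrder`, the approval at `options.runOrder + 1`.
   */
  public produceAction(stage: IStage, options: ProduceActionOptions): CodePipelineActionFactoryResult {
    const sec = this.getOrCreateSecCheck(options.pipeline);
    this.props.notificationTopic?.grantPublish(sec.cdkDiffProject);

    // The stage's construct address is unique within the app, so it doubles as the
    // namespace under which the check's `MESSAGE` and `LINK` variables are resolved
    // by the approval action below.
    const variablesNamespace = Node.of(this.props.stage).addr;
    const approveActionName = `${options.actionName}.Confirm`;

    stage.addAction(new cpa.CodeBuildAction({
      runOrder: options.runOrder,
      actionName: `${options.actionName}.Check`,
      input: options.artifacts.toCodePipeline(options.pipeline.cloudAssemblyFileSet),
      project: sec.cdkDiffProject,
      variablesNamespace,
      environmentVariables: {
        STAGE_PATH: { value: Node.of(this.props.stage).path },
        STAGE_NAME: { value: stage.stageName },
        ACTION_NAME: { value: approveActionName },
        // Notification variables are only set when a topic was configured, so the
        // build can tell whether it is expected to publish at all.
        ...this.props.notificationTopic ? {
          NOTIFICATION_ARN: { value: this.props.notificationTopic.topicArn },
          NOTIFICATION_SUBJECT: { value: `Confirm permission broadening in ${this.props.stage.stageName}` },
        } : {},
      },
    }));

    stage.addAction(new cpa.ManualApprovalAction({
      actionName: approveActionName,
      runOrder: options.runOrder + 1,
      additionalInformation: `#{${variablesNamespace}.MESSAGE}`,
      externalEntityLink: `#{${variablesNamespace}.LINK}`,
    }));

    return { runOrdersConsumed: 2 };
  }

  /**
   * Return the pipeline's single shared `ApplicationSecurityCheck`, creating it on first use.
   *
   * The check is a child of the pipeline construct under a fixed id, so every
   * `ConfirmPermissionsBroadening` step in the same pipeline reuses one project.
   *
   * @param pipeline The pipeline that owns the check.
   * @throws Error if a child with the reserved id exists but is not an `ApplicationSecurityCheck`.
   */
  private getOrCreateSecCheck(pipeline: CodePipeline): ApplicationSecurityCheck {
    const id = 'PipelinesSecurityCheck';
    const existing = Node.of(pipeline).tryFindChild(id);
    if (existing) {
      if (!(existing instanceof ApplicationSecurityCheck)) {
        // Report the construct's class name; interpolating the object itself
        // would render as '[object Object]' and hide what actually occupies the id.
        throw new Error(`Expected '${Node.of(existing).path}' to be 'ApplicationSecurityCheck' but was '${existing.constructor.name}'`);
      }
      return existing;
    }
    return new ApplicationSecurityCheck(pipeline, id, {
      codePipeline: pipeline.pipeline,
    });
  }
}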