fix(codepipeline): work around CodeBuild's pipeline key bug (#4183)

CodeBuild has a bug where they ignore the encryption key of the pipeline's artifact bucket,
instead always using the project's key
(the account's default S3 key if the project key has not been set).
This makes the CodeBuild actions unusable in a cross-account pipeline,
as subsequent actions will get an 'Access Denied' error when trying to download the incorrectly encrypted artifacts.

The fix is to always set the project's key to be the same as the pipeline key in the CodeBuild action.

Fixes #4033

Author: skinny85

packages/@aws-cdk/aws-codebuild/lib/project.ts

@@ -5,6 +5,7 @@ import { DockerImageAsset, DockerImageAssetProps } from '@aws-cdk/aws-ecr-assets
 import events = require('@aws-cdk/aws-events');
 import iam = require('@aws-cdk/aws-iam');
 import kms = require('@aws-cdk/aws-kms');
+import s3 = require('@aws-cdk/aws-s3');
 import secretsmanager = require('@aws-cdk/aws-secretsmanager');
 import { Aws, CfnResource, Construct, Duration, IResource, Lazy, PhysicalName, Resource, Stack } from '@aws-cdk/core';
 import { IArtifacts } from './artifacts';
@@ -546,6 +547,16 @@ export interface ProjectProps extends CommonProjectProps {
   readonly secondaryArtifacts?: IArtifacts[];
 }
 
+/**
+ * The extra options passed to the {@link IProject.bindToCodePipeline} method.
+ */
+export interface BindToCodePipelineOptions {
+  /**
+   * The artifact bucket that will be used by the action that invokes this project.
+   */
+  readonly artifactBucket: s3.IBucket;
+}
+
 /**
  * A representation of a CodeBuild Project.
  */
@@ -627,6 +638,7 @@ export class Project extends ProjectBase {
   private readonly buildImage: IBuildImage;
   private readonly _secondarySources: CfnProject.SourceProperty[];
   private readonly _secondaryArtifacts: CfnProject.ArtifactsProperty[];
+  private _encryptionKey?: kms.IKey;
 
   constructor(scope: Construct, id: string, props: ProjectProps) {
     super(scope, id, {
@@ -689,7 +701,8 @@ export class Project extends ProjectBase {
       artifacts: artifactsConfig.artifactsProperty,
       serviceRole: this.role.roleArn,
       environment: this.renderEnvironment(props.environment, environmentVariables),
-      encryptionKey: props.encryptionKey && props.encryptionKey.keyArn,
+      // lazy, because we have a setter for it in setEncryptionKey
+      encryptionKey: Lazy.stringValue({ produce: () => this._encryptionKey && this._encryptionKey.keyArn }),
       badgeEnabled: props.badge,
       cache: cache._toCloudFormation(),
       name: this.physicalName,
@@ -712,7 +725,7 @@ export class Project extends ProjectBase {
     this.addToRolePolicy(this.createLoggingPermission());
 
     if (props.encryptionKey) {
-      props.encryptionKey.grantEncryptDecrypt(this);
+      this.encryptionKey = props.encryptionKey;
     }
   }
 
@@ -742,6 +755,32 @@ export class Project extends ProjectBase {
     this._secondaryArtifacts.push(secondaryArtifact.bind(this, this).artifactsProperty);
   }
 
+  /**
+   * A callback invoked when the given project is added to a CodePipeline.
+   *
+   * @param _scope the construct the binding is taking place in
+   * @param options additional options for the binding
+   */
+  public bindToCodePipeline(_scope: Construct, options: BindToCodePipelineOptions): void {
+    if (this.source.type !== CODEPIPELINE_SOURCE_ARTIFACTS_TYPE) {
+      throw new Error('Only a PipelineProject can be added to a CodePipeline');
+    }
+
+    // work around a bug in CodeBuild: it ignores the KMS key set on the pipeline,
+    // and always uses its own, project-level key
+    if (options.artifactBucket.encryptionKey && !this._encryptionKey) {
+      // we cannot safely do this assignment if the key is of type kms.Key,
+      // and belongs to a stack in a different account or region than the project
+      // (that would cause an illegal reference, as KMS keys don't have physical names)
+      const keyStack = Stack.of(options.artifactBucket.encryptionKey);
+      const projectStack = Stack.of(this);
+      if (!(options.artifactBucket.encryptionKey instanceof kms.Key &&
+          (keyStack.account !== projectStack.account || keyStack.region !== projectStack.region))) {
+        this.encryptionKey = options.artifactBucket.encryptionKey;
+      }
+    }
+  }
+
   /**
    * @override
    */
@@ -760,6 +799,11 @@ export class Project extends ProjectBase {
     return ret;
   }
 
+  private set encryptionKey(encryptionKey: kms.IKey) {
+    this._encryptionKey = encryptionKey;
+    encryptionKey.grantEncryptDecrypt(this);
+  }
+
   private createLoggingPermission() {
     const logGroupArn = Stack.of(this).formatArn({
       service: 'logs',

packages/@aws-cdk/aws-codebuild/test/test.project.ts

@@ -1,6 +1,7 @@
 import { expect, haveResource, haveResourceLike, not } from '@aws-cdk/assert';
 import ec2 = require('@aws-cdk/aws-ec2');
 import iam = require('@aws-cdk/aws-iam');
+import s3 = require('@aws-cdk/aws-s3');
 import { Bucket } from '@aws-cdk/aws-s3';
 import cdk = require('@aws-cdk/core');
 import { Test } from 'nodeunit';
@@ -148,6 +149,24 @@ export = {
 
       test.done();
     },
+
+    'cannot have bindToCodePipeline() be called on it'(test: Test) {
+      const stack = new cdk.Stack();
+      const project = new codebuild.Project(stack, 'Project', {
+        source: codebuild.Source.gitHub({
+          owner: 'testowner',
+          repo: 'testrepo',
+        }),
+      });
+
+      test.throws(() => {
+        project.bindToCodePipeline(project, {
+          artifactBucket: new s3.Bucket(stack, 'Bucket'),
+        });
+      }, /Only a PipelineProject can be added to a CodePipeline/);
+
+      test.done();
+    },
   },
 
   'project with s3 cache bucket'(test: Test) {

packages/@aws-cdk/aws-codepipeline-actions/lib/codebuild/build-action.ts

@@ -113,6 +113,12 @@ export class CodeBuildAction extends Action {
       options.bucket.grantRead(this.props.project);
     }
 
+    if (this.props.project instanceof codebuild.Project) {
+      this.props.project.bindToCodePipeline(scope, {
+        artifactBucket: options.bucket,
+      });
+    }
+
     const configuration: any = {
       ProjectName: this.props.project.projectName,
     };

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json

@@ -118,6 +118,24 @@
               },
               "Resource": "*"
             },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::GetAtt": [
+                    "CdkBuildProjectRoleE0B6FEB0",
+                    "Arn"
+                  ]
+                }
+              },
+              "Resource": "*"
+            },
             {
               "Action": [
                 "kms:Decrypt",
@@ -137,6 +155,24 @@
               },
               "Resource": "*"
             },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::GetAtt": [
+                    "LambdaBuildProjectRoleD0C4F982",
+                    "Arn"
+                  ]
+                }
+              },
+              "Resource": "*"
+            },
             {
               "Action": [
                 "kms:Decrypt",
@@ -1386,6 +1422,21 @@
                   "Arn"
                 ]
               }
+            },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "PipelineArtifactsBucketEncryptionKey01D58D69",
+                  "Arn"
+                ]
+              }
             }
           ],
           "Version": "2012-10-17"
@@ -1402,7 +1453,13 @@
       "Type": "AWS::CodeBuild::Project",
       "Properties": {
         "Artifacts": {
-          "Type": "NO_ARTIFACTS"
+          "Type": "CODEPIPELINE"
+        },
+        "EncryptionKey": {
+          "Fn::GetAtt": [
+            "PipelineArtifactsBucketEncryptionKey01D58D69",
+            "Arn"
+          ]
         },
         "Environment": {
           "ComputeType": "BUILD_GENERAL1_SMALL",
@@ -1418,7 +1475,7 @@
         },
         "Source": {
           "BuildSpec": "{\n  \"version\": \"0.2\",\n  \"phases\": {\n    \"install\": {\n      \"commands\": \"npm install\"\n    },\n    \"build\": {\n      \"commands\": [\n        \"npm run build\",\n        \"npm run cdk synth LambdaStack -- -o .\"\n      ]\n    }\n  },\n  \"artifacts\": {\n    \"files\": \"LambdaStack.template.yaml\"\n  }\n}",
-          "Type": "NO_SOURCE"
+          "Type": "CODEPIPELINE"
         }
       }
     },
@@ -1549,6 +1606,21 @@
                   "Arn"
                 ]
               }
+            },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "PipelineArtifactsBucketEncryptionKey01D58D69",
+                  "Arn"
+                ]
+              }
             }
           ],
           "Version": "2012-10-17"
@@ -1565,7 +1637,13 @@
       "Type": "AWS::CodeBuild::Project",
       "Properties": {
         "Artifacts": {
-          "Type": "NO_ARTIFACTS"
+          "Type": "CODEPIPELINE"
+        },
+        "EncryptionKey": {
+          "Fn::GetAtt": [
+            "PipelineArtifactsBucketEncryptionKey01D58D69",
+            "Arn"
+          ]
         },
         "Environment": {
           "ComputeType": "BUILD_GENERAL1_SMALL",
@@ -1581,7 +1659,7 @@
         },
         "Source": {
           "BuildSpec": "{\n  \"version\": \"0.2\",\n  \"phases\": {\n    \"install\": {\n      \"commands\": \"npm install\"\n    },\n    \"build\": {\n      \"commands\": \"npm run build\"\n    }\n  },\n  \"artifacts\": {\n    \"files\": [\n      \"index.js\",\n      \"node_modules/**/*\"\n    ]\n  }\n}",
-          "Type": "NO_SOURCE"
+          "Type": "CODEPIPELINE"
         }
       }
     }

packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.ts

@@ -47,7 +47,7 @@ pipeline.addStage({
 // synthesize the Lambda CDK template, using CodeBuild
 // the below values are just examples, assuming your CDK code is in TypeScript/JavaScript -
 // adjust the build environment and/or commands accordingly
-const cdkBuildProject = new codebuild.Project(pipelineStack, 'CdkBuildProject', {
+const cdkBuildProject = new codebuild.PipelineProject(pipelineStack, 'CdkBuildProject', {
   environment: {
     buildImage: codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_10_1_0,
   },
@@ -80,7 +80,7 @@ const cdkBuildAction = new codepipeline_actions.CodeBuildAction({
 // build your Lambda code, using CodeBuild
 // again, this example assumes your Lambda is written in TypeScript/JavaScript -
 // make sure to adjust the build environment and/or commands if they don't match your specific situation
-const lambdaBuildProject = new codebuild.Project(pipelineStack, 'LambdaBuildProject', {
+const lambdaBuildProject = new codebuild.PipelineProject(pipelineStack, 'LambdaBuildProject', {
   environment: {
     buildImage: codebuild.LinuxBuildImage.UBUNTU_14_04_NODEJS_10_1_0,
   },

packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.expected.json

@@ -134,6 +134,21 @@
                 ]
               }
             },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "PipelineArtifactsBucketEncryptionKey01D58D69",
+                  "Arn"
+                ]
+              }
+            },
             {
               "Action": [
                 "s3:GetObject*",
@@ -194,6 +209,12 @@
         "Artifacts": {
           "Type": "CODEPIPELINE"
         },
+        "EncryptionKey": {
+          "Fn::GetAtt": [
+            "PipelineArtifactsBucketEncryptionKey01D58D69",
+            "Arn"
+          ]
+        },
         "Environment": {
           "ComputeType": "BUILD_GENERAL1_SMALL",
           "Image": "aws/codebuild/standard:1.0",
@@ -310,6 +331,24 @@
               },
               "Resource": "*"
             },
+            {
+              "Action": [
+                "kms:Decrypt",
+                "kms:Encrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "AWS": {
+                  "Fn::GetAtt": [
+                    "MyBuildProjectRole6B7E2258",
+                    "Arn"
+                  ]
+                }
+              },
+              "Resource": "*"
+            },
             {
               "Action": [
                 "kms:Decrypt",