
fix(codebuild): permissions for Project in VPC used incorrect AWS par…
…tition (#10637)

Creating a CodeBuild project with a VPC attachment creates and attaches a
policy to the IAM role with a static resource ARN that does not reference
`AWS::Partition`; this breaks compatibility with GovCloud.

fixes #10634


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
michaelfedell committed Oct 1, 2020
1 parent c908c7b commit b207888
Showing 4 changed files with 35 additions and 8 deletions.
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
Expand Up @@ -1038,13 +1038,13 @@ export class Project extends ProjectBase {
}

this.role.addToPolicy(new iam.PolicyStatement({
resources: [`arn:aws:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:network-interface/*`],
resources: [`arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:network-interface/*`],
actions: ['ec2:CreateNetworkInterfacePermission'],
conditions: {
StringEquals: {
'ec2:Subnet': props.vpc
.selectSubnets(props.subnetSelection).subnetIds
.map(si => `arn:aws:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:subnet/${si}`),
.map(si => `arn:${Aws.PARTITION}:ec2:${Aws.REGION}:${Aws.ACCOUNT_ID}:subnet/${si}`),
'ec2:AuthorizedService': 'codebuild.amazonaws.com',
},
},
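Review bot: The ARNs on the `resources` line and inside the `.map(si => ...)` of the `ec2:Subnet` condition are still assembled by hand from pseudo-parameters, which is exactly how the `arn:aws` partition got baked in originally; building them with `Stack.of(this).formatArn({ service: 'ec2', resource: 'network-interface', resourceName: '*' })` and `.map(si => Stack.of(this).formatArn({ service: 'ec2', resource: 'subnet', resourceName: si }))` takes partition, region and account from the stack and makes this class of bug structurally impossible. The `'ec2:AuthorizedService': 'codebuild.amazonaws.com'` literal stays partition-agnostic as written; it is worth confirming that the value CodeBuild presents for that condition key is identical in every partition this fix now targets, since a mismatch would fail closed (the CreateNetworkInterfacePermission call is denied) rather than over-grant. The enclosing method starts and ends outside the hunk, and `Stack` would need to be imported from the same core module as `Aws` if it is not already.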
Expand Up @@ -244,7 +244,11 @@
"Fn::Join": [
"",
[
"arn:aws:ec2:",
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:",
{
"Ref": "AWS::Region"
},
Expand All @@ -268,7 +272,11 @@
"Fn::Join": [
"",
[
"arn:aws:ec2:",
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:",
{
"Ref": "AWS::Region"
},
Expand Down Expand Up @@ -375,7 +383,18 @@
"FileSystemLocations": [
{
"Identifier": "myidentifier",
"Location": "fs-c8d04839.efs.eu-west-2.amazonaws.com:/mnt",
"Location": {
"Fn::Join": [
"",
[
"fs-c8d04839.efs.",
{
"Ref": "AWS::Region"
},
".amazonaws.com:/mnt"
]
]
},
"MountOptions": "nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2",
"MountPoint": "/media",
"Type": "EFS"
Expand Up @@ -27,7 +27,7 @@ new codebuild.Project(stack, 'MyProject', {
securityGroups: [securityGroup],
fileSystemLocations: [codebuild.FileSystemLocation.efs({
identifier: 'myidentifier',
location: 'fs-c8d04839.efs.eu-west-2.amazonaws.com:/mnt',
location: `fs-c8d04839.efs.${cdk.Aws.REGION}.amazonaws.com:/mnt`,
mountOptions: 'nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2',
mountPoint: '/media',
})],
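Review bot: The template literal on the `location:` line still hard-codes the `.amazonaws.com` DNS suffix, so the fixture becomes region-agnostic but not partition-agnostic, which is the property this commit is about. Interpolating the URL suffix pseudo-parameter as well, i.e. `${cdk.Aws.REGION}.${cdk.Aws.URL_SUFFIX}:/mnt` in place of `${cdk.Aws.REGION}.amazonaws.com:/mnt`, resolves to `AWS::URLSuffix` and covers partitions whose endpoint domain differs. The corresponding expected-template snapshots would then need regenerating. The `new codebuild.Project(...)` call starts before the hunk and continues past it.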
Expand Up @@ -244,7 +244,11 @@
"Fn::Join": [
"",
[
"arn:aws:ec2:",
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:",
{
"Ref": "AWS::Region"
},
Expand All @@ -268,7 +272,11 @@
"Fn::Join": [
"",
[
"arn:aws:ec2:",
"arn:",
{
"Ref": "AWS::Partition"
},
":ec2:",
{
"Ref": "AWS::Region"
},
