
Commit ef9bba5

skinny85RomainMuller
authored andcommitted
feat(codepipeline): make the default CodePipeline Bucket have an encryption key (#2241)
This is a prerequisite for having a nice cross-account experience (see #1924).
1 parent fe9d6ed commit ef9bba5

12 files changed

+1314
-23
lines changed

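--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.expected.json
@@ -7,9 +7,92 @@
 "Triggers": []
 }
 },
+"PipelineArtifactsBucketEncryptionKey01D58D69" : {
+"Type": "AWS::KMS::Key",
+"DeletionPolicy": "Retain",
+"Properties": {
+"KeyPolicy": {
+"Statement": [
+{
+"Action": [
+"kms:Create*",
+"kms:Describe*",
+"kms:Enable*",
+"kms:List*",
+"kms:Put*",
+"kms:Update*",
+"kms:Revoke*",
+"kms:Disable*",
+"kms:Get*",
+"kms:Delete*",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::GetAtt": [
+"PipelineRoleD68726F7",
+"Arn"
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
-"DeletionPolicy": "Retain"
+"DeletionPolicy": "Retain",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"KMSMasterKeyID": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+},
+"SSEAlgorithm": "aws:kms"
+}
+}
+]
+}
+}
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
@@ -76,6 +159,22 @@
 }
 ]
 },
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
+},
 {
 "Action": [
 "codecommit:GetBranch",
@@ -285,7 +384,16 @@
 "Location": {
 "Ref": "PipelineArtifactsBucket22248F97"
 },
-"Type": "S3"
+"Type": "S3",
+"EncryptionKey": {
+"Id": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+},
+"Type": "KMS"
+}
 }
 },
 "DependsOn": [
@@ -342,4 +450,4 @@
 }
 }
 }
-}
+}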

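--- a/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
+++ b/packages/@aws-cdk/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.expected.json
@@ -1,8 +1,129 @@
 {
 "Resources": {
+"PipelineArtifactsBucketEncryptionKey01D58D69": {
+"Type": "AWS::KMS::Key",
+"DeletionPolicy": "Retain",
+"Properties": {
+"KeyPolicy": {
+"Statement": [
+{
+"Action": [
+"kms:Create*",
+"kms:Describe*",
+"kms:Enable*",
+"kms:List*",
+"kms:Put*",
+"kms:Update*",
+"kms:Revoke*",
+"kms:Disable*",
+"kms:Get*",
+"kms:Delete*",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::",
+{
+"Ref": "AWS::AccountId"
+},
+":root"
+]
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::GetAtt": [
+"PipelineRoleD68726F7",
+"Arn"
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::GetAtt": [
+"CdkBuildProjectRoleE0B6FEB0",
+"Arn"
+]
+}
+},
+"Resource": "*"
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Principal": {
+"AWS": {
+"Fn::GetAtt": [
+"LambdaBuildProjectRoleD0C4F982",
+"Arn"
+]
+}
+},
+"Resource": "*"
+}
+],
+"Version": "2012-10-17"
+}
+}
+},
 "PipelineArtifactsBucket22248F97": {
 "Type": "AWS::S3::Bucket",
-"DeletionPolicy": "Retain"
+"DeletionPolicy": "Retain",
+"Properties": {
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{
+"ServerSideEncryptionByDefault": {
+"KMSMasterKeyID": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+},
+"SSEAlgorithm": "aws:kms"
+}
+}
+]
+}
+}
 },
 "PipelineRoleD68726F7": {
 "Type": "AWS::IAM::Role",
@@ -69,6 +190,22 @@
 }
 ]
 },
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
+},
 {
 "Action": [
 "codecommit:GetBranch",
@@ -346,7 +483,16 @@
 "Location": {
 "Ref": "PipelineArtifactsBucket22248F97"
 },
-"Type": "S3"
+"Type": "S3",
+"EncryptionKey": {
+"Id": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+},
+"Type": "KMS"
+}
 }
 },
 "DependsOn": [
@@ -737,6 +883,22 @@
 ]
 }
 ]
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
 }
 ],
 "Version": "2012-10-17"
@@ -894,6 +1056,22 @@
 ]
 }
 ]
+},
+{
+"Action": [
+"kms:Decrypt",
+"kms:DescribeKey",
+"kms:Encrypt",
+"kms:ReEncrypt*",
+"kms:GenerateDataKey*"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"PipelineArtifactsBucketEncryptionKey01D58D69",
+"Arn"
+]
+}
 }
 ],
 "Version": "2012-10-17"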
