(pipelines): role on CodeBuildStep doesn't get used on CodeBuildAction #18291

Closed
tobytipton opened this issue Jan 6, 2022 · 1 comment · Fixed by #18293
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. effort/small Small work item – less than a day of effort in-progress This issue is being actively worked on. p1

Comments

@tobytipton
Contributor

What is the problem?

When passing a role to the CodeBuildStep the role is used on the project, but not the CodeBuildAction.

This results in a role being created for each CodeBuildAction, which can cause "Maximum policy size of 10240 bytes exceeded" on the Pipeline Default Role if you have a lot of CodeBuildSteps.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/pipelines/lib/codepipeline/_codebuild-factory.ts#L305-L322

is missing role: this.props.role to leverage that role.

Reproduction Steps

This is a quick reproduction step; typically the CodeBuildStep would be used as a pre or post on a stage or wave.

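  // Imports assume the CDK v1 package layout used by the source path linked above.
  import * as iam from '@aws-cdk/aws-iam';
  import * as cdk from '@aws-cdk/core';
  import * as cdkp from '@aws-cdk/pipelines';

  // Stack that hosts the pipeline (the 'PipelineStack' ID is a placeholder).
  const app = new cdk.App();
  const pipelineStack = new cdk.Stack(app, 'PipelineStack');

  // Role intended for both the CodeBuild project and the pipeline's build action.
  const buildRole = new iam.Role(
    pipelineStack,
    'BuildRole',
    {
      roleName: 'BuildRole',
      // The CodeBuild service principal is codebuild.amazonaws.com.
      assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com'),
    },
  );
  new cdkp.CodePipeline(pipelineStack, 'Pipeline', {
    synth: new cdkp.CodeBuildStep('Synth', {
      commands: ['/bin/true'],
      input: cdkp.CodePipelineSource.gitHub('test/test', 'main'),
      role: buildRole,
    }),
  });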

What did you expect to happen?

Expect to have the role used for Project and the build action.

  Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
    ServiceRole: {
      'Fn::GetAtt': [
        'BuildRole41B77417',
        'Arn',
      ],
    },
  });

  expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', {
    Stages: [
      // source stage
      {},
      // build stage,
      {
        Actions: [
          {
            ActionTypeId: {
              Category: 'Build',
              Owner: 'AWS',
              Provider: 'CodeBuild',
            },
            RoleArn: {
              'Fn::GetAtt': [
                'BuildRole41B77417',
                'Arn',
              ],
            },
          },
        ],
      },
    ],
  });

What actually happened?

The role is used for the project but not the Code Build Action. The Code Build Action gets a different role which is created for each build action.

For example:

  "RoleArn": {
    "Fn::GetAtt": [
      "PipelineBuildSynthCodePipelineActionRole4E7A6C97",
      "Arn"
    ]
  },

CDK CLI Version

N/A

Framework Version

No response

Node.js Version

N/A

OS

N/A

Language

TypeScript

Language Version

No response

Other information

This issue can be seen directly in testing the code build step.
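
The mismatch reported above can be checked on any synthesized template. This is an added example, not code from the issue or the CDK project: it walks a CloudFormation template object and reports CodeBuild actions whose RoleArn differs from the ServiceRole of the project they run. The `SynthProject` logical ID and the assumption that `Configuration.ProjectName` is a `Ref` are constructed for the example; the role logical IDs are the ones quoted in the issue.

```typescript
// Added example: audit a synthesized CloudFormation template (plain JSON).
type Obj = Record<string, any>;
interface Mismatch { action: string; actionRole: string | undefined; projectRole: string | undefined; }

// Logical ID inside { "Fn::GetAtt": [id, "Arn"] } or { "Ref": id }.
function logicalId(v: any): string | undefined {
  if (v && Array.isArray(v['Fn::GetAtt'])) return String(v['Fn::GetAtt'][0]);
  if (v && typeof v.Ref === 'string') return v.Ref;
  return undefined;
}

function findRoleMismatches(template: Obj): Mismatch[] {
  const resources: Obj = template.Resources ?? {};
  const out: Mismatch[] = [];
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    const stages: Obj[] = res.Properties?.Stages ?? [];
    for (const stage of stages) {
      const actions: Obj[] = stage.Actions ?? [];
      for (const action of actions) {
        if (action.ActionTypeId?.Provider !== 'CodeBuild') continue;
        // Assumption: ProjectName is a Ref to the project's logical ID.
        const projectId = logicalId(action.Configuration?.ProjectName);
        const project = projectId ? resources[projectId] : undefined;
        if (!project) continue; // project is defined outside this template
        const projectRole = logicalId(project.Properties?.ServiceRole);
        const actionRole = logicalId(action.RoleArn);
        if (actionRole !== projectRole) out.push({ action: action.Name, actionRole, projectRole });
      }
    }
  }
  return out;
}

// Constructed sample: 'SynthProject' is hypothetical; role IDs are from the issue.
function sampleTemplate(actionRoleId: string): Obj {
  const action = {
    Name: 'Synth',
    ActionTypeId: { Category: 'Build', Owner: 'AWS', Provider: 'CodeBuild' },
    Configuration: { ProjectName: { Ref: 'SynthProject' } },
    RoleArn: { 'Fn::GetAtt': [actionRoleId, 'Arn'] },
  };
  return { Resources: {
    SynthProject: { Type: 'AWS::CodeBuild::Project',
      Properties: { ServiceRole: { 'Fn::GetAtt': ['BuildRole41B77417', 'Arn'] } } },
    Pipeline: { Type: 'AWS::CodePipeline::Pipeline',
      Properties: { Stages: [{ Name: 'Build', Actions: [action] }] } },
  } };
}
```

Run over a template with many CodeBuildSteps, the length of the returned list is the number of extra per-action roles the pipeline role must be allowed to assume.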

@tobytipton tobytipton added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 6, 2022
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 6, 2022
@skinny85 skinny85 added @aws-cdk/pipelines CDK Pipelines library and removed @aws-cdk/aws-iam Related to AWS Identity and Access Management labels Jan 6, 2022
@peterwoodworth peterwoodworth added effort/small Small work item – less than a day of effort p1 labels Jan 7, 2022
@peterwoodworth peterwoodworth removed the needs-triage This issue or PR still needs to be triaged. label Jan 19, 2022
@rix0rrr rix0rrr removed their assignment Feb 9, 2022
@NGL321 NGL321 added the in-progress This issue is being actively worked on. label May 17, 2022
@mergify mergify bot closed this as completed in #18293 May 19, 2022
mergify bot pushed a commit that referenced this issue May 19, 2022
This fix should address the issue #18291 

fixes #18291 
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
