
fix(codebuild): correctly handle permissions for Projects inside a VPC #2662

Merged (1 commit, Jun 18, 2019)

Conversation

skinny85 (Contributor)

A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

Also correctly handle the case when the Project's Role is imported.

Fixes #2651
Fixes #2652


Pull Request Checklist

  • Testing
    • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
    • CLI change?: coordinate update of integration tests with team
    • cdk-init template change?: coordinated update of integration tests with team
  • Docs
    • jsdocs: All public APIs documented
    • README: README and/or documentation topic updated
    • Design: For significant features, design document added to design folder
  • Title and Description
    • Change type: title prefixed with fix, feat and module name in parens, which will appear in changelog
    • Title: use lower-case and doesn't end with a period
    • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
    • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
  • Sensitive Modules (requires 2 PR approvers)
    • IAM Policy Document (in @aws-cdk/aws-iam)
    • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
    • Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.
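
The dependency problem the description above spells out, as an added example that is not code from aws-cdk or from this PR: a small checker that walks the Ref / Fn::GetAtt / Fn::Sub and DependsOn edges CloudFormation orders resources by and reports whether every policy granting `ec2:` actions is guaranteed to exist before the CodeBuild Project is created. The templates it builds are constructed stand-ins for synthesized output (logical IDs `Role`, `DefaultPolicy`, `VpcPolicy`, `Project` are hypothetical, and the Role's trust policy and most Project properties are omitted); the assumption that the policy needed at creation time is the one granting `ec2:` actions follows the description, not any CDK API.

```python
"""Added example, not aws-cdk code: checks that an IAM policy a resource needs at
creation time is created before it, by following the Ref/Fn::GetAtt/Fn::Sub and
DependsOn edges CloudFormation orders by. Templates are constructed stand-ins."""
import re


def references(value) -> set:
    """Logical IDs named by Ref, Fn::GetAtt or Fn::Sub anywhere inside value."""
    out = set()
    if isinstance(value, dict):
        for key, val in value.items():
            if key == "Ref" and isinstance(val, str):
                out.add(val)
            elif key == "Fn::GetAtt":
                out.add(val[0] if isinstance(val, list) else val.split(".", 1)[0])
            elif key == "Fn::Sub" and isinstance(val, str):
                out.update(v.split(".", 1)[0] for v in re.findall(r"\$\{([^}]+)\}", val))
            else:
                out |= references(val)
    elif isinstance(value, list):
        for item in value:
            out |= references(item)
    return out


def dependency_graph(template: dict) -> dict:
    """logical ID -> set of resources it waits for (implicit refs plus explicit DependsOn)."""
    resources = template["Resources"]
    graph = {}
    for name, res in resources.items():
        deps = references(res.get("Properties", {}))
        depends_on = res.get("DependsOn", [])
        deps |= {depends_on} if isinstance(depends_on, str) else set(depends_on)
        graph[name] = {d for d in deps if d in resources}  # drops AWS::Region etc.
    return graph


def created_before(graph: dict, node: str) -> set:
    """Transitive dependencies of node; ValueError if node lies on a dependency cycle."""
    seen = set()
    stack = list(graph[node])
    while stack:
        n = stack.pop()
        if n == node:
            raise ValueError(f"dependency cycle through {node}")
        if n not in seen:
            seen.add(n)
            stack.extend(graph[n])
    return seen


def policies_granting(template: dict, prefix: str) -> set:
    """AWS::IAM::Policy resources with an Allow statement on an action under prefix."""
    found = set()
    for name, res in template["Resources"].items():
        if res["Type"] == "AWS::IAM::Policy":
            for st in res["Properties"]["PolicyDocument"]["Statement"]:
                actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
                if st.get("Effect") == "Allow" and any(a.startswith(prefix) for a in actions):
                    found.add(name)
    return found


def check_vpc_project(template: dict, project: str) -> str:
    """'ok' if every policy granting ec2:* is created before project, else a diagnosis."""
    try:
        before = created_before(dependency_graph(template), project)
    except ValueError as err:
        return str(err)
    ec2_policies = policies_granting(template, "ec2:")
    if not ec2_policies:
        return "no policy grants ec2 permissions"
    late = sorted(ec2_policies - before)
    return "ok" if not late else "not ordered before project: " + ", ".join(late)


def make_template(separate_vpc_policy: bool, project_depends_on: list) -> dict:
    """Constructed Project-in-VPC stack; the default policy's log-group ARN refs the Project."""
    logs = {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": {"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}"
                                    ":log-group:/aws/codebuild/${Project}"}}
    ec2 = {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:CreateNetworkInterface", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"]}

    def policy(statements):
        return {"Type": "AWS::IAM::Policy", "Properties": {"Roles": [{"Ref": "Role"}],
                "PolicyDocument": {"Version": "2012-10-17", "Statement": statements}}}

    resources = {
        "Role": {"Type": "AWS::IAM::Role", "Properties": {}},  # trust policy omitted
        "DefaultPolicy": policy([logs] if separate_vpc_policy else [logs, ec2]),
        "Project": {"Type": "AWS::CodeBuild::Project", "Properties": {
            "ServiceRole": {"Fn::GetAtt": ["Role", "Arn"]},
            "VpcConfig": {"VpcId": "vpc-0example", "Subnets": ["subnet-0example"]}}},
    }
    if separate_vpc_policy:
        resources["VpcPolicy"] = policy([ec2])
    if project_depends_on:
        resources["Project"]["DependsOn"] = project_depends_on
    return {"Resources": resources}
```

Running `check_vpc_project(make_template(False, []), "Project")` reports that `DefaultPolicy` is not ordered before the Project: nothing forces the policy carrying the EC2 permissions to be attached before the Project is created. The obvious repair, `make_template(False, ["DefaultPolicy"])`, is rejected as a cycle, because the log-group statement in the default policy references the Project's name. Only `make_template(True, ["VpcPolicy"])`, the separate EC2 policy with the Project depending on it, returns `ok`. Cycle detection here is limited to cycles through the resource being checked, which is the case that matters for this question.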

skinny85 requested a review from rix0rrr May 28, 2019 21:33
skinny85 requested review from RomainMuller and a team as code owners May 28, 2019 21:33
rix0rrr (Contributor) commented May 29, 2019

If we get an imported role to create a policy as usual (if the imported role is in the same account as the deployed stack!), we can also solve this at the same time: #2381

cjyclaire commented Jun 5, 2019

+1 and thanks! :D

rix0rrr added a commit that referenced this pull request Jun 10, 2019
Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an `AwsPrincipal`.

Relates to #2381, #2651, #2652, #2662.
skinny85 (Contributor, Author)

Waiting for #2805 to land before resuming work on this.

rix0rrr added a commit that referenced this pull request Jun 17, 2019
skinny85 force-pushed the fix/codebuild-vpc-permissions branch from 2eef183 to cc7aa81 on June 17, 2019 18:34

skinny85 (Contributor, Author)

#2805 has been merged, so I rebased this PR on top of it. @rix0rrr , please re-review. Thanks!

A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes aws#2651
Fixes aws#2652
skinny85 force-pushed the fix/codebuild-vpc-permissions branch from cc7aa81 to d2d4b87 on June 18, 2019 18:10

skinny85 (Contributor, Author)

Rebased to resolve conflicts.

skinny85 mentioned this pull request Jun 18, 2019
skinny85 merged commit 390baf1 into aws:master Jun 18, 2019
skinny85 deleted the fix/codebuild-vpc-permissions branch June 18, 2019 20:18

skinny85 (Contributor, Author)

@cjyclaire Merged :)

Labels
contribution/core This is a PR that came from AWS.