feat(aws-codepipeline): support for pipeline action’s service role

In realation to aws#49 The action’s service roles is a role which will be assumed by pipeline during execution of this action. The pipeline action’s service role can be used to perform more advanced configuration, when i.e. elevation of permissions is required, or when fine grained access control may be required. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html This commit is motivated by enabling cross-account deployments, for which service role will be used as jump role to assume one used by Cloud Formation in target account.
rsmogura · Jan 6, 2019 · 58a6e37 · 58a6e37
1 parent 82ec0ff
commit 58a6e37
Show file tree

Hide file tree

Showing 12 changed files with 448 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 .vscode
+# VSCode extension
+/.favorites.json 
 .DS_Store
 node_modules
 lerna-debug.log

diff --git a/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts b/packages/@aws-cdk/aws-cloudformation/lib/pipeline-actions.ts
@@ -61,6 +61,7 @@ export abstract class PipelineCloudFormationAction extends codepipeline.Action {
     super(scope, id, {
       stage: props.stage,
       runOrder: props.runOrder,
+      actionRole: props.actionRole,
       region: props.region,
       artifactBounds: {
         minInputs: 0,

diff --git a/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts b/packages/@aws-cdk/aws-codecommit/lib/pipeline-action.ts
@@ -49,6 +49,7 @@ export class PipelineSourceAction extends codepipeline.SourceAction {
   constructor(scope: cdk.Construct, id: string, props: PipelineSourceActionProps) {
     super(scope, id, {
       stage: props.stage,
+      actionRole: props.actionRole,
       runOrder: props.runOrder,
       provider: 'CodeCommit',
       configuration: {

diff --git a/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts b/packages/@aws-cdk/aws-codedeploy/lib/pipeline-action.ts
@@ -32,6 +32,7 @@ export class PipelineDeployAction extends codepipeline.DeployAction {
   constructor(scope: cdk.Construct, id: string, props: PipelineDeployActionProps) {
     super(scope, id, {
       stage: props.stage,
+      actionRole: props.actionRole,
       runOrder: props.runOrder,
       artifactBounds: { minInputs: 1, maxInputs: 1, minOutputs: 0, maxOutputs: 0 },
       provider: 'CodeDeploy',

diff --git a/packages/@aws-cdk/aws-codepipeline-api/lib/action.ts b/packages/@aws-cdk/aws-codepipeline-api/lib/action.ts
@@ -136,6 +136,15 @@ export interface CommonActionProps {
    * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html
    */
   runOrder?: number;
+
+  /**
+   * The service role that is assumed during execution of action.
+   * This role is not mandatory, however more advanced configuration
+   * may require specifying it.
+   *
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html
+   */
+  actionRole?: iam.IRole;
 }
 
 /**
@@ -205,6 +214,15 @@ export abstract class Action extends cdk.Construct {
    */
   public readonly configuration?: any;
 
+  /**
+   * The service role that is assumed during execution of action.
+   * This role is not mandatory, however more advanced configuration
+   * may require specifying it.
+   *
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html
+   */
+  public readonly actionRole?: iam.IRole;
+
   /**
    * The order in which AWS CodePipeline runs this action.
    * For more information, see the AWS CodePipeline User Guide.
@@ -218,6 +236,7 @@ export abstract class Action extends cdk.Construct {
 
   private readonly _actionInputArtifacts = new Array<Artifact>();
   private readonly _actionOutputArtifacts = new Array<Artifact>();
+
   private readonly artifactBounds: ActionArtifactBounds;
   private readonly stage: IStage;
 
@@ -235,6 +254,7 @@ export abstract class Action extends cdk.Construct {
     this.artifactBounds = props.artifactBounds;
     this.runOrder = props.runOrder === undefined ? 1 : props.runOrder;
     this.stage = props.stage;
+    this.actionRole = props.actionRole;
 
     this.stage._internal._attachAction(this);
   }

diff --git a/packages/@aws-cdk/aws-codepipeline/lib/github-source-action.ts b/packages/@aws-cdk/aws-codepipeline/lib/github-source-action.ts
@@ -62,6 +62,7 @@ export class GitHubSourceAction extends actions.SourceAction {
       runOrder: props.runOrder,
       owner: 'ThirdParty',
       provider: 'GitHub',
+      actionRole: props.actionRole,
       configuration: {
         Owner: props.owner,
         Repo: props.repo,

diff --git a/packages/@aws-cdk/aws-codepipeline/lib/stage.ts b/packages/@aws-cdk/aws-codepipeline/lib/stage.ts
@@ -162,6 +162,7 @@ export class Stage extends cdk.Construct implements cpapi.IStage, cpapi.IInterna
       configuration: action.configuration,
       outputArtifacts: action._outputArtifacts.map(a => ({ name: a.name })),
       runOrder: action.runOrder,
+      roleArn: action.actionRole ? action.actionRole.roleArn : undefined
     };
   }