Skip to content

Commit

Permalink
fix(codepipeline): grant missing permisisons to the CloudFormationExe…
Browse files Browse the repository at this point in the history
…cuteChangeSetAction.

Fixes #3160
  • Loading branch information
skinny85 committed Jul 2, 2019
1 parent cd1b16f commit 234cb81
Show file tree
Hide file tree
Showing 4 changed files with 25 additions and 9 deletions.
8 changes: 6 additions & 2 deletions packages/@aws-cdk/app-delivery/test/integ.cicd.expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -251,9 +251,13 @@
"PolicyDocument": {
"Statement": [
{
"Action": "cloudformation:ExecuteChangeSet",
"Action": [
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet"
],
"Condition": {
"StringEquals": {
"StringEqualsIfExists": {
"cloudformation:ChangeSetName": "CICD-ChangeSet"
}
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -494,8 +494,12 @@ class SingletonPolicy extends cdk.Construct implements iam.IGrantable {

public grantExecuteChangeSet(props: { stackName: string, changeSetName: string, region?: string }): void {
this.statementFor({
actions: ['cloudformation:ExecuteChangeSet'],
conditions: { StringEquals: { 'cloudformation:ChangeSetName': props.changeSetName } },
actions: [
'cloudformation:DescribeStacks',
'cloudformation:DescribeChangeSet',
'cloudformation:ExecuteChangeSet',
],
conditions: { StringEqualsIfExists: { 'cloudformation:ChangeSetName': props.changeSetName } },
}).addResources(this.stackArnFromProps(props));
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ export = nodeunit.testCase({

const stackArn = _stackArn('MyStack', stack);
_assertPermissionGranted(test, pipelineRole.statements, 'cloudformation:ExecuteChangeSet', stackArn,
{ StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } });
{ StringEqualsIfExists: { 'cloudformation:ChangeSetName': 'MyChangeSet' } });

_assertActionMatches(test, stage.actions, 'CloudFormation', 'Deploy', {
ActionMode: 'CHANGE_SET_EXECUTE',
Expand Down Expand Up @@ -157,8 +157,12 @@ export = nodeunit.testCase({
stack.resolve(pipelineRole.statements.map(s => s.toStatementJson())),
[
{
Action: 'cloudformation:ExecuteChangeSet',
Condition: { StringEquals: { 'cloudformation:ChangeSetName': 'MyChangeSet' } },
Action: [
'cloudformation:DescribeChangeSet',
'cloudformation:DescribeStacks',
'cloudformation:ExecuteChangeSet',
],
Condition: { StringEqualsIfExists: { 'cloudformation:ChangeSetName': 'MyChangeSet' } },
Effect: 'Allow',
Resource: [
// tslint:disable-next-line:max-line-length
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -770,9 +770,13 @@
"PolicyDocument": {
"Statement": [
{
"Action": "cloudformation:ExecuteChangeSet",
"Action": [
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet"
],
"Condition": {
"StringEquals": {
"StringEqualsIfExists": {
"cloudformation:ChangeSetName": "StagedChangeSet"
}
},
Expand Down

0 comments on commit 234cb81

Please sign in to comment.