diff --git a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts index 38aaa04abf802..f40222904346c 100644 --- a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts +++ b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts @@ -77,6 +77,7 @@ export class ApplicationSecurityCheck extends Construct { 'aws lambda invoke' + ` --function-name ${this.preApproveLambda.functionName}` + ' --invocation-type Event' + + ' --cli-binary-format raw-in-base64-out' + ' --payload "$payload"' + ' lambda.out'; diff --git a/packages/@aws-cdk/pipelines/package.json b/packages/@aws-cdk/pipelines/package.json index 0cb4789b7ab6f..8737aaf3b2008 100644 --- a/packages/@aws-cdk/pipelines/package.json +++ b/packages/@aws-cdk/pipelines/package.json @@ -47,6 +47,7 @@ "@aws-cdk/aws-sqs": "0.0.0", "@aws-cdk/cdk-build-tools": "0.0.0", "@aws-cdk/integ-runner": "0.0.0", + "@aws-cdk/integ-tests": "0.0.0", "@aws-cdk/cfn2ts": "0.0.0", "@aws-cdk/pkglint": "0.0.0", "@types/jest": "^27.5.2", diff --git a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts index 2bcf8654368c1..736e984569577 100644 --- a/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts +++ b/packages/@aws-cdk/pipelines/test/integ.pipeline-security.ts @@ -5,7 +5,8 @@ import * as iam from '@aws-cdk/aws-iam'; import * as s3 from '@aws-cdk/aws-s3'; import * as sns from '@aws-cdk/aws-sns'; import * as subscriptions from '@aws-cdk/aws-sns-subscriptions'; -import { App, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core'; +import { App, DefaultStackSynthesizer, RemovalPolicy, Stack, StackProps, Stage, StageProps } from '@aws-cdk/core'; +import * as integ from '@aws-cdk/integ-tests'; import { Construct } from 'constructs'; import * as cdkp from '../lib'; @@ -13,6 +14,7 @@ class MyStage extends Stage { constructor(scope: Construct, id: string, props?: StageProps) { super(scope, id, props); const stack = new Stack(this, 'MyStack', { + synthesizer: new DefaultStackSynthesizer(), }); const topic = new sns.Topic(stack, 'Topic'); topic.grantPublish(new iam.AccountPrincipal(stack.account)); @@ -23,6 +25,7 @@ class MySafeStage extends Stage { constructor(scope: Construct, id: string, props?: StageProps) { super(scope, id, props); const stack = new Stack(this, 'MySafeStack', { + synthesizer: new DefaultStackSynthesizer(), }); new sns.Topic(stack, 'MySafeTopic'); } @@ -98,5 +101,12 @@ const app = new App({ '@aws-cdk/core:newStyleStackSynthesis': 'true', }, }); -new TestCdkStack(app, 'PipelineSecurityStack'); +const stack = new TestCdkStack(app, 'PipelineSecurityStack', { + synthesizer: new DefaultStackSynthesizer(), +}); + +new integ.IntegTest(app, 'PipelineSecurityTest', { + testCases: [stack], +}); + app.synth(); diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json index 63fc4ae8d98f1..af0cfd4ae145f 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json @@ -27,7 +27,7 @@ } } }, - "ff8909e2b3e01298b53c87d97e8e745b4f0b2e4b6d29d5680c44e5da87a207a4": { + "db81913e08aad04a7b47fcf422f74cb3e791e1d9aba3a1d6f6c6b0b8b40b8f34": { "source": { "path": "PipelineSecurityStack.template.json", "packaging": "file" @@ -35,7 +35,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "ff8909e2b3e01298b53c87d97e8e745b4f0b2e4b6d29d5680c44e5da87a207a4.json", + "objectKey": "db81913e08aad04a7b47fcf422f74cb3e791e1d9aba3a1d6f6c6b0b8b40b8f34.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json index 532053325229d..56ef2b0ff02bb 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json @@ -2623,7 +2623,7 @@ { "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81" }, - " --invocation-type Event --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" + " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" ] ] }, @@ -2967,7 +2967,7 @@ { "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9" }, - " --invocation-type Event --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" + " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" ] ] }, diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json new file mode 100644 index 0000000000000..9e26dfeeb6e64 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.207d1c59082dd1ab722c445b190e0c2cbb20d6c3e981cf674a60159b56338e86/__entrypoint__.js b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/__entrypoint__.js similarity index 100% rename from packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.207d1c59082dd1ab722c445b190e0c2cbb20d6c3e981cf674a60159b56338e86/__entrypoint__.js rename to packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/__entrypoint__.js diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.d.ts b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.d.ts new file mode 100644 index 0000000000000..3554dc94d4617 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.d.ts @@ -0,0 +1 @@ +export declare function handler(event: AWSLambda.CloudFormationCustomResourceEvent): Promise; diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.207d1c59082dd1ab722c445b190e0c2cbb20d6c3e981cf674a60159b56338e86/index.js b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.js similarity index 100% rename from packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.207d1c59082dd1ab722c445b190e0c2cbb20d6c3e981cf674a60159b56338e86/index.js rename to packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.js diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.ts b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.ts new file mode 100644 index 0000000000000..2459d44ab1d18 --- /dev/null +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/asset.60767da3831353fede3cfe92efef10580a600592dec8ccbb06c051e95b9c1b26/index.ts @@ -0,0 +1,82 @@ +// eslint-disable-next-line import/no-extraneous-dependencies +import { S3 } from 'aws-sdk'; + +const AUTO_DELETE_OBJECTS_TAG = 'aws-cdk:auto-delete-objects'; + +const s3 = new S3(); + +export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent) { + switch (event.RequestType) { + case 'Create': + return; + case 'Update': + return onUpdate(event); + case 'Delete': + return onDelete(event.ResourceProperties?.BucketName); + } +} + +async function onUpdate(event: AWSLambda.CloudFormationCustomResourceEvent) { + const updateEvent = event as AWSLambda.CloudFormationCustomResourceUpdateEvent; + const oldBucketName = updateEvent.OldResourceProperties?.BucketName; + const newBucketName = updateEvent.ResourceProperties?.BucketName; + const bucketNameHasChanged = newBucketName != null && oldBucketName != null && newBucketName !== oldBucketName; + + /* If the name of the bucket has changed, CloudFormation will try to delete the bucket + and create a new one with the new name. So we have to delete the contents of the + bucket so that this operation does not fail. */ + if (bucketNameHasChanged) { + return onDelete(oldBucketName); + } +} + +/** + * Recursively delete all items in the bucket + * + * @param bucketName the bucket name + */ +async function emptyBucket(bucketName: string) { + const listedObjects = await s3.listObjectVersions({ Bucket: bucketName }).promise(); + const contents = [...listedObjects.Versions ?? [], ...listedObjects.DeleteMarkers ?? []]; + if (contents.length === 0) { + return; + } + + const records = contents.map((record: any) => ({ Key: record.Key, VersionId: record.VersionId })); + await s3.deleteObjects({ Bucket: bucketName, Delete: { Objects: records } }).promise(); + + if (listedObjects?.IsTruncated) { + await emptyBucket(bucketName); + } +} + +async function onDelete(bucketName?: string) { + if (!bucketName) { + throw new Error('No BucketName was provided.'); + } + if (!await isBucketTaggedForDeletion(bucketName)) { + process.stdout.write(`Bucket does not have '${AUTO_DELETE_OBJECTS_TAG}' tag, skipping cleaning.\n`); + return; + } + try { + await emptyBucket(bucketName); + } catch (e) { + if (e.code !== 'NoSuchBucket') { + throw e; + } + // Bucket doesn't exist. Ignoring + } +} + +/** + * The bucket will only be tagged for deletion if it's being deleted in the same + * deployment as this Custom Resource. + * + * If the Custom Resource is every deleted before the bucket, it must be because + * `autoDeleteObjects` has been switched to false, in which case the tag would have + * been removed before we get to this Delete event. + */ +async function isBucketTaggedForDeletion(bucketName: string) { + const response = await s3.getBucketTagging({ Bucket: bucketName }).promise(); + return response.TagSet.some(tag => tag.Key === AUTO_DELETE_OBJECTS_TAG && tag.Value === 'true'); +} \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/integ.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/integ.json index b4ffa25712780..686cdc6b4f734 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/integ.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/integ.json @@ -1,16 +1,11 @@ { "version": "20.0.0", "testCases": { - "integ.pipeline-security": { + "PipelineSecurityTest/DefaultTest": { "stacks": [ "PipelineSecurityStack" ], - "diffAssets": false, - "stackUpdateWorkflow": true + "assertionStack": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA" } - }, - "synthContext": { - "@aws-cdk/core:newStyleStackSynthesis": "true" - }, - "enableLookups": false + } } \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json index 5104a5d678640..f1d71d5748325 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json @@ -65,7 +65,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/ff8909e2b3e01298b53c87d97e8e745b4f0b2e4b6d29d5680c44e5da87a207a4.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/db81913e08aad04a7b47fcf422f74cb3e791e1d9aba3a1d6f6c6b0b8b40b8f34.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -365,6 +365,15 @@ ] }, "displayName": "PipelineSecurityStack" + }, + "PipelineSecurityTestDefaultTestDeployAssertEE246BCA": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "PipelineSecurityTestDefaultTestDeployAssertEE246BCA.template.json", + "validateOnSynth": false + }, + "displayName": "PipelineSecurityTest/DefaultTest/DeployAssert" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json index 6a70ad206ee3f..36ee7b9a53b8a 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json @@ -9,7 +9,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "PipelineSecurityStack": { @@ -1826,13 +1826,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "Build": { @@ -2216,13 +2216,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "UnattachedStage": { @@ -2334,7 +2334,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SingleStageManualApproval": { @@ -2394,7 +2394,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SingleStage-MyStack.Deploy": { @@ -2402,7 +2402,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/UnattachedStage/SingleStage-MyStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SingleStage-MyStack.Prepare": { @@ -2410,13 +2410,13 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/UnattachedStage/SingleStage-MyStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "PreProduction": { @@ -2528,7 +2528,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "PreProductionManualApproval": { @@ -2588,7 +2588,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SafeProductionSecurityCheck": { @@ -2696,7 +2696,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SafeProductionManualApproval": { @@ -2756,7 +2756,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "MyStack.Deploy": { @@ -2764,7 +2764,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/MyStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "MyStack.Prepare": { @@ -2772,7 +2772,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/MyStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SafeProduction-MySafeStack.Deploy": { @@ -2780,7 +2780,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/SafeProduction-MySafeStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "SafeProduction-MySafeStack.Prepare": { @@ -2788,7 +2788,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/SafeProduction-MySafeStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "DisableSecurityCheck-MySafeStack.Deploy": { @@ -2796,7 +2796,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/DisableSecurityCheck-MySafeStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "DisableSecurityCheck-MySafeStack.Prepare": { @@ -2804,13 +2804,13 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/PreProduction/DisableSecurityCheck-MySafeStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "NoSecurityCheck": { @@ -2922,7 +2922,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "EnableSecurityCheckManualApproval": { @@ -2982,7 +2982,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "MyStack.Deploy": { @@ -2990,7 +2990,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/NoSecurityCheck/MyStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "MyStack.Prepare": { @@ -2998,7 +2998,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/NoSecurityCheck/MyStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "EnableSecurityCheck-MyStack.Deploy": { @@ -3006,7 +3006,7 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/NoSecurityCheck/EnableSecurityCheck-MyStack.Deploy", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "EnableSecurityCheck-MyStack.Prepare": { @@ -3014,13 +3014,13 @@ "path": "PipelineSecurityStack/TestPipeline/Pipeline/NoSecurityCheck/EnableSecurityCheck-MyStack.Prepare", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, @@ -3034,7 +3034,7 @@ "path": "PipelineSecurityStack/TestPipeline/Assets", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "PreProduction": { @@ -3058,7 +3058,7 @@ "path": "PipelineSecurityStack/TestPipeline/PreProduction/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, @@ -3540,7 +3540,7 @@ { "Ref": "TestPipelinePipelineApplicationSecurityCheckCDKPipelinesAutoApprove1EE0AA81" }, - " --invocation-type Event --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" + " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" ] ] } @@ -3570,7 +3570,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "NoSecurityCheck": { @@ -3594,7 +3594,7 @@ "path": "PipelineSecurityStack/TestPipeline/NoSecurityCheck/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, @@ -4086,7 +4086,7 @@ { "Ref": "UnattachedStageStageApplicationSecurityCheckCDKPipelinesAutoApprove249F82F9" }, - " --invocation-type Event --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" + " --invocation-type Event --cli-binary-format raw-in-base64-out --payload \\\"$payload\\\" lambda.out; export MESSAGE=\\\"No security-impacting changes detected.\\\"; else [ -z \\\"${NOTIFICATION_ARN}\\\" ] || aws sns publish --topic-arn $NOTIFICATION_ARN --subject \\\"$NOTIFICATION_SUBJECT\\\" --message \\\"An upcoming change would broaden security changes in $PIPELINE_NAME.\\nReview and approve the changes in CodePipeline to proceed with the deployment.\\n\\nReview the changes in CodeBuild:\\n\\n$LINK\\n\\nApprove the changes in CodePipeline (stage $STAGE_NAME, action $ACTION_NAME):\\n\\n$PIPELINE_LINK\\\"; export MESSAGE=\\\"Deployment would make security-impacting changes. Click the link below to inspect them, then click Approve if all changes are expected.\\\"; fi\"\n ]\n }\n },\n \"env\": {\n \"exported-variables\": [\n \"LINK\",\n \"MESSAGE\"\n ]\n }\n}" ] ] } @@ -4116,7 +4116,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } }, "MutableRolearn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}": { @@ -4136,7 +4136,7 @@ "path": "PipelineSecurityStack/UnattachedStage/arn:${AWS::Partition}:iam::${AWS::AccountId}:role--cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}/8389e75f-0810-4838-bf64-d6f85a95cf83", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.33" + "version": "10.1.65" } } }, @@ -4806,6 +4806,42 @@ "fqn": "@aws-cdk/core.Stack", "version": "0.0.0" } + }, + "PipelineSecurityTest": { + "id": "PipelineSecurityTest", + "path": "PipelineSecurityTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "PipelineSecurityTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "PipelineSecurityTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.1.65" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "PipelineSecurityTest/DefaultTest/DeployAssert", + "constructInfo": { + "fqn": "@aws-cdk/core.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests.IntegTest", + "version": "0.0.0" + } } }, "constructInfo": {