Skip to content

Commit

Permalink
fix(codebuild): Project lacks permissions to its log destinations
Browse files Browse the repository at this point in the history 
In aws#11444, we added the option of setting the logging configuration of the Project.
Unfortuantely, the Project's Role was not given permissions to write into that destination,
which means executing the Project's build would fail.

Fixes aws#12179
  • Loading branch information
@skinny85
skinny85 committed Dec 23, 2020
1 parent 53f092f commit b059b8d
Show file tree
Hide file tree
Showing 4 changed files with 253 additions and 6 deletions.
6 changes: 4 additions & 2 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1098,7 +1098,7 @@ export class Project extends ProjectBase {
private renderLoggingConfiguration(props: LoggingOptions | undefined): CfnProject.LogsConfigProperty | undefined {
if (props === undefined) {
return undefined;
};
}

let s3Config: CfnProject.S3LogsConfigProperty|undefined = undefined;
let cloudwatchConfig: CfnProject.CloudWatchLogsConfigProperty|undefined = undefined;
Expand All @@ -1107,9 +1107,10 @@ export class Project extends ProjectBase {
const s3Logs = props.s3;
s3Config = {
status: (s3Logs.enabled ?? true) ? 'ENABLED' : 'DISABLED',
location: `${s3Logs.bucket.bucketName}/${s3Logs.prefix}`,
location: `${s3Logs.bucket.bucketName}` + (s3Logs.prefix ? `/${s3Logs.prefix}` : ''),
encryptionDisabled: s3Logs.encrypted,
};
s3Logs.bucket?.grantWrite(this);
}

if (props.cloudWatch) {
Expand All @@ -1119,6 +1120,7 @@ export class Project extends ProjectBase {
if (status === 'ENABLED' && !(cloudWatchLogs.logGroup)) {
throw new Error('Specifying a LogGroup is required if CloudWatch logging for CodeBuild is enabled');
}
cloudWatchLogs.logGroup?.grantWrite(this);

cloudwatchConfig = {
status,
Expand Down
223 changes: 223 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.project-logging.expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,223 @@
{
"Resources": {
"LogingGroupE599B53B": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"LoggingBucket1E5A6F3B": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
},
"ProjectRole4CCB274E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"ProjectRoleDefaultPolicy7F29461B": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"LoggingBucket1E5A6F3B",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"LoggingBucket1E5A6F3B",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"LogingGroupE599B53B",
"Arn"
]
}
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "ProjectC78D97AD"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "ProjectC78D97AD"
},
":*"
]
]
}
]
},
{
"Action": [
"codebuild:CreateReportGroup",
"codebuild:CreateReport",
"codebuild:UpdateReport",
"codebuild:BatchPutTestCases",
"codebuild:BatchPutCodeCoverages"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":codebuild:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":report-group/",
{
"Ref": "ProjectC78D97AD"
},
"-*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ProjectRoleDefaultPolicy7F29461B",
"Roles": [
{
"Ref": "ProjectRole4CCB274E"
}
]
}
},
"ProjectC78D97AD": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Artifacts": {
"Type": "CODEPIPELINE"
},
"Environment": {
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/standard:1.0",
"ImagePullCredentialsType": "CODEBUILD",
"PrivilegedMode": false,
"Type": "LINUX_CONTAINER"
},
"ServiceRole": {
"Fn::GetAtt": [
"ProjectRole4CCB274E",
"Arn"
]
},
"Source": {
"Type": "CODEPIPELINE"
},
"EncryptionKey": "alias/aws/s3",
"LogsConfig": {
"CloudWatchLogs": {
"GroupName": {
"Ref": "LogingGroupE599B53B"
},
"Status": "ENABLED"
},
"S3Logs": {
"Location": {
"Ref": "LoggingBucket1E5A6F3B"
},
"Status": "ENABLED"
}
}
}
}
}
}
25 changes: 25 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.project-logging.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
import * as logs from '@aws-cdk/aws-logs';
import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';
import * as codebuild from '../lib';

const app = new cdk.App();

const stack = new cdk.Stack(app, 'aws-cdk-codebuild-logging');

new codebuild.PipelineProject(stack, 'Project', {
logging: {
cloudWatch: {
logGroup: new logs.LogGroup(stack, 'LogingGroup', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
}),
},
s3: {
bucket: new s3.Bucket(stack, 'LoggingBucket', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
}),
},
},
});

app.synth();
5 changes: 1 addition & 4 deletions packages/@aws-cdk/aws-codebuild/test/test.project.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -711,11 +711,9 @@ export = {
logging: {
cloudWatch: {
logGroup,
prefix: '/my-logs',
},
s3: {
bucket,
prefix: 'my-logs',
},
},
});
Expand All @@ -726,10 +724,9 @@ export = {
CloudWatchLogs: {
GroupName: 'MyLogGroupName',
Status: 'ENABLED',
StreamName: '/my-logs',
},
S3Logs: {
Location: 'MyBucketName/my-logs',
Location: 'MyBucketName',
Status: 'ENABLED',
},
}),
Expand Down

0 comments on commit b059b8d

Please sign in to comment.