
[codebuild] Codebuild Project in VPC creates policy incompatible with GovCloud #10634

Closed
michaelfedell opened this issue Oct 1, 2020 · 0 comments · Fixed by #10637
Labels: @aws-cdk/aws-codebuild (Related to AWS CodeBuild), bug (This issue is a bug.), in-progress (This issue is being actively worked on.), needs-triage (This issue or PR still needs to be triaged.)

Comments

@michaelfedell (Contributor)

Reproduction Steps

When attempting to create a CodeBuild project within a VPC in a GovCloud account, the DefaultPolicy attached to the CodeBuild IAM Role uses a resource reference with arn:aws:ec2:... instead of arn:${Aws.PARTITION}:ec2:...

e.g.:

What did you expect to happen?

A policy should have been added for resource "arn:aws:ec2:us-gov-west-1:[ACCOUNT_NUMBER]:network-interface/*". Region us-gov-west-1 is pulled from the env, as the partition aws-gov should be.

What actually happened?

Aws.PARTITION is not sourced; instead :aws: is used as the partition when constructing the URL.
This can be seen here.

Environment

  • CLI Version : 1.65.0
  • Framework Version: 1.65.0
  • Node.js Version: 12.14.1
  • OS : MacOS 10.15.6
  • Language (Version): all

Other

10:30:14 AM | UPDATE_FAILED        | AWS::IAM::Policy            | CodebuildRoleDefaultPolicy98E55375
Partition "aws" is not valid for resource "arn:aws:ec2:us-gov-west-1:[ACCOUNT_NUMBER]:network-interface/*". (Service: AmazonIdentityManagement; Status Code: 400;
Error Code: MalformedPolicyDocument; Request ID: 2ebc5411-dc37-48aa-9a8b-14aedc806049; Proxy: null)

	new Policy (/private/var/folders/wv/gltyfn4j6f910j0cydhb2bwc0000gp/T/jsii-kernel-RoWLs1/node_modules/@aws-cdk/aws-iam/lib/policy.js:42:26)
	_ Role.addToPrincipalPolicy (/private/var/folders/wv/gltyfn4j6f910j0cydhb2bwc0000gp/T/jsii-kernel-RoWLs1/node_modules/@aws-cdk/aws-iam/lib/role.js:17

Simple Fix

Opening a PR for this, but it just needs to inject ${Aws.PARTITION} in place of aws in the constructed ARN in the codebuild/lib/project.ts package linked above.


This is 🐛 Bug Report
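The partition mistake in a self-contained form, as an added example that is not the aws-cdk project's code: the hardcoded ARN beside the portable one, plus a small pre-deploy check over a policy document that flags resource ARNs whose partition does not match the target region, which is the same condition IAM rejects with MalformedPolicyDocument at update time. The region-to-partition mapping, the placeholder account id and the ec2:CreateNetworkInterfacePermission action are assumptions made for the illustration, not taken from the page.

```typescript
// Added example, not aws-cdk project code. Shows why a baked-in "arn:aws:"
// partition fails outside the commercial partition and how to lint a policy
// document for that before deploying.

/** Map a region to its partition (assumed mapping; three partitions as of 2020). */
function partitionForRegion(region: string): string {
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  if (region.startsWith("cn-")) return "aws-cn";
  return "aws";
}

/** The buggy shape: the partition is baked in as "aws". */
function networkInterfaceArnHardcoded(region: string, account: string): string {
  return `arn:aws:ec2:${region}:${account}:network-interface/*`;
}

/**
 * The fixed shape: the partition is resolved from the target environment.
 * CDK does this with Aws.PARTITION, which renders as the AWS::Partition
 * pseudo parameter; here it is resolved directly from the region.
 */
function networkInterfaceArnPortable(region: string, account: string): string {
  return `arn:${partitionForRegion(region)}:ec2:${region}:${account}:network-interface/*`;
}

/** What the synthesized CloudFormation Fn::Sub string looks like after the fix. */
const portableResourceSub =
  "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*";

interface PolicyStatement { Effect: string; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: string; Statement: PolicyStatement[]; }

/** Build a DefaultPolicy-like document around one resource ARN (action is assumed). */
function buildPolicy(resourceArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "ec2:CreateNetworkInterfacePermission",
      Resource: resourceArn,
    }],
  };
}

/**
 * Pre-deploy lint: return every Resource ARN whose partition does not match
 * the partition of the region the stack targets. ARNs that still carry the
 * AWS::Partition pseudo parameter are resolved by CloudFormation and skipped.
 */
function findPartitionMismatches(doc: PolicyDocument, targetRegion: string): string[] {
  const expected = partitionForRegion(targetRegion);
  const bad: string[] = [];
  for (const stmt of doc.Statement) {
    const resources: string[] = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    for (const r of resources) {
      if (r === "*") continue;                          // wildcard carries no partition
      if (r.includes("${AWS::Partition}")) continue;    // resolved at deploy time
      const parts = r.split(":");                       // arn:partition:service:region:account:resource
      if (parts.length < 6 || parts[0] !== "arn") { bad.push(r); continue; }
      if (parts[1] !== expected) bad.push(r);
    }
  }
  return bad;
}

// Constructed sample: a GovCloud deployment with a placeholder account id.
const sampleRegion = "us-gov-west-1";
const sampleAccount = "123456789012";
const buggyDoc = buildPolicy(networkInterfaceArnHardcoded(sampleRegion, sampleAccount));
const fixedDoc = buildPolicy(networkInterfaceArnPortable(sampleRegion, sampleAccount));
console.log(findPartitionMismatches(buggyDoc, sampleRegion)); // flags the arn:aws:... resource
console.log(findPartitionMismatches(fixedDoc, sampleRegion)); // []
console.log(findPartitionMismatches(buildPolicy(portableResourceSub), sampleRegion)); // []
```

Running the check over a synthesized template in CI catches the problem in every partition at once, whereas the deploy-time error in the issue only appears when someone actually targets GovCloud or China.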

@michaelfedell michaelfedell added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 1, 2020
@github-actions github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Oct 1, 2020
michaelfedell added a commit to michaelfedell/aws-cdk that referenced this issue Oct 1, 2020
Creating a CodeBuild project with vpc attachment creates and attaches a
policy to the IAM role with static resource arn that does not reference
`AWS::Partition` - this breaks compatibility with GovCloud.

fixes aws#10634
@skinny85 skinny85 added the in-progress This issue is being actively worked on. label Oct 1, 2020
@mergify mergify bot closed this as completed in #10637 Oct 1, 2020
mergify bot pushed a commit that referenced this issue Oct 1, 2020
…tition (#10637)

Creating a CodeBuild project with vpc attachment creates and attaches a
policy to the IAM role with static resource arn that does not reference
`AWS::Partition` - this breaks compatibility with GovCloud.

fixes #10634


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*