From 82c30d79fcfce3496ceb08cdd6020395ea66423b Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Fri, 24 Jun 2022 18:04:53 +0200 Subject: [PATCH 1/2] fix(pipelines): 'ConfirmPermissionsBroadening' uses wrong node version The CodeBuild Project that is used when the `ConfirmPermissionsBroadening` feature is enabled does not have a CodeBuild image specified. This makes it use the `standard:2.0` image by default, which is AL2-based and comes with Node 12. CDK tooling now requires Node 14 to run. Make it use the `standard:5.0` image like all other CodeBuild projects, which contains Node 14. --- .../lib/private/application-security-check.ts | 3 +++ .../test/compliance/security-check.test.ts | 17 +++++++++++--- .../PipelineSecurityStack.assets.json | 4 ++-- .../PipelineSecurityStack.template.json | 4 ++-- .../manifest.json | 2 +- .../tree.json | 22 +++++++++---------- 6 files changed, 33 insertions(+), 19 deletions(-) diff --git a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts index b94324290ac37..38aaa04abf802 100644 --- a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts +++ b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts @@ -99,6 +99,9 @@ export class ApplicationSecurityCheck extends Construct { ` --message "${message.join('\n')}"`; this.cdkDiffProject = new codebuild.Project(this, 'CDKSecurityCheck', { + environment: { + buildImage: codebuild.LinuxBuildImage.STANDARD_5_0, + }, buildSpec: codebuild.BuildSpec.fromObject({ version: 0.2, phases: { diff --git a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts index f8c53a40e3e37..958145f67ceb3 100644 --- a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts +++ b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts @@ -40,8 +40,9 @@ behavior('security check option generates lambda/codebuild at pipeline scope', ( }); function THEN_codePipelineExpectation() { - Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1); - Template.fromStack(pipelineStack).hasResourceProperties('AWS::Lambda::Function', { + const template = Template.fromStack(pipelineStack); + template.resourceCountIs('AWS::Lambda::Function', 1); + template.hasResourceProperties('AWS::Lambda::Function', { Role: { 'Fn::GetAtt': [ stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'), @@ -50,7 +51,17 @@ behavior('security check option generates lambda/codebuild at pipeline scope', ( }, }); // 1 for github build, 1 for synth stage, and 1 for the application security check - Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3); + template.resourceCountIs('AWS::CodeBuild::Project', 3); + + // No CodeBuild project has a build image that is not standard:5.0 + const projects = template.findResources('AWS::CodeBuild::Project', { + Properties: { + Environment: { + Image: 'aws/codebuild/standard:5.0', + }, + }, + }); + expect(Object.keys(projects).length).toEqual(3); } }); diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json index c697034eb608a..c218215c95fd8 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json @@ -27,7 +27,7 @@ } } }, - "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f": { + "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115": { "source": { "path": "PipelineSecurityStack.template.json", "packaging": "file" @@ -35,7 +35,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json", + "objectKey": "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json index 4a198bda45898..c2ecebd2a612a 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json @@ -2603,7 +2603,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" @@ -2947,7 +2947,7 @@ }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", - "Image": "aws/codebuild/standard:1.0", + "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER" diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json index 2f600dffd75c4..e9ce1f9e4e7bf 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json @@ -65,7 +65,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json index 66cb3d249a4f4..3585354331d56 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json @@ -268,7 +268,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::KMS::Alias", "aws:cdk:cloudformation:props": { - "aliasName": "alias/codepipeline-pipelinesecuritystacktestpipelinef7060861", + "aliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861", "targetKeyId": { "Fn::GetAtt": [ "TestPipelineArtifactsBucketEncryptionKey13258842", @@ -3085,8 +3085,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/pipelines.CdkStage", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.1.33" } }, "PipelineApplicationSecurityCheck": { @@ -3519,7 +3519,7 @@ }, "environment": { "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:1.0", + "image": "aws/codebuild/standard:5.0", "imagePullCredentialsType": "CODEBUILD", "privilegedMode": false, "computeType": "BUILD_GENERAL1_SMALL" @@ -3621,14 +3621,14 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/pipelines.CdkStage", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.1.33" } } }, "constructInfo": { - "fqn": "@aws-cdk/pipelines.CdkPipeline", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.1.33" } }, "UnattachedStage": { @@ -4065,7 +4065,7 @@ }, "environment": { "type": "LINUX_CONTAINER", - "image": "aws/codebuild/standard:1.0", + "image": "aws/codebuild/standard:5.0", "imagePullCredentialsType": "CODEBUILD", "privilegedMode": false, "computeType": "BUILD_GENERAL1_SMALL" @@ -4163,8 +4163,8 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/pipelines.CdkStage", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.1.33" } }, "SecurityChangesTopic": { From 36039ee8e7d49b8f632c82e3cf793d6107f009f6 Mon Sep 17 00:00:00 2001 From: Rico Huijbers Date: Fri, 24 Jun 2022 18:17:51 +0200 Subject: [PATCH 2/2] Update tree.json --- .../pipeline-security.integ.snapshot/tree.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json index 3585354331d56..6a70ad206ee3f 100644 --- a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json +++ b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json @@ -3085,8 +3085,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.33" + "fqn": "@aws-cdk/pipelines.CdkStage", + "version": "0.0.0" } }, "PipelineApplicationSecurityCheck": { @@ -3621,14 +3621,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.33" + "fqn": "@aws-cdk/pipelines.CdkStage", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.33" + "fqn": "@aws-cdk/pipelines.CdkPipeline", + "version": "0.0.0" } }, "UnattachedStage": { @@ -4163,8 +4163,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.33" + "fqn": "@aws-cdk/pipelines.CdkStage", + "version": "0.0.0" } }, "SecurityChangesTopic": {