
pipelines : Enable custom role configuration #27605

Open
@supunasp

Description


Describe the feature

I have developed a CodePipeline as follows.
[image]

But when I deploy the pipeline, CDK will create another 4 roles. Is there a way to stop generating those roles and tell CDK to reuse the existing ones provided?

  • AWS:${cdk-codepipeline-XX/UpdatePipeline/SelfMutation/Role}
  • AWS:${cdk-codepipeline-XX/Assets/FileRole}
  • AWS:${cdk-codepipeline-XX/Pipeline/Source/source-change/CodePipelineActionRole}
  • AWS:${cdk-codepipeline-XX/CodeBuildActionRole}

Use Case

We have around 25+ lambda functions and each of them currently has a build job where CodeBuildRole is shared. We will be creating this new pipeline for all of them, which means there will be around 100+ roles created.
I need to use a pre-existing service role created by our security team instead of auto-generated ones. Our security team identifies this as another vulnerability.

Proposed Solution

CodePipeline could be configured like this. The solution would be to introduce role instead of rolePolicy in CodeBuildOptions.

CodePipeline codePipeline = new CodePipeline(
                this,
                codePipelineId,
                CodePipelineProps.builder()
                        .pipelineName(codePipelineId)
                        .selfMutation(Boolean.TRUE)
                        .role(codePipelineRole)
                        .synth(synthStep)
                        .crossAccountKeys(Boolean.TRUE)
                        .artifactBucket(PipelineUtils.getArtifactBucket(this, config))
                        .synthCodeBuildDefaults(
                                CodeBuildOptions
                                        .builder()
                                        .cache(codebuildCache)
                                        .role(synthRole)
                                        .buildEnvironment(buildEnvironment)
                                        .build()
                        )
                        .codeBuildDefaults(
                                CodeBuildOptions
                                        .builder()
                                        .cache(codebuildCache)
                                        .role(codeBuildRole)
                                        .buildEnvironment(buildEnvironment)
                                        .build()
                        )
                        .selfMutationCodeBuildDefaults(
                                CodeBuildOptions
                                        .builder()
                                        .cache(codebuildCache)
                                        .role(selfMutationRole)
                                        .buildEnvironment(buildEnvironment)
                                        .build()
                        )
                        .assetPublishingCodeBuildDefaults(
                                CodeBuildOptions
                                        .builder()
                                        .cache(codebuildCache)
                                        .role(assetPublishingRole)
                                        .buildEnvironment(buildEnvironment)
                                        .build()
                        )
                        .build()
        );

Other Information

I have tried overriding the roles using CfnResource (L1 construct). I was able to override some roles. I was not able to override the role to But the roles are still getting generated. I couldn't find a way to stop generating the role.

CfnResource pipelineCfn = (CfnResource) codePipeline.getPipeline().getNode()
        .getDefaultChild();

if (pipelineCfn != null) {
    // AWS:${cdk-codepipeline-XX/Pipeline/Source/source-change/CodePipelineActionRole}
    pipelineCfn.addPropertyOverride(
            "Stages.0.Actions.0.RoleArn",
            config.getCodePipelineActionRole()
    );
    // AWS:${cdk-codepipeline-XX/UpdatePipeline/SelfMutation/Role}
    pipelineCfn.addPropertyOverride(
            "Stages.2.Actions.0.RoleArn",
            config.getCodePipelineSelfMutationRole()
    );
    // AWS:${cdk-codepipeline-XX/Assets/FileRole}
    pipelineCfn.addPropertyOverride(
            "Stages.3.Actions.0.RoleArn",
            config.getCodePipelineAssetsFileRole()
    );
}

CfnResource selfMutationProjectCfn = (CfnResource) codePipeline.getSelfMutationProject()
        .getNode()
        .getDefaultChild();

if (selfMutationProjectCfn != null) {
    // replace service role for AWS:${cdk-codepipeline-XX/UpdatePipeline/SelfMutation/Role}
    selfMutationProjectCfn.addPropertyOverride(
            "ServiceRole",
            config.getCodePipelineSelfMutationRole()
    );
}

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

software.amazon.awscdk: aws-cdk-lib: 2.99.1

Environment details (OS name and version, etc.)

AWS Amazon Linux 2 & Java
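One way to confirm whether such overrides actually retired the generated roles is to audit the synthesized template in cdk.out: list every AWS::IAM::Role the stack still creates and report which pipeline actions or CodeBuild projects still point at one via Ref or Fn::GetAtt. The Python script below is an added example, not code from the issue or from CDK; the embedded template and its logical IDs are constructed for illustration.

```python
"""Audit a synthesized CDK template for CDK-generated IAM roles that are
still referenced by the pipeline or its CodeBuild projects.
Added example; the template below is constructed, not real cdk synth output."""
import json

SAMPLE_TEMPLATE = {  # constructed: one action overridden, one not
    "Resources": {
        "PipelineSourceRoleABC": {"Type": "AWS::IAM::Role", "Properties": {}},
        "SelfMutationRoleDEF": {"Type": "AWS::IAM::Role", "Properties": {}},
        "Pipeline1234": {"Type": "AWS::CodePipeline::Pipeline", "Properties": {
            "Stages": [
                {"Name": "Source", "Actions": [{"Name": "source-change",
                    # overridden to a team-managed role (constructed ARN)
                    "RoleArn": "arn:aws:iam::111111111111:role/team-source-role"}]},
                {"Name": "UpdatePipeline", "Actions": [{"Name": "SelfMutate",
                    # still wired to the generated role
                    "RoleArn": {"Fn::GetAtt": ["SelfMutationRoleDEF", "Arn"]}}]},
            ]}},
        "SelfMutationProject": {"Type": "AWS::CodeBuild::Project", "Properties": {
            "ServiceRole": {"Fn::GetAtt": ["SelfMutationRoleDEF", "Arn"]}}},
    }
}

def _refs(node):
    """Yield every logical ID referenced via Ref or Fn::GetAtt under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if isinstance(node.get("Fn::GetAtt"), list) and node["Fn::GetAtt"]:
            yield node["Fn::GetAtt"][0]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)

def audit_roles(template):
    """Return generated roles, who still uses them, and which are now unused."""
    resources = template["Resources"]
    roles = {lid for lid, r in resources.items() if r["Type"] == "AWS::IAM::Role"}
    used = {}
    for lid, res in resources.items():
        if res["Type"] not in ("AWS::CodePipeline::Pipeline", "AWS::CodeBuild::Project"):
            continue
        for ref in _refs(res.get("Properties", {})):
            if ref in roles:
                used.setdefault(ref, set()).add(lid)
    return {"generated_roles": sorted(roles),
            "still_referenced": {k: sorted(v) for k, v in used.items()},
            "unreferenced": sorted(roles - set(used))}

def audit_file(path):
    """Run the audit on a real template, e.g. cdk.out/<stack>.template.json."""
    with open(path) as fh:
        return audit_roles(json.load(fh))
```

An unreferenced generated role is the case the issue describes: the override moved the action off it, but CDK still emits the role resource, so it remains a finding for the security team until the construct stops creating it.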

Labels: @aws-cdk/pipelines, effort/medium, feature-request, p2