[pipelines] add custom PolicyStatement to the ShellScriptAction

Hi,

I have used the new pipeline constructs recently and added a custom stage with a ShellScriptAction and custom sam cli commands such as sam package and sam publish. The issue I have encountered is that it is not easy to add a custom PolicyStatement to the role that is associated with the stage. Given that a ShellScriptAction is by nature a generic step in a pipeline running bash commands, it would be great to pass a specific IAM PolicyStatement to the corresponding action role.

I have found a way to do that, but it is not an easy task; this is how I resolve it now:

// PipelineProject lives in the CodeBuild module (CDK v1 package name)
import { PipelineProject } from '@aws-cdk/aws-codebuild';

// Walk the construct tree: Stack -> CdkPipeline -> CodePipeline -> stage -> action
const publishStageNode = this.node.tryFindChild('Pipeline')?.node.tryFindChild('Pipeline')?.node.tryFindChild('publishStageNode');
publishStageNode?.node.tryFindChild('publishAction')?.node.children.forEach(item => {
    // Only the CodeBuild project carries the role to extend; the sibling Role construct is skipped
    if (item instanceof PipelineProject) {
        item.addToRolePolicy(allowCreateLayerSererlessRepoPolicy);
        item.addToRolePolicy(allowUploadToS3Policy);
    }
});

As you can see, this is not an easy way to fetch the stage and the PipelineProject construct that is nested within the tree. Furthermore, I have to loop through the children, because in some cases there is both a Role and a PipelineProject construct.

Proposed Solution

It would be great to add a policy statement directly to an action, e.g.:

const policyStatement = new iam.PolicyStatement({...});

const action = new ShellScriptAction({
    actionName: 'mySpecialShellScriptAction',
    commands: [_some_bash_commands_here_]
});

action.addToRolePolicy(policyStatement);

Other

Pinging @webdog as per request.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

3 reactions
brianfoody commented, Nov 4, 2020

Got it working by creating a role in the testing account and assuming it in my tests from the build account.

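As an added example, not code from the issue, the commenter or the CDK project, these are the shell commands a ShellScriptAction running in the build account could use to assume a test role in the staging account, the approach brianfoody describes. The sts:AssumeRole permission on that one role ARN is exactly the kind of narrow PolicyStatement the issue asks to attach to the action role. The role ARN, the external ID and the aws CLI being on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the CDK project.
# Assumptions: the aws CLI is on PATH; the role ARN and external ID are placeholders.
set -eu

# Pull one string field out of the JSON that `aws sts assume-role` prints.
# Only the fixed key names STS returns are needed, so there is no jq dependency.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export the temporary credentials from an assume-role response so every
# later command (tests, sam, aws) runs as the staging-account role.
export_assumed_role() {
    resp="$1"
    AWS_ACCESS_KEY_ID=$(json_field "$resp" AccessKeyId)
    AWS_SECRET_ACCESS_KEY=$(json_field "$resp" SecretAccessKey)
    AWS_SESSION_TOKEN=$(json_field "$resp" SessionToken)
    # Fail closed: a missing field must not let the tests silently fall back
    # to the build account's own CodeBuild role credentials.
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && \
        [ -n "$AWS_SESSION_TOKEN" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Assume the staging-account test role for the shortest session STS allows (15 min).
# The action role only needs sts:AssumeRole on this single ARN; everything the
# tests do in the staging account is bounded by the assumed role's own policy.
assume_test_role() {
    resp=$(aws sts assume-role \
        --role-arn "$1" \
        --role-session-name acceptance-tests \
        --external-id "$2" \
        --duration-seconds 900)
    export_assumed_role "$resp"
}

# Usage inside the ShellScriptAction commands (placeholder values):
# assume_test_role "arn:aws:iam::STAGING_ACCOUNT_ID:role/AcceptanceTestRole" "EXTERNAL_ID"
# npm test
```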
1 reaction
brianfoody commented, Aug 26, 2020

@am29d @Chriscbr do you know how to do this for cross-account deployments?

I have a build account where the pipeline runs and deploys the stack to a staging account. I want to assume a role in the staging account to execute the acceptance tests on but I’m not sure how to do this with CDK pipelines.

Top Results From Across the Web

  • class ShellScriptAction · AWS CDK: "IBuildImage; declare const policyStatement: iam.PolicyStatement; declare const securityGroup: ec2.SecurityGroup; declare const stackOutput: pipelines."
  • aws-cdk.pipelines - PyPI: "If you prefer more control over the underlying CodePipeline object, you can create one yourself, including custom Source and Build stages:"
  • CDK Pipelines: Use Stack output in `post` step of stage: "addActions( new ShellScriptAction({ actionName: 'TestService', ... rolePolicyStatements: [ new PolicyStatement({ effect: Effect."
  • Building CICD pipelines for serverless microservices using the ...: "How to use the AWS CDK to create CodePipeline/CodeBuild pipelines ... The custom ServicePipeline construct is where most of the logic lies."
  • pipelines package - github.com/aws/aws-cdk-go/awscdk/pipelines ...: "func NewShellScriptAction_Override(s ShellScriptAction, props *ShellScriptActionProps) ... Options for adding an application stage to a pipeline."
