diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json index 2d274f8b21777..2d87ab096ad10 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.assets.json @@ -14,7 +14,7 @@ } } }, - "c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e": { + "0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9": { "source": { "path": "aws-cdk-codepipeline-s3-deploy.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json", + "objectKey": "0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json index a6713b413e740..a87bf0d5e0dc4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/aws-cdk-codepipeline-s3-deploy.template.json @@ -1,8 +1,59 @@ { "Resources": { + "EnvVarEncryptKey1A7CABDB": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "Description": "sample key" + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, "PipelineBucketB967BD35": { "Type": "AWS::S3::Bucket", "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" + } + } + ] + }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", @@ -369,6 +420,22 @@ } ] }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } + }, { "Action": "sts:AssumeRole", "Effect": "Allow", @@ -462,7 +529,13 @@ "Extract": "false", "ObjectKey": "key", "CannedACL": "private", - "CacheControl": "public, max-age=43200" + "CacheControl": "public, max-age=43200", + "KMSEncryptionKeyARN": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } }, "InputArtifacts": [ { @@ -515,6 +588,15 @@ } ], "ArtifactStore": { + "EncryptionKey": { + "Id": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + }, + "Type": "KMS" + }, "Location": { "Ref": "PipelineBucketB967BD35" }, 
@@ -599,6 +681,22 @@ } ] }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } + }, { "Action": [ "s3:Abort*", @@ -765,6 +863,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -877,6 +991,19 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -994,6 +1121,14 @@ } }, "Outputs": { + "ExportsOutputRefDeployBucket67E2C076D8DEC04D": { + "Value": { + "Ref": "DeployBucket67E2C076" + }, + "Export": { + "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D" + } + }, "ExportsOutputRefPipelineBucketB967BD35BAE6E881": { "Value": { "Ref": "PipelineBucketB967BD35" @@ -1009,14 +1144,6 @@ "Export": { "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefPipelineC660917DEB540586" } - }, - "ExportsOutputRefDeployBucket67E2C076D8DEC04D": { - "Value": { - "Ref": "DeployBucket67E2C076" - }, - "Export": { - "Name": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D" - } } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json index 9e262633dd598..01c97429e50e0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/manifest.json @@ -17,7 +17,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c77c225bf996813c66f962ac8da785aa5fa677d3c2a632c3743e4075e07a194e.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0e8ab65ec77f46df122d00ad20da666bb3461c6aee65675b4a7a64b8b284c5a9.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -33,6 +33,12 @@ "aws-cdk-codepipeline-s3-deploy.assets" ], "metadata": { + "/aws-cdk-codepipeline-s3-deploy/EnvVarEncryptKey/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "EnvVarEncryptKey1A7CABDB" + } + ], "/aws-cdk-codepipeline-s3-deploy/PipelineBucket/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -159,22 +165,22 @@ "data": "PipelineDisabledDisabledDeployActionCodePipelineActionRoleDefaultPolicyB1AF629C" } ], - "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [ + "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [ { "type": "aws:cdk:logicalId", - "data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881" + "data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D" } ], - "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [ + "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}": [ { "type": "aws:cdk:logicalId", - "data": "ExportsOutputRefPipelineC660917DEB540586" + "data": "ExportsOutputRefPipelineBucketB967BD35BAE6E881" } ], - "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}": [ + "/aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineC660917D\"}": [ { "type": "aws:cdk:logicalId", - "data": "ExportsOutputRefDeployBucket67E2C076D8DEC04D" + "data": "ExportsOutputRefPipelineC660917DEB540586" } ], "/aws-cdk-codepipeline-s3-deploy/BootstrapVersion": [ @@ -208,7 +214,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -225,10 +231,10 @@ "s3deploytestDefaultTestDeployAssert6BC61647.assets" ], "metadata": { - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/Default/Default": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/Default/Default": [ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallS3putObject" + "data": "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330" } ], "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction1488541a7b23466481b69b4408076b81/Role": [ 
@@ -243,40 +249,46 @@ "data": "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/Default/Default": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/Default/Default": [ + { + "type": "aws:cdk:logicalId", + "data": "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d" + } + ], + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/Default/Default": [ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallCodePipelinegetPipelineState" + "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider/Invoke": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider/Invoke": [ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallCodePipelinegetPipelineStateWaitForIsCompleteProviderInvokeB83E9F2C" + "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForIsCompleteProviderInvoke821ABA06" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider/Invoke": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider/Invoke": [ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallCodePipelinegetPipelineStateWaitForTimeoutProviderInvoke96D2C126" + "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForTimeoutProviderInvoke2F043504" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Role": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Role": 
[ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47" + "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Resource": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Resource": [ { "type": "aws:cdk:logicalId", - "data": "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78" + "data": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/AssertionResults": [ + "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/AssertionResults": [ { "type": "aws:cdk:logicalId", - "data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState" + "data": "AssertionResultsAwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e" } ], "/s3-deploy-test/DefaultTest/DeployAssert/SingletonFunction76b3e830a873425f8453eddd85c86925/Role": [ @@ -303,12 +315,6 @@ "data": "SingletonFunction5c1898e096fb4e3e95d5f6c67f3ce41aHandlerADF3E6EA" } ], - "/s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/Default/Default": [ - { - "type": "aws:cdk:logicalId", - "data": "AwsApiCallS3getObject" - } - ], "/s3-deploy-test/DefaultTest/DeployAssert/BootstrapVersion": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json index 3447c7d92314b..c23aca437f00e 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.assets.json @@ -14,7 +14,7 @@ } } }, - "2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab": { + "a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75": { "source": { "path": "s3deploytestDefaultTestDeployAssert6BC61647.template.json", "packaging": "file" @@ -22,7 +22,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "2a0db37afe84ae5c439012506dfdee1493ab05d9cc40f507fa44ff0ed8d2dfab.json", + "objectKey": "a5e87b4a3b1576f59ec7c5aeb8238a7899b624959515db8b64d69c9b7111fb75.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.template.json index 48401a56fe0a3..3e6c3e21fba3e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/s3deploytestDefaultTestDeployAssert6BC61647.template.json 
@@ -1,7 +1,7 @@ { "Resources": { - "AwsApiCallS3putObject": { - "Type": "Custom::DeployAssert@SdkCallS3putObject", + "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330": { + "Type": "Custom::DeployAssert@SdkCallS3getObject", "Properties": { "ServiceToken": { "Fn::GetAtt": [ @@ -10,17 +10,24 @@ ] }, "service": "S3", - "api": "putObject", + "api": "getObject", "parameters": { "Bucket": { - "Fn::ImportValue": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefPipelineBucketB967BD35BAE6E881" + "Fn::ImportValue": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D" }, - "Key": "key", - "Body": "HelloWorld" + "Key": "key" }, "flattenResponse": "false", - "salt": "1682378113734" + "salt": "1684406090555" }, + "DependsOn": [ + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForIsCompleteProviderInvoke821ABA06", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForTimeoutProviderInvoke2F043504", + "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d" + ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, @@ -52,7 +59,7 @@ "Statement": [ { "Action": [ - "s3:PutObject" + "s3:GetObject" ], "Effect": "Allow", "Resource": [ @@ -60,8 +67,17 @@ ] }, { + "Effect": "Allow", "Action": [ - "codepipeline:GetPipelineState" + "kms:Decrypt" + ], + "Resource": [ + "*" + ] + }, + { + "Action": [ + "s3:PutObject" ], "Effect": "Allow", "Resource": [ @@ -69,8 +85,17 @@ ] }, { + "Effect": "Allow", "Action": [ - "states:StartExecution" + "kms:GenerateDataKey" + ], + "Resource": [ + "*" + ] + }, + { + "Action": [ + "codepipeline:GetPipelineState" ], "Effect": "Allow", "Resource": [ 
@@ -79,7 +104,7 @@ }, { "Action": [ - "s3:GetObject" + "states:StartExecution" ], "Effect": "Allow", "Resource": [ @@ -112,7 +137,31 @@ } } }, - "AwsApiCallCodePipelinegetPipelineState": { + "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d": { + "Type": "Custom::DeployAssert@SdkCallS3putObject", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F", + "Arn" + ] + }, + "service": "S3", + "api": "putObject", + "parameters": { + "Bucket": { + "Fn::ImportValue": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefPipelineBucketB967BD35BAE6E881" + }, + "Key": "key", + "Body": "HelloWorld" + }, + "flattenResponse": "false", + "salt": "1684406090555" + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e": { "Type": "Custom::DeployAssert@SdkCallCodePipelinegetPipelineState", "Properties": { "ServiceToken": { @@ -125,7 +174,7 @@ "api": "getPipelineState", "expected": "{\"$ObjectLike\":{\"stageStates\":{\"$ArrayWith\":[{\"$ObjectLike\":{\"stageName\":\"Deploy\",\"latestExecution\":{\"$ObjectLike\":{\"status\":\"Succeeded\"}}}}]}}}", "stateMachineArn": { - "Ref": "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78" + "Ref": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5" }, "parameters": { "name": { @@ -133,12 +182,12 @@ } }, "flattenResponse": "false", - "salt": "1682378113735" + "salt": "1684406090556" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" }, - "AwsApiCallCodePipelinegetPipelineStateWaitForIsCompleteProviderInvokeB83E9F2C": { + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForIsCompleteProviderInvoke821ABA06": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", 
@@ -150,13 +199,13 @@ }, "Principal": { "Fn::GetAtt": [ - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905", "Arn" ] } } }, - "AwsApiCallCodePipelinegetPipelineStateWaitForTimeoutProviderInvoke96D2C126": { + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForTimeoutProviderInvoke2F043504": { "Type": "AWS::Lambda::Permission", "Properties": { "Action": "lambda:InvokeFunction", @@ -168,13 +217,13 @@ }, "Principal": { "Fn::GetAtt": [ - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905", "Arn" ] } } }, - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47": { + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -219,7 +268,7 @@ ] } }, - "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78": { + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForC3FB32C5": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { "DefinitionString": { @@ -246,13 +295,13 @@ }, "RoleArn": { "Fn::GetAtt": [ - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905", "Arn" ] } }, "DependsOn": [ - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47" + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225eWaitForRole44AD3905" ] }, "SingletonFunction76b3e830a873425f8453eddd85c86925Role918961BB": { 
@@ -357,44 +406,13 @@ ] } } - }, - "AwsApiCallS3getObject": { - "Type": "Custom::DeployAssert@SdkCallS3getObject", - "Properties": { - "ServiceToken": { - "Fn::GetAtt": [ - "SingletonFunction1488541a7b23466481b69b4408076b81HandlerCD40AE9F", - "Arn" - ] - }, - "service": "S3", - "api": "getObject", - "parameters": { - "Bucket": { - "Fn::ImportValue": "aws-cdk-codepipeline-s3-deploy:ExportsOutputRefDeployBucket67E2C076D8DEC04D" - }, - "Key": "key" - }, - "flattenResponse": "false", - "salt": "1682378113736" - }, - "DependsOn": [ - "AwsApiCallCodePipelinegetPipelineState", - "AwsApiCallCodePipelinegetPipelineStateWaitForIsCompleteProviderInvokeB83E9F2C", - "AwsApiCallCodePipelinegetPipelineStateWaitFor68BABF78", - "AwsApiCallCodePipelinegetPipelineStateWaitForRoleDF2D0D47", - "AwsApiCallCodePipelinegetPipelineStateWaitForTimeoutProviderInvoke96D2C126", - "AwsApiCallS3putObject" - ], - "UpdateReplacePolicy": "Delete", - "DeletionPolicy": "Delete" } }, "Outputs": { - "AssertionResultsAwsApiCallCodePipelinegetPipelineState": { + "AssertionResultsAwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e": { "Value": { "Fn::GetAtt": [ - "AwsApiCallCodePipelinegetPipelineState", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e", "assertion" ] } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/tree.json index 3bb28177996c2..325da7459a733 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.js.snapshot/tree.json 
@@ -8,6 +8,58 @@ "id": "aws-cdk-codepipeline-s3-deploy", "path": "aws-cdk-codepipeline-s3-deploy", "children": { + "EnvVarEncryptKey": { + "id": "EnvVarEncryptKey", + "path": "aws-cdk-codepipeline-s3-deploy/EnvVarEncryptKey", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-codepipeline-s3-deploy/EnvVarEncryptKey/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::KMS::Key", + "aws:cdk:cloudformation:props": { + "keyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "description": "sample key" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.CfnKey", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_kms.Key", + "version": "0.0.0" + } + }, "PipelineBucket": { "id": "PipelineBucket", "path": "aws-cdk-codepipeline-s3-deploy/PipelineBucket", @@ -18,6 +70,21 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::S3::Bucket", "aws:cdk:cloudformation:props": { + "bucketEncryption": { + "serverSideEncryptionConfiguration": [ + { + "serverSideEncryptionByDefault": { + "sseAlgorithm": "aws:kms", + "kmsMasterKeyId": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } + } + } + ] + }, "tags": [ { "key": "aws-cdk:auto-delete-objects", @@ -491,6 +558,22 @@ } ] }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } + }, { "Action": "sts:AssumeRole", "Effect": "Allow", 
@@ -611,7 +694,13 @@ "Extract": "false", "ObjectKey": "key", "CannedACL": "private", - "CacheControl": "public, max-age=43200" + "CacheControl": "public, max-age=43200", + "KMSEncryptionKeyARN": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } }, "runOrder": 1, "roleArn": { @@ -660,6 +749,15 @@ "type": "S3", "location": { "Ref": "PipelineBucketB967BD35" + }, + "encryptionKey": { + "type": "KMS", + "id": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } } }, "disableInboundStageTransitions": [ @@ -777,6 +875,22 @@ } ] }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } + }, { "Action": [ "s3:Abort*", @@ -842,13 +956,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "Deploy": { @@ -1007,6 +1121,22 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } } ], "Version": "2012-10-17" @@ -1039,13 +1169,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "Disabled": { @@ -1183,6 +1313,19 @@ ] } ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EnvVarEncryptKey1A7CABDB", + "Arn" + ] + } } ], "Version": "2012-10-17" 
@@ -1215,13 +1358,13 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, @@ -1234,6 +1377,14 @@ "id": "Exports", "path": "aws-cdk-codepipeline-s3-deploy/Exports", "children": { + "Output{\"Ref\":\"DeployBucket67E2C076\"}": { + "id": "Output{\"Ref\":\"DeployBucket67E2C076\"}", + "path": "aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" + } + }, "Output{\"Ref\":\"PipelineBucketB967BD35\"}": { "id": "Output{\"Ref\":\"PipelineBucketB967BD35\"}", "path": "aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"PipelineBucketB967BD35\"}", @@ -1249,19 +1400,11 @@ "fqn": "aws-cdk-lib.CfnOutput", "version": "0.0.0" } - }, - "Output{\"Ref\":\"DeployBucket67E2C076\"}": { - "id": "Output{\"Ref\":\"DeployBucket67E2C076\"}", - "path": "aws-cdk-codepipeline-s3-deploy/Exports/Output{\"Ref\":\"DeployBucket67E2C076\"}", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnOutput", - "version": "0.0.0" - } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "BootstrapVersion": { 
@@ -1299,27 +1442,27 @@ "path": "s3-deploy-test/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "DeployAssert": { "id": "DeployAssert", "path": "s3-deploy-test/DefaultTest/DeployAssert", "children": { - "AwsApiCallS3putObject": { - "id": "AwsApiCallS3putObject", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject", + "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330": { + "id": "AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330", "children": { "SdkProvider": { "id": "SdkProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/SdkProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/SdkProvider", "children": { "AssertionsProvider": { "id": "AssertionsProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/SdkProvider/AssertionsProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, @@ -1330,11 +1473,11 @@ }, "Default": { "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/Default", "children": { "Default": { "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObject/Default/Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject132afe15f6b0866b1b0b18d4081f0330/Default/Default", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" 
@@ -1383,23 +1526,69 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" + } + }, + "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d": { + "id": "AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d", + "children": { + "SdkProvider": { + "id": "SdkProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/SdkProvider", + "children": { + "AssertionsProvider": { + "id": "AssertionsProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/SdkProvider/AssertionsProvider", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.25" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.AssertionsProvider", + "version": "0.0.0" + } + }, + "Default": { + "id": "Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/Default", + "children": { + "Default": { + "id": "Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3putObjecte1b51fae535275287a7fd0b537ad2b3d/Default/Default", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.CustomResource", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.AwsApiCall", + "version": "0.0.0" } }, - "AwsApiCallCodePipelinegetPipelineState": { - "id": "AwsApiCallCodePipelinegetPipelineState", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState", + "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e": { + "id": "AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e", + "path": 
"s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e", "children": { "SdkProvider": { "id": "SdkProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/SdkProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/SdkProvider", "children": { "AssertionsProvider": { "id": "AssertionsProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/SdkProvider/AssertionsProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/SdkProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, @@ -1410,11 +1599,11 @@ }, "Default": { "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/Default", "children": { "Default": { "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/Default/Default", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/Default/Default", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" 
@@ -1428,23 +1617,23 @@ }, "WaitFor": { "id": "WaitFor", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor", "children": { "IsCompleteProvider": { "id": "IsCompleteProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider", "children": { "AssertionsProvider": { "id": "AssertionsProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider/AssertionsProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "Invoke": { "id": "Invoke", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/IsCompleteProvider/Invoke", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/IsCompleteProvider/Invoke", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" 
@@ -1458,19 +1647,19 @@ }, "TimeoutProvider": { "id": "TimeoutProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider", "children": { "AssertionsProvider": { "id": "AssertionsProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider/AssertionsProvider", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider/AssertionsProvider", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "Invoke": { "id": "Invoke", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/TimeoutProvider/Invoke", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/TimeoutProvider/Invoke", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" @@ -1484,7 +1673,7 @@ }, "Role": { "id": "Role", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Role", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Role", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" @@ -1492,7 +1681,7 @@ }, "Resource": { "id": "Resource", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/WaitFor/Resource", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/WaitFor/Resource", "constructInfo": { "fqn": "aws-cdk-lib.CfnResource", "version": "0.0.0" 
@@ -1506,7 +1695,7 @@ }, "AssertionResults": { "id": "AssertionResults", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState/AssertionResults", + "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallCodePipelinegetPipelineState57ac6eaf015feec14cf48d22e7e8225e/AssertionResults", "constructInfo": { "fqn": "aws-cdk-lib.CfnOutput", "version": "0.0.0" @@ -1549,7 +1738,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } }, "SingletonFunction5c1898e096fb4e3e95d5f6c67f3ce41a": { @@ -1583,53 +1772,7 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" - } - }, - "AwsApiCallS3getObject": { - "id": "AwsApiCallS3getObject", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject", - "children": { - "SdkProvider": { - "id": "SdkProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/SdkProvider", - "children": { - "AssertionsProvider": { - "id": "AssertionsProvider", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/SdkProvider/AssertionsProvider", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.270" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.AssertionsProvider", - "version": "0.0.0" - } - }, - "Default": { - "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/Default", - "children": { - "Default": { - "id": "Default", - "path": "s3-deploy-test/DefaultTest/DeployAssert/AwsApiCallS3getObject/Default/Default", - "constructInfo": { - "fqn": "aws-cdk-lib.CfnResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.CustomResource", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.AwsApiCall", - "version": "0.0.0" + "version": "10.2.25" } }, "BootstrapVersion": { 
@@ -1671,7 +1814,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.270" + "version": "10.2.25" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.ts index 6ef696607bc8b..879d96e92071f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-s3-deploy.ts @@ -1,4 +1,5 @@ import * as codepipeline from 'aws-cdk-lib/aws-codepipeline'; +import * as kms from 'aws-cdk-lib/aws-kms'; import * as s3 from 'aws-cdk-lib/aws-s3'; import * as cdk from 'aws-cdk-lib'; import { Duration } from 'aws-cdk-lib'; @@ -9,10 +10,15 @@ const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-s3-deploy'); +const key: kms.IKey = new kms.Key(stack, 'EnvVarEncryptKey', { + description: 'sample key', +}); + const bucket = new s3.Bucket(stack, 'PipelineBucket', { versioned: true, removalPolicy: cdk.RemovalPolicy.DESTROY, autoDeleteObjects: true, + encryptionKey: key, }); const sourceOutput = new codepipeline.Artifact('SourceArtifact'); const sourceAction = new cpactions.S3SourceAction({ @@ -53,6 +59,7 @@ const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', { cpactions.CacheControl.setPublic(), cpactions.CacheControl.maxAge(cdk.Duration.hours(12)), ], + encryptionKey: key, }), ], }, 
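Review bot: The `kms.Key` added in the `@@ -9,10 +10,15 @@` hunk of integ.pipeline-s3-deploy.ts has no `removalPolicy`, and the regenerated template earlier in this diff shows it with `"DeletionPolicy": "Retain"`. The bucket next to it uses `RemovalPolicy.DESTROY` with `autoDeleteObjects`, so each run of this integ test would leave a KMS key behind in the test account after the stack is deleted. Adding `removalPolicy: cdk.RemovalPolicy.DESTROY,` to the key props keeps the test self-cleaning. The explicit `kms.IKey` annotation is not needed either; `const key = new kms.Key(...)` infers the same thing.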
@@ -74,11 +81,31 @@ const integ = new IntegTest(app, 's3-deploy-test', { testCases: [stack], }); -integ.assertions.awsApiCall('S3', 'putObject', { +const getObjectCall = integ.assertions.awsApiCall('S3', 'getObject', { + Bucket: deployBucket.bucketName, + Key: 'key', +}); + +getObjectCall.provider.addToRolePolicy({ + Effect: 'Allow', + Action: ['kms:Decrypt'], + Resource: ['*'], +}); + + +const putObjectCall = integ.assertions.awsApiCall('S3', 'putObject', { Bucket: bucket.bucketName, Key: 'key', Body: 'HelloWorld', -}).next( +}); + +putObjectCall.provider.addToRolePolicy({ + Effect: 'Allow', + Action: ['kms:GenerateDataKey'], + Resource: ['*'], +}); + +putObjectCall.next( integ.assertions.awsApiCall('CodePipeline', 'getPipelineState', { name: pipeline.pipelineName, }).expect(ExpectedResult.objectLike({ @@ -92,12 +119,7 @@ integ.assertions.awsApiCall('S3', 'putObject', { ]), })).waitForAssertions({ totalTimeout: Duration.minutes(5), - }).next( - integ.assertions.awsApiCall('S3', 'getObject', { - Bucket: deployBucket.bucketName, - Key: 'key', - }), - ), + }).next(getObjectCall), ); app.synth(); diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/README.md b/packages/aws-cdk-lib/aws-codepipeline-actions/README.md index 74a37565664ee..e5a2b9976c60f 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/README.md +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/README.md @@ -859,12 +859,16 @@ To use an S3 Bucket as a deployment target in CodePipeline: ```ts const sourceOutput = new codepipeline.Artifact(); const targetBucket = new s3.Bucket(this, 'MyBucket'); +const key: kms.IKey = new kms.Key(stack, 'EnvVarEncryptKey', { + description: 'sample key', +}); const pipeline = new codepipeline.Pipeline(this, 'MyPipeline'); const deployAction = new codepipeline_actions.S3DeployAction({ actionName: 'S3Deploy', bucket: targetBucket, input: sourceOutput, + encryptionKey: key, }); const deployStage = pipeline.addStage({ stageName: 'Deploy', 
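Review bot: Both `addToRolePolicy` calls in the `@@ -74,11 +81,31 @@` hunk grant their KMS action on `Resource: ['*']`, so the assertion provider roles receive `kms:Decrypt` and `kms:GenerateDataKey` for any key in the account whose key policy defers to IAM, not only the test key. `key` is in scope here, so both statements can be limited to it with `Resource: [key.keyArn],`, assuming the token resolves into the DeployAssert stack the same way `bucket.bucketName` already does in the call parameters. Integ tests in this repository are often read as usage examples, so a wildcard here tends to get copied. The doubled blank line after the `getObjectCall` policy block can also go.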
diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/s3/deploy-action.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/s3/deploy-action.ts index 8bf60a2696395..91b265d4e3b01 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/s3/deploy-action.ts +++ b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/s3/deploy-action.ts @@ -1,6 +1,7 @@ import { kebab as toKebabCase } from 'case'; import { Construct } from 'constructs'; import * as codepipeline from '../../../aws-codepipeline'; +import * as kms from '../../../aws-kms'; import * as s3 from '../../../aws-s3'; import { Duration } from '../../../core'; import { Action } from '../action'; @@ -86,6 +87,13 @@ export interface S3DeployActionProps extends codepipeline.CommonAwsActionProps { * @default - none, decided by the HTTP client */ readonly cacheControl?: CacheControl[]; + + /** + * The AWS KMS encryption key for the host bucket. + * The encryptionKey parameter encrypts uploaded artifacts with the provided AWS KMS key. + * @default - none + */ + readonly encryptionKey?: kms.IKey; } /** @@ -121,6 +129,8 @@ export class S3DeployAction extends Action { // the Action Role also needs to read from the Pipeline's bucket options.bucket.grantRead(options.role); + this.props.encryptionKey?.grantEncrypt(options.role); + const acl = this.props.accessControl; return { configuration: { @@ -129,6 +139,7 @@ export class S3DeployAction extends Action { ObjectKey: this.props.objectKey, CannedACL: acl ? toKebabCase(acl.toString()) : undefined, CacheControl: this.props.cacheControl && this.props.cacheControl.map(ac => ac.value).join(', '), + KMSEncryptionKeyARN: this.props.encryptionKey?.keyArn, }, }; } diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/test/s3/s3-deploy-action.test.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/test/s3/s3-deploy-action.test.ts index a3ebd51a2cd4c..a2d362a9602e0 100644 --- a/packages/aws-cdk-lib/aws-codepipeline-actions/test/s3/s3-deploy-action.test.ts 
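Review bot: The doc comment on `encryptionKey` in the `@@ -86,6 +87,13 @@` hunk calls it the key "for the host bucket", which does not say which bucket is meant or what the action does with the key. From the later hunks, the action role is granted encrypt on the key and its ARN is passed as `KMSEncryptionKeyARN`, so I would word it as `The AWS KMS key used to encrypt the objects this action uploads to the deployment bucket.` The `@default - none` line could also state what happens without a key; presumably the target bucket's own default encryption applies, but that is not shown in this diff and should be confirmed before writing it down.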
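Review bot: `this.props.encryptionKey?.grantEncrypt(options.role);` in the `@@ -121,6 +129,8 @@` hunk gives the action role encrypt-side permissions only. S3 documents that multipart uploads with an SSE-KMS key also require `kms:Decrypt` on that key, so a large artifact may fail to deploy if CodePipeline uploads it in parts; this diff does not show whether it does, so it is worth an integ run with an artifact above the multipart threshold. If that fails, the one-line change is `this.props.encryptionKey?.grantEncryptDecrypt(options.role);`. The enclosing `bind` method starts and ends outside this hunk.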
+++ b/packages/aws-cdk-lib/aws-codepipeline-actions/test/s3/s3-deploy-action.test.ts @@ -1,5 +1,6 @@ import { Template } from '../../../assertions'; import * as codepipeline from '../../../aws-codepipeline'; +import * as kms from '../../../aws-kms'; import * as s3 from '../../../aws-s3'; import { App, Duration, SecretValue, Stack } from '../../../core'; import * as cpactions from '../../lib'; @@ -177,6 +178,26 @@ describe('S3 Deploy Action', () => { }); }); +test('KMSEncryptionKeyARN value', () => { + const stack = new Stack(); + minimalPipeline(stack); + + Template.fromStack(stack).hasResourceProperties('AWS::CodePipeline::Pipeline', { + 'Stages': [ + {}, + { + 'Actions': [ + { + 'Configuration': { + 'KMSEncryptionKeyARN': { 'Fn::GetAtt': ['EnvVarEncryptKey1A7CABDB', 'Arn'] }, + }, + }, + ], + }, + ], + }); +}); + interface MinimalPipelineOptions { readonly accessControl?: s3.BucketAccessControl; readonly bucket?: s3.IBucket; @@ -186,6 +207,9 @@ interface MinimalPipelineOptions { } function minimalPipeline(stack: Stack, options: MinimalPipelineOptions = {}): codepipeline.IStage { + const key: kms.IKey = new kms.Key(stack, 'EnvVarEncryptKey', { + description: 'sample key', + }); const sourceOutput = new codepipeline.Artifact(); const sourceAction = new cpactions.GitHubSourceAction({ actionName: 'Source', @@ -215,6 +239,7 @@ function minimalPipeline(stack: Stack, options: MinimalPipelineOptions = {}): co extract: options.extract, input: sourceOutput, objectKey: options.objectKey, + encryptionKey: key, }), ], });
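Review bot: `minimalPipeline` now creates a key and passes `encryptionKey: key` unconditionally (hunks `@@ -186,6 +207,9 @@` and `@@ -215,6 +239,7 @@`), so every existing test in this file runs with a KMS key. The default path, where `KMSEncryptionKeyARN` should be absent and no grant is made, is no longer exercised. Make the key opt-in like the other options: add `readonly encryptionKey?: kms.IKey;` to `MinimalPipelineOptions`, pass `encryptionKey: options.encryptionKey,`, and create the key inside the new test. The new test also checks only the action configuration; a `hasResourceProperties('AWS::IAM::Policy', ...)` assertion that the action role receives its KMS actions on `EnvVarEncryptKey1A7CABDB` would pin the permission side of the feature. `minimalPipeline` continues outside the visible hunks.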