@devramps/cli 0.1.24 → 0.1.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +94 -5
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -2140,7 +2140,8 @@ function buildOrgRolePolicies(orgSlug) {
|
|
|
2140
2140
|
|
|
2141
2141
|
// src/templates/pipeline-stack.ts
|
|
2142
2142
|
function generatePipelineStackTemplate(options) {
|
|
2143
|
-
const { pipelineSlug, cicdAccountId, dockerArtifacts, bundleArtifacts } = options;
|
|
2143
|
+
const { pipelineSlug, cicdAccountId, dockerArtifacts, bundleArtifacts, stageAccountIds } = options;
|
|
2144
|
+
const allAccountIds = [.../* @__PURE__ */ new Set([cicdAccountId, ...stageAccountIds])];
|
|
2144
2145
|
const template = createBaseTemplate(`DevRamps Pipeline Stack for ${pipelineSlug}`);
|
|
2145
2146
|
const ecrOutputs = {};
|
|
2146
2147
|
const s3Outputs = {};
|
|
@@ -2156,6 +2157,25 @@ function generatePipelineStackTemplate(options) {
|
|
|
2156
2157
|
{ Key: "ArtifactType", Value: artifact.type }
|
|
2157
2158
|
]
|
|
2158
2159
|
);
|
|
2160
|
+
if (stageAccountIds.length > 0) {
|
|
2161
|
+
template.Resources[resourceId].Properties.RepositoryPolicyText = {
|
|
2162
|
+
Version: "2012-10-17",
|
|
2163
|
+
Statement: [
|
|
2164
|
+
{
|
|
2165
|
+
Sid: "AllowStageAccountPull",
|
|
2166
|
+
Effect: "Allow",
|
|
2167
|
+
Principal: {
|
|
2168
|
+
AWS: allAccountIds.map((id) => `arn:aws:iam::${id}:root`)
|
|
2169
|
+
},
|
|
2170
|
+
Action: [
|
|
2171
|
+
"ecr:GetDownloadUrlForLayer",
|
|
2172
|
+
"ecr:BatchGetImage",
|
|
2173
|
+
"ecr:BatchCheckLayerAvailability"
|
|
2174
|
+
]
|
|
2175
|
+
}
|
|
2176
|
+
]
|
|
2177
|
+
};
|
|
2178
|
+
}
|
|
2159
2179
|
ecrOutputs[artifact.name] = { repoName, resourceId };
|
|
2160
2180
|
}
|
|
2161
2181
|
for (const artifact of bundleArtifacts) {
|
|
@@ -2170,6 +2190,41 @@ function generatePipelineStackTemplate(options) {
|
|
|
2170
2190
|
{ Key: "ArtifactType", Value: artifact.type }
|
|
2171
2191
|
]
|
|
2172
2192
|
);
|
|
2193
|
+
if (stageAccountIds.length > 0) {
|
|
2194
|
+
const policyResourceId = sanitizeResourceId(`BucketPolicy${artifactId}`);
|
|
2195
|
+
template.Resources[policyResourceId] = {
|
|
2196
|
+
Type: "AWS::S3::BucketPolicy",
|
|
2197
|
+
Properties: {
|
|
2198
|
+
Bucket: { Ref: resourceId },
|
|
2199
|
+
PolicyDocument: {
|
|
2200
|
+
Version: "2012-10-17",
|
|
2201
|
+
Statement: [
|
|
2202
|
+
{
|
|
2203
|
+
Sid: "AllowStageAccountRead",
|
|
2204
|
+
Effect: "Allow",
|
|
2205
|
+
Principal: {
|
|
2206
|
+
AWS: allAccountIds.map((id) => `arn:aws:iam::${id}:root`)
|
|
2207
|
+
},
|
|
2208
|
+
Action: [
|
|
2209
|
+
"s3:GetObject",
|
|
2210
|
+
"s3:HeadObject"
|
|
2211
|
+
],
|
|
2212
|
+
Resource: `arn:aws:s3:::${bucketName}/*`
|
|
2213
|
+
},
|
|
2214
|
+
{
|
|
2215
|
+
Sid: "AllowStageAccountList",
|
|
2216
|
+
Effect: "Allow",
|
|
2217
|
+
Principal: {
|
|
2218
|
+
AWS: allAccountIds.map((id) => `arn:aws:iam::${id}:root`)
|
|
2219
|
+
},
|
|
2220
|
+
Action: "s3:ListBucket",
|
|
2221
|
+
Resource: `arn:aws:s3:::${bucketName}`
|
|
2222
|
+
}
|
|
2223
|
+
]
|
|
2224
|
+
}
|
|
2225
|
+
}
|
|
2226
|
+
};
|
|
2227
|
+
}
|
|
2173
2228
|
s3Outputs[artifact.name] = { bucketName, resourceId };
|
|
2174
2229
|
}
|
|
2175
2230
|
for (const [artifactName, { resourceId }] of Object.entries(ecrOutputs)) {
|
|
@@ -2453,7 +2508,7 @@ function generateStageStackTemplate(options) {
|
|
|
2453
2508
|
);
|
|
2454
2509
|
const roleName = generateStageRoleName(pipelineSlug, stageName);
|
|
2455
2510
|
const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
|
|
2456
|
-
const policies = buildStagePolicies(steps, additionalPolicies);
|
|
2511
|
+
const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts);
|
|
2457
2512
|
template.Resources.StageDeploymentRole = createIamRoleResource(
|
|
2458
2513
|
roleName,
|
|
2459
2514
|
trustPolicy,
|
|
@@ -2542,7 +2597,7 @@ function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl
|
|
|
2542
2597
|
const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
|
|
2543
2598
|
return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
|
|
2544
2599
|
}
|
|
2545
|
-
function buildStagePolicies(steps, additionalPolicies) {
|
|
2600
|
+
function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts) {
|
|
2546
2601
|
const policies = [];
|
|
2547
2602
|
policies.push({
|
|
2548
2603
|
PolicyName: "DevRampsValidationPolicy",
|
|
@@ -2563,6 +2618,38 @@ function buildStagePolicies(steps, additionalPolicies) {
|
|
|
2563
2618
|
]
|
|
2564
2619
|
}
|
|
2565
2620
|
});
|
|
2621
|
+
if (dockerArtifacts.length > 0) {
|
|
2622
|
+
policies.push({
|
|
2623
|
+
PolicyName: "DevRampsMirrorECRPolicy",
|
|
2624
|
+
PolicyDocument: {
|
|
2625
|
+
Version: "2012-10-17",
|
|
2626
|
+
Statement: [
|
|
2627
|
+
{
|
|
2628
|
+
Sid: "AllowECRMirror",
|
|
2629
|
+
Effect: "Allow",
|
|
2630
|
+
Action: MIRROR_ECR_PERMISSIONS.actions,
|
|
2631
|
+
Resource: MIRROR_ECR_PERMISSIONS.resources || ["*"]
|
|
2632
|
+
}
|
|
2633
|
+
]
|
|
2634
|
+
}
|
|
2635
|
+
});
|
|
2636
|
+
}
|
|
2637
|
+
if (bundleArtifacts.length > 0) {
|
|
2638
|
+
policies.push({
|
|
2639
|
+
PolicyName: "DevRampsMirrorS3Policy",
|
|
2640
|
+
PolicyDocument: {
|
|
2641
|
+
Version: "2012-10-17",
|
|
2642
|
+
Statement: [
|
|
2643
|
+
{
|
|
2644
|
+
Sid: "AllowS3Mirror",
|
|
2645
|
+
Effect: "Allow",
|
|
2646
|
+
Action: MIRROR_S3_PERMISSIONS.actions,
|
|
2647
|
+
Resource: MIRROR_S3_PERMISSIONS.resources || ["*"]
|
|
2648
|
+
}
|
|
2649
|
+
]
|
|
2650
|
+
}
|
|
2651
|
+
});
|
|
2652
|
+
}
|
|
2566
2653
|
for (const step of steps) {
|
|
2567
2654
|
if (!hasPermissions(step.type)) {
|
|
2568
2655
|
continue;
|
|
@@ -2863,7 +2950,8 @@ async function buildDeploymentPlan(pipelines, pipelineArtifacts, authData, curre
|
|
|
2863
2950
|
action: await determineStackAction(stackName, cicdCredentials, cicdRegion),
|
|
2864
2951
|
pipelineSlug: pipeline.slug,
|
|
2865
2952
|
dockerArtifacts: filteredArtifacts.docker,
|
|
2866
|
-
bundleArtifacts: filteredArtifacts.bundle
|
|
2953
|
+
bundleArtifacts: filteredArtifacts.bundle,
|
|
2954
|
+
stageAccountIds: pipeline.targetAccountIds
|
|
2867
2955
|
});
|
|
2868
2956
|
}
|
|
2869
2957
|
const accountStacks = [];
|
|
@@ -3276,7 +3364,8 @@ async function deployPipelineStack(stack, authData, currentAccountId, options) {
|
|
|
3276
3364
|
pipelineSlug: stack.pipelineSlug,
|
|
3277
3365
|
cicdAccountId,
|
|
3278
3366
|
dockerArtifacts: stack.dockerArtifacts,
|
|
3279
|
-
bundleArtifacts: stack.bundleArtifacts
|
|
3367
|
+
bundleArtifacts: stack.bundleArtifacts,
|
|
3368
|
+
stageAccountIds: stack.stageAccountIds
|
|
3280
3369
|
});
|
|
3281
3370
|
const deployOptions = {
|
|
3282
3371
|
stackName: stack.stackName,
|