@devramps/cli 0.1.25 → 0.1.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +49 -8
- package/package.json +1 -1
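--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2141,7 +2141,7 @@ function buildOrgRolePolicies(orgSlug) {
 // src/templates/pipeline-stack.ts
 function generatePipelineStackTemplate(options) {
 const { pipelineSlug, cicdAccountId, dockerArtifacts, bundleArtifacts, stageAccountIds } = options;
-const
+const crossAccountIds = stageAccountIds.filter((id) => id !== cicdAccountId);
 const template = createBaseTemplate(`DevRamps Pipeline Stack for ${pipelineSlug}`);
 const ecrOutputs = {};
 const s3Outputs = {};
@@ -2157,7 +2157,7 @@ function generatePipelineStackTemplate(options) {
 { Key: "ArtifactType", Value: artifact.type }
 ]
 );
-if (
+if (crossAccountIds.length > 0) {
 template.Resources[resourceId].Properties.RepositoryPolicyText = {
 Version: "2012-10-17",
 Statement: [
@@ -2165,7 +2165,7 @@ function generatePipelineStackTemplate(options) {
 Sid: "AllowStageAccountPull",
 Effect: "Allow",
 Principal: {
-AWS:
+AWS: crossAccountIds.map((id) => `arn:aws:iam::${id}:root`)
 },
 Action: [
 "ecr:GetDownloadUrlForLayer",
@@ -2190,7 +2190,7 @@ function generatePipelineStackTemplate(options) {
 { Key: "ArtifactType", Value: artifact.type }
 ]
 );
-if (
+if (crossAccountIds.length > 0) {
 const policyResourceId = sanitizeResourceId(`BucketPolicy${artifactId}`);
 template.Resources[policyResourceId] = {
 Type: "AWS::S3::BucketPolicy",
@@ -2203,7 +2203,7 @@ function generatePipelineStackTemplate(options) {
 Sid: "AllowStageAccountRead",
 Effect: "Allow",
 Principal: {
-AWS:
+AWS: crossAccountIds.map((id) => `arn:aws:iam::${id}:root`)
 },
 Action: [
 "s3:GetObject",
@@ -2215,7 +2215,7 @@ function generatePipelineStackTemplate(options) {
 Sid: "AllowStageAccountList",
 Effect: "Allow",
 Principal: {
-AWS:
+AWS: crossAccountIds.map((id) => `arn:aws:iam::${id}:root`)
 },
 Action: "s3:ListBucket",
 Resource: `arn:aws:s3:::${bucketName}`
@@ -2508,7 +2508,7 @@ function generateStageStackTemplate(options) {
 );
 const roleName = generateStageRoleName(pipelineSlug, stageName);
 const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
-const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts);
+const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug);
 template.Resources.StageDeploymentRole = createIamRoleResource(
 roleName,
 trustPolicy,
@@ -2597,7 +2597,7 @@ function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl
 const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
 return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
 }
-function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts) {
+function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug) {
 const policies = [];
 policies.push({
 PolicyName: "DevRampsValidationPolicy",
@@ -2618,6 +2618,47 @@ function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleAr
 ]
 }
 });
+const tfStateBucketName = generateTerraformStateBucketName(orgSlug);
+policies.push({
+PolicyName: "DevRampsTerraformStatePolicy",
+PolicyDocument: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowTerraformStateReadWrite",
+Effect: "Allow",
+Action: [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject"
+],
+Resource: `arn:aws:s3:::${tfStateBucketName}/*`
+},
+{
+Sid: "AllowTerraformStateList",
+Effect: "Allow",
+Action: "s3:ListBucket",
+Resource: `arn:aws:s3:::${tfStateBucketName}`
+},
+{
+Sid: "AllowKMSForTerraformState",
+Effect: "Allow",
+Action: [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+Resource: "*",
+Condition: {
+StringLike: {
+"kms:ViaService": "s3.*.amazonaws.com"
+}
+}
+}
+]
+}
+});
 if (dockerArtifacts.length > 0) {
 policies.push({
 PolicyName: "DevRampsMirrorECRPolicy",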
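Review bot: The new DevRampsTerraformStatePolicy grants every per-stage role `s3:GetObject`/`s3:PutObject`/`s3:DeleteObject` on `arn:aws:s3:::${tfStateBucketName}/*` plus an unconditioned `s3:ListBucket`, yet the bucket name is derived from orgSlug alone (new line 2621) while the role is per pipeline and stage (line 2509), so each stage role can read, overwrite and delete the Terraform state of every other pipeline in the org. If state keys are namespaced per pipeline (not visible here), pass pipelineSlug through from the call at line 2511 and scope the object statement to that prefix, e.g. `Resource: \`arn:aws:s3:::${tfStateBucketName}/${pipelineSlug}/*\``, with a matching `s3:prefix` StringLike condition on the AllowTerraformStateList statement. AllowKMSForTerraformState uses `Resource: "*"` with only a `kms:ViaService` condition, which permits Decrypt/GenerateDataKey on any key the role can reach through S3 in any region rather than just the state bucket's key; scoping Resource to that key's ARN, or adding a `kms:EncryptionContext:aws:s3:arn` condition for the state bucket, keeps it to the intended key. The policy is also pushed unconditionally, so stages whose steps never run Terraform receive it; gating it on the relevant steps is worth confirming. buildStagePolicies continues outside the hunk.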