@devramps/cli 0.1.26 → 0.1.27
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +43 -2
- package/package.json +1 -1
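--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2508,7 +2508,7 @@ function generateStageStackTemplate(options) {
 );
 const roleName = generateStageRoleName(pipelineSlug, stageName);
 const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
-const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts);
+const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug);
 template.Resources.StageDeploymentRole = createIamRoleResource(
 roleName,
 trustPolicy,
@@ -2597,7 +2597,7 @@ function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl
 const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
 return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
 }
-function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts) {
+function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug) {
 const policies = [];
 policies.push({
 PolicyName: "DevRampsValidationPolicy",
@@ -2618,6 +2618,47 @@ function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleAr
 ]
 }
 });
+const tfStateBucketName = generateTerraformStateBucketName(orgSlug);
+policies.push({
+PolicyName: "DevRampsTerraformStatePolicy",
+PolicyDocument: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowTerraformStateReadWrite",
+Effect: "Allow",
+Action: [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject"
+],
+Resource: `arn:aws:s3:::${tfStateBucketName}/*`
+},
+{
+Sid: "AllowTerraformStateList",
+Effect: "Allow",
+Action: "s3:ListBucket",
+Resource: `arn:aws:s3:::${tfStateBucketName}`
+},
+{
+Sid: "AllowKMSForTerraformState",
+Effect: "Allow",
+Action: [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+Resource: "*",
+Condition: {
+StringLike: {
+"kms:ViaService": "s3.*.amazonaws.com"
+}
+}
+}
+]
+}
+});
 if (dockerArtifacts.length > 0) {
 policies.push({
 PolicyName: "DevRampsMirrorECRPolicy",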
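Review bot: The `AllowKMSForTerraformState` statement grants `kms:Decrypt`, `kms:Encrypt` and `kms:GenerateDataKey*` on `Resource: "*"` with only a `kms:ViaService` condition matching any S3 endpoint, so the stage role can use every KMS key in the account that S3 can reach, not just the one protecting the state bucket. If the state bucket's key ARN is known where `generateTerraformStateBucketName` is, pass it in as the `Resource`; otherwise bind the grant to the bucket by adding an encryption-context condition next to `kms:ViaService`, e.g. the key `"kms:EncryptionContext:aws:s3:arn"` with the value `arn:aws:s3:::${tfStateBucketName}/*`. The `AllowTerraformStateReadWrite` statement is likewise bucket-wide on an org-level bucket, so every pipeline stage can read, overwrite or delete every other pipeline's state; if state keys are laid out per pipeline, narrowing `Resource` to that prefix (the caller has `pipelineSlug` in scope, the function does not yet accept it) would contain a compromised stage to its own state. `buildStagePolicies` now requires `orgSlug` as a fifth argument; the call in `generateStageStackTemplate` is updated in the first hunk, but any other caller outside these hunks would silently produce a bucket name derived from `undefined`, so a guard such as `if (!orgSlug) throw new Error("orgSlug is required to scope the Terraform state policy");` at the top of the function would fail loudly instead.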