@devramps/cli 0.1.26 → 0.1.28
- package/dist/index.js +59 -2
- package/package.json +1 -1
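--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2508,7 +2508,7 @@ function generateStageStackTemplate(options) {
 );
 const roleName = generateStageRoleName(pipelineSlug, stageName);
 const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
-const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts);
+const policies = buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug);
 template.Resources.StageDeploymentRole = createIamRoleResource(
 roleName,
 trustPolicy,
@@ -2534,6 +2534,22 @@ function generateStageStackTemplate(options) {
 { Key: "ArtifactType", Value: artifact.type }
 ]
 );
+template.Resources[resourceId].Properties.RepositoryPolicyText = {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowLambdaPull",
+Effect: "Allow",
+Principal: {
+Service: "lambda.amazonaws.com"
+},
+Action: [
+"ecr:GetDownloadUrlForLayer",
+"ecr:BatchGetImage"
+]
+}
+]
+};
 ecrOutputs[artifact.name] = { resourceId };
 }
 for (const artifact of bundleArtifacts) {
@@ -2597,7 +2613,7 @@ function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, oidcProviderUrl
 const subject = `org:${orgSlug}/pipeline:${pipelineSlug}`;
 return buildOidcTrustPolicy(accountId, subject, oidcProviderUrl, additionalTrustedAccounts, skipOidc);
 }
-function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts) {
+function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleArtifacts, orgSlug) {
 const policies = [];
 policies.push({
 PolicyName: "DevRampsValidationPolicy",
@@ -2618,6 +2634,47 @@ function buildStagePolicies(steps, additionalPolicies, dockerArtifacts, bundleAr
 ]
 }
 });
+const tfStateBucketName = generateTerraformStateBucketName(orgSlug);
+policies.push({
+PolicyName: "DevRampsTerraformStatePolicy",
+PolicyDocument: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowTerraformStateReadWrite",
+Effect: "Allow",
+Action: [
+"s3:GetObject",
+"s3:PutObject",
+"s3:DeleteObject"
+],
+Resource: `arn:aws:s3:::${tfStateBucketName}/*`
+},
+{
+Sid: "AllowTerraformStateList",
+Effect: "Allow",
+Action: "s3:ListBucket",
+Resource: `arn:aws:s3:::${tfStateBucketName}`
+},
+{
+Sid: "AllowKMSForTerraformState",
+Effect: "Allow",
+Action: [
+"kms:Encrypt",
+"kms:Decrypt",
+"kms:GenerateDataKey*",
+"kms:DescribeKey"
+],
+Resource: "*",
+Condition: {
+StringLike: {
+"kms:ViaService": "s3.*.amazonaws.com"
+}
+}
+}
+]
+}
+});
 if (dockerArtifacts.length > 0) {
 policies.push({
 PolicyName: "DevRampsMirrorECRPolicy",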
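Review bot: The ECR repository policy added at new lines 2537–2552 grants the `lambda.amazonaws.com` service principal `ecr:BatchGetImage`/`ecr:GetDownloadUrlForLayer` with no `aws:SourceAccount` or `aws:SourceArn` condition, so the grant is not tied to Lambda functions in this account (the confused-deputy case AWS documents for service principals in resource policies); `accountId` is already in scope in generateStageStackTemplate (line 2510), so the statement should carry `Condition: { StringEquals: { "aws:SourceAccount": accountId } }`. The `AllowKMSForTerraformState` statement at new lines 2659–2674 allows `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey*` on `Resource: "*"` gated only by `kms:ViaService`, which reaches every KMS key usable through S3 in the account rather than the state bucket's key; if the template knows the bucket's key ARN it should be the Resource, otherwise a `StringLike` condition on `"kms:EncryptionContext:aws:s3:arn"` matching `arn:aws:s3:::${tfStateBucketName}/*` narrows it to that bucket's objects. Both generateStageStackTemplate and buildStagePolicies continue outside the hunks shown, so I cannot confirm whether a key ARN is available there.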