@jaypie/constructs 1.2.27 → 1.2.29
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/index.cjs +17 -12
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/index.js +17 -12
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
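--- a/package/dist/cjs/index.cjs
+++ b/package/dist/cjs/index.cjs
@@ -3042,23 +3042,15 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 actions: [
 "cloudformation:CreateStack",
 "cloudformation:DeleteStack",
-"cloudformation:
-"cloudformation:DescribeStackResource",
-"cloudformation:DescribeStackResources",
-"cloudformation:DescribeStacks",
+"cloudformation:Describe*",
 "cloudformation:GetTemplate",
 "cloudformation:SetStackPolicy",
 "cloudformation:UpdateStack",
 "cloudformation:ValidateTemplate",
-"ec2:
-"ec2:DescribeNetworkInterfaces",
-"ec2:DescribeRouteTables",
-"ec2:DescribeSecurityGroups",
-"ec2:DescribeSubnets",
-"ec2:DescribeVpcs",
+"ec2:Describe*",
 "iam:PassRole",
 "route53:ListHostedZones*",
-"s3:GetObject",
+"s3:GetObject", // TODO: this should be restricted by bucket
 "s3:ListBucket",
 "ssm:GetParameter",
 "ssm:GetParameters",
@@ -3072,6 +3064,7 @@ class JaypieGitHubDeployRole extends constructs.Construct {
 resources: [
 "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
 "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
+"arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*",
 "arn:aws:iam::*:role/cdk-readOnlyRole",
 ],
 }));
@@ -3702,6 +3695,7 @@ class JaypieSsoPermissions extends constructs.Construct {
 "servicecatalog:*",
 "sns:*",
 "sqs:*",
+"ssm:*",
 "states:*",
 "tag:*",
 "uxc:*",
@@ -3929,8 +3923,9 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
 if (process.env.CDK_ENV_REPO) {
 repo = `repo:${process.env.CDK_ENV_REPO}:*`;
 }
+let bucketDeployRole;
 if (repo) {
-
+bucketDeployRole = new awsIam.Role(this, "DestinationBucketDeployRole", {
 assumedBy: new awsIam.FederatedPrincipal(cdk.Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
 StringLike: {
 "token.actions.githubusercontent.com:sub": repo,
@@ -4030,6 +4025,16 @@ class JaypieWebDeploymentBucket extends constructs.Construct {
 new cdk.CfnOutput(this, "DistributionId", {
 value: this.distribution.distributionId,
 });
+// Add CloudFront invalidation permission to deploy role if it exists
+if (bucketDeployRole) {
+bucketDeployRole.addToPolicy(new awsIam.PolicyStatement({
+effect: awsIam.Effect.ALLOW,
+actions: ["cloudfront:CreateInvalidation"],
+resources: [
+`arn:aws:cloudfront::${cdk.Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
+],
+}));
+}
 }
 }
 // Implement remaining IBucket methods by delegating to the bucket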
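Review bot: The first hunk of JaypieGitHubDeployRole ships `"s3:GetObject", // TODO: this should be restricted by bucket` as a known gap in a role assumable from GitHub OIDC, and the same statement widens the enumerated CloudFormation and EC2 read actions to `"cloudformation:Describe*"` and `"ec2:Describe*"`; the statement's `resources` are outside the hunk, so whether these actions are scoped to anything narrower than `*` cannot be confirmed here. If the resources are unrestricted, the comment should at least record the intended scope so the next maintainer can close it, e.g. `// TODO: scope s3:GetObject/s3:ListBucket to the deployment bucket ARN(s) via this statement's resources; currently broader than the bucket this role deploys to`, and the `Describe*` wildcards deserve a one-line note on why the enumerated list was dropped. The third hunk adds `"ssm:*"` to JaypieSsoPermissions, which grants every SSM operation (not only the parameter reads the deploy role above needs) and is consistent with the surrounding `sns:*`/`sqs:*` entries but worth a comment stating that is deliberate. Each of these statements starts and ends outside its hunk.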