@jaypie/constructs 1.2.27 → 1.2.29
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/index.cjs +17 -12
- package/dist/cjs/index.cjs.map +1 -1
- package/dist/esm/index.js +17 -12
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
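--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -3008,23 +3008,15 @@ class JaypieGitHubDeployRole extends Construct {
 actions: [
 "cloudformation:CreateStack",
 "cloudformation:DeleteStack",
-"cloudformation:
-"cloudformation:DescribeStackResource",
-"cloudformation:DescribeStackResources",
-"cloudformation:DescribeStacks",
+"cloudformation:Describe*",
 "cloudformation:GetTemplate",
 "cloudformation:SetStackPolicy",
 "cloudformation:UpdateStack",
 "cloudformation:ValidateTemplate",
-"ec2:
-"ec2:DescribeNetworkInterfaces",
-"ec2:DescribeRouteTables",
-"ec2:DescribeSecurityGroups",
-"ec2:DescribeSubnets",
-"ec2:DescribeVpcs",
+"ec2:Describe*",
 "iam:PassRole",
 "route53:ListHostedZones*",
-"s3:GetObject",
+"s3:GetObject", // TODO: this should be restricted by bucket
 "s3:ListBucket",
 "ssm:GetParameter",
 "ssm:GetParameters",
@@ -3038,6 +3030,7 @@ class JaypieGitHubDeployRole extends Construct {
 resources: [
 "arn:aws:iam::*:role/cdk-hnb659fds-deploy-role-*",
 "arn:aws:iam::*:role/cdk-hnb659fds-file-publishing-*",
+"arn:aws:iam::*:role/cdk-hnb659fds-lookup-role-*",
 "arn:aws:iam::*:role/cdk-readOnlyRole",
 ],
 }));
@@ -3668,6 +3661,7 @@ class JaypieSsoPermissions extends Construct {
 "servicecatalog:*",
 "sns:*",
 "sqs:*",
+"ssm:*",
 "states:*",
 "tag:*",
 "uxc:*",
@@ -3895,8 +3889,9 @@ class JaypieWebDeploymentBucket extends Construct {
 if (process.env.CDK_ENV_REPO) {
 repo = `repo:${process.env.CDK_ENV_REPO}:*`;
 }
+let bucketDeployRole;
 if (repo) {
-
+bucketDeployRole = new Role(this, "DestinationBucketDeployRole", {
 assumedBy: new FederatedPrincipal(Fn.importValue(CDK$2.IMPORT.OIDC_PROVIDER), {
 StringLike: {
 "token.actions.githubusercontent.com:sub": repo,
@@ -3996,6 +3991,16 @@ class JaypieWebDeploymentBucket extends Construct {
 new CfnOutput(this, "DistributionId", {
 value: this.distribution.distributionId,
 });
+// Add CloudFront invalidation permission to deploy role if it exists
+if (bucketDeployRole) {
+bucketDeployRole.addToPolicy(new PolicyStatement({
+effect: Effect.ALLOW,
+actions: ["cloudfront:CreateInvalidation"],
+resources: [
+`arn:aws:cloudfront::${Stack.of(this).account}:distribution/${this.distribution.distributionId}`,
+],
+}));
+}
 }
 }
 // Implement remaining IBucket methods by delegating to the bucket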
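Review bot: The `"ssm:*"` added to the JaypieSsoPermissions action list (the hunk at 3661) grants every SSM API, which is far broader than the parameter reads this package otherwise asks for and is the line most worth tightening; the deploy role a few hunks earlier gets by with `"ssm:GetParameter"` and `"ssm:GetParameters"`, so unless full SSM is a deliberate part of this permission set it should be narrowed to the verbs actually needed (for example `"ssm:Get*"`, `"ssm:Describe*"`) or the reason for `*` recorded in a comment beside it. In the JaypieGitHubDeployRole hunk the new `"cloudformation:Describe*"` and `"ec2:Describe*"` wildcards are read-only and reasonable, but the `// TODO: this should be restricted by bucket` on `"s3:GetObject"` is still open in this release; the resources array for that statement is outside the hunk, so whether the statement is scoped cannot be confirmed here. The new CloudFront statement is scoped to a single distribution ARN built from the stack account and distribution id, which is the right shape. Note that the rendered page lost the content of the removed line at old 3899, so the diff shows it as empty.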