
feat(codebuild): add support for Source Credentials #6722

Merged: 4 commits merged into aws:master from feat/codebuild-source-credentials on Mar 16, 2020

Conversation

skinny85
Contributor

This allows automating the provision of credentials to CodeBuild projects, without the need to do it manually through the AWS Console.

Fixes #2086


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@skinny85 skinny85 requested a review from eladb March 13, 2020 23:58
@skinny85 skinny85 self-assigned this Mar 13, 2020
@mergify mergify bot added the contribution/core label (This is a PR that came from AWS.) Mar 13, 2020
```ts
  username: cdk.SecretValue.secretsManager('my-bitbucket-creds', { jsonField: 'username' }),
  password: cdk.SecretValue.secretsManager('my-bitbucket-creds', { jsonField: 'password' }),
});
```
Contributor

Doesn't it mean you will commit your password into code?

Contributor Author

No. This will result in a SecretsManager dynamic reference being inserted into the template, and only resolved at deploy time. More details: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

This is our standard mechanism for handling secrets in CDK code.
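What the reply above describes can be checked on the synthesized template itself. The following is an added example, not code from the CDK project or from this PR: it builds the SecretsManager dynamic-reference string in the format CloudFormation documents (`{{resolve:secretsmanager:secret-id:SecretString:json-key:version-stage:version-id}}`) and then scans a template for credential-looking properties whose value is a literal string instead of a dynamic reference. The `AWS::CodeBuild::SourceCredential` sample templates, the `example-literal-password` value, and the `SENSITIVE_KEY` heuristic are constructed for the example.

```typescript
// Added example (not CDK's or the PR's code): how a SecretsManager dynamic
// reference appears in a synthesized template, plus a check that a template
// carries no literal credential values.

interface SecretsManagerRefOptions {
  jsonField?: string;
  versionStage?: string;
  versionId?: string;
}

// Builds the CloudFormation dynamic-reference string documented at
// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager
// Format: {{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}
// Only the secret-id is mandatory; trailing fields may be left empty, which makes
// CloudFormation resolve the whole SecretString at AWSCURRENT.
function secretsManagerDynamicReference(secretId: string, opts: SecretsManagerRefOptions = {}): string {
  const parts = [
    'resolve', 'secretsmanager', secretId, 'SecretString',
    opts.jsonField ?? '', opts.versionStage ?? '', opts.versionId ?? '',
  ];
  return `{{${parts.join(':')}}}`;
}

// Any CloudFormation dynamic reference (ssm, ssm-secure or secretsmanager).
const DYNAMIC_REF = /^\{\{resolve:(ssm|ssm-secure|secretsmanager):[^}]+\}\}$/;

// Property names whose string values should be dynamic references, never literals.
// Heuristic constructed for this example; tune it to your own templates.
const SENSITIVE_KEY = /(password|token|secret|credential)/i;

interface Finding { path: string; value: string }

// Walks a parsed template and reports sensitive-looking keys whose value is a
// literal string. Intrinsics such as {"Ref": ...} or {"Fn::GetAtt": ...} are
// objects, so they are walked into rather than flagged.
function findPlaintextSecrets(node: unknown, path = ''): Finding[] {
  const findings: Finding[] = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => findings.push(...findPlaintextSecrets(v, `${path}[${i}]`)));
  } else if (node !== null && typeof node === 'object') {
    const obj = node as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      const value = obj[key];
      const childPath = path ? `${path}.${key}` : key;
      if (typeof value === 'string' && SENSITIVE_KEY.test(key) && !DYNAMIC_REF.test(value)) {
        findings.push({ path: childPath, value });
      } else {
        findings.push(...findPlaintextSecrets(value, childPath));
      }
    }
  }
  return findings;
}

// Constructed samples: the AWS::CodeBuild::SourceCredential resource this PR
// adds, once with dynamic references (safe) and once with an inlined password.
const safeTemplate = {
  Resources: {
    BitBucketCreds: {
      Type: 'AWS::CodeBuild::SourceCredential',
      Properties: {
        ServerType: 'BITBUCKET',
        AuthType: 'BASIC_AUTH',
        Username: secretsManagerDynamicReference('my-bitbucket-creds', { jsonField: 'username' }),
        Token: secretsManagerDynamicReference('my-bitbucket-creds', { jsonField: 'password' }),
      },
    },
  },
};

const unsafeTemplate = {
  Resources: {
    BitBucketCreds: {
      Type: 'AWS::CodeBuild::SourceCredential',
      Properties: {
        ServerType: 'BITBUCKET',
        AuthType: 'BASIC_AUTH',
        Username: 'build-bot',
        Token: 'example-literal-password', // constructed: this is what the reviewer feared
      },
    },
  },
};

console.log(secretsManagerDynamicReference('my-bitbucket-creds', { jsonField: 'username' }));
console.log('safe findings:', findPlaintextSecrets(safeTemplate));
console.log('unsafe findings:', findPlaintextSecrets(unsafeTemplate));
```

Running `findPlaintextSecrets` over the output of `cdk synth` is a cheap pre-deploy gate: a `SecretValue.secretsManager(...)` call produces only the `{{resolve:...}}` token in the template, so any literal that surfaces on a credential property came from somewhere else in the code.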

@skinny85 skinny85 changed the title feat(codebuild): implement source credentials feat(codebuild): add support for Source Credentials Mar 14, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 36cb9ac
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Contributor

mergify bot commented Mar 16, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 6431fbc
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 43e2f48
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

@mergify
Contributor

mergify bot commented Mar 16, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit a6e2d28 into aws:master Mar 16, 2020
@skinny85 skinny85 deleted the feat/codebuild-source-credentials branch March 16, 2020 14:46
@ben8p

ben8p commented Apr 2, 2020

I have the feeling this change broke something when we use CodePipeline with CodeCommit...

Before this change, creating my pipeline resulted in something like this (the following templates are examples):

```json
{
  "Resources": {
    "PipelineRoleD68726F7": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "codepipeline.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "PipelineRoleDefaultPolicyC7A05455": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::ABC"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PipelineRoleDefaultPolicyC7A05455",
        "Roles": [
          {
            "Ref": "PipelineRoleD68726F7"
          }
        ]
      }
    },
    "PipelineC660917D": {
      "Type": "AWS::CodePipeline::Pipeline",
      "Properties": {
        "RoleArn": {
          "Fn::GetAtt": [
            "PipelineRoleD68726F7",
            "Arn"
          ]
        },
        "Stages": [
          {
            "Actions": [
              {
                "ActionTypeId": {
                  "Category": "Source",
                  "Owner": "AWS",
                  "Provider": "CodeCommit",
                  "Version": "1"
                },
                "Configuration": {
                  "RepositoryName": "XXX",
                  "BranchName": "YYY",
                  "PollForSourceChanges": false
                },
                "Name": "CodeCommit",
                "OutputArtifacts": [
                  {
                    "Name": "SourceOutput"
                  }
                ],
                "RoleArn": {
                  "Fn::GetAtt": [
                    "ZZZ",
                    "Arn"
                  ]
                },
                "RunOrder": 1
              }
            ],
            "Name": "Source"
          }
        ],
        "ArtifactStores": [
          {
            "ArtifactStore": {
              "Location": "ABC",
              "Type": "S3"
            },
            "Region": "us-west-2"
          }
        ],
        "Name": "Pipeline"
      },
      "DependsOn": [
        "PipelineRoleDefaultPolicyC7A05455",
        "PipelineRoleD68726F7"
      ]
    }
  }
}
```

and now it is:

```json
{
  "Resources": {
    "PipelineRoleD68726F7": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "codepipeline.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        }
      }
    },
    "PipelineRoleDefaultPolicyC7A05455": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::ABC"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "PipelineRoleDefaultPolicyC7A05455",
        "Roles": [
          {
            "Ref": "PipelineRoleD68726F7"
          }
        ]
      }
    },
    "PipelineC660917D": {
      "Type": "AWS::CodePipeline::Pipeline",
      "Properties": {
        "RoleArn": {
          "Fn::GetAtt": [
            "PipelineRoleD68726F7",
            "Arn"
          ]
        },
        "Stages": [
          {
            "Actions": [
              {
                "ActionTypeId": {
                  "Category": "Source",
                  "Owner": "AWS",
                  "Provider": "CodeCommit",
                  "Version": "1"
                },
                "Configuration": {
                  "RepositoryName": "XXX",
                  "BranchName": "YYY",
                  "PollForSourceChanges": false
                },
                "Name": "CodeCommit",
                "OutputArtifacts": [
                  {
                    "Name": "SourceOutput"
                  }
                ],
                "RoleArn": {
                  "Fn::GetAtt": [
                    "ZZZ",
                    "Arn"
                  ]
                },
                "RunOrder": 1
              }
            ],
            "Name": "Source"
          }
        ],
        "ArtifactStores": [
          {
            "ArtifactStore": {
              "Location": "ABC",
              "Type": "S3"
            },
            "Region": "us-west-2"
          }
        ],
        "Name": "Pipeline"
      }
    }
  }
}
```

The DependsOn section is gone.

As a result, the stack cannot be deployed and the following error is raised:
arn:aws:iam::00000:role/Pipeline-PipelineRoleD68726F7-HXREO878DHM5 is not authorized to perform AssumeRole on role arn:aws:iam::00000:role/Pipeline-PipelineSourceCodeCommit-RAQ6WGHUVD5I (Service: AWSCodePipeline; Status Code: 400; Error Code: InvalidStructureException; Request ID: c6217d7e-7412-4bf9-b97f-982ee8cbd799)

Reverting back to 1.28.0 fixes the issue.
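The failure reported above is an ordering problem that can be caught before `cdk deploy`: CodePipeline validates at creation time that the pipeline role can assume every action role, and if CloudFormation creates the pipeline before the `AWS::IAM::Policy` that grants `sts:AssumeRole` has been attached, the create call fails with exactly the `InvalidStructureException` quoted above. The missing `DependsOn` is what let the two resources be created in parallel. The following is an added example, not code from the CDK project or from this thread: a check over a parsed template that, for every `AWS::CodePipeline::Pipeline`, lists the policies attached to its role that are not declared in its `DependsOn`. The reduced template, the `PipelineSourceCodeCommitRole` logical ID (the page's template shows it only as `ZZZ`) and the `withDependsOn` helper are constructed for the example.

```typescript
// Added example (not CDK's or the PR's code): detect a pipeline whose
// DependsOn omits the IAM policies of its own role, the condition behind the
// "is not authorized to perform AssumeRole" error seen above.

type Template = { Resources: Record<string, any> };

// Logical ID of the role a pipeline's RoleArn points at, when it is an in-template GetAtt.
function pipelineRoleId(pipeline: any): string | undefined {
  const getAtt = pipeline?.Properties?.RoleArn?.['Fn::GetAtt'];
  return Array.isArray(getAtt) && getAtt[1] === 'Arn' ? getAtt[0] : undefined;
}

// Logical IDs of AWS::IAM::Policy resources attached to roleId via {"Ref": roleId}.
function policiesAttachedTo(template: Template, roleId: string): string[] {
  return Object.keys(template.Resources).filter((id) => {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') return false;
    const roles: any[] = res.Properties?.Roles ?? [];
    return roles.some((r) => r && r.Ref === roleId);
  });
}

interface MissingDependency { pipeline: string; role: string; policy: string }

// For every pipeline, report each policy of its role that is absent from the
// pipeline's DependsOn (CloudFormation accepts both a string and an array there).
function missingPolicyDependencies(template: Template): MissingDependency[] {
  const out: MissingDependency[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    const roleId = pipelineRoleId(res);
    if (!roleId) continue;
    const raw = res.DependsOn;
    const dependsOn: string[] = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
    for (const policy of policiesAttachedTo(template, roleId)) {
      if (dependsOn.indexOf(policy) === -1) out.push({ pipeline: id, role: roleId, policy });
    }
  }
  return out;
}

// Constructed sample, reduced from the "after" template above. The pipeline
// role only gets sts:AssumeRole on the action role through
// PipelineRoleDefaultPolicyC7A05455, and the pipeline declares no DependsOn.
// PipelineSourceCodeCommitRole is an assumed logical ID for the action role.
const brokenTemplate: Template = {
  Resources: {
    PipelineRoleD68726F7: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: 'codepipeline.amazonaws.com' } }],
        },
      },
    },
    PipelineSourceCodeCommitRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] } },
    },
    PipelineRoleDefaultPolicyC7A05455: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: 'PipelineRoleDefaultPolicyC7A05455',
        Roles: [{ Ref: 'PipelineRoleD68726F7' }],
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: { 'Fn::GetAtt': ['PipelineSourceCodeCommitRole', 'Arn'] } }],
        },
      },
    },
    PipelineC660917D: {
      Type: 'AWS::CodePipeline::Pipeline',
      Properties: {
        RoleArn: { 'Fn::GetAtt': ['PipelineRoleD68726F7', 'Arn'] },
        Stages: [{ Name: 'Source', Actions: [{ Name: 'CodeCommit', RoleArn: { 'Fn::GetAtt': ['PipelineSourceCodeCommitRole', 'Arn'] }, RunOrder: 1 }] }],
      },
    },
  },
};

// Returns a copy of the template with DependsOn set on one resource, as the
// "before" output had it.
function withDependsOn(template: Template, logicalId: string, deps: string[]): Template {
  const copy: Template = JSON.parse(JSON.stringify(template));
  copy.Resources[logicalId].DependsOn = deps;
  return copy;
}

const fixedTemplate = withDependsOn(brokenTemplate, 'PipelineC660917D', ['PipelineRoleDefaultPolicyC7A05455', 'PipelineRoleD68726F7']);

console.log('broken:', missingPolicyDependencies(brokenTemplate));
console.log('fixed:', missingPolicyDependencies(fixedTemplate));
```

The check only covers policies attached through `Roles: [{ Ref: ... }]`, which is how the CDK emits a role's default policy; a grant placed in an inline `Policies` block on the role itself needs no separate dependency because it is created with the role.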

@skinny85
Contributor Author

skinny85 commented Apr 2, 2020

@ben8p can you open us a separate bug for this, showing also your code that illustrates when this happens? Also, feel free to use GitHub Gists for larger things like the resulting template fragments.

Thanks,
Adam

@ben8p

ben8p commented Apr 3, 2020

Took me ages to find the minimal reproduction path!
But I figured it out and created a bug.

@skinny85
Contributor Author

skinny85 commented Apr 3, 2020

Thanks! I'll take a look today.

Labels
contribution/core This is a PR that came from AWS.
Successfully merging this pull request may close these issues.

GitHub PR Hook
5 participants