(pipelines): role on CodeBuildStep doesn't get used on CodeBuildAction #18291

@tobytipton

Description

What is the problem?

When passing a role to the CodeBuildStep, the role is used on the project but not on the CodeBuildAction.

This results in a separate role being created for each CodeBuildAction, which can cause a "Maximum policy size of 10240 bytes exceeded" error on the Pipeline default role if you have a lot of CodeBuildSteps.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/pipelines/lib/codepipeline/_codebuild-factory.ts#L305-L322

is missing `role: this.props.role` to leverage that role.

Reproduction Steps

This is a quick reproduction step; typically the CodeBuildStep would be used as a pre or post on a stage or wave.

```ts
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as cdkp from '@aws-cdk/pipelines';

const app = new cdk.App();
const pipelineStack = new cdk.Stack(app, 'PipelineStack');

const buildRole = new iam.Role(
  pipelineStack,
  'BuildRole',
  {
    roleName: 'BuildRole',
    // CodeBuild's service principal is codebuild.amazonaws.com (the original snippet had 'codebuild.amazon.com')
    assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com'),
  },
);
new cdkp.CodePipeline(pipelineStack, 'Pipeline', {
  synth: new cdkp.CodeBuildStep('Synth', {
    commands: ['/bin/true'],
    input: cdkp.CodePipelineSource.gitHub('test/test', 'main'),
    role: buildRole, // picked up by the CodeBuild project, but not by the pipeline action
  }),
});
```

What did you expect to happen?

Expect the role to be used for both the Project and the build action.

```ts
import { Template } from '@aws-cdk/assertions';
import '@aws-cdk/assert/jest'; // provides the toHaveResourceLike matcher used below

// The CodeBuild project should run under the supplied role ...
Template.fromStack(pipelineStack).hasResourceProperties('AWS::CodeBuild::Project', {
  ServiceRole: {
    'Fn::GetAtt': [
      'BuildRole41B77417',
      'Arn',
    ],
  },
});

// ... and so should the CodeBuild action in the pipeline's build stage.
expect(pipelineStack).toHaveResourceLike('AWS::CodePipeline::Pipeline', {
  Stages: [
    // source stage
    {},
    // build stage
    {
      Actions: [
        {
          ActionTypeId: {
            Category: 'Build',
            Owner: 'AWS',
            Provider: 'CodeBuild',
          },
          RoleArn: {
            'Fn::GetAtt': [
              'BuildRole41B77417',
              'Arn',
            ],
          },
        },
      ],
    },
  ],
});
```

What actually happened?

The role is used for the project but not the CodeBuild action. The CodeBuild action gets a different role, which is created for each build action.

For example:

```json
"RoleArn": {
  "Fn::GetAtt": [
    "PipelineBuildSynthCodePipelineActionRole4E7A6C97",
    "Arn"
  ]
},
```

CDK CLI Version

N/A

Framework Version

No response

Node.js Version

N/A

OS

N/A

Language

Typescript

Language Version

No response

Other information

This issue can be seen directly in testing the code build step.
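As an added example that is not part of this issue or of the aws-cdk project: a small TypeScript lint over a synthesized CloudFormation template (resource shape as in the assertions above) that reports every CodeBuild action whose `RoleArn` points at a different role than its project's `ServiceRole`, i.e. the extra per-action roles this issue describes. The `SynthProject` logical id, the `Mismatch` type and the sample template are constructed for the example.

```typescript
// Added example, not aws-cdk code: flag CodeBuild actions that do not run under
// the same role as their CodeBuild project (one extra role per action otherwise).
type Resource = { Type: string; Properties: any };
type Template = { Resources: Record<string, Resource> };
interface Mismatch { pipeline: string; action: string; actionRole: string; projectRole: string; }

// Logical id behind a { "Fn::GetAtt": [id, attr] } or { "Ref": id } intrinsic.
function logicalId(ref: any): string | undefined {
  if (ref && ref['Fn::GetAtt']) return ref['Fn::GetAtt'][0];
  if (ref && ref.Ref) return ref.Ref;
  return undefined;
}

// Walk every AWS::CodePipeline::Pipeline, resolve each CodeBuild action's project via
// Configuration.ProjectName and compare the action RoleArn with the project ServiceRole.
function actionsNotUsingProjectRole(tpl: Template): Mismatch[] {
  const out: Mismatch[] = [];
  for (const [pid, res] of Object.entries(tpl.Resources)) {
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    for (const stage of res.Properties.Stages ?? []) {
      for (const action of stage.Actions ?? []) {
        if (action.ActionTypeId?.Provider !== 'CodeBuild') continue;
        const projectId = logicalId(action.Configuration?.ProjectName);
        const project = projectId ? tpl.Resources[projectId] : undefined;
        const projectRole = logicalId(project?.Properties?.ServiceRole);
        const actionRole = logicalId(action.RoleArn);
        if (projectRole && actionRole && projectRole !== actionRole) {
          out.push({ pipeline: pid, action: action.Name, actionRole, projectRole });
        }
      }
    }
  }
  return out;
}

// Constructed sample mirroring the issue: the project uses BuildRole, the action gets its own role.
const SAMPLE: Template = {
  Resources: {
    BuildRole41B77417: { Type: 'AWS::IAM::Role', Properties: {} },
    PipelineBuildSynthCodePipelineActionRole4E7A6C97: { Type: 'AWS::IAM::Role', Properties: {} },
    SynthProject: { Type: 'AWS::CodeBuild::Project',
      Properties: { ServiceRole: { 'Fn::GetAtt': ['BuildRole41B77417', 'Arn'] } } },
    Pipeline: { Type: 'AWS::CodePipeline::Pipeline', Properties: { Stages: [
      { Name: 'Source', Actions: [] },
      { Name: 'Build', Actions: [{ Name: 'Synth',
        ActionTypeId: { Category: 'Build', Owner: 'AWS', Provider: 'CodeBuild' },
        Configuration: { ProjectName: { Ref: 'SynthProject' } },
        RoleArn: { 'Fn::GetAtt': ['PipelineBuildSynthCodePipelineActionRole4E7A6C97', 'Arn'] } }] },
    ] } },
  },
};
```

Running `actionsNotUsingProjectRole(SAMPLE)` on the sample returns the one Synth action; after the fix (action `RoleArn` set to `BuildRole41B77417`) it returns an empty list.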

Metadata

Assignees

No one assigned

Labels

- @aws-cdk/pipelines (CDK Pipelines library)
- bug (This issue is a bug.)
- effort/small (Small work item: less than a day of effort)
- in-progress (This issue is being actively worked on.)
- p1
