feat(pipelines): confirm IAM changes before starting the deployment #15441
mergify[bot] merged 24 commits into master from
Conversation
rix0rrr left a comment
This is looking great! Amazing you've been able to get this to work so quickly
fix test docs + notifications
e9ac203 to c87f688
| ### Security Check | ||
| CDK Pipelines offers a security check option for the applications you deploy. The |
Try to put yourself in the shoes of the customer when reading this section.
Do you care more about how it's implemented, or do you care more about what it does for YOU, the customer, and why/when you should be using it?
This rule of thumb will also help you to think about what to include. If this was someone else's product that you were just using, at what point would you be satisfied? I know you are trying to be thorough but for my money there's too much detail in the section below, eating up attention and space for other topics.
| // ...source and build information here (see above) | ||
| }); | ||
| const stage = pipeline.addApplicationStage(new MyApplication(this, 'Testing'), { | ||
| securityCheck: true, |
I'm thinking this term is a little vague.
How about we call it confirmPermissionsWidening? Broadening?
How about checkBroadeningPermissions?
I think confirm is a better verb to use, as it also implies what's going to happen ("check" leaves the door open too much... so you checked it. Now what?)
confirmPermissionsBroadening then?
packages/@aws-cdk/pipelines/lib/private/application-security-check.ts
| runOrder: this.nextSequentialRunOrder(), | ||
| additionalInformation: `#{${appStageName}SecurityCheck.MESSAGE}`, | ||
| // Boot strap cicd2 us-west-1 --trust | ||
| externalEntityLink: `https://#{${appStageName}SecurityCheck.LINK}`, |
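Review bot: the `// Boot strap cicd2 us-west-1 --trust` comment sitting between `additionalInformation` and `externalEntityLink` reads as a leftover personal bootstrapping note that has nothing to do with configuring the manual approval action; drop it. On the same hunk, hard-coding the `https://` prefix in `externalEntityLink` ties the URL scheme to this action instead of to whatever the check script writes into the `SecurityCheck.LINK` variable; letting the script emit the complete URL keeps the link format in one place.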
I saw you saying in the other thing the https was added by the manual approval action, but I didn't know WE were the ones making that choice. Is this necessary?
LMAO that's embarrassing... I guess this was a change I made early on that I just forgot about... I think it's better if we remove it and keep it to the script itself.
| project: cdkDiffProject, | ||
| variablesNamespace: `${appStageName}SecurityCheck`, | ||
| environmentVariables: { | ||
| STACK_NAME: { |
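Review bot: `STACK_NAME` under `environmentVariables` is easy to misread as the application stack that is about to be deployed, while the surrounding `${appStageName}SecurityCheck` namespace suggests it is per-stage; if the value is the pipeline stack name, a more specific key (for example `PIPELINE_STACK_NAME`, a hypothetical name) plus a one-line comment stating what it holds would stop the next reader from wiring it to the wrong assembly.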
I'm noticing we have STACK_NAME here -- what if there are more than one stacks in the stage we're deploying?
Ah, so this is the pipeline stack name... not like a stack within the stage.
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
AWS CodeBuild CI Report
| // Run invoke only if cdk diff passes (returns exit code 0) | ||
| // 0 -> true, 1 -> false | ||
| ifElse({ | ||
| condition: 'cdk diff -a . --security-only --fail $STAGE_PATH/\\*', |
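Review bot: the comment `// 0 -> true, 1 -> false` above the `ifElse` documents only two exit codes, but `cdk diff` can also exit with other codes when it fails to run at all (wrong assembly path, missing credentials); the comment should state that every non-zero code, not just 1, takes the false branch and leaves the manual approval pending, so that a broken check can never auto-approve. Related: `$STAGE_PATH/\\*` is only correct if `STAGE_PATH` really points at the stage's cloud assembly; a comment saying what `STAGE_PATH` contains would make that invariant visible next to the command that depends on it.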
This will not work because $STAGE_PATH is the pipeline stack name
We need to target the assembly for the stage itself:
assembly-PipelineStackName-StageName
This is a very interesting and exciting piece of work to add to the project. Looking forward to seeing it soon. The question now begs, what other things can we check in a similar fashion?
Stay tuned :D
…ws#15441)

Add an option under `addApplication` for a given stage to create a CodeBuild that checks if there are any security changes within the stage's assembly.

* If the changes exist: **manual approval is required**
* else: a lambda function will automatically approve the manual approval action

Adding a security check to an application creates two actions that precede the prepare and deploy actions of an application:

1. A CodeBuild Project that runs a security diff on the stage
2. A Manual Approval Action that can be approved via a shared Lambda function.

```txt
Pipeline
├── Stage: Build
│   └── ...
├── Stage: Synth
│   └── ...
├── Stage: UpdatePipeline
│   └── ...
├── Stage: MyApplicationStage
│   └── Actions
│       ├── MyApplicationSecurityCheck   // Security Diff Action
│       ├── MyApplicationManualApproval  // Manual Approval Action
│       ├── Stack.Prepare
│       └── Stack.Deploy
└── ...
```

<details>
<summary>Example Usage</summary>

You can enable the security check in one of two ways:

1. Enable security check across the entire `CdkStage`

```ts
const pipeline = new CdkPipeline(app, 'Pipeline', {
  // ...source and build information here (see above)
});
const stage = pipeline.addApplicationStage(new MyApplication(this, 'Testing'), {
  securityCheck: true,
});
// The 'PreProd' application is also run against a security diff because we configured
// the stage to enable security checks
stage.addApplication(new MyApplication(this, 'PreProd'));
```

2. Enable security check for a single application

```ts
const pipeline = new CdkPipeline(app, 'Pipeline', {
  // ...source and build information here (see above)
});
const stage = pipeline.addApplicationStage(new MyApplication(this, 'NoCheck'));
stage.addApplication(new MyApplication(this, 'RunSecurityDiff'), {
  securityCheck: true,
});
```

</details>

Fixes: aws#12748

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
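The decision logic of the security-check step described in this PR (a `cdk diff --security-only --fail` run followed by approve-or-hold), as an added POSIX shell example that is not part of the aws-cdk project's code. It assumes the stage assembly directory form `assembly-<PipelineStackName>-<StageName>` from the review discussion above and an overridable `CDK_BIN` variable so the gate can be exercised with stubs instead of a real `cdk` binary; both are assumptions of this example. It goes one step beyond the PR's `0 -> true, 1 -> false` mapping by treating any other exit code as "the check itself failed", which is never allowed to auto-approve.

```shell
#!/bin/sh
# Added example, not code from the aws-cdk project: a fail-closed version of the
# security-check decision described in the PR. CDK_BIN is an assumed knob so the
# gate can be driven by stub functions instead of a real `cdk` binary.

# stage_assembly_path PIPELINE_STACK_NAME STAGE_NAME
# The diff must run against the stage's own cloud assembly, not the pipeline
# stack (the point raised in review); this builds that directory name.
stage_assembly_path() {
  printf 'assembly-%s-%s\n' "$1" "$2"
}

# decide_approval CMD [ARGS...]
# Runs CMD and maps its exit status onto the pipeline decision:
#   0 -> approve : cdk diff --security-only --fail found no broadening permissions
#   1 -> manual  : broadening permissions were found, a human must approve
#   * -> hold    : the check itself failed (bad path, no credentials, crash);
#                  treated like a finding so a broken check never auto-approves
decide_approval() {
  if "$@" >/dev/null 2>&1; then
    status=0
  else
    status=$?          # inside `else`, $? is the exit status of the condition
  fi
  case $status in
    0) echo approve ;;
    1) echo manual ;;
    *) echo hold ;;
  esac
}

# security_gate PIPELINE_STACK_NAME STAGE_NAME
# Composes the full check: diff the stage assembly, then decide. The stack
# glob is quoted so the shell passes it to cdk literally instead of expanding it.
security_gate() {
  assembly=$(stage_assembly_path "$1" "$2")
  decide_approval "${CDK_BIN:-cdk}" diff -a . --security-only --fail "$assembly/*"
}

# Stand-alone run: constructed stubs standing in for the three outcomes a real
# diff can have, printed alongside what the gate would do for each of them.
cdk_clean()   { return 0; }   # no security-relevant changes
cdk_changes() { return 1; }   # --fail: broadening permissions detected
cdk_broken()  { return 2; }   # the diff could not run at all
for stub in cdk_clean cdk_changes cdk_broken; do
  printf '%-12s -> %s\n' "$stub" "$(CDK_BIN=$stub security_gate PipelineStack Testing)"
done
```

In the PR the "hold" and "manual" outcomes both end in the same place, a pending manual approval action; the separate label here only makes it obvious in build logs when a pending approval is caused by a failed check rather than by a real permissions change.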