chore(release): 1.81.0 (aws#12288)
mergify[bot] authored Dec 30, 2020
2 parents 31132ca + ad90e03 commit 6ef67c7
Showing 125 changed files with 5,484 additions and 710 deletions.
32 changes: 32 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,38 @@

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

## [1.81.0](https://github.com/aws/aws-cdk/compare/v1.80.0...v1.81.0) (2020-12-30)


### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

* **eks:** the `@aws-cdk/eks.KubectlLayer` layer class has been moved to `@aws-cdk/lambda-layer-kubectl.KubectlLayer`.

### Features

* **codebuild:** add `webhookTriggersBatchBuild` option to third-party Git sources ([#11743](https://github.com/aws/aws-cdk/issues/11743)) ([d9353b7](https://github.com/aws/aws-cdk/commit/d9353b7625420595401620709828de2f44c66597)), closes [#11663](https://github.com/aws/aws-cdk/issues/11663)
* **codebuild:** prevent using Secrets in plain-text environment variables ([#12150](https://github.com/aws/aws-cdk/issues/12150)) ([998af8f](https://github.com/aws/aws-cdk/commit/998af8f0e574b7b07083f0f347dc4934a6da1966))
* **ecs:** deployment circuit breaker support ([#12168](https://github.com/aws/aws-cdk/issues/12168)) ([e8801a0](https://github.com/aws/aws-cdk/commit/e8801a0ddb04e75de87ba34f3a58b1adebae5301))
* **ecs-patterns:** containerName for QueueProcessingEc2Service ([88d4149](https://github.com/aws/aws-cdk/commit/88d4149432d55e65b23448fd58d8ec3e96f3e72c)), closes [#10517](https://github.com/aws/aws-cdk/issues/10517)
* Configre containerName for QueueProcessingFargateService ([fad27f6](https://github.com/aws/aws-cdk/commit/fad27f65a73dc3b9c208439c5e474295491381da))
* **eks:** aws-node-termination-handler for spot instances now pulls the image from public ECR ([#12141](https://github.com/aws/aws-cdk/issues/12141)) ([c752fab](https://github.com/aws/aws-cdk/commit/c752fabf2022b5e697b6bf900e7878076f28b31a)), closes [#12134](https://github.com/aws/aws-cdk/issues/12134)
* **eks:** bundle kubectl, helm and awscli instead of SAR app ([#12129](https://github.com/aws/aws-cdk/issues/12129)) ([63bc98f](https://github.com/aws/aws-cdk/commit/63bc98f0d4a85b1c544d78420fd44579ce46a806)), closes [#11874](https://github.com/aws/aws-cdk/issues/11874)
* **eks:** option to disable manifest validation ([#12012](https://github.com/aws/aws-cdk/issues/12012)) ([579b923](https://github.com/aws/aws-cdk/commit/579b9235706d6848847a258bbb607a9bff6a9e11)), closes [#11763](https://github.com/aws/aws-cdk/issues/11763)
* **eks:** spot support for managed nodegroups ([#11962](https://github.com/aws/aws-cdk/issues/11962)) ([6ccd00f](https://github.com/aws/aws-cdk/commit/6ccd00fc7641f3696559367d65733b66df707fa7)), closes [#11827](https://github.com/aws/aws-cdk/issues/11827)
* **elasticsearch:** add support for version 7_8 and 7_9 ([#12222](https://github.com/aws/aws-cdk/issues/12222)) ([09d1f6c](https://github.com/aws/aws-cdk/commit/09d1f6cae610477c17234eab4a02fc731e34e2cf)), closes [#12202](https://github.com/aws/aws-cdk/issues/12202)
* **elasticsearch:** Support `EnableVersionUpgrade` update policy ([#12239](https://github.com/aws/aws-cdk/issues/12239)) ([14f8b06](https://github.com/aws/aws-cdk/commit/14f8b06686368da15211dbd528928ad4000d9eb8)), closes [#12210](https://github.com/aws/aws-cdk/issues/12210)
* **rds:** add grantConnect for RDS Proxy ([#12243](https://github.com/aws/aws-cdk/issues/12243)) ([eb45ca8](https://github.com/aws/aws-cdk/commit/eb45ca816626b243daacbd3a8916ac1e5db202ea)), closes [#10133](https://github.com/aws/aws-cdk/issues/10133)
* **rds:** add support for setting public accessibility ([#12164](https://github.com/aws/aws-cdk/issues/12164)) ([b8f48e5](https://github.com/aws/aws-cdk/commit/b8f48e514c09d2f46d8bbae27171877df61e7f2a)), closes [#12093](https://github.com/aws/aws-cdk/issues/12093)
* **s3:** option to auto delete objects upon bucket removal ([#12090](https://github.com/aws/aws-cdk/issues/12090)) ([32e9c23](https://github.com/aws/aws-cdk/commit/32e9c23be2852cfca79a57c90e52b9301b1c7081)), closes [#3297](https://github.com/aws/aws-cdk/issues/3297) [#9751](https://github.com/aws/aws-cdk/issues/9751)


### Bug Fixes

* **codebuild:** missing permissions for SecretsManager environment variables ([#12121](https://github.com/aws/aws-cdk/issues/12121)) ([1a13d8f](https://github.com/aws/aws-cdk/commit/1a13d8fbb3ea4edd4ff8fb0a2608547f63b902f9))
* **codebuild:** Project lacks permissions to its log destinations ([#12213](https://github.com/aws/aws-cdk/issues/12213)) ([b92ed51](https://github.com/aws/aws-cdk/commit/b92ed51c6ff11f8453755b6381a3cf1f12b0fcc1)), closes [#11444](https://github.com/aws/aws-cdk/issues/11444) [#12179](https://github.com/aws/aws-cdk/issues/12179)
* **codepipeline-actions:** use codebuild batch iam permissions when `executeBatchBuild: true` ([#12181](https://github.com/aws/aws-cdk/issues/12181)) ([5279f37](https://github.com/aws/aws-cdk/commit/5279f37288283a37c952440a7f2082517c56af3a))
* **elasticsearch:** domain configured with access policies and a custom kms key fails to deploy ([#11699](https://github.com/aws/aws-cdk/issues/11699)) ([245ee6a](https://github.com/aws/aws-cdk/commit/245ee6a1253eeaa79177e960c164bf3a409d2e57))

## [1.80.0](https://github.com/aws/aws-cdk/compare/v1.79.0...v1.80.0) (2020-12-22)


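Review bot: the ecs-patterns entry "Configre containerName for QueueProcessingFargateService" has a typo ("Configre" should read "Configure") and, unlike the neighbouring entries, carries no `**ecs-patterns:**` scope prefix and no PR link. Because this file is generated by standard-version from commit subjects, the typo will ship verbatim in the release notes unless the line is corrected here before the tag is cut.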
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-codebuild/README.md
Expand Up @@ -92,6 +92,7 @@ const gitHubSource = codebuild.Source.gitHub({
owner: 'awslabs',
repo: 'aws-cdk',
webhook: true, // optional, default: true if `webhookFilters` were provided, false otherwise
webhookTriggersBatchBuild: true, // optional, default is false
webhookFilters: [
codebuild.FilterGroup
.inEventOf(codebuild.EventAction.PUSH)
101 changes: 82 additions & 19 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
Expand Up @@ -7,7 +7,7 @@ import * as iam from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';
import * as s3 from '@aws-cdk/aws-s3';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import { Aws, Duration, IResource, Lazy, Names, PhysicalName, Resource, Stack } from '@aws-cdk/core';
import { Aws, Duration, IResource, Lazy, Names, PhysicalName, Resource, SecretValue, Stack, Tokenization } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { IArtifacts } from './artifacts';
import { BuildSpec } from './build-spec';
Expand Down Expand Up @@ -465,6 +465,17 @@ export interface CommonProjectProps {
*/
readonly environmentVariables?: { [name: string]: BuildEnvironmentVariable };

/**
* Whether to check for the presence of any secrets in the environment variables of the default type, BuildEnvironmentVariableType.PLAINTEXT.
* Since using a secret for the value of that kind of variable would result in it being displayed in plain text in the AWS Console,
* the construct will throw an exception if it detects a secret was passed there.
* Pass this property as false if you want to skip this validation,
* and keep using a secret in a plain text environment variable.
*
* @default true
*/
readonly checkSecretsInPlainTextEnvVariables?: boolean;

/**
* The physical, human-readable name of the CodeBuild Project.
*
Expand Down Expand Up @@ -659,15 +670,39 @@ export class Project extends ProjectBase {
* which is the representation of environment variables in CloudFormation.
*
* @param environmentVariables the map of string to environment variables
* @param validateNoPlainTextSecrets whether to throw an exception
* if any of the plain text environment variables contain secrets, defaults to 'false'
* @returns an array of {@link CfnProject.EnvironmentVariableProperty} instances
*/
public static serializeEnvVariables(environmentVariables: { [name: string]: BuildEnvironmentVariable }):
CfnProject.EnvironmentVariableProperty[] {
return Object.keys(environmentVariables).map(name => ({
name,
type: environmentVariables[name].type || BuildEnvironmentVariableType.PLAINTEXT,
value: environmentVariables[name].value,
}));
public static serializeEnvVariables(environmentVariables: { [name: string]: BuildEnvironmentVariable },
validateNoPlainTextSecrets: boolean = false): CfnProject.EnvironmentVariableProperty[] {

const ret = new Array<CfnProject.EnvironmentVariableProperty>();

for (const [name, envVariable] of Object.entries(environmentVariables)) {
const cfnEnvVariable: CfnProject.EnvironmentVariableProperty = {
name,
type: envVariable.type || BuildEnvironmentVariableType.PLAINTEXT,
value: envVariable.value?.toString(),
};
ret.push(cfnEnvVariable);

// validate that the plain-text environment variables don't contain any secrets in them
if (validateNoPlainTextSecrets && cfnEnvVariable.type === BuildEnvironmentVariableType.PLAINTEXT) {
const fragments = Tokenization.reverseString(cfnEnvVariable.value);
for (const token of fragments.tokens) {
if (token instanceof SecretValue) {
throw new Error(`Plaintext environment variable '${name}' contains a secret value! ` +
'This means the value of this variable will be visible in plain text in the AWS Console. ' +
"Please consider using CodeBuild's SecretsManager environment variables feature instead. " +
"If you'd like to continue with having this secret in the plaintext environment variables, " +
'please set the checkSecretsInPlainTextEnvVariables property to false');
}
}
}
}

return ret;
}

public readonly grantPrincipal: iam.IPrincipal;
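Review bot: `Tokenization.reverseString(cfnEnvVariable.value)` can be handed `undefined`, because `value` is produced by `envVariable.value?.toString()` and nothing rejects a missing value before the secret check runs; add a guard such as `&& cfnEnvVariable.value !== undefined` to the `if`, or validate up front that every variable has a value. The JSDoc for `checkSecretsInPlainTextEnvVariables` should also state what the check actually detects: it only recognises `SecretValue` tokens found in the rendered string, so a secret that was already resolved to a plain string before being passed in will pass silently. Calling it out as a guard against accidental misuse rather than a guarantee will spare users a false sense of safety.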
Expand Down Expand Up @@ -761,7 +796,7 @@ export class Project extends ProjectBase {
},
artifacts: artifactsConfig.artifactsProperty,
serviceRole: this.role.roleArn,
environment: this.renderEnvironment(props.environment, environmentVariables),
environment: this.renderEnvironment(props, environmentVariables),
fileSystemLocations: Lazy.any({ produce: () => this.renderFileSystemLocations() }),
// lazy, because we have a setter for it in setEncryptionKey
// The 'alias/aws/s3' default is necessary because leaving the `encryptionKey` field
Expand Down Expand Up @@ -790,7 +825,7 @@ export class Project extends ProjectBase {
this.projectName = this.getResourceNameAttribute(resource.ref);

this.addToRolePolicy(this.createLoggingPermission());
this.addParameterStorePermission(props);
this.addEnvVariablesPermissions(props.environmentVariables);
// add permissions to create and use test report groups
// with names starting with the project's name,
// unless the customer explicitly opts out of it
Expand Down Expand Up @@ -922,12 +957,13 @@ export class Project extends ProjectBase {
});
}

private addParameterStorePermission(props: ProjectProps) {
if (!props.environmentVariables) {
return;
}
private addEnvVariablesPermissions(environmentVariables: { [name: string]: BuildEnvironmentVariable } | undefined): void {
this.addParameterStorePermissions(environmentVariables);
this.addSecretsManagerPermissions(environmentVariables);
}

const resources = Object.values(props.environmentVariables)
private addParameterStorePermissions(environmentVariables: { [name: string]: BuildEnvironmentVariable } | undefined): void {
const resources = Object.values(environmentVariables || {})
.filter(envVariable => envVariable.type === BuildEnvironmentVariableType.PARAMETER_STORE)
.map(envVariable =>
// If the parameter name starts with / the resource name is not separated with a double '/'
Expand All @@ -951,9 +987,32 @@ export class Project extends ProjectBase {
}));
}

private addSecretsManagerPermissions(environmentVariables: { [name: string]: BuildEnvironmentVariable } | undefined): void {
const resources = Object.values(environmentVariables || {})
.filter(envVariable => envVariable.type === BuildEnvironmentVariableType.SECRETS_MANAGER)
.map(envVariable => Stack.of(this).formatArn({
service: 'secretsmanager',
resource: 'secret',
// we don't know the exact ARN of the Secret just from its name, but we can get close
resourceName: `${envVariable.value}-??????`,
sep: ':',
}));

if (resources.length === 0) {
return;
}

this.addToRolePolicy(new iam.PolicyStatement({
actions: ['secretsmanager:GetSecretValue'],
resources,
}));
}

private renderEnvironment(
env: BuildEnvironment = {},
props: ProjectProps,
projectVars: { [name: string]: BuildEnvironmentVariable } = {}): CfnProject.EnvironmentProperty {

const env = props.environment ?? {};
const vars: { [name: string]: BuildEnvironmentVariable } = {};
const containerVars = env.environmentVariables || {};

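Review bot: the ARN built in `addSecretsManagerPermissions` assumes `envVariable.value` is a bare secret name, as the comment "we don't know the exact ARN of the Secret just from its name" acknowledges. If the value is supplied as a full secret ARN, or as a reference that carries a `:json-key:version-stage:version-id` suffix, `secretsmanager:...:secret:<value>-??????` will not match the real secret and the build fails at runtime with an access-denied error. Consider using a value that already starts with `arn:` as-is and stripping everything after the first `:` before appending the suffix, and document in the comment that `??????` stands for the six-character random suffix Secrets Manager appends to secret ARNs. Note also that the wildcard grants `GetSecretValue` on any secret whose name is the given name plus a hyphen and six characters, so users who need an exact grant still have to pass the ARN.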
Expand Down Expand Up @@ -1008,7 +1067,9 @@ export class Project extends ProjectBase {
: undefined,
privilegedMode: env.privileged || false,
computeType: env.computeType || this.buildImage.defaultComputeType,
environmentVariables: hasEnvironmentVars ? Project.serializeEnvVariables(vars) : undefined,
environmentVariables: hasEnvironmentVars
? Project.serializeEnvVariables(vars, props.checkSecretsInPlainTextEnvVariables ?? true)
: undefined,
};
}

Expand Down Expand Up @@ -1076,7 +1137,7 @@ export class Project extends ProjectBase {
private renderLoggingConfiguration(props: LoggingOptions | undefined): CfnProject.LogsConfigProperty | undefined {
if (props === undefined) {
return undefined;
};
}

let s3Config: CfnProject.S3LogsConfigProperty|undefined = undefined;
let cloudwatchConfig: CfnProject.CloudWatchLogsConfigProperty|undefined = undefined;
Expand All @@ -1085,9 +1146,10 @@ export class Project extends ProjectBase {
const s3Logs = props.s3;
s3Config = {
status: (s3Logs.enabled ?? true) ? 'ENABLED' : 'DISABLED',
location: `${s3Logs.bucket.bucketName}/${s3Logs.prefix}`,
location: `${s3Logs.bucket.bucketName}` + (s3Logs.prefix ? `/${s3Logs.prefix}` : ''),
encryptionDisabled: s3Logs.encrypted,
};
s3Logs.bucket?.grantWrite(this);
}

if (props.cloudWatch) {
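Review bot: `s3Logs.bucket?.grantWrite(this)` uses optional chaining on a property that the `location` line just above dereferences unconditionally (`s3Logs.bucket.bucketName`), so the `?.` is dead code and misleading; make it `s3Logs.bucket.grantWrite(this)`. From a least-privilege angle, `grantWrite` also hands the project delete and multipart-abort permissions that a log writer never needs; `grantPut` is the narrower grant for this use. Separately, the unchanged `encryptionDisabled: s3Logs.encrypted` line directly beneath the edited one reads inverted (`encrypted: true` yields `encryptionDisabled: true`); worth confirming and fixing while this block is being touched.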
Expand All @@ -1097,6 +1159,7 @@ export class Project extends ProjectBase {
if (status === 'ENABLED' && !(cloudWatchLogs.logGroup)) {
throw new Error('Specifying a LogGroup is required if CloudWatch logging for CodeBuild is enabled');
}
cloudWatchLogs.logGroup?.grantWrite(this);

cloudwatchConfig = {
status,
18 changes: 18 additions & 0 deletions packages/@aws-cdk/aws-codebuild/lib/source.ts
Expand Up @@ -482,6 +482,13 @@ interface ThirdPartyGitSourceProps extends GitSourceProps {
*/
readonly webhook?: boolean;

/**
* Trigger a batch build from a webhook instead of a standard one.
*
* @default false
*/
readonly webhookTriggersBatchBuild?: boolean;

/**
* A list of webhook filters that can constraint what events in the repository will trigger a build.
* A build is triggered if any of the provided filter groups match.
Expand All @@ -500,19 +507,29 @@ abstract class ThirdPartyGitSource extends GitSource {
protected readonly webhookFilters: FilterGroup[];
private readonly reportBuildStatus: boolean;
private readonly webhook?: boolean;
private readonly webhookTriggersBatchBuild?: boolean;

protected constructor(props: ThirdPartyGitSourceProps) {
super(props);

this.webhook = props.webhook;
this.reportBuildStatus = props.reportBuildStatus === undefined ? true : props.reportBuildStatus;
this.webhookFilters = props.webhookFilters || [];
this.webhookTriggersBatchBuild = props.webhookTriggersBatchBuild;
}

public bind(_scope: CoreConstruct, _project: IProject): SourceConfig {
const anyFilterGroupsProvided = this.webhookFilters.length > 0;
const webhook = this.webhook === undefined ? (anyFilterGroupsProvided ? true : undefined) : this.webhook;

if (!webhook && anyFilterGroupsProvided) {
throw new Error('`webhookFilters` cannot be used when `webhook` is `false`');
}

if (!webhook && this.webhookTriggersBatchBuild) {
throw new Error('`webhookTriggersBatchBuild` cannot be used when `webhook` is `false`');
}

const superConfig = super.bind(_scope, _project);
return {
sourceProperty: {
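Review bot: the JSDoc for `webhookTriggersBatchBuild` (earlier hunk in this file) should state that the option requires `webhook` to be enabled, since `bind` now throws "`webhookTriggersBatchBuild` cannot be used when `webhook` is `false`"; a reader of the property docs alone cannot discover that constraint, and the error only surfaces at synth time once the source is attached to a project. The validation itself is consistent with the existing `webhookFilters` check.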
Expand All @@ -522,6 +539,7 @@ abstract class ThirdPartyGitSource extends GitSource {
sourceVersion: superConfig.sourceVersion,
buildTriggers: webhook === undefined ? undefined : {
webhook,
buildType: this.webhookTriggersBatchBuild ? 'BUILD_BATCH' : undefined,
filterGroups: anyFilterGroupsProvided ? this.webhookFilters.map(fg => fg._toJson()) : undefined,
},
};