feat(codepipeline-actions): support environment variables for action

go-to-k · go-to-k · commit 44b2bf70b1d9 · 2025-06-10T19:10:31.000+09:00
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-environment-variables.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-environment-variables.ts
@@ -0,0 +1,138 @@
+import * as codepipeline from 'aws-cdk-lib/aws-codepipeline';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import { Duration } from 'aws-cdk-lib';
+import { IntegTest, ExpectedResult, Match } from '@aws-cdk/integ-tests-alpha';
+import * as cpactions from 'aws-cdk-lib/aws-codepipeline-actions';
+import * as path from 'path';
+import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
+import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
+
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+    '@aws-cdk/pipelines:reduceStageRoleTrustScope': false,
+  },
+});
+
+const stack = new cdk.Stack(app, 'aws-cdk-codepipeline-environment-variables');
+
+const bucket = new s3.Bucket(stack, 'SourceBucket', {
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
+  versioned: true,
+});
+
+// To start the pipeline
+const bucketDeployment = new BucketDeployment(stack, 'BucketDeployment', {
+  sources: [Source.asset(path.join(__dirname, 'assets', 'nodejs.zip'))],
+  destinationBucket: bucket,
+  extract: false,
+});
+const zipKey = cdk.Fn.select(0, bucketDeployment.objectKeys);
+
+const sourceOutput = new codepipeline.Artifact('SourceArtifact');
+const sourceAction = new cpactions.S3SourceAction({
+  actionName: 'Source',
+  output: sourceOutput,
+  bucket,
+  bucketKey: zipKey,
+});
+
+const commandsOutput = new codepipeline.Artifact('CommandsArtifact', ['my-dir/**/*']);
+
+const secret = new Secret(stack, 'Secret', {
+  secretStringValue: cdk.SecretValue.unsafePlainText('This is the content stored in secrets manager'),
+});
+const secretEnvVar = codepipeline.EnvironmentVariable.fromSecretsManager({
+  name: 'MY_SECRET',
+  secret: secret,
+});
+
+const plaintextValue = 'my-plaintext';
+const plaintextEnvVar = codepipeline.EnvironmentVariable.fromPlaintext({
+  name: 'MY_PLAINTEXT',
+  value: plaintextValue,
+});
+
+const commandsAction = new cpactions.CommandsAction({
+  actionName: 'Commands',
+  commands: [
+    `echo "MY_SECRET:$${secretEnvVar.name}"`,
+    `echo "MY_PLAINTEXT:$${plaintextEnvVar.name}"`,
+    'mkdir -p my-dir',
+    'echo "HelloWorld" > my-dir/file.txt',
+  ],
+  input: sourceOutput,
+  output: commandsOutput,
+  outputVariables: [plaintextEnvVar.name],
+  actionEnvironmentVariables: [
+    secretEnvVar,
+    plaintextEnvVar,
+  ],
+});
+
+const deployBucket = new s3.Bucket(stack, 'DeployBucket', {
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
+});
+const deployAction = new cpactions.S3DeployAction({
+  actionName: 'DeployAction',
+  extract: true,
+  input: commandsOutput,
+  bucket: deployBucket,
+  objectKey: commandsAction.variable(plaintextEnvVar.name),
+});
+
+const pipelineBucket = new s3.Bucket(stack, 'PipelineBucket', {
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  autoDeleteObjects: true,
+});
+const pipeline = new codepipeline.Pipeline(stack, 'Pipeline', {
+  artifactBucket: pipelineBucket,
+  stages: [
+    {
+      stageName: 'Source',
+      actions: [sourceAction],
+    },
+    {
+      stageName: 'Compute',
+      actions: [commandsAction],
+    },
+    {
+      stageName: 'Deploy',
+      actions: [deployAction],
+    },
+  ],
+});
+
+const integ = new IntegTest(app, 'aws-cdk-codepipeline-environment-variables-test', {
+  testCases: [stack],
+  diffAssets: true,
+});
+
+const startPipelineCall = integ.assertions.awsApiCall('CodePipeline', 'startPipelineExecution', {
+  name: pipeline.pipelineName,
+});
+
+const getObjectCall = integ.assertions.awsApiCall('S3', 'getObject', {
+  Bucket: deployBucket.bucketName,
+  Key: `${plaintextValue}/my-dir/file.txt`,
+});
+
+startPipelineCall.next(
+  integ.assertions.awsApiCall('CodePipeline', 'getPipelineState', {
+    name: pipeline.pipelineName,
+  }).expect(ExpectedResult.objectLike({
+    stageStates: Match.arrayWith([
+      Match.objectLike({
+        stageName: 'Deploy',
+        latestExecution: Match.objectLike({
+          status: 'Succeeded',
+        }),
+      }),
+    ]),
+  })).waitForAssertions({
+    totalTimeout: Duration.minutes(5),
+  }).next(getObjectCall),
+);
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/action.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/action.ts
@@ -5,6 +5,7 @@ import * as events from '../../aws-events';
 import * as iam from '../../aws-iam';
 import * as s3 from '../../aws-s3';
 import { Duration, IResource, Lazy, UnscopedValidationError } from '../../core';
+import { EnvironmentVariable, SecretsManagerEnvironmentVariable } from './environment-variable';
 
 export enum ActionCategory {
   SOURCE = 'Source',
@@ -132,6 +133,13 @@ export interface ActionProperties {
    * @see https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html
    */
   readonly timeout?: Duration;
+
+  /**
+   * The environment variables for the action.
+   *
+   * @default - no environment variables
+   */
+  readonly actionEnvironmentVariables?: EnvironmentVariable[];
 }
 
 export interface ActionBindOptions {
@@ -351,6 +359,13 @@ export interface CommonActionProps {
    *   no namespace will be set
    */
   readonly variablesNamespace?: string;
+
+  /**
+   * The environment variables for the action.
+   *
+   * @default - no environment variables
+   */
+  readonly actionEnvironmentVariables?: EnvironmentVariable[];
 }
 
 /**
@@ -434,6 +449,20 @@ export abstract class Action implements IAction {
       ? `${stage.stageName}_${this.actionProperties.actionName}_NS`
       : this._customerProvidedNamespace;
 
+    const envVars = this.actionProperties.actionEnvironmentVariables;
+    envVars?.forEach(envVar => {
+      if (envVar instanceof SecretsManagerEnvironmentVariable) {
+        if (this.actionProperties.actionName !== 'Commands') {
+          throw new UnscopedValidationError(`Secrets Manager environment variables are only supported for the Commands action, got: ${this.actionProperties.actionName}`);
+        }
+        envVar.secret.grantRead(options.role);
+      }
+    });
+
+    if (envVars && envVars.length > 10) {
+      throw new UnscopedValidationError(`The length of \`environmentVariables\` in action '${this.actionProperties.actionName}' must be less than or equal to 10, got: ${envVars.length}`);
+    }
+
     return this.bound(scope, stage, options);
   }
 
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/environment-variable.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/environment-variable.ts
@@ -0,0 +1,115 @@
+import { CfnPipeline } from './codepipeline.generated';
+import { ISecret } from '../../aws-secretsmanager';
+
+/**
+ * Properties for an environment variable.
+ */
+interface CommonEnvironmentVariableProps {
+  /**
+   * The environment variable name in the key-value pair.
+   */
+  readonly name: string;
+}
+
+/**
+ * Properties for a plaintext environment variable.
+ */
+export interface PlaintextEnvironmentVariableProps extends CommonEnvironmentVariableProps {
+  /**
+   * The environment variable value in the key-value pair.
+   */
+  readonly value: string;
+}
+
+/**
+ * Properties for a Secrets Manager environment variable.
+ */
+export interface SecretsManagerEnvironmentVariableProps extends CommonEnvironmentVariableProps {
+  /**
+   * The Secrets Manager secret reference.
+   */
+  readonly secret: ISecret;
+}
+
+/**
+ * An environment variable.
+ */
+export abstract class EnvironmentVariable {
+  /**
+   * Create a new plaintext environment variable.
+   */
+  public static fromPlaintext(props: PlaintextEnvironmentVariableProps): PlaintextEnvironmentVariable {
+    return new PlaintextEnvironmentVariable(props);
+  }
+
+  /**
+   * Create a new Secrets Manager environment variable.
+   */
+  public static fromSecretsManager(props: SecretsManagerEnvironmentVariableProps): SecretsManagerEnvironmentVariable {
+    return new SecretsManagerEnvironmentVariable(props);
+  }
+
+  public readonly name: string;
+
+  /**
+   * Create a new environment variable.
+   */
+  protected constructor(props: CommonEnvironmentVariableProps) {
+    this.name = props.name;
+  }
+
+  /**
+   * Render the environment variable to a CloudFormation resource.
+   * @internal
+   */
+  public _render(): CfnPipeline.EnvironmentVariableProperty {
+    return {
+      name: this.name,
+      value: this.value,
+      type: this.type,
+    };
+  }
+
+  protected abstract get value(): string;
+  protected abstract get type(): string;
+}
+
+/**
+ * A plaintext environment variable.
+ */
+export class PlaintextEnvironmentVariable extends EnvironmentVariable {
+  private readonly _value: string;
+
+  constructor(props: PlaintextEnvironmentVariableProps) {
+    super(props);
+    this._value = props.value;
+  }
+
+  protected get value(): string {
+    return this._value;
+  }
+
+  protected get type(): string {
+    return 'PLAINTEXT';
+  }
+}
+
+/**
+ * A Secrets Manager environment variable.
+ */
+export class SecretsManagerEnvironmentVariable extends EnvironmentVariable {
+  public readonly secret: ISecret;
+
+  constructor(props: SecretsManagerEnvironmentVariableProps) {
+    super(props);
+    this.secret = props.secret;
+  }
+
+  protected get value(): string {
+    return this.secret.secretName;
+  }
+
+  protected get type(): string {
+    return 'SECRETS_MANAGER';
+  }
+}
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/index.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/index.ts
@@ -1,5 +1,6 @@
 export * from './action';
 export * from './artifact';
+export * from './environment-variable';
 export * from './pipeline';
 export * from './trigger';
 export * from './variable';
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/private/full-action-descriptor.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/private/full-action-descriptor.ts
@@ -1,6 +1,7 @@
 import * as iam from '../../../aws-iam';
 import { Duration } from '../../../core';
 import { ActionArtifactBounds, ActionCategory, ActionConfig, IAction } from '../action';
+import { EnvironmentVariable } from '../environment-variable';
 import { Artifact } from '../artifact';
 
 export interface FullActionDescriptorProps {
@@ -31,6 +32,7 @@ export class FullActionDescriptor {
   public readonly commands?: string[];
   public readonly outputVariables?: string[];
   public readonly timeout?: Duration;
+  public readonly environmentVariables?: EnvironmentVariable[];
 
   constructor(props: FullActionDescriptorProps) {
     this.action = props.action;
@@ -52,6 +54,7 @@ export class FullActionDescriptor {
     this.commands = actionProperties.commands;
     this.outputVariables = actionProperties.outputVariables;
     this.timeout = actionProperties.timeout;
+    this.environmentVariables = actionProperties.actionEnvironmentVariables;
   }
 }
 
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/private/stage.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/private/stage.ts
@@ -194,6 +194,7 @@ export class Stage implements IStage {
       roleArn: action.role ? action.role.roleArn : undefined,
       region: action.region,
       namespace: action.namespace,
+      environmentVariables: action.environmentVariables?.length ? action.environmentVariables.map(envVar => envVar._render()) : undefined,
     };
   }
 

Original file line number	Diff line number	Diff line change
`@@ -194,6 +194,7 @@ export class Stage implements IStage {`
`194`	`194`	`roleArn: action.role ? action.role.roleArn : undefined,`
`195`	`195`	`region: action.region,`
`196`	`196`	`namespace: action.namespace,`
	`197`	`+ environmentVariables: action.environmentVariables?.length ? action.environmentVariables.map(envVar => envVar._render()) : undefined,`
`197`	`198`	`};`
`198`	`199`	`}`
`199`	`200`