feat(codepipeline): support environment variables for actions #34667
Conversation
github-actions
bot
added
the
distinguished-contributor
go-to-k
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
change err msg change err msg change err msg
go-to-k
changed the title
change integ
| * | ||
| * @default - no environment variables | ||
| */ | ||
| readonly actionEnvironmentVariables?: EnvironmentVariable[]; |
There was a problem hiding this comment.
Avoided the name environmentVariables because CodeBuildActionProps that extends codepipeline.CommonAwsActionProps and this CommonActionProps has already used a property with the same name and an error occurs if the name is used in this props.
unused grantRead for secret unit tests
go-to-k
force-pushed
the
cp-env-vars
branch
3 times, most recently
from
7eb8299 to
2a82dcd
Compare
| // Don't use `grantRead` method for the secret because `secretsmanager:DescribeSecret` is not required. | ||
| // See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html#action-reference-Commands-envvars | ||
| options.role.addToPrincipalPolicy(new iam.PolicyStatement({ | ||
| actions: ['secretsmanager:GetSecretValue'], | ||
| resources: [secretArn], | ||
| })); |
There was a problem hiding this comment.
To use the SecretsManager, you must add the following permissions to your pipeline service role:
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"SECRET_ARN"
]
}
| /** | ||
| * Bind the environment variable to the action. | ||
| * @internal | ||
| */ | ||
| public abstract _bind(scope: Construct, actionProperties: ActionProperties, options: ActionBindOptions): void; |
There was a problem hiding this comment.
Originally, this abstract method was not made, but the concrete bind method was only created for SecretsManagerEnvironmentVariable. However, considering that support for PARAMETER_STORE may be added in the future, such as the one for CodeBuild, it is better to create the abstract method, so I did it this way. Otherwise, it would be necessary to implement the bind calling as follows. If more types are added in the future, the code will become even more complicated.
envVars?.forEach(envVar => {
if (envVar instanceof SecretsManagerEnvironmentVariable || envVar instanceof ParameterStoreEnvironmentVariable) {
envVar._bind(scope, this.actionProperties, options);
}
});Now we can write like:
envVars?.forEach(envVar => {
envVar._bind(scope, this.actionProperties, options);
});
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
N/A
Reason for this change
CodePipeline supports the Environment Variables in actions, but L2 Pipeline with actions doesn't support it.
SECRETS_MANAGERtype is only supported for the Commands action.Description of changes
Added
EnvironmentVariablewithPlaintextEnvironmentVariableandSecretsManagerEnvironmentVariable.Describe any new or updated permissions being added
None.
Description of how you validated changes
Both unit tests and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license