
Commit b7fe1e6

Merge pull request #64 from SoManyHs/fix-arn
fix: change resource policy to use ARN
2 parents e908865 + 31d78a8 commit b7fe1e6

3 files changed

+43
-47
lines changed


infra/README.md

Lines changed: 4 additions & 0 deletions
@@ -19,6 +19,8 @@ aws secretsmanager create-secret --region us-west-2 --name EcsDevXGitHubToken --
1919

2020
## Deploy
2121

22+
Any changes to `pipeline.ts` will require a re-compilation and re-deploy.
23+
2224
To deploy this pipeline, install the AWS CDK CLI: `npm i -g aws-cdk`
2325

2426
Install and build everything: `npm install && npm run build`
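Review bot: the sentence added under `## Deploy` ("Any changes to `pipeline.ts` will require a re-compilation and re-deploy.") says the same thing as the **NOTE** added at the end of this file in the next hunk, so the README now states it twice. Keep the NOTE, which names the actual commands, and drop this line, or reduce it to a short pointer to the build and deploy steps that follow.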
@@ -31,3 +33,5 @@ cdk deploy --app 'node pipeline.js'
3133
```
3234

3335
See the pipelines in the CodePipeline console.
36+
37+
**NOTE**: Any changes to `pipeline.ts` will require the stack to be re-build wiht `npm run build` and redeployed with `cdk deploy --app 'node pipeline.js'`
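Review bot: the added NOTE has typos, "re-build wiht" should read "rebuilt with"; suggested wording: "Any changes to `pipeline.ts` require the stack to be rebuilt with `npm run build` and redeployed with `cdk deploy --app 'node pipeline.js'`." It also repeats the sentence added earlier in this file under `## Deploy`; one of the two should go.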

infra/package-lock.json

Lines changed: 34 additions & 32 deletions

infra/pipeline.ts

Lines changed: 5 additions & 15 deletions
@@ -80,31 +80,21 @@ class EcsLocalContainerEndpointsImagePipeline extends cdk.Stack {
8080
});
8181

8282
buildProject.addToRolePolicy(new iam.PolicyStatement({
83-
actions: ["ecr:GetAuthorizationToken",
84-
"ecr:BatchCheckLayerAvailability",
85-
"ecr:GetDownloadUrlForLayer",
86-
"ecr:GetRepositoryPolicy",
87-
"ecr:DescribeRepositories",
88-
"ecr:ListImages",
89-
"ecr:DescribeImages",
90-
"ecr:BatchGetImage",
91-
"ecr:InitiateLayerUpload",
92-
"ecr:UploadLayerPart",
93-
"ecr:CompleteLayerUpload",
94-
"ecr:PutImage",
95-
"ecr-public:*",
83+
actions: [
9684
"secretsmanager:GetSecretValue",
9785
"sts:GetServiceBearerToken",
9886
"sts:AssumeRole",
9987
],
100-
resources: ["*"]
88+
resources: [`arn:aws:secretsmanager:us-west-2:${process.env['CDK_DEFAULT_ACCOUNT']}:secret:com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials-XIxFhP`]
10189
}));
10290

10391
verifyProject.addToRolePolicy(new iam.PolicyStatement({
10492
actions: [
10593
"secretsmanager:GetSecretValue",
94+
"sts:GetServiceBearerToken",
95+
"sts:AssumeRole",
10696
],
107-
resources: ["com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials"]
97+
resources: [`arn:aws:secretsmanager:us-west-2:${process.env['CDK_DEFAULT_ACCOUNT']}:secret:com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials-XIxFhP`]
10898
}));
10999

110100
const buildAction = new actions.CodeBuildAction({
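Review bot: `sts:GetServiceBearerToken` and `sts:AssumeRole` are now scoped to a Secrets Manager secret ARN in both statements, which grants nothing for those two actions: `sts:AssumeRole` is evaluated against the ARN of the role being assumed, and `sts:GetServiceBearerToken` has no resource type and must be granted on `*`, so IAM denies them at run time even though the code reads as if it allows them. Either drop the two STS actions if nothing in the build uses them, or move them into a separate `iam.PolicyStatement` with the correct resource, and leave these statements as `secretsmanager:GetSecretValue` on the secret ARN only. Two further points on the same hunk: the `buildProject` statement also loses every `ecr:*` action and `ecr-public:*`, which goes beyond the commit message ("change resource policy to use ARN"); if the build still pushes images, those permissions now have to come from somewhere else, and the removal deserves its own commit or at least a mention in the message. The ARN itself hard-codes `us-west-2`, reads the account from `process.env['CDK_DEFAULT_ACCOUNT']` (which becomes the literal string `undefined` in the ARN when that variable is unset, failing silently at deploy time), and is duplicated verbatim in both statements; since this class extends `cdk.Stack`, `this.region` and `this.account` give the same values without the environment dependency, and the ARN should be built once into a `const` and reused. The hard-coded `-XIxFhP` suffix will also stop matching if the secret is ever deleted and recreated; Secrets Manager policies commonly use the `-??????` wildcard for that suffix instead.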

0 commit comments
