### # CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK tests ### --- - name: Empty, SKIP input: {} expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: SKIP - name: Scenario a) No resources, SKIP input: Resources: {} expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: SKIP - name: Scenario b) Environment variables contain credentials but rule is suppressed, SKIP input: Resources: MyCodeBuildProject: Type: AWS::CodeBuild::Project Metadata: guard: SuppressedRules: - "CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK" Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER EnvironmentVariables: - Name: AWS_SECRET_ACCESS_KEY Type: PLAINTEXT Value: Tests ServiceRole: Fn::GetAtt: - MyPipelineBuildSynthRole - Arn Source: BuildSpec: | version: 0.2 phases: install: commands: - npm install build: commands: - npm test artifacts: files: - '**/*' Type: CODEPIPELINE EncryptionKey: Fn::GetAtt: - MyPipelineArtefactEncryptionKey - Arn expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: SKIP - name: Scenario c) Environment variable with name AWS_ACCESS_KEY_ID is present, FAIL input: Resources: MyCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER EnvironmentVariables: - Name: AWS_ACCESS_KEY_ID Type: PLAINTEXT Value: Tests ServiceRole: Fn::GetAtt: - MyPipelineBuildSynthRole - Arn Source: BuildSpec: | version: 0.2 phases: install: commands: - npm install build: commands: - npm test artifacts: files: - '**/*' Type: CODEPIPELINE EncryptionKey: Fn::GetAtt: - MyPipelineArtefactEncryptionKey - Arn expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: FAIL - name: Scenario c) Environment variable with name AWS_SECRET_ACCESS_KEY is present, FAIL input: Resources: MyCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER EnvironmentVariables: - Name: AWS_SECRET_ACCESS_KEY Type: PLAINTEXT Value: Tests ServiceRole: Fn::GetAtt: - MyPipelineBuildSynthRole - Arn Source: BuildSpec: | version: 0.2 phases: install: commands: - npm install build: commands: - npm test artifacts: files: - '**/*' Type: CODEPIPELINE EncryptionKey: Fn::GetAtt: - MyPipelineArtefactEncryptionKey - Arn expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: FAIL - name: Scenario d) No environment variables are present, PASS input: Resources: MyCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER ServiceRole: Fn::GetAtt: - MyPipelineBuildSynthRole - Arn Source: BuildSpec: | version: 0.2 phases: install: commands: - npm install build: commands: - npm test artifacts: files: - '**/*' Type: CODEPIPELINE EncryptionKey: Fn::GetAtt: - MyPipelineArtefactEncryptionKey - Arn expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: PASS - name: Scenario d) Environment variables with names other than AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are present, PASS input: Resources: MyCodeBuildProject: Type: AWS::CodeBuild::Project Properties: Artifacts: Type: CODEPIPELINE Environment: ComputeType: BUILD_GENERAL1_SMALL Image: aws/codebuild/standard:5.0 ImagePullCredentialsType: CODEBUILD PrivilegedMode: false Type: LINUX_CONTAINER EnvironmentVariables: - Name: MyEnvVar Type: PLAINTEXT Value: Tests ServiceRole: Fn::GetAtt: - MyPipelineBuildSynthRole - Arn Source: BuildSpec: | version: 0.2 phases: install: commands: - npm install build: commands: - npm test artifacts: files: - '**/*' Type: CODEPIPELINE EncryptionKey: Fn::GetAtt: - MyPipelineArtefactEncryptionKey - Arn expectations: rules: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK: PASS