// Jest Snapshot v1, https://goo.gl/fbAQLP exports[`PDK Pipeline Unit Tests CrossAccount - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "CrossAccountCodeRepositoryGRCUrlA496E759": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, ], ], }, }, "CrossAccountSonarCodeScannerSonarqubeSecretArn67524D2A": { "Value": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CrossAccountAccessLogsBucketAutoDeleteObjectsCustomResourceBF4BDBC9": { "DeletionPolicy": "Delete", "DependsOn": [ "CrossAccountAccessLogsBucketPolicy04189EE5", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CrossAccountAccessLogsBucketD7D72FC7": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CrossAccountAccessLogsBucketPolicy04189EE5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CrossAccountArtifactKey7D4916D3": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketA490794E": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketAutoDeleteObjectsCustomResourceDA0BD596": { "DeletionPolicy": "Delete", "DependsOn": [ "CrossAccountArtifactsBucketPolicyA1EA6713", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketPolicyA1EA6713": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CrossAccountAssetsFileAsset1A747E04B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountAssetsFileRoleA62CD5A0", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountAssetsFileRoleA62CD5A0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountAssetsFileRoleDefaultPolicy75C80F22": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountAssetsFileRoleDefaultPolicy75C80F22", "Roles": [ { "Ref": "CrossAccountAssetsFileRoleA62CD5A0", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodeBuildActionRoleAD915E6A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CrossAccountCodePipelineRole6867FC22", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodeBuildActionRoleDefaultPolicy49AAE258": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountUpdatePipelineSelfMutationEC1756F0", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountAssetsFileAsset1A747E04B", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodeBuildActionRoleDefaultPolicy49AAE258", "Roles": [ { "Ref": "CrossAccountCodeBuildActionRoleAD915E6A", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy94879C97": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy94879C97", "Roles": [ { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineEventsRoleCF998AEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineEventsRoleDefaultPolicyCDDAD89A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "CrossAccountCodePipelineFE6BA407", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineEventsRoleDefaultPolicyCDDAD89A", "Roles": [ { "Ref": "CrossAccountCodePipelineEventsRoleCF998AEF", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineFE6BA407": { "DependsOn": [ "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54", "CrossAccountCodePipelineRole6867FC22", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "EncryptionKey": { "Id": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Type": "KMS", }, "Location": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineRole6867FC22", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, "OutputArtifacts": [ { "Name": "c8323abab1481846407037ff91e03fe414541ba20b_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"9b6cac2596443c465eb42c0d0d84de22a8632cbeb9388a40d13889341f9b20c5"}]", "ProjectName": { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, }, "InputArtifacts": [ { "Name": "c8323abab1481846407037ff91e03fe414541ba20b_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "CrossAccountAssetsFileAsset1A747E04B", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "CrossAccountCodePipelineRole6867FC22": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54", "Roles": [ { "Ref": "CrossAccountCodePipelineRole6867FC22", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy443B61A0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy443B61A0", "Roles": [ { "Ref": "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodeRepositoryCF9338D3": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "Defaults", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "CrossAccountCodeRepositoryCrossAccountCodePipelineE9B4FFC3mainlineEventRule3B7BD205": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "CrossAccountCodePipelineFE6BA407", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineEventsRoleCF998AEF", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CrossAccountSonarCodeScannerSonarQubeToken76921F1B": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SMG4", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsPrototyping-SecretsManagerRotationEnabled", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "GenerateSecretString": {}, }, "Type": "AWS::SecretsManager::Secret", "UpdateReplacePolicy": "Delete", }, "CrossAccountSonarCodeScannerSynthBuildProjectOnSynthSuccessD24D011A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "build-status": [ "SUCCEEDED", ], "project-name": [ { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, ], }, ], }, ], }, ], }, ], }, "detail-type": [ "CodeBuild Build State Change", ], "source": [ "aws.codebuild", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectAA1083C3", "Arn", ], }, "Id": "Target0", "InputTransformer": { "InputPathsMap": { "detail-build-id": "$.detail.build-id", }, "InputTemplate": "{"environmentVariablesOverride":[{"name":"SYNTH_BUILD_ID","type":"PLAINTEXT","value":}]}", }, "RoleArn": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CrossAccountSonarCodeScannerValidationProjectAA1083C3": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "SONARQUBE_TOKEN", "Type": "SECRETS_MANAGER", "Value": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, { "Name": "SONARQUBE_ENDPOINT", "Type": "PLAINTEXT", "Value": "https://sonar.dev", }, { "Name": "PROJECT_NAME", "Type": "PLAINTEXT", "Value": "Default", }, ], "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectRole25023DA5", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "env": { "shell": "bash" }, "phases": { "install": { "commands": [ "npm install -g aws-cdk", "gem install cfn-nag" ] }, "build": { "commands": [ "export RESOLVED_SOURCE_VERSION=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].resolvedSourceVersion'\`", "export BUILT_ARTIFACT_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].secondaryArtifacts[] | select(.artifactIdentifier == \\"Synth__\\") | .location' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "export SYNTH_SOURCE_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].sourceVersion' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "aws s3 cp $SYNTH_SOURCE_URI source.zip", "aws s3 cp $BUILT_ARTIFACT_URI built.zip", "unzip source.zip -d src", "unzip built.zip -d built", "rm source.zip built.zip", "rsync -a built/* src --include=\\"*/\\" --include=\\"**/coverage/**\\" --include=\\"**/cdk.out/**\\" --exclude=\\"**/node_modules/**/*\\" --exclude=\\"**/.env/**\\" --exclude=\\"*\\" --prune-empty-dirs", "CREATE_PROJECT_OUTPUT=\`curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/projects/create?name=$PROJECT_NAME&project=$PROJECT_NAME&visibility=private\\" \`", "if [[ \\"$(echo $CREATE_PROJECT_OUTPUT | jq .errors)\\" == \\"null\\" ]]; then curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=admin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=codeviewer\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=issueadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=securityhotspotadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=scan\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=user\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_branches/rename?project=$PROJECT_NAME&name=mainline\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_tags/set?project=$PROJECT_NAME&tags=dev\\" ;export DEFAULT_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=dev\\" | jq .profiles\`;export SPECIFIC_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=undefined\\" | jq .profiles\`;export MERGED_PROFILES=\`jq --argjson arr1 \\"$DEFAULT_PROFILE\\" --argjson arr2 \\"$SPECIFIC_PROFILE\\" -n '$arr1 + $arr2 | group_by(.language) | map(.[-1])'\`;echo $MERGED_PROFILES | jq -c '.[]' | while read i; do curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/add_project?project=$PROJECT_NAME&language=\`echo $i | jq -r .language\`&qualityProfile=\`echo $i | jq -r .name\`\\" ; done;export DEFAULT_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=dev\\" \`;export SPECIFIC_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=undefined\\" \`;if [[ \\"$(echo $SPECIFIC_GATE | jq .errors)\\" == \\"null\\" && \\"$(echo $SPECIFIC_GATE | jq '.results | length')\\" -gt 0 ]]; then export GATE_NAME=undefined; else export GATE_NAME=dev; fi;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/select?projectKey=$PROJECT_NAME&gateName=$GATE_NAME\\" ; fi;", "mkdir -p src/reports", "npx owasp-dependency-check --format HTML --out src/reports --exclude '**/.git/**/*' --scan src --enableExperimental --bin /tmp/dep-check --disableRetireJS", "cfn_nag built/cdk.out/**/*.template.json --output-format=json > src/reports/cfn-nag-report.json", "cd src", "npx sonarqube-scanner -Dsonar.login=$SONARQUBE_TOKEN -Dsonar.projectKey=$PROJECT_NAME -Dsonar.projectName=$PROJECT_NAME -Dsonar.projectVersion=\`echo $RESOLVED_SOURCE_VERSION | cut -c1-7\` -Dsonar.branch.name=mainline -Dsonar.host.url=$SONARQUBE_ENDPOINT -Dsonar.cfn.nag.reportFiles=reports/cfn-nag-report.json -Dsonar.dependencyCheck.htmlReportPath=reports/dependency-check-report.html -Dsonar.javascript.lcov.reportPaths=**/coverage/lcov.info -Dsonar.clover.reportPath=**/coverage/clover.xml -Dsonar.exclusions=\\"**/reports/**,**/coverage/**\\" -Dsonar.sources=.", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf_issues_breakdown?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-issues-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-executive-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/security_reports/download?project=$PROJECT_NAME\\" --output reports/prototype-security-report.pdf" ] } } }", "Type": "NO_SOURCE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountSonarCodeScannerValidationProjectEventsRoleDefaultPolicy1B23C513": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectAA1083C3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountSonarCodeScannerValidationProjectEventsRoleDefaultPolicy1B23C513", "Roles": [ { "Ref": "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountSonarCodeScannerValidationProjectRole25023DA5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountSonarCodeScannerValidationProjectRoleDefaultPolicy225AB8B2": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, "-*", ], ], }, }, { "Action": "codebuild:BatchGetBuilds", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, }, { "Action": "s3:GetObject*", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/**", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountSonarCodeScannerValidationProjectRoleDefaultPolicy225AB8B2", "Roles": [ { "Ref": "CrossAccountSonarCodeScannerValidationProjectRole25023DA5", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountUpdatePipelineSelfMutationEC1756F0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountUpdatePipelineSelfMutationRole0F9342FC", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountUpdatePipelineSelfMutationRole0F9342FC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountUpdatePipelineSelfMutationRoleDefaultPolicyA7DA8F1E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountUpdatePipelineSelfMutationRoleDefaultPolicyA7DA8F1E", "Roles": [ { "Ref": "CrossAccountUpdatePipelineSelfMutationRole0F9342FC", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests CrossAccount 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "CrossAccountCodeRepositoryGRCUrlA496E759": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, ], ], }, }, "CrossAccountSonarCodeScannerSonarqubeSecretArn67524D2A": { "Value": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CrossAccountAccessLogsBucketAutoDeleteObjectsCustomResourceBF4BDBC9": { "DeletionPolicy": "Delete", "DependsOn": [ "CrossAccountAccessLogsBucketPolicy04189EE5", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CrossAccountAccessLogsBucketD7D72FC7": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CrossAccountAccessLogsBucketPolicy04189EE5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountAccessLogsBucketD7D72FC7", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CrossAccountArtifactKey7D4916D3": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EnableKeyRotation": true, "KeyPolicy": { "Statement": [ { "Action": "kms:*", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, "Resource": "*", }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": "*", }, ], "Version": "2012-10-17", }, }, "Type": "AWS::KMS::Key", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketA490794E": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "KMSMasterKeyID": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "SSEAlgorithm": "aws:kms", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketAutoDeleteObjectsCustomResourceDA0BD596": { "DeletionPolicy": "Delete", "DependsOn": [ "CrossAccountArtifactsBucketPolicyA1EA6713", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "CrossAccountArtifactsBucketPolicyA1EA6713": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "CrossAccountAssetsFileAsset1A747E04B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountAssetsFileRoleA62CD5A0", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountAssetsFileRoleA62CD5A0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountAssetsFileRoleDefaultPolicy75C80F22": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountAssetsFileRoleDefaultPolicy75C80F22", "Roles": [ { "Ref": "CrossAccountAssetsFileRoleA62CD5A0", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodeBuildActionRoleAD915E6A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CrossAccountCodePipelineRole6867FC22", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodeBuildActionRoleDefaultPolicy49AAE258": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountUpdatePipelineSelfMutationEC1756F0", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountAssetsFileAsset1A747E04B", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodeBuildActionRoleDefaultPolicy49AAE258", "Roles": [ { "Ref": "CrossAccountCodeBuildActionRoleAD915E6A", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy94879C97": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy94879C97", "Roles": [ { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProjectRole06CF955F", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineEventsRoleCF998AEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineEventsRoleDefaultPolicyCDDAD89A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "CrossAccountCodePipelineFE6BA407", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineEventsRoleDefaultPolicyCDDAD89A", "Roles": [ { "Ref": "CrossAccountCodePipelineEventsRoleCF998AEF", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineFE6BA407": { "DependsOn": [ "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54", "CrossAccountCodePipelineRole6867FC22", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "EncryptionKey": { "Id": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Type": "KMS", }, "Location": { "Ref": "CrossAccountArtifactsBucketA490794E", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineRole6867FC22", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Name", ], }, "OutputArtifacts": [ { "Name": "c8323abab1481846407037ff91e03fe414541ba20b_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"9b6cac2596443c465eb42c0d0d84de22a8632cbeb9388a40d13889341f9b20c5"}]", "ProjectName": { "Ref": "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", }, }, "InputArtifacts": [ { "Name": "c8323abab1481846407037ff91e03fe414541ba20b_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "CrossAccountAssetsFileAsset1A747E04B", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "CrossAccountCodePipelineRole6867FC22": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodeBuildActionRoleAD915E6A", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineRoleDefaultPolicyB81D2E54", "Roles": [ { "Ref": "CrossAccountCodePipelineRole6867FC22", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy443B61A0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicy443B61A0", "Roles": [ { "Ref": "CrossAccountCodePipelineSourceCodeCommitCodePipelineActionRole1A00297F", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountCodeRepositoryCF9338D3": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "Defaults", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "CrossAccountCodeRepositoryCrossAccountCodePipelineE9B4FFC3mainlineEventRule3B7BD205": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "CrossAccountCodeRepositoryCF9338D3", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "CrossAccountCodePipelineFE6BA407", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "CrossAccountCodePipelineEventsRoleCF998AEF", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CrossAccountSonarCodeScannerSonarQubeToken76921F1B": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SMG4", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsPrototyping-SecretsManagerRotationEnabled", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "GenerateSecretString": {}, }, "Type": "AWS::SecretsManager::Secret", "UpdateReplacePolicy": "Delete", }, "CrossAccountSonarCodeScannerSynthBuildProjectOnSynthSuccessD24D011A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "build-status": [ "SUCCEEDED", ], "project-name": [ { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, ], }, ], }, ], }, ], }, ], }, "detail-type": [ "CodeBuild Build State Change", ], "source": [ "aws.codebuild", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectAA1083C3", "Arn", ], }, "Id": "Target0", "InputTransformer": { "InputPathsMap": { "detail-build-id": "$.detail.build-id", }, "InputTemplate": "{"environmentVariablesOverride":[{"name":"SYNTH_BUILD_ID","type":"PLAINTEXT","value":}]}", }, "RoleArn": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CrossAccountSonarCodeScannerValidationProjectAA1083C3": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "SONARQUBE_TOKEN", "Type": "SECRETS_MANAGER", "Value": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, { "Name": "SONARQUBE_ENDPOINT", "Type": "PLAINTEXT", "Value": "https://sonar.dev", }, { "Name": "PROJECT_NAME", "Type": "PLAINTEXT", "Value": "Default", }, ], "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectRole25023DA5", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "env": { "shell": "bash" }, "phases": { "install": { "commands": [ "npm install -g aws-cdk", "gem install cfn-nag" ] }, "build": { "commands": [ "export RESOLVED_SOURCE_VERSION=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].resolvedSourceVersion'\`", "export BUILT_ARTIFACT_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].secondaryArtifacts[] | select(.artifactIdentifier == \\"Synth__\\") | .location' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "export SYNTH_SOURCE_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].sourceVersion' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "aws s3 cp $SYNTH_SOURCE_URI source.zip", "aws s3 cp $BUILT_ARTIFACT_URI built.zip", "unzip source.zip -d src", "unzip built.zip -d built", "rm source.zip built.zip", "rsync -a built/* src --include=\\"*/\\" --include=\\"**/coverage/**\\" --include=\\"**/cdk.out/**\\" --exclude=\\"**/node_modules/**/*\\" --exclude=\\"**/.env/**\\" --exclude=\\"*\\" --prune-empty-dirs", "CREATE_PROJECT_OUTPUT=\`curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/projects/create?name=$PROJECT_NAME&project=$PROJECT_NAME&visibility=private\\" \`", "if [[ \\"$(echo $CREATE_PROJECT_OUTPUT | jq .errors)\\" == \\"null\\" ]]; then curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=admin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=codeviewer\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=issueadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=securityhotspotadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=scan\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=user\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_branches/rename?project=$PROJECT_NAME&name=mainline\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_tags/set?project=$PROJECT_NAME&tags=dev\\" ;export DEFAULT_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=dev\\" | jq .profiles\`;export SPECIFIC_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=undefined\\" | jq .profiles\`;export MERGED_PROFILES=\`jq --argjson arr1 \\"$DEFAULT_PROFILE\\" --argjson arr2 \\"$SPECIFIC_PROFILE\\" -n '$arr1 + $arr2 | group_by(.language) | map(.[-1])'\`;echo $MERGED_PROFILES | jq -c '.[]' | while read i; do curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/add_project?project=$PROJECT_NAME&language=\`echo $i | jq -r .language\`&qualityProfile=\`echo $i | jq -r .name\`\\" ; done;export DEFAULT_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=dev\\" \`;export SPECIFIC_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=undefined\\" \`;if [[ \\"$(echo $SPECIFIC_GATE | jq .errors)\\" == \\"null\\" && \\"$(echo $SPECIFIC_GATE | jq '.results | length')\\" -gt 0 ]]; then export GATE_NAME=undefined; else export GATE_NAME=dev; fi;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/select?projectKey=$PROJECT_NAME&gateName=$GATE_NAME\\" ; fi;", "mkdir -p src/reports", "npx owasp-dependency-check --format HTML --out src/reports --exclude '**/.git/**/*' --scan src --enableExperimental --bin /tmp/dep-check --disableRetireJS", "cfn_nag built/cdk.out/**/*.template.json --output-format=json > src/reports/cfn-nag-report.json", "cd src", "npx sonarqube-scanner -Dsonar.login=$SONARQUBE_TOKEN -Dsonar.projectKey=$PROJECT_NAME -Dsonar.projectName=$PROJECT_NAME -Dsonar.projectVersion=\`echo $RESOLVED_SOURCE_VERSION | cut -c1-7\` -Dsonar.branch.name=mainline -Dsonar.host.url=$SONARQUBE_ENDPOINT -Dsonar.cfn.nag.reportFiles=reports/cfn-nag-report.json -Dsonar.dependencyCheck.htmlReportPath=reports/dependency-check-report.html -Dsonar.javascript.lcov.reportPaths=**/coverage/lcov.info -Dsonar.clover.reportPath=**/coverage/clover.xml -Dsonar.exclusions=\\"**/reports/**,**/coverage/**\\" -Dsonar.sources=.", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf_issues_breakdown?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-issues-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-executive-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/security_reports/download?project=$PROJECT_NAME\\" --output reports/prototype-security-report.pdf" ] } } }", "Type": "NO_SOURCE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountSonarCodeScannerValidationProjectEventsRoleDefaultPolicy1B23C513": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountSonarCodeScannerValidationProjectAA1083C3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountSonarCodeScannerValidationProjectEventsRoleDefaultPolicy1B23C513", "Roles": [ { "Ref": "CrossAccountSonarCodeScannerValidationProjectEventsRole551D56DA", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountSonarCodeScannerValidationProjectRole25023DA5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountSonarCodeScannerValidationProjectRoleDefaultPolicy225AB8B2": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": { "Ref": "CrossAccountSonarCodeScannerSonarQubeToken76921F1B", }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountSonarCodeScannerValidationProjectAA1083C3", }, "-*", ], ], }, }, { "Action": "codebuild:BatchGetBuilds", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountCodePipelineBuildSynthCdkBuildProject938B55FC", "Arn", ], }, }, { "Action": "s3:GetObject*", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/**", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountSonarCodeScannerValidationProjectRoleDefaultPolicy225AB8B2", "Roles": [ { "Ref": "CrossAccountSonarCodeScannerValidationProjectRole25023DA5", }, ], }, "Type": "AWS::IAM::Policy", }, "CrossAccountUpdatePipelineSelfMutationEC1756F0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "CrossAccountUpdatePipelineSelfMutationRole0F9342FC", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "CrossAccountUpdatePipelineSelfMutationRole0F9342FC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "CrossAccountUpdatePipelineSelfMutationRoleDefaultPolicyA7DA8F1E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "CrossAccountUpdatePipelineSelfMutationEC1756F0", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "CrossAccountArtifactsBucketA490794E", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "kms:Decrypt", "kms:DescribeKey", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, { "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "CrossAccountArtifactKey7D4916D3", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "CrossAccountUpdatePipelineSelfMutationRoleDefaultPolicyA7DA8F1E", "Roles": [ { "Ref": "CrossAccountUpdatePipelineSelfMutationRole0F9342FC", }, ], }, "Type": "AWS::IAM::Policy", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "CrossAccountAccessLogsBucketD7D72FC7", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Defaults - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsCodeRepositoryGRCUrlF9B2453F": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, ], ], }, }, "DefaultsSonarCodeScannerSonarqubeSecretArn61BE693F": { "Value": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsArtifactsBucket267E29E1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsArtifactsBucketAutoDeleteObjectsCustomResourceED1B0B57": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsArtifactsBucketPolicyA6159620", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsArtifactsBucketPolicyA6159620": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsAssetsFileAsset1C016008C": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsAssetsFileRole651D25B9", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsAssetsFileRole651D25B9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsAssetsFileRoleDefaultPolicy3887BD04": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsAssetsFileRoleDefaultPolicy3887BD04", "Roles": [ { "Ref": "DefaultsAssetsFileRole651D25B9", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodeBuildActionRole26049CBA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "DefaultsCodePipelineRoleF466C0E3", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodeBuildActionRoleDefaultPolicy0F3A543D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsUpdatePipelineSelfMutationD1F1D812", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsAssetsFileAsset1C016008C", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodeBuildActionRoleDefaultPolicy0F3A543D", "Roles": [ { "Ref": "DefaultsCodeBuildActionRole26049CBA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineBuildSynthCdkBuildProject81772484": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicyC0AFF59F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicyC0AFF59F", "Roles": [ { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineDAB2FB72": { "DependsOn": [ "DefaultsCodePipelineRoleDefaultPolicyF4A44365", "DefaultsCodePipelineRoleF466C0E3", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineRoleF466C0E3", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, "OutputArtifacts": [ { "Name": "c8be7966da6130450b89fe7dd9dced39142a8f041d_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"9b6cac2596443c465eb42c0d0d84de22a8632cbeb9388a40d13889341f9b20c5"}]", "ProjectName": { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, }, "InputArtifacts": [ { "Name": "c8be7966da6130450b89fe7dd9dced39142a8f041d_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "DefaultsAssetsFileAsset1C016008C", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "DefaultsCodePipelineEventsRole44B0ACD2": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineEventsRoleDefaultPolicyB0676072": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "DefaultsCodePipelineDAB2FB72", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineEventsRoleDefaultPolicyB0676072", "Roles": [ { "Ref": "DefaultsCodePipelineEventsRole44B0ACD2", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineRoleDefaultPolicyF4A44365": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineRoleDefaultPolicyF4A44365", "Roles": [ { "Ref": "DefaultsCodePipelineRoleF466C0E3", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineRoleF466C0E3": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyF3026D6A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyF3026D6A", "Roles": [ { "Ref": "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodeRepositoryBDE0B808": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "Defaults", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "DefaultsCodeRepositoryDefaultsCodePipeline4E276C62mainlineEventRule67A64C52": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "DefaultsCodePipelineDAB2FB72", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineEventsRole44B0ACD2", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "DefaultsSonarCodeScannerSonarQubeTokenD1898305": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SMG4", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsPrototyping-SecretsManagerRotationEnabled", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "GenerateSecretString": {}, }, "Type": "AWS::SecretsManager::Secret", "UpdateReplacePolicy": "Delete", }, "DefaultsSonarCodeScannerSynthBuildProjectOnSynthSuccessE7E65027": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "build-status": [ "SUCCEEDED", ], "project-name": [ { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, ], }, ], }, ], }, ], }, ], }, "detail-type": [ "CodeBuild Build State Change", ], "source": [ "aws.codebuild", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", "Arn", ], }, "Id": "Target0", "InputTransformer": { "InputPathsMap": { "detail-build-id": "$.detail.build-id", }, "InputTemplate": "{"environmentVariablesOverride":[{"name":"SYNTH_BUILD_ID","type":"PLAINTEXT","value":}]}", }, "RoleArn": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsSonarCodeScannerValidationProjectEventsRoleDefaultPolicy6C4FE447": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsSonarCodeScannerValidationProjectEventsRoleDefaultPolicy6C4FE447", "Roles": [ { "Ref": "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsSonarCodeScannerValidationProjectFAE7BAD0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "SONARQUBE_TOKEN", "Type": "SECRETS_MANAGER", "Value": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, { "Name": "SONARQUBE_ENDPOINT", "Type": "PLAINTEXT", "Value": "https://sonar.dev", }, { "Name": "PROJECT_NAME", "Type": "PLAINTEXT", "Value": "Default", }, ], "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "env": { "shell": "bash" }, "phases": { "install": { "commands": [ "npm install -g aws-cdk", "gem install cfn-nag" ] }, "build": { "commands": [ "export RESOLVED_SOURCE_VERSION=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].resolvedSourceVersion'\`", "export BUILT_ARTIFACT_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].secondaryArtifacts[] | select(.artifactIdentifier == \\"Synth__\\") | .location' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "export SYNTH_SOURCE_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].sourceVersion' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "aws s3 cp $SYNTH_SOURCE_URI source.zip", "aws s3 cp $BUILT_ARTIFACT_URI built.zip", "unzip source.zip -d src", "unzip built.zip -d built", "rm source.zip built.zip", "rsync -a built/* src --include=\\"*/\\" --include=\\"**/coverage/**\\" --include=\\"**/cdk.out/**\\" --exclude=\\"**/node_modules/**/*\\" --exclude=\\"**/.env/**\\" --exclude=\\"*\\" --prune-empty-dirs", "CREATE_PROJECT_OUTPUT=\`curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/projects/create?name=$PROJECT_NAME&project=$PROJECT_NAME&visibility=private\\" \`", "if [[ \\"$(echo $CREATE_PROJECT_OUTPUT | jq .errors)\\" == \\"null\\" ]]; then curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=admin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=codeviewer\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=issueadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=securityhotspotadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=scan\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=user\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_branches/rename?project=$PROJECT_NAME&name=mainline\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_tags/set?project=$PROJECT_NAME&tags=dev\\" ;export DEFAULT_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=dev\\" | jq .profiles\`;export SPECIFIC_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=undefined\\" | jq .profiles\`;export MERGED_PROFILES=\`jq --argjson arr1 \\"$DEFAULT_PROFILE\\" --argjson arr2 \\"$SPECIFIC_PROFILE\\" -n '$arr1 + $arr2 | group_by(.language) | map(.[-1])'\`;echo $MERGED_PROFILES | jq -c '.[]' | while read i; do curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/add_project?project=$PROJECT_NAME&language=\`echo $i | jq -r .language\`&qualityProfile=\`echo $i | jq -r .name\`\\" ; done;export DEFAULT_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=dev\\" \`;export SPECIFIC_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=undefined\\" \`;if [[ \\"$(echo $SPECIFIC_GATE | jq .errors)\\" == \\"null\\" && \\"$(echo $SPECIFIC_GATE | jq '.results | length')\\" -gt 0 ]]; then export GATE_NAME=undefined; else export GATE_NAME=dev; fi;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/select?projectKey=$PROJECT_NAME&gateName=$GATE_NAME\\" ; fi;", "mkdir -p src/reports", "npx owasp-dependency-check --format HTML --out src/reports --exclude '**/.git/**/*' --scan src --enableExperimental --bin /tmp/dep-check --disableRetireJS", "cfn_nag built/cdk.out/**/*.template.json --output-format=json > src/reports/cfn-nag-report.json", "cd src", "npx sonarqube-scanner -Dsonar.login=$SONARQUBE_TOKEN -Dsonar.projectKey=$PROJECT_NAME -Dsonar.projectName=$PROJECT_NAME -Dsonar.projectVersion=\`echo $RESOLVED_SOURCE_VERSION | cut -c1-7\` -Dsonar.branch.name=mainline -Dsonar.host.url=$SONARQUBE_ENDPOINT -Dsonar.cfn.nag.reportFiles=reports/cfn-nag-report.json -Dsonar.dependencyCheck.htmlReportPath=reports/dependency-check-report.html -Dsonar.javascript.lcov.reportPaths=**/coverage/lcov.info -Dsonar.clover.reportPath=**/coverage/clover.xml -Dsonar.exclusions=\\"**/reports/**,**/coverage/**\\" -Dsonar.sources=.", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf_issues_breakdown?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-issues-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-executive-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/security_reports/download?project=$PROJECT_NAME\\" --output reports/prototype-security-report.pdf" ] } } }", "Type": "NO_SOURCE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsSonarCodeScannerValidationProjectRoleDefaultPolicyF147A45E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, "-*", ], ], }, }, { "Action": "codebuild:BatchGetBuilds", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, }, { "Action": "s3:GetObject*", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/**", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsSonarCodeScannerValidationProjectRoleDefaultPolicyF147A45E", "Roles": [ { "Ref": "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsUpdatePipelineSelfMutationD1F1D812": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsUpdatePipelineSelfMutationRole0C19159A", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsUpdatePipelineSelfMutationRole0C19159A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsUpdatePipelineSelfMutationRoleDefaultPolicyCE04D82F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsUpdatePipelineSelfMutationRoleDefaultPolicyCE04D82F", "Roles": [ { "Ref": "DefaultsUpdatePipelineSelfMutationRole0C19159A", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Defaults 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "DefaultsCodeRepositoryGRCUrlF9B2453F": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, ], ], }, }, "DefaultsSonarCodeScannerSonarqubeSecretArn61BE693F": { "Value": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "DefaultsAccessLogsBucket1E788CBC": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketAutoDeleteObjectsCustomResourceB315E04B": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsAccessLogsBucketPolicy87291CAB", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsAccessLogsBucketPolicy87291CAB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsAccessLogsBucket1E788CBC", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsArtifactsBucket267E29E1": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "DefaultsAccessLogsBucket1E788CBC", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "DefaultsArtifactsBucketAutoDeleteObjectsCustomResourceED1B0B57": { "DeletionPolicy": "Delete", "DependsOn": [ "DefaultsArtifactsBucketPolicyA6159620", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "DefaultsArtifactsBucketPolicyA6159620": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "DefaultsAssetsFileAsset1C016008C": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsAssetsFileRole651D25B9", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsAssetsFileRole651D25B9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsAssetsFileRoleDefaultPolicy3887BD04": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsAssetsFileRoleDefaultPolicy3887BD04", "Roles": [ { "Ref": "DefaultsAssetsFileRole651D25B9", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodeBuildActionRole26049CBA": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "DefaultsCodePipelineRoleF466C0E3", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodeBuildActionRoleDefaultPolicy0F3A543D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsUpdatePipelineSelfMutationD1F1D812", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsAssetsFileAsset1C016008C", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodeBuildActionRoleDefaultPolicy0F3A543D", "Roles": [ { "Ref": "DefaultsCodeBuildActionRole26049CBA", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineBuildSynthCdkBuildProject81772484": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicyC0AFF59F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicyC0AFF59F", "Roles": [ { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProjectRoleA72DCE39", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineDAB2FB72": { "DependsOn": [ "DefaultsCodePipelineRoleDefaultPolicyF4A44365", "DefaultsCodePipelineRoleF466C0E3", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "DefaultsArtifactsBucket267E29E1", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineRoleF466C0E3", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Name", ], }, "OutputArtifacts": [ { "Name": "c8be7966da6130450b89fe7dd9dced39142a8f041d_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"9b6cac2596443c465eb42c0d0d84de22a8632cbeb9388a40d13889341f9b20c5"}]", "ProjectName": { "Ref": "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", }, }, "InputArtifacts": [ { "Name": "c8be7966da6130450b89fe7dd9dced39142a8f041d_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "DefaultsAssetsFileAsset1C016008C", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "DefaultsCodePipelineEventsRole44B0ACD2": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineEventsRoleDefaultPolicyB0676072": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "DefaultsCodePipelineDAB2FB72", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineEventsRoleDefaultPolicyB0676072", "Roles": [ { "Ref": "DefaultsCodePipelineEventsRole44B0ACD2", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineRoleDefaultPolicyF4A44365": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodeBuildActionRole26049CBA", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineRoleDefaultPolicyF4A44365", "Roles": [ { "Ref": "DefaultsCodePipelineRoleF466C0E3", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodePipelineRoleF466C0E3": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyF3026D6A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyF3026D6A", "Roles": [ { "Ref": "DefaultsCodePipelineSourceCodeCommitCodePipelineActionRole1F53CA96", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsCodeRepositoryBDE0B808": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "Defaults", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "DefaultsCodeRepositoryDefaultsCodePipeline4E276C62mainlineEventRule67A64C52": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "DefaultsCodeRepositoryBDE0B808", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "DefaultsCodePipelineDAB2FB72", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "DefaultsCodePipelineEventsRole44B0ACD2", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "DefaultsSonarCodeScannerSonarQubeTokenD1898305": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-SMG4", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsPrototyping-SecretsManagerRotationEnabled", "reason": "Key rotation is not possible as a user token needs to be generated from Sonarqube", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "GenerateSecretString": {}, }, "Type": "AWS::SecretsManager::Secret", "UpdateReplacePolicy": "Delete", }, "DefaultsSonarCodeScannerSynthBuildProjectOnSynthSuccessE7E65027": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "build-status": [ "SUCCEEDED", ], "project-name": [ { "Fn::Select": [ 1, { "Fn::Split": [ "/", { "Fn::Select": [ 5, { "Fn::Split": [ ":", { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, ], }, ], }, ], }, ], }, ], }, "detail-type": [ "CodeBuild Build State Change", ], "source": [ "aws.codebuild", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", "Arn", ], }, "Id": "Target0", "InputTransformer": { "InputPathsMap": { "detail-build-id": "$.detail.build-id", }, "InputTemplate": "{"environmentVariablesOverride":[{"name":"SYNTH_BUILD_ID","type":"PLAINTEXT","value":}]}", }, "RoleArn": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsSonarCodeScannerValidationProjectEventsRoleDefaultPolicy6C4FE447": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsSonarCodeScannerValidationProjectEventsRoleDefaultPolicy6C4FE447", "Roles": [ { "Ref": "DefaultsSonarCodeScannerValidationProjectEventsRole18DD9D4A", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsSonarCodeScannerValidationProjectFAE7BAD0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "SONARQUBE_TOKEN", "Type": "SECRETS_MANAGER", "Value": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, { "Name": "SONARQUBE_ENDPOINT", "Type": "PLAINTEXT", "Value": "https://sonar.dev", }, { "Name": "PROJECT_NAME", "Type": "PLAINTEXT", "Value": "Default", }, ], "Image": "aws/codebuild/standard:5.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "env": { "shell": "bash" }, "phases": { "install": { "commands": [ "npm install -g aws-cdk", "gem install cfn-nag" ] }, "build": { "commands": [ "export RESOLVED_SOURCE_VERSION=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].resolvedSourceVersion'\`", "export BUILT_ARTIFACT_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].secondaryArtifacts[] | select(.artifactIdentifier == \\"Synth__\\") | .location' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "export SYNTH_SOURCE_URI=\`aws codebuild batch-get-builds --ids $SYNTH_BUILD_ID | jq -r '.builds[0].sourceVersion' | awk '{sub(\\"arn:aws:s3:::\\",\\"s3://\\")}1' $1\`", "aws s3 cp $SYNTH_SOURCE_URI source.zip", "aws s3 cp $BUILT_ARTIFACT_URI built.zip", "unzip source.zip -d src", "unzip built.zip -d built", "rm source.zip built.zip", "rsync -a built/* src --include=\\"*/\\" --include=\\"**/coverage/**\\" --include=\\"**/cdk.out/**\\" --exclude=\\"**/node_modules/**/*\\" --exclude=\\"**/.env/**\\" --exclude=\\"*\\" --prune-empty-dirs", "CREATE_PROJECT_OUTPUT=\`curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/projects/create?name=$PROJECT_NAME&project=$PROJECT_NAME&visibility=private\\" \`", "if [[ \\"$(echo $CREATE_PROJECT_OUTPUT | jq .errors)\\" == \\"null\\" ]]; then curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=admin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=codeviewer\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=issueadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=securityhotspotadmin\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=scan\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/permissions/add_group?projectKey=$PROJECT_NAME&groupName=dev&permission=user\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_branches/rename?project=$PROJECT_NAME&name=mainline\\" ;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/project_tags/set?project=$PROJECT_NAME&tags=dev\\" ;export DEFAULT_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=dev\\" | jq .profiles\`;export SPECIFIC_PROFILE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/search?qualityProfile=undefined\\" | jq .profiles\`;export MERGED_PROFILES=\`jq --argjson arr1 \\"$DEFAULT_PROFILE\\" --argjson arr2 \\"$SPECIFIC_PROFILE\\" -n '$arr1 + $arr2 | group_by(.language) | map(.[-1])'\`;echo $MERGED_PROFILES | jq -c '.[]' | while read i; do curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualityprofiles/add_project?project=$PROJECT_NAME&language=\`echo $i | jq -r .language\`&qualityProfile=\`echo $i | jq -r .name\`\\" ; done;export DEFAULT_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=dev\\" \`;export SPECIFIC_GATE=\`curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/search?gateName=undefined\\" \`;if [[ \\"$(echo $SPECIFIC_GATE | jq .errors)\\" == \\"null\\" && \\"$(echo $SPECIFIC_GATE | jq '.results | length')\\" -gt 0 ]]; then export GATE_NAME=undefined; else export GATE_NAME=dev; fi;curl -X POST -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/qualitygates/select?projectKey=$PROJECT_NAME&gateName=$GATE_NAME\\" ; fi;", "mkdir -p src/reports", "npx owasp-dependency-check --format HTML --out src/reports --exclude '**/.git/**/*' --scan src --enableExperimental --bin /tmp/dep-check --disableRetireJS", "cfn_nag built/cdk.out/**/*.template.json --output-format=json > src/reports/cfn-nag-report.json", "cd src", "npx sonarqube-scanner -Dsonar.login=$SONARQUBE_TOKEN -Dsonar.projectKey=$PROJECT_NAME -Dsonar.projectName=$PROJECT_NAME -Dsonar.projectVersion=\`echo $RESOLVED_SOURCE_VERSION | cut -c1-7\` -Dsonar.branch.name=mainline -Dsonar.host.url=$SONARQUBE_ENDPOINT -Dsonar.cfn.nag.reportFiles=reports/cfn-nag-report.json -Dsonar.dependencyCheck.htmlReportPath=reports/dependency-check-report.html -Dsonar.javascript.lcov.reportPaths=**/coverage/lcov.info -Dsonar.clover.reportPath=**/coverage/clover.xml -Dsonar.exclusions=\\"**/reports/**,**/coverage/**\\" -Dsonar.sources=.", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf_issues_breakdown?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-issues-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/bitegarden/report/pdf?resource=$PROJECT_NAME&branch=mainline\\" --output reports/prototype-executive-report.pdf", "curl -X GET -u $SONARQUBE_TOKEN: \\"$SONARQUBE_ENDPOINT/api/security_reports/download?project=$PROJECT_NAME\\" --output reports/prototype-security-report.pdf" ] } } }", "Type": "NO_SOURCE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsSonarCodeScannerValidationProjectRoleDefaultPolicyF147A45E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<.*SonarCodeScannerValidationProject.*>:\\*$/g", }, { "regex": "/^Resource::arn::codebuild:::report-group/<.*SonarCodeScannerValidationProject.*>-\\*$/g", }, { "regex": "/^Action::s3:GetObject\\*$/g", }, { "regex": "/^Resource::/\\*\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Validation CodeBuild project requires access to the ArtifactsBucket and ability to create logs.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": { "Ref": "DefaultsSonarCodeScannerSonarQubeTokenD1898305", }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsSonarCodeScannerValidationProjectFAE7BAD0", }, "-*", ], ], }, }, { "Action": "codebuild:BatchGetBuilds", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "DefaultsCodePipelineBuildSynthCdkBuildProject81772484", "Arn", ], }, }, { "Action": "s3:GetObject*", "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/**", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsSonarCodeScannerValidationProjectRoleDefaultPolicyF147A45E", "Roles": [ { "Ref": "DefaultsSonarCodeScannerValidationProjectRole6AF1A9E5", }, ], }, "Type": "AWS::IAM::Policy", }, "DefaultsUpdatePipelineSelfMutationD1F1D812": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "DefaultsUpdatePipelineSelfMutationRole0C19159A", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "DefaultsUpdatePipelineSelfMutationRole0C19159A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "DefaultsUpdatePipelineSelfMutationRoleDefaultPolicyCE04D82F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "DefaultsUpdatePipelineSelfMutationD1F1D812", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "DefaultsArtifactsBucket267E29E1", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "DefaultsUpdatePipelineSelfMutationRoleDefaultPolicyCE04D82F", "Roles": [ { "Ref": "DefaultsUpdatePipelineSelfMutationRole0C19159A", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches - feature/new-feature_branch - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "featurenewfeaturebranchFeatureBranchesCodeRepositoryGRCUrl47F29C59": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://FeatureBranches", ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CodeRepositoryfeaturenewfeaturebranchFeatureBranchesCodePipeline8DEDC297featurenewfeaturebranchEventRuleC60909CC": { "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "feature/new-feature_branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codecommit:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":FeatureBranches", ], ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceD5422663": { "DeletionPolicy": "Delete", "DependsOn": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketPolicy6CC3B274", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketPolicy6CC3B274": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource676F453C": { "DeletionPolicy": "Delete", "DependsOn": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketPolicyE9AA1518", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketPolicyE9AA1518": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesAssetsFileRoleDefaultPolicyF4DEAA77": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesAssetsFileRoleDefaultPolicyF4DEAA77", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodeBuildActionRoleDefaultPolicy986C6D71": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodeBuildActionRoleDefaultPolicy986C6D71", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77": { "DependsOn": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B", "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "feature/new-feature_branch", "PollForSourceChanges": false, "RepositoryName": "FeatureBranches", }, "Name": "FeatureBranches", "OutputArtifacts": [ { "Name": "FeatureBranches_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7bf3917a8bbdb63d144a12066dfcb5d5ec707592fcca5d3671715100cd08d871"}]", "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, }, "InputArtifacts": [ { "Name": "FeatureBranches_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "feature-new-feature-branch-Stage-AppStack", "TemplateConfiguration": "Synth_Output::assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.template.json.config.json", "TemplatePath": "Synth_Output::assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "feature-new-feature-branch-Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "feature-new-feature-branch-Stage", }, ], "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "feature/new-feature_branch", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy9BFFDEBB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy9BFFDEBB", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRoleDefaultPolicyAC70ADDB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRoleDefaultPolicyAC70ADDB", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRoleDefaultPolicy5E4D4EC6": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codecommit:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":FeatureBranches", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRoleDefaultPolicy5E4D4EC6", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicyC0E09F45": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicyC0E09F45", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches - feature/new-feature_branch 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "featurenewfeaturebranchFeatureBranchesCodeRepositoryGRCUrl47F29C59": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://FeatureBranches", ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CodeRepositoryfeaturenewfeaturebranchFeatureBranchesCodePipeline8DEDC297featurenewfeaturebranchEventRuleC60909CC": { "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "feature/new-feature_branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codecommit:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":FeatureBranches", ], ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceD5422663": { "DeletionPolicy": "Delete", "DependsOn": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketPolicy6CC3B274", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesAccessLogsBucketPolicy6CC3B274": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource676F453C": { "DeletionPolicy": "Delete", "DependsOn": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketPolicyE9AA1518", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "featurenewfeaturebranchFeatureBranchesAccessLogsBucketA63A7172", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "featurenewfeaturebranchFeatureBranchesArtifactsBucketPolicyE9AA1518": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesAssetsFileRoleDefaultPolicyF4DEAA77": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesAssetsFileRoleDefaultPolicyF4DEAA77", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesAssetsFileRole0732610A", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodeBuildActionRoleDefaultPolicy986C6D71": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodeBuildActionRoleDefaultPolicy986C6D71", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77": { "DependsOn": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B", "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "feature/new-feature_branch", "PollForSourceChanges": false, "RepositoryName": "FeatureBranches", }, "Name": "FeatureBranches", "OutputArtifacts": [ { "Name": "FeatureBranches_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7bf3917a8bbdb63d144a12066dfcb5d5ec707592fcca5d3671715100cd08d871"}]", "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, }, "InputArtifacts": [ { "Name": "FeatureBranches_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "featurenewfeaturebranchFeatureBranchesAssetsFileAsset1BAAF74C5", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "feature-new-feature-branch-Stage-AppStack", "TemplateConfiguration": "Synth_Output::assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.template.json.config.json", "TemplatePath": "Synth_Output::assembly-feature-new-feature-branch-Stage/featurenewfeaturebranchStageAppStack9BC96CAD.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "feature-new-feature-branch-Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "feature-new-feature-branch-Stage", }, ], "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "feature/new-feature_branch", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy9BFFDEBB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectF14755B5", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy9BFFDEBB", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole64A47476", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRoleDefaultPolicyAC70ADDB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipeline1B736A77", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRoleDefaultPolicyAC70ADDB", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineEventsRole66EF5150", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesCodeBuildActionRole003FB4DB", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineRoleDefaultPolicy7E1D880B", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineRoleC185E2E1", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRoleDefaultPolicy5E4D4EC6": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codecommit:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":FeatureBranches", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRoleDefaultPolicy5E4D4EC6", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesCodePipelineSourceFeatureBranchesCodePipelineActionRole513AECAC", }, ], }, "Type": "AWS::IAM::Policy", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::CodeBuild::Project", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "Tags": [ { "Key": "FeatureBranch", "Value": "feature/new-feature_branch", }, { "Key": "RepoName", "Value": "FeatureBranches", }, ], }, "Type": "AWS::IAM::Role", }, "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicyC0E09F45": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutation637D36C5", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "featurenewfeaturebranchFeatureBranchesArtifactsBucketC4C9DA46", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicyC0E09F45", "Roles": [ { "Ref": "featurenewfeaturebranchFeatureBranchesUpdatePipelineSelfMutationRole19AEAC1E", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches - mainline - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "FeatureBranchesCodeRepositoryGRCUrlA78583F8": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAccessLogsBucket26F49982": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceCE3362D5": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesAccessLogsBucketPolicy10128DEF", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketPolicy10128DEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesArtifactsBucketAE5F1C21": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource54C6B193": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesArtifactsBucketPolicyBF161175", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketPolicyBF161175": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesAssetsFileAsset1F7F9D557": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileRoleCD61D8A8", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesAssetsFileRoleCD61D8A8": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238", "Roles": [ { "Ref": "FeatureBranchesAssetsFileRoleCD61D8A8", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodeBuildActionRole5632928F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileAsset1F7F9D557", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0", "Roles": [ { "Ref": "FeatureBranchesCodeBuildActionRole5632928F", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "mainline", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5", "Roles": [ { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineEC802A1B": { "DependsOn": [ "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "FeatureBranchesCodePipelineRole25A9A50B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, "OutputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7cb930276e2c624899dadc5cd557500f267ff825956ffae5529d532ebc7f659d"}]", "ProjectName": { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, }, "InputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "FeatureBranchesAssetsFileAsset1F7F9D557", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "FeatureBranchesCodePipelineEventsRole25B14D6E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25", "Roles": [ { "Ref": "FeatureBranchesCodePipelineEventsRole25B14D6E", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineRole25A9A50B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "Roles": [ { "Ref": "FeatureBranchesCodePipelineRole25A9A50B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43", "Roles": [ { "Ref": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference created event.", "EventPattern": { "detail": { "event": [ "referenceCreated", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchCreateTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch6324E6DC16417AC9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference deleted event.", "EventPattern": { "detail": { "event": [ "referenceDeleted", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchDestroyTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch9976B4E11308B9EB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryD5ABDB8F": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "FeatureBranches", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "FeatureBranchesCodeRepositoryFeatureBranchesCodePipelineE4C72340mainlineEventRule3D893216": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineEventsRole25B14D6E", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Build project to deploy feature branch pipelines", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", "Arn", ], }, "Source": { "BuildSpec": "version: "0.2" phases: install: commands: - npm install -g aws-cdk - yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile build: commands: - npx nx run-many --target=build --all - "cd " - npx cdk synth - npx cdk deploy --require-approval=never artifacts: files: - "**/*" ", "Location": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "CloneUrlHttp", ], }, "Type": "CODECOMMIT", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codecommit:GitPull", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "3dffd1223abe6a9d3f28ac0373433ddb0be9a7d7a446b101dfa131cce1904ca6.zip", }, "Environment": { "Variables": { "CODEBUILD_PROJECT": { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "MAIN_BRANCH": "mainline", }, }, "Handler": "create_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f590c9801399fa0d9348b320971d85367d58bf736ce2a832b8eddce2a34501a5.zip", }, "Environment": { "Variables": { "MAIN_BRANCH": "mainline", "REPO_NAME": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, }, "Handler": "destroy_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudformation:DeleteStack", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "FeatureBranch", "RepoName", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":stack/*/*", ], ], }, }, { "Action": "tag:GetResources", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesUpdatePipelineSelfMutation0C4FE793": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesUpdatePipelineSelfMutationRole9669379F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4", "Roles": [ { "Ref": "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches - mainline 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "FeatureBranchesCodeRepositoryGRCUrlA78583F8": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAccessLogsBucket26F49982": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceCE3362D5": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesAccessLogsBucketPolicy10128DEF", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketPolicy10128DEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesArtifactsBucketAE5F1C21": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource54C6B193": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesArtifactsBucketPolicyBF161175", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketPolicyBF161175": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesAssetsFileAsset1F7F9D557": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileRoleCD61D8A8", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesAssetsFileRoleCD61D8A8": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238", "Roles": [ { "Ref": "FeatureBranchesAssetsFileRoleCD61D8A8", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodeBuildActionRole5632928F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileAsset1F7F9D557", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0", "Roles": [ { "Ref": "FeatureBranchesCodeBuildActionRole5632928F", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "mainline", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5", "Roles": [ { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineEC802A1B": { "DependsOn": [ "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "FeatureBranchesCodePipelineRole25A9A50B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, "OutputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7cb930276e2c624899dadc5cd557500f267ff825956ffae5529d532ebc7f659d"}]", "ProjectName": { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, }, "InputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "FeatureBranchesAssetsFileAsset1F7F9D557", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "FeatureBranchesCodePipelineEventsRole25B14D6E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25", "Roles": [ { "Ref": "FeatureBranchesCodePipelineEventsRole25B14D6E", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineRole25A9A50B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "Roles": [ { "Ref": "FeatureBranchesCodePipelineRole25A9A50B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43", "Roles": [ { "Ref": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference created event.", "EventPattern": { "detail": { "event": [ "referenceCreated", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchCreateTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch6324E6DC16417AC9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference deleted event.", "EventPattern": { "detail": { "event": [ "referenceDeleted", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchDestroyTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch9976B4E11308B9EB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryD5ABDB8F": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "FeatureBranches", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "FeatureBranchesCodeRepositoryFeatureBranchesCodePipelineE4C72340mainlineEventRule3D893216": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineEventsRole25B14D6E", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Build project to deploy feature branch pipelines", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", "Arn", ], }, "Source": { "BuildSpec": "version: "0.2" phases: install: commands: - npm install -g aws-cdk - yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile build: commands: - npx nx run-many --target=build --all - "cd " - npx cdk synth - npx cdk deploy --require-approval=never artifacts: files: - "**/*" ", "Location": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "CloneUrlHttp", ], }, "Type": "CODECOMMIT", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codecommit:GitPull", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "3dffd1223abe6a9d3f28ac0373433ddb0be9a7d7a446b101dfa131cce1904ca6.zip", }, "Environment": { "Variables": { "CODEBUILD_PROJECT": { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "MAIN_BRANCH": "mainline", }, }, "Handler": "create_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f590c9801399fa0d9348b320971d85367d58bf736ce2a832b8eddce2a34501a5.zip", }, "Environment": { "Variables": { "MAIN_BRANCH": "mainline", "REPO_NAME": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, }, "Handler": "destroy_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudformation:DeleteStack", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "FeatureBranch", "RepoName", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":stack/*/*", ], ], }, }, { "Action": "tag:GetResources", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesUpdatePipelineSelfMutation0C4FE793": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesUpdatePipelineSelfMutationRole9669379F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4", "Roles": [ { "Ref": "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches - using AwsPrototyping NagPack 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "FeatureBranchesCodeRepositoryGRCUrlA78583F8": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAccessLogsBucket26F49982": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceCE3362D5": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesAccessLogsBucketPolicy10128DEF", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketPolicy10128DEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesArtifactsBucketAE5F1C21": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource54C6B193": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesArtifactsBucketPolicyBF161175", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketPolicyBF161175": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesAssetsFileAsset1F7F9D557": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileRoleCD61D8A8", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesAssetsFileRoleCD61D8A8": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238", "Roles": [ { "Ref": "FeatureBranchesAssetsFileRoleCD61D8A8", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodeBuildActionRole5632928F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileAsset1F7F9D557", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0", "Roles": [ { "Ref": "FeatureBranchesCodeBuildActionRole5632928F", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "mainline", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5", "Roles": [ { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineEC802A1B": { "DependsOn": [ "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "FeatureBranchesCodePipelineRole25A9A50B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, "OutputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7cb930276e2c624899dadc5cd557500f267ff825956ffae5529d532ebc7f659d"}]", "ProjectName": { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, }, "InputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "FeatureBranchesAssetsFileAsset1F7F9D557", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "FeatureBranchesCodePipelineEventsRole25B14D6E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25", "Roles": [ { "Ref": "FeatureBranchesCodePipelineEventsRole25B14D6E", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineRole25A9A50B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "Roles": [ { "Ref": "FeatureBranchesCodePipelineRole25A9A50B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43", "Roles": [ { "Ref": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference created event.", "EventPattern": { "detail": { "event": [ "referenceCreated", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchCreateTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch6324E6DC16417AC9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference deleted event.", "EventPattern": { "detail": { "event": [ "referenceDeleted", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchDestroyTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch9976B4E11308B9EB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryD5ABDB8F": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "FeatureBranches", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "FeatureBranchesCodeRepositoryFeatureBranchesCodePipelineE4C72340mainlineEventRule3D893216": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineEventsRole25B14D6E", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Build project to deploy feature branch pipelines", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", "Arn", ], }, "Source": { "BuildSpec": "version: "0.2" phases: install: commands: - npm install -g aws-cdk - yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile build: commands: - npx nx run-many --target=build --all - "cd " - npx cdk synth - npx cdk deploy --require-approval=never artifacts: files: - "**/*" ", "Location": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "CloneUrlHttp", ], }, "Type": "CODECOMMIT", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codecommit:GitPull", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "3dffd1223abe6a9d3f28ac0373433ddb0be9a7d7a446b101dfa131cce1904ca6.zip", }, "Environment": { "Variables": { "CODEBUILD_PROJECT": { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "MAIN_BRANCH": "mainline", }, }, "Handler": "create_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f590c9801399fa0d9348b320971d85367d58bf736ce2a832b8eddce2a34501a5.zip", }, "Environment": { "Variables": { "MAIN_BRANCH": "mainline", "REPO_NAME": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, }, "Handler": "destroy_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudformation:DeleteStack", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "FeatureBranch", "RepoName", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":stack/*/*", ], ], }, }, { "Action": "tag:GetResources", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesUpdatePipelineSelfMutation0C4FE793": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesUpdatePipelineSelfMutationRole9669379F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4", "Roles": [ { "Ref": "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `; exports[`PDK Pipeline Unit Tests Feature Branches 1`] = ` { "Mappings": { "DefaultCrNodeVersionMap": { "af-south-1": { "value": "nodejs16.x", }, "ap-east-1": { "value": "nodejs16.x", }, "ap-northeast-1": { "value": "nodejs16.x", }, "ap-northeast-2": { "value": "nodejs16.x", }, "ap-northeast-3": { "value": "nodejs16.x", }, "ap-south-1": { "value": "nodejs16.x", }, "ap-south-2": { "value": "nodejs16.x", }, "ap-southeast-1": { "value": "nodejs16.x", }, "ap-southeast-2": { "value": "nodejs16.x", }, "ap-southeast-3": { "value": "nodejs16.x", }, "ca-central-1": { "value": "nodejs16.x", }, "cn-north-1": { "value": "nodejs16.x", }, "cn-northwest-1": { "value": "nodejs16.x", }, "eu-central-1": { "value": "nodejs16.x", }, "eu-central-2": { "value": "nodejs16.x", }, "eu-north-1": { "value": "nodejs16.x", }, "eu-south-1": { "value": "nodejs16.x", }, "eu-south-2": { "value": "nodejs16.x", }, "eu-west-1": { "value": "nodejs16.x", }, "eu-west-2": { "value": "nodejs16.x", }, "eu-west-3": { "value": "nodejs16.x", }, "me-central-1": { "value": "nodejs16.x", }, "me-south-1": { "value": "nodejs16.x", }, "sa-east-1": { "value": "nodejs16.x", }, "us-east-1": { "value": "nodejs16.x", }, "us-east-2": { "value": "nodejs16.x", }, "us-gov-east-1": { "value": "nodejs16.x", }, "us-gov-west-1": { "value": "nodejs16.x", }, "us-iso-east-1": { "value": "nodejs14.x", }, "us-iso-west-1": { "value": "nodejs14.x", }, "us-isob-east-1": { "value": "nodejs14.x", }, "us-west-1": { "value": "nodejs16.x", }, "us-west-2": { "value": "nodejs16.x", }, }, }, "Outputs": { "FeatureBranchesCodeRepositoryGRCUrlA78583F8": { "Value": { "Fn::Join": [ "", [ "codecommit::", { "Ref": "AWS::Region", }, "://", { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, ], ], }, }, }, "Parameters": { "BootstrapVersion": { "Default": "/cdk-bootstrap/hnb659fds/version", "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]", "Type": "AWS::SSM::Parameter::Value", }, }, "Resources": { "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { "DependsOn": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", ], "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "350185a1069fa20a23a583e20c77f6844218bd73097902362dc94f1a108f5d89.zip", }, "Description": { "Fn::Join": [ "", [ "Lambda function for auto-deleting objects in ", { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, " S3 bucket.", ], ], }, "Handler": "__entrypoint__.handler", "MemorySize": 128, "Role": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, "Runtime": "nodejs16.x", "Timeout": 900, }, "Type": "AWS::Lambda::Function", }, "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Sub": "arn:\${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAccessLogsBucket26F49982": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "ObjectWriter", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketAutoDeleteObjectsCustomResourceCE3362D5": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesAccessLogsBucketPolicy10128DEF", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesAccessLogsBucketPolicy10128DEF": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "s3:PutObject", "Condition": { "ArnLike": { "aws:SourceArn": { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, }, "StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId", }, }, }, "Effect": "Allow", "Principal": { "Service": "logging.s3.amazonaws.com", }, "Resource": { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesAccessLogsBucket26F49982", "Arn", ], }, "/access-logs*", ], ], }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesArtifactsBucketAE5F1C21": { "DeletionPolicy": "Delete", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", }, }, ], }, "LoggingConfiguration": { "DestinationBucketName": { "Ref": "FeatureBranchesAccessLogsBucket26F49982", }, "LogFilePrefix": "access-logs", }, "OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerEnforced", }, ], }, "PublicAccessBlockConfiguration": { "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true, "RestrictPublicBuckets": true, }, "Tags": [ { "Key": "aws-cdk:auto-delete-objects", "Value": "true", }, ], }, "Type": "AWS::S3::Bucket", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketAutoDeleteObjectsCustomResource54C6B193": { "DeletionPolicy": "Delete", "DependsOn": [ "FeatureBranchesArtifactsBucketPolicyBF161175", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "BucketName": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "ServiceToken": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", "Arn", ], }, }, "Type": "Custom::S3AutoDeleteObjects", "UpdateReplacePolicy": "Delete", }, "FeatureBranchesArtifactsBucketPolicyBF161175": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Bucket": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "PolicyDocument": { "Statement": [ { "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": "false", }, }, "Effect": "Deny", "Principal": { "AWS": "*", }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", "Arn", ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, }, "Type": "AWS::S3::BucketPolicy", }, "FeatureBranchesAssetsFileAsset1F7F9D557": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Assets/FileAsset1", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileRoleCD61D8A8", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g cdk-assets@2" ] }, "build": { "commands": [ "cdk-assets --path \\"assembly-Stage/StageAppStack7618C9EF.assets.json\\" --verbose publish \\"43559360d7c264e7c786aba128df39186007c2ca4d04d8bcac25f871d521ed4a:current_account-current_region\\"" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesAssetsFileRoleCD61D8A8": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/*", ], ], }, }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/*", ], ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": "*", }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Sub": "arn:\${AWS::Partition}:iam::\${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-\${AWS::AccountId}-\${AWS::Region}", }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesAssetsFileRoleDefaultPolicy3527F238", "Roles": [ { "Ref": "FeatureBranchesAssetsFileRoleCD61D8A8", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodeBuildActionRole5632928F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", "Arn", ], }, }, { "Action": [ "codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesAssetsFileAsset1F7F9D557", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodeBuildActionRoleDefaultPolicy6F2B9AF0", "Roles": [ { "Ref": "FeatureBranchesCodeBuildActionRole5632928F", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/Build/Synth", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "EnvironmentVariables": [ { "Name": "BRANCH", "Type": "PLAINTEXT", "Value": "mainline", }, ], "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk", "yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile" ] }, "build": { "commands": [ "npx nx run-many --target=build --all" ] } }, "artifacts": { "secondary-artifacts": { "Synth_Output": { "base-directory": "cdk.out", "files": "**/*" }, "Synth__": { "base-directory": ".", "files": "**/*" } } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, "-*", ], ], }, }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRoleDefaultPolicy2A0E55F5", "Roles": [ { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProjectRole63DBFA18", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineEC802A1B": { "DependsOn": [ "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "FeatureBranchesCodePipelineRole25A9A50B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "ArtifactStore": { "Location": { "Ref": "FeatureBranchesArtifactsBucketAE5F1C21", }, "Type": "S3", }, "RestartExecutionOnUpdate": true, "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineRole25A9A50B", "Arn", ], }, "Stages": [ { "Actions": [ { "ActionTypeId": { "Category": "Source", "Owner": "AWS", "Provider": "CodeCommit", "Version": "1", }, "Configuration": { "BranchName": "mainline", "PollForSourceChanges": false, "RepositoryName": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, "Name": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, "OutputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Source", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"7cb930276e2c624899dadc5cd557500f267ff825956ffae5529d532ebc7f659d"}]", "ProjectName": { "Ref": "FeatureBranchesCodePipelineBuildSynthCdkBuildProject09632D29", }, }, "InputArtifacts": [ { "Name": "c8c8089eecde98d03bd22313f7aea14e30445074f9_Source", }, ], "Name": "Synth", "OutputArtifacts": [ { "Name": "Synth_Output", }, { "Name": "Synth__", }, ], "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Build", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "EnvironmentVariables": "[{"name":"_PROJECT_CONFIG_HASH","type":"PLAINTEXT","value":"e437283b833a76d1459ba3b9b11f0bf0f0c58fc4c9c6a130298f52e21508b79e"}]", "ProjectName": { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "SelfMutate", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "UpdatePipeline", }, { "Actions": [ { "ActionTypeId": { "Category": "Build", "Owner": "AWS", "Provider": "CodeBuild", "Version": "1", }, "Configuration": { "ProjectName": { "Ref": "FeatureBranchesAssetsFileAsset1F7F9D557", }, }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "FileAsset1", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, "RunOrder": 1, }, ], "Name": "Assets", }, { "Actions": [ { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_REPLACE", "Capabilities": "CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND", "ChangeSetName": "PipelineChange", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-cfn-exec-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "StackName": "Stage-AppStack", "TemplatePath": "Synth_Output::assembly-Stage/StageAppStack7618C9EF.template.json", }, "InputArtifacts": [ { "Name": "Synth_Output", }, ], "Name": "Prepare", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 1, }, { "ActionTypeId": { "Category": "Deploy", "Owner": "AWS", "Provider": "CloudFormation", "Version": "1", }, "Configuration": { "ActionMode": "CHANGE_SET_EXECUTE", "ChangeSetName": "PipelineChange", "StackName": "Stage-AppStack", }, "Name": "Deploy", "RoleArn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, "RunOrder": 2, }, ], "Name": "Stage", }, ], }, "Type": "AWS::CodePipeline::Pipeline", }, "FeatureBranchesCodePipelineEventsRole25B14D6E": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codepipeline:StartPipelineExecution", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineEventsRoleDefaultPolicy120BFB25", "Roles": [ { "Ref": "FeatureBranchesCodePipelineEventsRole25B14D6E", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineRole25A9A50B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codepipeline.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeBuildActionRole5632928F", "Arn", ], }, }, { "Action": "sts:AssumeRole", "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":role/cdk-hnb659fds-deploy-role-", { "Ref": "AWS::AccountId", }, "-", { "Ref": "AWS::Region", }, ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineRoleDefaultPolicy02B3A9F7", "Roles": [ { "Ref": "FeatureBranchesCodePipelineRole25A9A50B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging", "s3:Abort*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, { "Action": [ "codecommit:GetBranch", "codecommit:GetCommit", "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus", "codecommit:CancelUploadArchive", ], "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleDefaultPolicyBD26FC43", "Roles": [ { "Ref": "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesCodePipelineSourceCodeCommitCodePipelineActionRoleE3F1E37D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "AWS": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::", { "Ref": "AWS::AccountId", }, ":root", ], ], }, }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference created event.", "EventPattern": { "detail": { "event": [ "referenceCreated", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchCreateTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch6324E6DC16417AC9": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchCreateTrigger0DFB7CE7", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Description": "AWS CodeCommit reference deleted event.", "EventPattern": { "detail": { "event": [ "referenceDeleted", ], "referenceName": [ { "prefix": "", }, ], "referenceType": [ "branch", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Id": "Target0", }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesCodeRepositoryBranchDestroyTriggerAllowEventRuleFeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch9976B4E11308B9EB": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Action": "lambda:InvokeFunction", "FunctionName": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3", "Arn", ], }, "Principal": "events.amazonaws.com", "SourceArn": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryBranchDestroyTrigger71719207", "Arn", ], }, }, "Type": "AWS::Lambda::Permission", }, "FeatureBranchesCodeRepositoryD5ABDB8F": { "DeletionPolicy": "Retain", "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "RepositoryName": "FeatureBranches", }, "Type": "AWS::CodeCommit::Repository", "UpdateReplacePolicy": "Retain", }, "FeatureBranchesCodeRepositoryFeatureBranchesCodePipelineE4C72340mainlineEventRule3D893216": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "EventPattern": { "detail": { "event": [ "referenceCreated", "referenceUpdated", ], "referenceName": [ "mainline", ], }, "detail-type": [ "CodeCommit Repository State Change", ], "resources": [ { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, ], "source": [ "aws.codecommit", ], }, "State": "ENABLED", "Targets": [ { "Arn": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codepipeline:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":", { "Ref": "FeatureBranchesCodePipelineEC802A1B", }, ], ], }, "Id": "Target0", "RoleArn": { "Fn::GetAtt": [ "FeatureBranchesCodePipelineEventsRole25B14D6E", "Arn", ], }, }, ], }, "Type": "AWS::Events::Rule", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "NO_ARTIFACTS", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Build project to deploy feature branch pipelines", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", "Arn", ], }, "Source": { "BuildSpec": "version: "0.2" phases: install: commands: - npm install -g aws-cdk - yarn install --frozen-lockfile || npx projen && yarn install --frozen-lockfile build: commands: - npx nx run-many --target=build --all - "cd " - npx cdk synth - npx cdk deploy --require-approval=never artifacts: files: - "**/*" ", "Location": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "CloneUrlHttp", ], }, "Type": "CODECOMMIT", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "applies_to": [ "Action::codecommit:Get*", "Action::codecommit:List*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires get, list, and pull access to the CodeCommit repository.", }, { "applies_to": [ { "regex": "/^Resource::arn::codebuild:::report-group/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>-\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to create report groups that are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn::logs:::log-group:/aws/codebuild/<[a-zA-Z0-9]*CreateFeatureBranchProject.*>:\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to manage logs and streams whose names are dynamically determined.", }, { "applies_to": [ { "regex": "/^Resource::arn:\\*:iam:::role/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "CodeBuild requires access to assume a role from within the current account limited by a condition in order to deploy.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codecommit:GitPull", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Arn", ], }, }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRoleDefaultPolicyAD0C661D", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProjectRole4447D4AD", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranch322D891A": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "3dffd1223abe6a9d3f28ac0373433ddb0be9a7d7a446b101dfa131cce1904ca6.zip", }, "Environment": { "Variables": { "CODEBUILD_PROJECT": { "Ref": "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", }, "MAIN_BRANCH": "mainline", }, }, "Handler": "create_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "codebuild:StartBuild", "Effect": "Allow", "Resource": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesCreateFeatureBranchProject3679E880", "Arn", ], }, }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRoleDefaultPolicy2CC3795A", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerCreateBranchServiceRole6C035B41", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranch73D260A3": { "DependsOn": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", ], "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Code": { "S3Bucket": { "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}", }, "S3Key": "f590c9801399fa0d9348b320971d85367d58bf736ce2a832b8eddce2a34501a5.zip", }, "Environment": { "Variables": { "MAIN_BRANCH": "mainline", "REPO_NAME": { "Fn::GetAtt": [ "FeatureBranchesCodeRepositoryD5ABDB8F", "Name", ], }, }, }, "Handler": "destroy_branch.handler", "Role": { "Fn::GetAtt": [ "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", "Arn", ], }, "Runtime": "python3.10", }, "Type": "AWS::Lambda::Function", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com", }, }, ], "Version": "2012-10-17", }, "ManagedPolicyArns": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", ], ], }, ], }, "Type": "AWS::IAM::Role", }, "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsSolutions-IAM5", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Resource::arn::cloudformation:::stack/\\*/\\*$/g", }, ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to delete any stacks with specific tags.", }, { "applies_to": [ "Resource::*", ], "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "The DestroyBranch Lambda requires access to look up CloudFormation stacks by tag. The Resource Group Tagging API must use 'Resource': '*'.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsSolutions-IAM4", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "applies_to": [ { "regex": "/^Policy::arn::iam::aws:policy/service-role/AWSLambdaBasicExecutionRole$/g", }, ], "id": "AwsPrototyping-IAMNoManagedPolicies", "reason": "Lambda functions use the default AWS LambdaBasicExecutionRole managed role.", }, { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": "cloudformation:DeleteStack", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "FeatureBranch", "RepoName", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":cloudformation:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":stack/*/*", ], ], }, }, { "Action": "tag:GetResources", "Effect": "Allow", "Resource": "*", }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRoleDefaultPolicy273B724B", "Roles": [ { "Ref": "FeatureBranchesFeatureBranchPipelinesLambdaTriggerDestroyBranchServiceRole81FC6B0B", }, ], }, "Type": "AWS::IAM::Policy", }, "FeatureBranchesUpdatePipelineSelfMutation0C4FE793": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "Artifacts": { "Type": "CODEPIPELINE", }, "Cache": { "Type": "NO_CACHE", }, "Description": "Pipeline step Default/CodePipeline/UpdatePipeline/SelfMutate", "EncryptionKey": "alias/aws/s3", "Environment": { "ComputeType": "BUILD_GENERAL1_SMALL", "Image": "aws/codebuild/standard:6.0", "ImagePullCredentialsType": "CODEBUILD", "PrivilegedMode": false, "Type": "LINUX_CONTAINER", }, "ServiceRole": { "Fn::GetAtt": [ "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", "Arn", ], }, "Source": { "BuildSpec": "{ "version": "0.2", "phases": { "install": { "commands": [ "npm install -g aws-cdk@2" ] }, "build": { "commands": [ "cdk -a . deploy Default --require-approval=never --verbose" ] } } }", "Type": "CODEPIPELINE", }, }, "Type": "AWS::CodeBuild::Project", }, "FeatureBranchesUpdatePipelineSelfMutationRole9669379F": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "codebuild.amazonaws.com", }, }, ], "Version": "2012-10-17", }, }, "Type": "AWS::IAM::Role", }, "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4": { "Metadata": { "cdk_nag": { "rules_to_suppress": [ { "id": "AwsSolutions-IAM5", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsPrototyping-IAMNoWildcardPermissions", "reason": "Wildcards are needed for dynamically created resources.", }, { "id": "AwsSolutions-CB4", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts", "reason": "Encryption of Codebuild is not required.", }, { "id": "AwsSolutions-S1", "reason": "Access Log buckets should not have s3 bucket logging", }, { "id": "AwsPrototyping-S3BucketLoggingEnabled", "reason": "Access Log buckets should not have s3 bucket logging", }, ], }, }, "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", ], "Effect": "Allow", "Resource": [ { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ], ], }, { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":logs:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":log-group:/aws/codebuild/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, ":*", ], ], }, ], }, { "Action": [ "codebuild:CreateReportGroup", "codebuild:CreateReport", "codebuild:UpdateReport", "codebuild:BatchPutTestCases", "codebuild:BatchPutCodeCoverages", ], "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition", }, ":codebuild:", { "Ref": "AWS::Region", }, ":", { "Ref": "AWS::AccountId", }, ":report-group/", { "Ref": "FeatureBranchesUpdatePipelineSelfMutation0C4FE793", }, "-*", ], ], }, }, { "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:StringEquals": { "iam:ResourceTag/aws-cdk:bootstrap-role": [ "image-publishing", "file-publishing", "deploy", ], }, }, "Effect": "Allow", "Resource": { "Fn::Join": [ "", [ "arn:*:iam::", { "Ref": "AWS::AccountId", }, ":role/*", ], ], }, }, { "Action": "cloudformation:DescribeStacks", "Effect": "Allow", "Resource": "*", }, { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": "*", }, { "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*", ], "Effect": "Allow", "Resource": [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, { "Fn::Join": [ "", [ { "Fn::GetAtt": [ "FeatureBranchesArtifactsBucketAE5F1C21", "Arn", ], }, "/*", ], ], }, ], }, ], "Version": "2012-10-17", }, "PolicyName": "FeatureBranchesUpdatePipelineSelfMutationRoleDefaultPolicy2C1692D4", "Roles": [ { "Ref": "FeatureBranchesUpdatePipelineSelfMutationRole9669379F", }, ], }, "Type": "AWS::IAM::Policy", }, }, "Rules": { "CheckBootstrapVersion": { "Assertions": [ { "Assert": { "Fn::Not": [ { "Fn::Contains": [ [ "1", "2", "3", "4", "5", ], { "Ref": "BootstrapVersion", }, ], }, ], }, "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.", }, ], }, }, } `;