1 | ;
|
2 | var _a;
|
3 | Object.defineProperty(exports, "__esModule", { value: true });
|
4 | exports.UntrustedCodeBoundaryPolicy = void 0;
|
5 | const jsiiDeprecationWarnings = require("../.warnings.jsii.js");
|
6 | const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
|
7 | const iam = require("@aws-cdk/aws-iam");
|
8 | /**
|
9 | * Permissions Boundary for a CodeBuild Project running untrusted code
|
10 | *
|
11 | * This class is a Policy, intended to be used as a Permissions Boundary
|
12 | * for a CodeBuild project. It allows most of the actions necessary to run
|
13 | * the CodeBuild project, but disallows reading from Parameter Store
|
14 | * and Secrets Manager.
|
15 | *
|
16 | * Use this when your CodeBuild project is running untrusted code (for
|
17 | * example, if you are using one to automatically build Pull Requests
|
18 | * that anyone can submit), and you want to prevent your future self
|
19 | * from accidentally exposing Secrets to this build.
|
20 | *
|
21 | * (The reason you might want to do this is because otherwise anyone
|
22 | * who can submit a Pull Request to your project can write a script
|
23 | * to email those secrets to themselves).
|
24 | *
|
25 | * @example
|
26 | *
|
27 | * declare const project: codebuild.Project;
|
28 | * iam.PermissionsBoundary.of(project).apply(new codebuild.UntrustedCodeBoundaryPolicy(this, 'Boundary'));
|
29 | */
|
30 | class UntrustedCodeBoundaryPolicy extends iam.ManagedPolicy {
|
31 | constructor(scope, id, props = {}) {
|
32 | super(scope, id, {
|
33 | managedPolicyName: props.managedPolicyName,
|
34 | description: 'Permissions Boundary Policy for CodeBuild Projects running untrusted code',
|
35 | statements: [
|
36 | new iam.PolicyStatement({
|
37 | actions: [
|
38 | // For logging
|
39 | 'logs:CreateLogGroup',
|
40 | 'logs:CreateLogStream',
|
41 | 'logs:PutLogEvents',
|
42 | // For test reports
|
43 | 'codebuild:CreateReportGroup',
|
44 | 'codebuild:CreateReport',
|
45 | 'codebuild:UpdateReport',
|
46 | 'codebuild:BatchPutTestCases',
|
47 | 'codebuild:BatchPutCodeCoverages',
|
48 | // For batch builds
|
49 | 'codebuild:StartBuild',
|
50 | 'codebuild:StopBuild',
|
51 | 'codebuild:RetryBuild',
|
52 | // For pulling ECR images
|
53 | 'ecr:GetDownloadUrlForLayer',
|
54 | 'ecr:BatchGetImage',
|
55 | 'ecr:BatchCheckLayerAvailability',
|
56 | // For running in a VPC
|
57 | 'ec2:CreateNetworkInterfacePermission',
|
58 | 'ec2:CreateNetworkInterface',
|
59 | 'ec2:DescribeNetworkInterfaces',
|
60 | 'ec2:DeleteNetworkInterface',
|
61 | 'ec2:DescribeSubnets',
|
62 | 'ec2:DescribeSecurityGroups',
|
63 | 'ec2:DescribeDhcpOptions',
|
64 | 'ec2:DescribeVpcs',
|
65 | ],
|
66 | resources: ['*'],
|
67 | }),
|
68 | ...props.additionalStatements ?? [],
|
69 | ],
|
70 | });
|
71 | try {
|
72 | jsiiDeprecationWarnings._aws_cdk_aws_codebuild_UntrustedCodeBoundaryPolicyProps(props);
|
73 | }
|
74 | catch (error) {
|
75 | if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
|
76 | Error.captureStackTrace(error, UntrustedCodeBoundaryPolicy);
|
77 | }
|
78 | throw error;
|
79 | }
|
80 | }
|
81 | }
|
82 | exports.UntrustedCodeBoundaryPolicy = UntrustedCodeBoundaryPolicy;
|
83 | _a = JSII_RTTI_SYMBOL_1;
|
84 | UntrustedCodeBoundaryPolicy[_a] = { fqn: "@aws-cdk/aws-codebuild.UntrustedCodeBoundaryPolicy", version: "1.181.1" };
|
85 | //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidW50cnVzdGVkLWNvZGUtYm91bmRhcnktcG9saWN5LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsidW50cnVzdGVkLWNvZGUtYm91bmRhcnktcG9saWN5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7OztBQUFBLHdDQUF3QztBQXNCeEM7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQXFCRztBQUNILE1BQWEsMkJBQTRCLFNBQVEsR0FBRyxDQUFDLGFBQWE7SUFDaEUsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxRQUEwQyxFQUFFO1FBQ3BGLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxFQUFFO1lBQ2YsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLGlCQUFpQjtZQUMxQyxXQUFXLEVBQUUsMkVBQTJFO1lBQ3hGLFVBQVUsRUFBRTtnQkFDVixJQUFJLEdBQUcsQ0FBQyxlQUFlLENBQUM7b0JBQ3RCLE9BQU8sRUFBRTt3QkFDUCxjQUFjO3dCQUNkLHFCQUFxQjt3QkFDckIsc0JBQXNCO3dCQUN0QixtQkFBbUI7d0JBRW5CLG1CQUFtQjt3QkFDbkIsNkJBQTZCO3dCQUM3Qix3QkFBd0I7d0JBQ3hCLHdCQUF3Qjt3QkFDeEIsNkJBQTZCO3dCQUM3QixpQ0FBaUM7d0JBRWpDLG1CQUFtQjt3QkFDbkIsc0JBQXNCO3dCQUN0QixxQkFBcUI7d0JBQ3JCLHNCQUFzQjt3QkFFdEIseUJBQXlCO3dCQUN6Qiw0QkFBNEI7d0JBQzVCLG1CQUFtQjt3QkFDbkIsaUNBQWlDO3dCQUVqQyx1QkFBdUI7d0JBQ3ZCLHNDQUFzQzt3QkFDdEMsNEJBQTRCO3dCQUM1QiwrQkFBK0I7d0JBQy9CLDRCQUE0Qjt3QkFDNUIscUJBQXFCO3dCQUNyQiw0QkFBNEI7d0JBQzVCLHlCQUF5Qjt3QkFDekIsa0JBQWtCO3FCQUtuQjtvQkFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7aUJBQ2pCLENBQUM7Z0JBQ0YsR0FBRyxLQUFLLENBQUMsb0JBQW9CLElBQUksRUFBRTthQUNwQztTQUNGLENBQUMsQ0FBQzs7Ozs7OytDQWhETSwyQkFBMkI7Ozs7S0FpRHJDOztBQWpESCxrRUFrREMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgKiBhcyBpYW0gZnJvbSAnQGF3cy1jZGsvYXdzLWlhbSc7XG5pbXBvcnQgeyBDb25zdHJ1Y3QgfSBmcm9tICdjb25zdHJ1Y3RzJztcblxuLyoqXG4gKiBDb25zdHJ1Y3Rpb24gcHJvcGVydGllcyBmb3IgVW50cnVzdGVkQ29kZUJvdW5kYXJ5UG9saWN5XG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgVW50cnVzdGVkQ29kZUJvdW5kYXJ5UG9saWN5UHJvcHMge1xuICAvKipcbiAgICogVGhlIG5hbWUgb2YgdGhlIG1hbmFnZWQgcG9saWN5LlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIEEgbmFtZSBpcyBhdXRvbWF0aWNhbGx5IGdlbmVyYXRlZC5cbiAgICovXG4gIHJlYWRvbmx5IG1hbmFnZWRQb2xpY3lOYW1lPzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBBZGRpdGlvbmFsIHN0YXRlbWVudHMgdG8gYWRkIHRvIHRoZSBkZWZhdWx0IHNldCBvZiBzdGF0ZW1lbnRzXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gTm8gYWRkaXRpb25hbCBzdGF0ZW1lbnRzXG4gICAqL1xuICByZWFkb25seSBhZGRpdGlvbmFsU3RhdGVtZW50cz86IGlhbS5Qb2xpY3lTdGF0ZW1lbnRbXTtcbn1cblxuLyoqXG4gKiBQZXJtaXNzaW9ucyBCb3VuZGFyeSBmb3IgYSBDb2RlQnVpbGQgUHJvamVjdCBydW5uaW5nIHVudHJ1c3RlZCBjb2RlXG4gKlxuICogVGhpcyBjbGFzcyBpcyBhIFBvbGljeSwgaW50ZW5kZWQgdG8gYmUgdXNlZCBhcyBhIFBlcm1pc3Npb25zIEJvdW5kYXJ5XG4gKiBmb3IgYSBDb2RlQnVpbGQgcHJvamVjdC4gSXQgYWxsb3dzIG1vc3Qgb2YgdGhlIGFjdGlvbnMgbmVjZXNzYXJ5IHRvIHJ1blxuICogdGhlIENvZGVCdWlsZCBwcm9qZWN0LCBidXQgZGlzYWxsb3dzIHJlYWRpbmcgZnJvbSBQYXJhbWV0ZXIgU3RvcmVcbiAqIGFuZCBTZWNyZXRzIE1hbmFnZXIuXG4gKlxuICogVXNlIHRoaXMgd2hlbiB5b3VyIENvZGVCdWlsZCBwcm9qZWN0IGlzIHJ1bm5pbmcgdW50cnVzdGVkIGNvZGUgKGZvclxuICogZXhhbXBsZSwgaWYgeW91IGFyZSB1c2luZyBvbmUgdG8gYXV0b21hdGljYWxseSBidWlsZCBQdWxsIFJlcXVlc3RzXG4gKiB0aGF0IGFueW9uZSBjYW4gc3VibWl0KSwgYW5kIHlvdSB3YW50IHRvIHByZXZlbnQgeW91ciBmdXR1cmUgc2VsZlxuICogZnJvbSBhY2NpZGVudGFsbHkgZXhwb3NpbmcgU2VjcmV0cyB0byB0aGlzIGJ1aWxkLlxuICpcbiAqIChUaGUgcmVhc29uIHlvdSBtaWdodCB3YW50IHRvIGRvIHRoaXMgaXMgYmVjYXVzZSBvdGhlcndpc2UgYW55b25lXG4gKiB3aG8gY2FuIHN1Ym1pdCBhIFB1bGwgUmVxdWVzdCB0byB5b3VyIHByb2plY3QgY2FuIHdyaXRlIGEgc2NyaXB0XG4gKiB0byBlbWFpbCB0aG9zZSBzZWNyZXRzIHRvIHRoZW1zZWx2ZXMpLlxuICpcbiAqIEBleGFtcGxlXG4gKlxuICogZGVjbGFyZSBjb25zdCBwcm9qZWN0OiBjb2RlYnVpbGQuUHJvamVjdDtcbiAqIGlhbS5QZXJtaXNzaW9uc0JvdW5kYXJ5Lm9mKHByb2plY3QpLmFwcGx5KG5ldyBjb2RlYnVpbGQuVW50cnVzdGVkQ29kZUJvdW5kYXJ5UG9saWN5KHRoaXMsICdCb3VuZGFyeScpKTtcbiAqL1xuZXhwb3J0IGNsYXNzIFVudHJ1c3RlZENvZGVCb3VuZGFyeVBvbGljeSBleHRlbmRzIGlhbS5NYW5hZ2VkUG9saWN5IHtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IFVudHJ1c3RlZENvZGVCb3VuZGFyeVBvbGljeVByb3BzID0ge30pIHtcbiAgICBzdXBlcihzY29wZSwgaWQsIHtcbiAgICAgIG1hbmFnZWRQb2xpY3lOYW1lOiBwcm9wcy5tYW5hZ2VkUG9saWN5TmFtZSxcbiAgICAgIGRlc2NyaXB0aW9uOiAnUGVybWlzc2lvbnMgQm91bmRhcnkgUG9saWN5IGZvciBDb2RlQnVpbGQgUHJvamVjdHMgcnVubmluZyB1bnRydXN0ZWQgY29kZScsXG4gICAgICBzdGF0ZW1lbnRzOiBbXG4gICAgICAgIG5ldyBpYW0uUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgICAvLyBGb3IgbG9nZ2luZ1xuICAgICAgICAgICAgJ2xvZ3M6Q3JlYXRlTG9nR3JvdXAnLFxuICAgICAgICAgICAgJ2xvZ3M6Q3JlYXRlTG9nU3RyZWFtJyxcbiAgICAgICAgICAgICdsb2dzOlB1dExvZ0V2ZW50cycsXG5cbiAgICAgICAgICAgIC8vIEZvciB0ZXN0IHJlcG9ydHNcbiAgICAgICAgICAgICdjb2RlYnVpbGQ6Q3JlYXRlUmVwb3J0R3JvdXAnLFxuICAgICAgICAgICAgJ2NvZGVidWlsZDpDcmVhdGVSZXBvcnQnLFxuICAgICAgICAgICAgJ2NvZGVidWlsZDpVcGRhdGVSZXBvcnQnLFxuICAgICAgICAgICAgJ2NvZGVidWlsZDpCYXRjaFB1dFRlc3RDYXNlcycsXG4gICAgICAgICAgICAnY29kZWJ1aWxkOkJhdGNoUHV0Q29kZUNvdmVyYWdlcycsXG5cbiAgICAgICAgICAgIC8vIEZvciBiYXRjaCBidWlsZHNcbiAgICAgICAgICAgICdjb2RlYnVpbGQ6U3RhcnRCdWlsZCcsXG4gICAgICAgICAgICAnY29kZWJ1aWxkOlN0b3BCdWlsZCcsXG4gICAgICAgICAgICAnY29kZWJ1aWxkOlJldHJ5QnVpbGQnLFxuXG4gICAgICAgICAgICAvLyBGb3IgcHVsbGluZyBFQ1IgaW1hZ2VzXG4gICAgICAgICAgICAnZWNyOkdldERvd25sb2FkVXJsRm9yTGF5ZXInLFxuICAgICAgICAgICAgJ2VjcjpCYXRjaEdldEltYWdlJyxcbiAgICAgICAgICAgICdlY3I6QmF0Y2hDaGVja0xheWVyQXZhaWxhYmlsaXR5JyxcblxuICAgICAgICAgICAgLy8gRm9yIHJ1bm5pbmcgaW4gYSBWUENcbiAgICAgICAgICAgICdlYzI6Q3JlYXRlTmV0d29ya0ludGVyZmFjZVBlcm1pc3Npb24nLFxuICAgICAgICAgICAgJ2VjMjpDcmVhdGVOZXR3b3JrSW50ZXJmYWNlJyxcbiAgICAgICAgICAgICdlYzI6RGVzY3JpYmVOZXR3b3JrSW50ZXJmYWNlcycsXG4gICAgICAgICAgICAnZWMyOkRlbGV0ZU5ldHdvcmtJbnRlcmZhY2UnLFxuICAgICAgICAgICAgJ2VjMjpEZXNjcmliZVN1Ym5ldHMnLFxuICAgICAgICAgICAgJ2VjMjpEZXNjcmliZVNlY3VyaXR5R3JvdXBzJyxcbiAgICAgICAgICAgICdlYzI6RGVzY3JpYmVEaGNwT3B0aW9ucycsXG4gICAgICAgICAgICAnZWMyOkRlc2NyaWJlVnBjcycsXG5cbiAgICAgICAgICAgIC8vIE5PVEFCTFkgTUlTU0lORzpcbiAgICAgICAgICAgIC8vIC0gUmVhZGluZyBzZWNyZXRzXG4gICAgICAgICAgICAvLyAtIFJlYWRpbmcgcGFyYW1ldGVyc3RvcmVcbiAgICAgICAgICBdLFxuICAgICAgICAgIHJlc291cmNlczogWycqJ10sXG4gICAgICAgIH0pLFxuICAgICAgICAuLi5wcm9wcy5hZGRpdGlvbmFsU3RhdGVtZW50cyA/PyBbXSxcbiAgICAgIF0sXG4gICAgfSk7XG4gIH1cbn0iXX0= |
\ | No newline at end of file |