fix(pipelines): 'ConfirmPermissionsBroadening' uses wrong node version (#20861)

rix0rrr · MrArnoldPalmer · commit 47b5ca06c50a · 2022-06-24T13:04:12.000-07:00
The CodeBuild Project that is used when the `ConfirmPermissionsBroadening`
feature is enabled does not have a CodeBuild image specified. This
makes it use the `standard:2.0` image by default, which is AL2-based
and comes with Node 12. CDK tooling now requires Node 14 to run.

Make it use the `standard:5.0` image like all other CodeBuild projects,
which contains Node 14.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts b/packages/@aws-cdk/pipelines/lib/private/application-security-check.ts
@@ -99,6 +99,9 @@ export class ApplicationSecurityCheck extends Construct {
       ` --message "${message.join('\n')}"`;
 
     this.cdkDiffProject = new codebuild.Project(this, 'CDKSecurityCheck', {
+      environment: {
+        buildImage: codebuild.LinuxBuildImage.STANDARD_5_0,
+      },
       buildSpec: codebuild.BuildSpec.fromObject({
         version: 0.2,
         phases: {
diff --git a/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts b/packages/@aws-cdk/pipelines/test/compliance/security-check.test.ts
@@ -40,8 +40,9 @@ behavior('security check option generates lambda/codebuild at pipeline scope', (
   });
 
   function THEN_codePipelineExpectation() {
-    Template.fromStack(pipelineStack).resourceCountIs('AWS::Lambda::Function', 1);
-    Template.fromStack(pipelineStack).hasResourceProperties('AWS::Lambda::Function', {
+    const template = Template.fromStack(pipelineStack);
+    template.resourceCountIs('AWS::Lambda::Function', 1);
+    template.hasResourceProperties('AWS::Lambda::Function', {
       Role: {
         'Fn::GetAtt': [
           stringLike('CdkPipeline*SecurityCheckCDKPipelinesAutoApproveServiceRole*'),
@@ -50,7 +51,17 @@ behavior('security check option generates lambda/codebuild at pipeline scope', (
       },
     });
     // 1 for github build, 1 for synth stage, and 1 for the application security check
-    Template.fromStack(pipelineStack).resourceCountIs('AWS::CodeBuild::Project', 3);
+    template.resourceCountIs('AWS::CodeBuild::Project', 3);
+
+    // No CodeBuild project has a build image that is not standard:5.0
+    const projects = template.findResources('AWS::CodeBuild::Project', {
+      Properties: {
+        Environment: {
+          Image: 'aws/codebuild/standard:5.0',
+        },
+      },
+    });
+    expect(Object.keys(projects).length).toEqual(3);
   }
 });
 
diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.assets.json
@@ -27,15 +27,15 @@
         }
       }
     },
-    "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f": {
+    "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115": {
       "source": {
         "path": "PipelineSecurityStack.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json",
+          "objectKey": "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/PipelineSecurityStack.template.json
@@ -2603,7 +2603,7 @@
     },
     "Environment": {
      "ComputeType": "BUILD_GENERAL1_SMALL",
-     "Image": "aws/codebuild/standard:1.0",
+     "Image": "aws/codebuild/standard:5.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
      "Type": "LINUX_CONTAINER"
@@ -2947,7 +2947,7 @@
     },
     "Environment": {
      "ComputeType": "BUILD_GENERAL1_SMALL",
-     "Image": "aws/codebuild/standard:1.0",
+     "Image": "aws/codebuild/standard:5.0",
      "ImagePullCredentialsType": "CODEBUILD",
      "PrivilegedMode": false,
      "Type": "LINUX_CONTAINER"
diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/manifest.json
@@ -65,7 +65,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
diff --git a/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json b/packages/@aws-cdk/pipelines/test/pipeline-security.integ.snapshot/tree.json
@@ -268,7 +268,7 @@
                         "attributes": {
                           "aws:cdk:cloudformation:type": "AWS::KMS::Alias",
                           "aws:cdk:cloudformation:props": {
-                            "aliasName": "alias/codepipeline-pipelinesecuritystacktestpipelinef7060861",
+                            "aliasName": "alias/codepipeline-pipelinesecuritystack-testpipeline-f7060861",
                             "targetKeyId": {
                               "Fn::GetAtt": [
                                 "TestPipelineArtifactsBucketEncryptionKey13258842",
@@ -3519,7 +3519,7 @@
                             },
                             "environment": {
                               "type": "LINUX_CONTAINER",
-                              "image": "aws/codebuild/standard:1.0",
+                              "image": "aws/codebuild/standard:5.0",
                               "imagePullCredentialsType": "CODEBUILD",
                               "privilegedMode": false,
                               "computeType": "BUILD_GENERAL1_SMALL"
@@ -4065,7 +4065,7 @@
                             },
                             "environment": {
                               "type": "LINUX_CONTAINER",
-                              "image": "aws/codebuild/standard:1.0",
+                              "image": "aws/codebuild/standard:5.0",
                               "imagePullCredentialsType": "CODEBUILD",
                               "privilegedMode": false,
                               "computeType": "BUILD_GENERAL1_SMALL"

Original file line number	Diff line number	Diff line change
`@@ -27,15 +27,15 @@`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`	`},`
`30`		`- "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f": {`
	`30`	`+ "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115": {`
`31`	`31`	`"source": {`
`32`	`32`	`"path": "PipelineSecurityStack.template.json",`
`33`	`33`	`"packaging": "file"`
`34`	`34`	`},`
`35`	`35`	`"destinations": {`
`36`	`36`	`"current_account-current_region": {`
`37`	`37`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`38`		`- "objectKey": "89f6e045568a0cd52d21d8215bb87ce0d05485ee8c757b0eb4ac080ddc9f1d6f.json",`
	`38`	`+ "objectKey": "7f17b1fbdb3783f2f992a94602a37c674f58741617a65f348b43ba1a7637a115.json",`
`39`	`39`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`40`	`40`	`}`
`41`	`41`	`}`