feat(codepipeline): support environment variables for actions #35741
Conversation
github-actions
bot
added
the
distinguished-contributor
| /** | ||
| * The environment variables for the action. | ||
| * | ||
| * @default - no environment variables | ||
| */ | ||
| readonly actionEnvironmentVariables?: EnvironmentVariable[]; |
There was a problem hiding this comment.
Avoided the name environmentVariables because CodeBuildActionProps that extends codepipeline.CommonAwsActionProps and this CommonActionProps has already used a property with the same name and an error occurs if the name is used in this props.
| // Don't use `grantRead` method for the secret because `secretsmanager:DescribeSecret` is not required. | ||
| // See https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html#action-reference-Commands-envvars | ||
| options.role.addToPrincipalPolicy(new iam.PolicyStatement({ | ||
| actions: ['secretsmanager:GetSecretValue'], | ||
| resources: [secretArn], | ||
| })); |
There was a problem hiding this comment.
To use the SecretsManager, you must add the following permissions to your pipeline service role:
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"SECRET_ARN"
]
}
| /** | ||
| * Bind the environment variable to the action. | ||
| * @internal | ||
| */ | ||
| public abstract _bind(scope: Construct, actionProperties: ActionProperties, options: ActionBindOptions): void; |
There was a problem hiding this comment.
Originally, this abstract method was not made, but the concrete bind method was only created for SecretsManagerEnvironmentVariable. However, considering that support for PARAMETER_STORE may be added in the future, such as the one for CodeBuild, it is better to create the abstract method, so I did it this way. Otherwise, it would be necessary to implement the bind calling as follows. If more types are added in the future, the code will become even more complicated.
envVars?.forEach(envVar => {
if (envVar instanceof SecretsManagerEnvironmentVariable || envVar instanceof ParameterStoreEnvironmentVariable) {
envVar._bind(scope, this.actionProperties, options);
}
});Now we can write like:
envVars?.forEach(envVar => {
envVar._bind(scope, this.actionProperties, options);
});
go-to-k
changed the title
go-to-k
changed the title
aws-cdk-automation
added
the
pr/needs-community-review
2 participants
Issue # (if applicable)
N/A
Reason for this change
CodePipeline supports the Environment Variables in actions, but L2 Pipeline with actions doesn't support it.
SECRETS_MANAGERtype is only supported for the Commands action.Description of changes
Added
EnvironmentVariablewithPlaintextEnvironmentVariableandSecretsManagerEnvironmentVariable.Describe any new or updated permissions being added
Description of how you validated changes
Both unit tests and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license