Merge pull request #5 from taoyong-ty/main

Add Compute-Actions logs permissions to CodePipelineDefaultPolicy

Author: ZoeSang

templates/cloudformation/ci-build-gradle.yaml

@@ -300,6 +300,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-build-maven.yaml

@@ -300,6 +300,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-build-nodejs.yaml

@@ -306,6 +306,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-build-python.yaml

@@ -303,6 +303,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-schedule-build-gradle.yaml

@@ -362,6 +362,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-schedule-build-maven.yaml

@@ -362,6 +362,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-schedule-build-nodejs.yaml

@@ -368,6 +368,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/ci-schedule-build-python.yaml

@@ -365,6 +365,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/deploy-to-cfn.yaml

@@ -313,6 +313,18 @@ Resources:
               - /
               - - !GetAtt CodePipelineArtifactsBucket.Arn
                 - '*'
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CloudFormationDefaultPolicy
       Roles:

templates/cloudformation/deploy-to-ecr.yaml

@@ -358,6 +358,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

templates/cloudformation/deploy-to-ecs-fargate.yaml

@@ -759,6 +759,18 @@ Resources:
                 - ''
                 - - !GetAtt CodePipelineArtifactsBucket.Arn
                   - /*
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDeployActionRoleDefaultPolicy
       Roles: