Merge pull request #64 from SoManyHs/fix-arn

fix: change resource policy to use ARN
awslabs · Mar 30, 2021 · b7fe1e6 · b7fe1e6
2 parents e908865 + 31d78a8
commit b7fe1e6
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 47 deletions.
diff --git a/infra/README.md b/infra/README.md
@@ -19,6 +19,8 @@ aws secretsmanager create-secret --region us-west-2 --name EcsDevXGitHubToken --
 
 ## Deploy
 
+Any changes to `pipeline.ts` will require a re-compilation and re-deploy.
+
 To deploy this pipeline, install the AWS CDK CLI: `npm i -g aws-cdk`
 
 Install and build everything: `npm install && npm run build`
@@ -31,3 +33,5 @@ cdk deploy --app 'node pipeline.js'
 ```
 
 See the pipelines in the CodePipeline console.
+
+**NOTE**: Any changes to `pipeline.ts` will require the stack to be re-build wiht `npm run build` and redeployed with `cdk deploy --app 'node pipeline.js'`
diff --git a/infra/package-lock.json b/infra/package-lock.json
diff --git a/infra/pipeline.ts b/infra/pipeline.ts
@@ -80,31 +80,21 @@ class EcsLocalContainerEndpointsImagePipeline extends cdk.Stack {
       });
 
       buildProject.addToRolePolicy(new iam.PolicyStatement({
-        actions: ["ecr:GetAuthorizationToken",
-          "ecr:BatchCheckLayerAvailability",
-          "ecr:GetDownloadUrlForLayer",
-          "ecr:GetRepositoryPolicy",
-          "ecr:DescribeRepositories",
-          "ecr:ListImages",
-          "ecr:DescribeImages",
-          "ecr:BatchGetImage",
-          "ecr:InitiateLayerUpload",
-          "ecr:UploadLayerPart",
-          "ecr:CompleteLayerUpload",
-          "ecr:PutImage",
-          "ecr-public:*",
+        actions: [
           "secretsmanager:GetSecretValue",
           "sts:GetServiceBearerToken",
           "sts:AssumeRole",
         ],
-        resources: ["*"]
+        resources: [`arn:aws:secretsmanager:us-west-2:${process.env['CDK_DEFAULT_ACCOUNT']}:secret:com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials-XIxFhP`]
       }));
 
       verifyProject.addToRolePolicy(new iam.PolicyStatement({
         actions: [
           "secretsmanager:GetSecretValue",
+          "sts:GetServiceBearerToken",
+          "sts:AssumeRole",
         ],
-        resources: ["com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials"]
+        resources: [`arn:aws:secretsmanager:us-west-2:${process.env['CDK_DEFAULT_ACCOUNT']}:secret:com.amazonaws.ec2.madison.dockerhub.amazon-ecs-local-container-endpoints.credentials-XIxFhP`]
       }));
 
       const buildAction = new actions.CodeBuildAction({