(CDK Pipelines): allow passing a Role to CodePipeline

[skinny85]

Description

Because of #16244, customers have to sometimes create a Role manually and control its permissions.

We should make that easy in CodePipeline.

Use Case

See above.

Proposed Solution

Add a new property role to the CodePipeline construct.

Other information

No response

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[rix0rrr]

You can pass a codepipeline.Pipeline to CodePipeline. It can be initialized with the role you need.

[skinny85]

Yep, that's what I recommended the customer do, but it's pretty non-trivial to figure out. A property in the construct props would make it more discoverable.

[rix0rrr]

Still don't really agree. We should control better for policy size, or injecting, instead.

[pfried]

For reference: I just deployed a fix following the advice by @skinny85 which essentially (besides a narrower policy) looks like the code below:

The stack redeployed and kept its resources. I had to pull out the cross account property tough.

        // Oversimplified policy
        const codePipelineRole = new Role(this, 'CodePipelineRole', {
            assumedBy: new ServicePrincipal('codepipeline.amazonaws.com'),
            roleName: cdk.PhysicalName.GENERATE_IF_NEEDED,
            inlinePolicies: {
                rootPermissions: new PolicyDocument({
                    statements: [
                        new PolicyStatement({
                            resources: ['*'],
                            actions: ['*'],
                        }),
                    ],
                }),
            }
        })

       // Need to pull out `crossAccountKeys`
        const codePipeline = new Pipeline(this, 'CodePipeline', {
            crossAccountKeys: true,
            role: codePipelineRole.withoutPolicyUpdates()
        })

        const pipeline = new CodePipeline(this, 'Pipeline', {
            codePipeline: codePipeline,
            ...
        })

Update: Just found the docs for that:
AWS CDK V1: https://docs.aws.amazon.com/cdk/api/v1/docs/aws-iam-readme.html#opting-out-of-automatic-permissions-management
AWS_CDK V2: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam-readme.html#opting-out-of-automatic-permissions-management

Update 2: I somehow broke stuff, so not sure if it actually works

[ac259]

Hello @rix0rrr ,

I am trying to solve for the same problem; i.e to pass a role to the pipelines.CodePipeline. I am trying to do this in python.
the official cdk documentation for CDK Pipeline Here there seems to be a role parameter. But in the class definition it does not seem to have it and throws and error when I cdk deploy

Code Snippet.

class WorkshopPipelineStack(Stack):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        codepipeline_role = iam.Role.from_role_arn(self, "Role", "arn:aws:iam::<account>:role/<pre-existing-role>",
        # Set 'mutable' to 'false' to use the role as-is and prevent adding new
        # policies to it. The default is 'true', which means the role may be
        # modified as part of the deployment.
        mutable=False
        )

        kms_key = aws_kms.Key.from_key_arn(self,"<kms-key>", "arn:aws:kms:us-east-1:account-number:key/<key>")
        pipeline_bucket = aws_s3.Bucket(self, '<bucket-name>',encryption_key=kms_key)
        
        pipeline = pipelines.CodePipeline(self,
        "<pipeline-name>",
        synth=pipelines.ShellStep(
            "Synth",
            input=pipelines.CodePipelineSource.connection("<org/repo>", "<branch>",
                connection_arn="arn:aws:codestar-connections:<connection>"
            ),
            commands=[
                "npm install -g aws-cdk",  # Installs the cdk cli on Codebuild
                "pip install -r requirements.txt",  # Instructs Codebuild to install required packages
                "cdk synth",
            ]
        ),
        role = codepipeline_role
        )

Error

Traceback (most recent call last):
  File "C:\Users\aramji\Desktop\aws-cdk\app.py", line 7, in <module>
    WorkshopPipelineStack(app, "cmg-datasvc-cdk-codepipeline-test",
  File "C:\Users\aramji\Envs\aws-cdk\lib\site-packages\jsii\_runtime.py", line 86, in __call__
    inst = super().__call__(*args, **kwargs)
  File "C:\Users\aramji\aws-cdk\cdk_workshop\pipeline_stack.py", line 41, in __init__
    pipeline = pipelines.CodePipeline(self,
  File "C:\Users\aramji\Envs\aws-cdk\lib\site-packages\jsii\_runtime.py", line 86, in __call__
    inst = super().__call__(*args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'role'

Subprocess exited with error 1

Could you kindly help on the same?

Thanks,
Ani

[skinny85]

@ac259 what version of CDK are you using?

[ac259]

@skinny85 I was using an older 2.x version but I upgraded to the 2.47.0 and tested again.

(aws-cdk) C:\Users\aramji\Desktop\aws-cdk>cdk --version
2.47.0 (build 3528e3d)

[skinny85]

I'm asking about the libraries, though; not the CDK CLI version. You'll find their version in the requirements.txt (or just execute pip list). The libraries determine whether you have access to this feature or not.

It was released in version 2.35.0, so you need your libraries to be at least at that version.

[ac259]

@skinny85 thank you so much - I was on an earlier version of the library. Was able to get it to work!