
aws-cdk


AWS CDK CLI, the command line tool for CDK apps

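"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.determineAllowCrossAccountAssetPublishing = determineAllowCrossAccountAssetPublishing;
exports.getBootstrapStackInfo = getBootstrapStackInfo;
const api_1 = require("../../../../@aws-cdk/tmp-toolkit-helpers/src/api");
const private_1 = require("../../../../@aws-cdk/tmp-toolkit-helpers/src/api/io/private");

/**
 * Decide whether asset publishing into a bucket owned by another account is allowed.
 *
 * Returns `false` only when the bootstrap stack could be inspected, reports a
 * staging bucket, and has a BootstrapVersion below 21. Every other outcome,
 * including any failure to inspect the stack, returns `true`.
 *
 * @param sdk - object exposing `cloudFormation()`; passed through to getBootstrapStackInfo
 * @param ioHelper - object exposing `notify()`; receives the messages emitted on the failure path
 * @param customStackName - bootstrap stack name; any falsy value falls back to 'CDKToolkit'
 * @returns {Promise<boolean>} whether cross-account asset publishing is allowed
 */
async function determineAllowCrossAccountAssetPublishing(sdk, ioHelper, customStackName) {
    try {
        const stackName = customStackName || 'CDKToolkit';
        const stackInfo = await getBootstrapStackInfo(sdk, stackName);
        if (!stackInfo.hasStagingBucket) {
            // indicates an intentional cross account setup
            return true;
        }
        if (stackInfo.bootstrapVersion >= 21) {
            // bootstrap stack version 21 contains a fix that will prevent cross
            // account publishing on the IAM level
            // https://github.com/aws/aws-cdk/pull/30823
            return true;
        }
        // If there is a staging bucket AND the bootstrap version is old, then we want to protect
        // against accidental cross-account publishing.
        return false;
    }
    catch (e) {
        // You would think we would need to fail closed here, but the reality is
        // that we get here if we couldn't find the bootstrap stack: that is
        // completely valid, and many large organizations may have their own method
        // of creating bootstrap resources. If they do, there's nothing for us to validate,
        // but we can't use that as a reason to disallow cross-account publishing. We'll just
        // have to trust they did their due diligence. So we fail open.
        //
        // NOTE(review): this catch is wider than "stack not found". getBootstrapStackInfo
        // rethrows every failure (a rejected describeStacks call for any reason, a missing
        // BootstrapVersion output, a non-numeric version) and all of them end up here and
        // yield `true`. The only trace is the two messages below, sent on what is named a
        // debug channel, so a lookup that failed is easy to miss in normal output.
        await ioHelper.notify(private_1.IO.DEFAULT_TOOLKIT_DEBUG.msg(`Error determining cross account asset publishing: ${e}`));
        await ioHelper.notify(private_1.IO.DEFAULT_TOOLKIT_DEBUG.msg('Defaulting to allowing cross account asset publishing'));
        return true;
    }
}

/**
 * Read the bootstrap version and staging-bucket presence from the toolkit stack outputs.
 *
 * @param sdk - object exposing `cloudFormation()`, whose result provides `describeStacks()`
 * @param stackName - name of the toolkit (bootstrap) stack to describe
 * @returns {Promise<{hasStagingBucket: boolean, bootstrapVersion: number}>}
 * @throws ToolkitError when the stack is not returned, the BootstrapVersion output is
 *   missing or not a number, or the describeStacks call itself fails. Every failure is
 *   re-wrapped as "Error retrieving toolkit stack info: ...", so the original error
 *   survives only as text inside the message.
 */
async function getBootstrapStackInfo(sdk, stackName) {
    try {
        const cfn = sdk.cloudFormation();
        const stackResponse = await cfn.describeStacks({ StackName: stackName });
        if (!stackResponse.Stacks || stackResponse.Stacks.length === 0) {
            throw new api_1.ToolkitError(`Toolkit stack ${stackName} not found`);
        }
        const stack = stackResponse.Stacks[0];
        const versionOutput = stack.Outputs?.find(output => output.OutputKey === 'BootstrapVersion');
        if (!versionOutput?.OutputValue) {
            throw new api_1.ToolkitError(`Unable to find BootstrapVersion output in the toolkit stack ${stackName}`);
        }
        // Explicit radix: without it an output value such as '0x15' is read as hexadecimal 21
        // and would clear the `>= 21` gate in determineAllowCrossAccountAssetPublishing.
        // Trailing non-digits are still ignored by parseInt ('21abc' parses as 21).
        const bootstrapVersion = Number.parseInt(versionOutput.OutputValue, 10);
        if (Number.isNaN(bootstrapVersion)) {
            throw new api_1.ToolkitError(`Invalid BootstrapVersion value: ${versionOutput.OutputValue}`);
        }
        // try to get bucketname from the logical resource id. If there is no
        // bucketname, or the value doesn't look like an S3 bucket name, we assume
        // the bucket doesn't exist (this is for the case where a template customizer did
        // not dare to remove the Output, but put a dummy value there like '' or '-' or '***').
        //
        // We would have preferred to look at the stack resources here, but
        // unfortunately the deploy role doesn't have permissions call DescribeStackResources.
        const bucketName = stack.Outputs?.find(output => output.OutputKey === 'BucketName')?.OutputValue;
        // Must begin and end with letter or number. Only the first and last characters are
        // checked, so this is a heuristic for spotting dummy values, not full validation of
        // an S3 bucket name.
        const hasStagingBucket = !!(bucketName && bucketName.match(/^[a-z0-9]/) && bucketName.match(/[a-z0-9]$/));
        return {
            hasStagingBucket,
            bootstrapVersion,
        };
    }
    catch (e) {
        throw new api_1.ToolkitError(`Error retrieving toolkit stack info: ${e}`);
    }
}
//# sourceMappingURL=data:application/json;base64,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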