;
// CommonJS glue emitted by the TypeScript compiler for checks.ts (see the inline source map
// at the end of the file). Both exported names are hoisted function declarations defined
// below, so assigning them here, before their definitions, is safe.
Object.defineProperty(exports, "__esModule", { value: true });
exports.determineAllowCrossAccountAssetPublishing = determineAllowCrossAccountAssetPublishing;
exports.getBootstrapStackInfo = getBootstrapStackInfo;
const logging_1 = require("../../logging");
const error_1 = require("../../toolkit/error");
/**
 * Decide whether asset publishing into a bootstrap environment that belongs to a
 * different account than the caller should be allowed.
 *
 * Publishing is refused only when the bootstrap stack still has a staging bucket AND its
 * version predates 21 -- the version whose IAM policies block cross-account publishing
 * themselves (https://github.com/aws/aws-cdk/pull/30823). Every other outcome, including
 * any failure to inspect the stack, results in "allow".
 *
 * @param {object} sdk - CLI SDK wrapper for the target environment; handed straight to
 *   getBootstrapStackInfo, which only uses its cloudFormation() client
 * @param {string} [customStackName] - bootstrap stack name; undefined (or an empty string,
 *   because `||` is used) falls back to 'CDKToolkit'
 * @returns {Promise<boolean>} true when publishing may proceed, false when it must be refused
 */
async function determineAllowCrossAccountAssetPublishing(sdk, customStackName) {
    const toolkitStackName = customStackName || 'CDKToolkit';
    let info;
    try {
        info = await getBootstrapStackInfo(sdk, toolkitStackName);
    }
    catch (e) {
        // Fail OPEN, deliberately: not finding a bootstrap stack is legitimate (large
        // organizations often provision bootstrap resources with their own tooling), and in
        // that case there is nothing for us to validate, so we have to trust their setup.
        //
        // NOTE(review): this catch is not limited to "stack not found". Any failure inside
        // getBootstrapStackInfo -- AccessDenied on DescribeStacks, API throttling, a
        // BootstrapVersion output that does not parse -- also lands here, disables the guard,
        // and is only reported at debug level. Treat this check as best-effort, not as a
        // security boundary.
        (0, logging_1.debug)(`Error determining cross account asset publishing: ${e}`);
        (0, logging_1.debug)('Defaulting to allowing cross account asset publishing');
        return true;
    }
    // No staging bucket at all: the environment was set up for cross-account publishing on
    // purpose, so there is nothing to protect.
    if (!info.hasStagingBucket) {
        return true;
    }
    // A staging bucket exists: only a stack new enough to carry the IAM-level fix is safe to
    // publish into from another account; older stacks are refused to prevent accidents.
    return info.bootstrapVersion >= 21;
}
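/**
 * Read the two facts about a bootstrap stack that the cross-account publishing check
 * needs: its BootstrapVersion and whether it (still) appears to have a staging bucket.
 *
 * Only DescribeStacks is called: the deploy role is not expected to be allowed to call
 * DescribeStackResources, so the staging bucket is inferred from the `BucketName` Output
 * rather than from the stack's resources. That inference is a heuristic -- a template
 * customizer who removed the bucket but left a real-looking Output value, or who kept the
 * bucket and blanked the Output, will flip the caller's decision.
 *
 * @param {object} sdk - CLI SDK wrapper; only `sdk.cloudFormation().describeStacks` is used
 * @param {string} stackName - name of the bootstrap stack to inspect
 * @returns {Promise<{ hasStagingBucket: boolean, bootstrapVersion: number }>}
 * @throws {ToolkitError} if the stack does not exist, has no usable BootstrapVersion output,
 *   or the CloudFormation call itself fails
 */
async function getBootstrapStackInfo(sdk, stackName) {
    try {
        const cfn = sdk.cloudFormation();
        const stackResponse = await cfn.describeStacks({ StackName: stackName });
        if (!stackResponse.Stacks || stackResponse.Stacks.length === 0) {
            throw new error_1.ToolkitError(`Toolkit stack ${stackName} not found`);
        }
        const stack = stackResponse.Stacks[0];
        const outputs = stack.Outputs ?? [];
        const versionOutput = outputs.find(output => output.OutputKey === 'BootstrapVersion');
        if (!versionOutput?.OutputValue) {
            throw new error_1.ToolkitError(`Unable to find BootstrapVersion output in the toolkit stack ${stackName}`);
        }
        // Always pass the radix so the value is read as decimal regardless of its prefix.
        // Parsing is otherwise left lenient on purpose: the only caller treats any exception
        // from this function as "allow publishing", so rejecting e.g. trailing junk here would
        // weaken the guard rather than strengthen it.
        const bootstrapVersion = Number.parseInt(versionOutput.OutputValue, 10);
        if (Number.isNaN(bootstrapVersion)) {
            throw new error_1.ToolkitError(`Invalid BootstrapVersion value: ${versionOutput.OutputValue}`);
        }
        // Infer the staging bucket from the `BucketName` Output. If the Output is missing, or
        // its value doesn't look like an S3 bucket name, assume the bucket doesn't exist. This
        // covers template customizers who did not dare to remove the Output but put a dummy
        // value there like '' or '-' or '***'.
        //
        // We would have preferred to look at the stack resources here, but the deploy role
        // doesn't have permission to call DescribeStackResources.
        const bucketName = outputs.find(output => output.OutputKey === 'BucketName')?.OutputValue;
        // S3 bucket names must begin and end with a lowercase letter or a digit.
        const hasStagingBucket = !!bucketName
            && /^[a-z0-9]/.test(bucketName)
            && /[a-z0-9]$/.test(bucketName);
        return {
            hasStagingBucket,
            bootstrapVersion,
        };
    }
    catch (e) {
        // The errors raised above already carry a specific message; only wrap raw SDK /
        // CloudFormation failures so the message is not double-prefixed.
        if (e instanceof error_1.ToolkitError) {
            throw e;
        }
        throw new error_1.ToolkitError(`Error retrieving toolkit stack info: ${e}`);
    }
}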
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2hlY2tzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiY2hlY2tzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBSUEsOEZBK0JDO0FBT0Qsc0RBdUNDO0FBakZELDJDQUFzQztBQUN0QywrQ0FBbUQ7QUFHNUMsS0FBSyxVQUFVLHlDQUF5QyxDQUFDLEdBQVEsRUFBRSxlQUF3QjtJQUNoRyxJQUFJLENBQUM7UUFDSCxNQUFNLFNBQVMsR0FBRyxlQUFlLElBQUksWUFBWSxDQUFDO1FBQ2xELE1BQU0sU0FBUyxHQUFHLE1BQU0scUJBQXFCLENBQUMsR0FBRyxFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBRTlELElBQUksQ0FBQyxTQUFTLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztZQUNoQywrQ0FBK0M7WUFDL0MsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsSUFBSSxTQUFTLENBQUMsZ0JBQWdCLElBQUksRUFBRSxFQUFFLENBQUM7WUFDckMsb0VBQW9FO1lBQ3BFLHNDQUFzQztZQUN0Qyw0Q0FBNEM7WUFDNUMsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQseUZBQXlGO1FBQ3pGLCtDQUErQztRQUMvQyxPQUFPLEtBQUssQ0FBQztJQUNmLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsd0VBQXdFO1FBQ3hFLG9FQUFvRTtRQUNwRSwyRUFBMkU7UUFDM0UsbUZBQW1GO1FBQ25GLHFGQUFxRjtRQUNyRiwrREFBK0Q7UUFDL0QsSUFBQSxlQUFLLEVBQUMscURBQXFELENBQUMsRUFBRSxDQUFDLENBQUM7UUFDaEUsSUFBQSxlQUFLLEVBQUMsdURBQXVELENBQUMsQ0FBQztRQUMvRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7QUFDSCxDQUFDO0FBT00sS0FBSyxVQUFVLHFCQUFxQixDQUFDLEdBQVEsRUFBRSxTQUFpQjtJQUNyRSxJQUFJLENBQUM7UUFDSCxNQUFNLEdBQUcsR0FBRyxHQUFHLENBQUMsY0FBYyxFQUFFLENBQUM7UUFDakMsTUFBTSxhQUFhLEdBQUcsTUFBTSxHQUFHLENBQUMsY0FBYyxDQUFDLEVBQUUsU0FBUyxFQUFFLFNBQVMsRUFBRSxDQUFDLENBQUM7UUFFekUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNLElBQUksYUFBYSxDQUFDLE1BQU0sQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0QsTUFBTSxJQUFJLG9CQUFZLENBQUMsaUJBQWlCLFNBQVMsWUFBWSxDQUFDLENBQUM7UUFDakUsQ0FBQztRQUVELE1BQU0sS0FBSyxHQUFHLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDdEMsTUFBTSxhQUFhLEdBQUcsS0FBSyxDQUFDLE9BQU8sRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxNQUFNLENBQUMsU0FBUyxLQUFLLGtCQUFrQixDQUFDLENBQUM7UUFFN0YsSUFBSSxDQUFDLGFBQWEsRUFBRSxXQUFXLEVBQUUsQ0FBQztZQUNoQyxNQUFNLElBQUksb0JBQVksQ0FBQywrREFBK0QsU0FBUyxFQUFFLENBQUMsQ0FBQztRQUNyRyxDQUFDO1FBRUQsTUFBTSxnQkFBZ0IsR0FBRyxRQUFRLENBQUMsYUFBYSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzdELE
lBQUksS0FBSyxDQUFDLGdCQUFnQixDQUFDLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksb0JBQVksQ0FBQyxtQ0FBbUMsYUFBYSxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUM7UUFDekYsQ0FBQztRQUVELHFFQUFxRTtRQUNyRSwwRUFBMEU7UUFDMUUsaUZBQWlGO1FBQ2pGLHVGQUF1RjtRQUN2RixFQUFFO1FBQ0YsbUVBQW1FO1FBQ25FLHNGQUFzRjtRQUN0RixNQUFNLFVBQVUsR0FBRyxLQUFLLENBQUMsT0FBTyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLE1BQU0sQ0FBQyxTQUFTLEtBQUssWUFBWSxDQUFDLEVBQUUsV0FBVyxDQUFDO1FBQ2pHLDRDQUE0QztRQUM1QyxNQUFNLGdCQUFnQixHQUFHLENBQUMsQ0FBQyxDQUFDLFVBQVUsSUFBSSxVQUFVLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxLQUFLLENBQUMsV0FBVyxDQUFDLENBQUMsQ0FBQztRQUUxRyxPQUFPO1lBQ0wsZ0JBQWdCO1lBQ2hCLGdCQUFnQjtTQUNqQixDQUFDO0lBQ0osQ0FBQztJQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7UUFDWCxNQUFNLElBQUksb0JBQVksQ0FBQyx3Q0FBd0MsQ0FBQyxFQUFFLENBQUMsQ0FBQztJQUN0RSxDQUFDO0FBQ0gsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IGRlYnVnIH0gZnJvbSAnLi4vLi4vbG9nZ2luZyc7XG5pbXBvcnQgeyBUb29sa2l0RXJyb3IgfSBmcm9tICcuLi8uLi90b29sa2l0L2Vycm9yJztcbmltcG9ydCB7IFNESyB9IGZyb20gJy4uL2F3cy1hdXRoJztcblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGRldGVybWluZUFsbG93Q3Jvc3NBY2NvdW50QXNzZXRQdWJsaXNoaW5nKHNkazogU0RLLCBjdXN0b21TdGFja05hbWU/OiBzdHJpbmcpOiBQcm9taXNlPGJvb2xlYW4+IHtcbiAgdHJ5IHtcbiAgICBjb25zdCBzdGFja05hbWUgPSBjdXN0b21TdGFja05hbWUgfHwgJ0NES1Rvb2xraXQnO1xuICAgIGNvbnN0IHN0YWNrSW5mbyA9IGF3YWl0IGdldEJvb3RzdHJhcFN0YWNrSW5mbyhzZGssIHN0YWNrTmFtZSk7XG5cbiAgICBpZiAoIXN0YWNrSW5mby5oYXNTdGFnaW5nQnVja2V0KSB7XG4gICAgICAvLyBpbmRpY2F0ZXMgYW4gaW50ZW50aW9uYWwgY3Jvc3MgYWNjb3VudCBzZXR1cFxuICAgICAgcmV0dXJuIHRydWU7XG4gICAgfVxuXG4gICAgaWYgKHN0YWNrSW5mby5ib290c3RyYXBWZXJzaW9uID49IDIxKSB7XG4gICAgICAvLyBib290c3RyYXAgc3RhY2sgdmVyc2lvbiAyMSBjb250YWlucyBhIGZpeCB0aGF0IHdpbGwgcHJldmVudCBjcm9zc1xuICAgICAgLy8gYWNjb3VudCBwdWJsaXNoaW5nIG9uIHRoZSBJQU0gbGV2ZWxcbiAgICAgIC8vIGh0dHBzOi8vZ2l0aHViLmNvbS9hd3MvYXdzLWNkay9wdWxsLzMwODIzXG4gICAgICByZXR1cm4gdHJ1ZTtcbiAgICB9XG5cbiAgICAvLyBJZiB0aGVyZSBpcyBhIHN0YWdpbmcgYnVja2V0IEFORCB0aGUgYm9vdHN0cmFwIHZlcnNpb24gaXMgb2xkLCB0aGVuIHdlIHdhbnQgdG8gcHJvdGVjdFxuICAgIC8vIGFnYWluc3QgYWNjaW
RlbnRhbCBjcm9zcy1hY2NvdW50IHB1Ymxpc2hpbmcuXG4gICAgcmV0dXJuIGZhbHNlO1xuICB9IGNhdGNoIChlKSB7XG4gICAgLy8gWW91IHdvdWxkIHRoaW5rIHdlIHdvdWxkIG5lZWQgdG8gZmFpbCBjbG9zZWQgaGVyZSwgYnV0IHRoZSByZWFsaXR5IGlzXG4gICAgLy8gdGhhdCB3ZSBnZXQgaGVyZSBpZiB3ZSBjb3VsZG4ndCBmaW5kIHRoZSBib290c3RyYXAgc3RhY2s6IHRoYXQgaXNcbiAgICAvLyBjb21wbGV0ZWx5IHZhbGlkLCBhbmQgbWFueSBsYXJnZSBvcmdhbml6YXRpb25zIG1heSBoYXZlIHRoZWlyIG93biBtZXRob2RcbiAgICAvLyBvZiBjcmVhdGluZyBib290c3RyYXAgcmVzb3VyY2VzLiBJZiB0aGV5IGRvLCB0aGVyZSdzIG5vdGhpbmcgZm9yIHVzIHRvIHZhbGlkYXRlLFxuICAgIC8vIGJ1dCB3ZSBjYW4ndCB1c2UgdGhhdCBhcyBhIHJlYXNvbiB0byBkaXNhbGxvdyBjcm9zcy1hY2NvdW50IHB1Ymxpc2hpbmcuIFdlJ2xsIGp1c3RcbiAgICAvLyBoYXZlIHRvIHRydXN0IHRoZXkgZGlkIHRoZWlyIGR1ZSBkaWxpZ2VuY2UuIFNvIHdlIGZhaWwgb3Blbi5cbiAgICBkZWJ1ZyhgRXJyb3IgZGV0ZXJtaW5pbmcgY3Jvc3MgYWNjb3VudCBhc3NldCBwdWJsaXNoaW5nOiAke2V9YCk7XG4gICAgZGVidWcoJ0RlZmF1bHRpbmcgdG8gYWxsb3dpbmcgY3Jvc3MgYWNjb3VudCBhc3NldCBwdWJsaXNoaW5nJyk7XG4gICAgcmV0dXJuIHRydWU7XG4gIH1cbn1cblxuaW50ZXJmYWNlIEJvb3RzdHJhcFN0YWNrSW5mbyB7XG4gIGhhc1N0YWdpbmdCdWNrZXQ6IGJvb2xlYW47XG4gIGJvb3RzdHJhcFZlcnNpb246IG51bWJlcjtcbn1cblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGdldEJvb3RzdHJhcFN0YWNrSW5mbyhzZGs6IFNESywgc3RhY2tOYW1lOiBzdHJpbmcpOiBQcm9taXNlPEJvb3RzdHJhcFN0YWNrSW5mbz4ge1xuICB0cnkge1xuICAgIGNvbnN0IGNmbiA9IHNkay5jbG91ZEZvcm1hdGlvbigpO1xuICAgIGNvbnN0IHN0YWNrUmVzcG9uc2UgPSBhd2FpdCBjZm4uZGVzY3JpYmVTdGFja3MoeyBTdGFja05hbWU6IHN0YWNrTmFtZSB9KTtcblxuICAgIGlmICghc3RhY2tSZXNwb25zZS5TdGFja3MgfHwgc3RhY2tSZXNwb25zZS5TdGFja3MubGVuZ3RoID09PSAwKSB7XG4gICAgICB0aHJvdyBuZXcgVG9vbGtpdEVycm9yKGBUb29sa2l0IHN0YWNrICR7c3RhY2tOYW1lfSBub3QgZm91bmRgKTtcbiAgICB9XG5cbiAgICBjb25zdCBzdGFjayA9IHN0YWNrUmVzcG9uc2UuU3RhY2tzWzBdO1xuICAgIGNvbnN0IHZlcnNpb25PdXRwdXQgPSBzdGFjay5PdXRwdXRzPy5maW5kKG91dHB1dCA9PiBvdXRwdXQuT3V0cHV0S2V5ID09PSAnQm9vdHN0cmFwVmVyc2lvbicpO1xuXG4gICAgaWYgKCF2ZXJzaW9uT3V0cHV0Py5PdXRwdXRWYWx1ZSkge1xuICAgICAgdGhyb3cgbmV3IFRvb2xraXRFcnJvcihgVW5hYmxlIHRvIGZpbmQgQm9vdHN0cmFwVmVyc2lvbiBvdXRwdXQgaW4gdGhlIHRvb2xraXQgc3RhY2sgJHtzdGFja05hbWV9YCk7XG4gICAgfVxuXG
4gICAgY29uc3QgYm9vdHN0cmFwVmVyc2lvbiA9IHBhcnNlSW50KHZlcnNpb25PdXRwdXQuT3V0cHV0VmFsdWUpO1xuICAgIGlmIChpc05hTihib290c3RyYXBWZXJzaW9uKSkge1xuICAgICAgdGhyb3cgbmV3IFRvb2xraXRFcnJvcihgSW52YWxpZCBCb290c3RyYXBWZXJzaW9uIHZhbHVlOiAke3ZlcnNpb25PdXRwdXQuT3V0cHV0VmFsdWV9YCk7XG4gICAgfVxuXG4gICAgLy8gdHJ5IHRvIGdldCBidWNrZXRuYW1lIGZyb20gdGhlIGxvZ2ljYWwgcmVzb3VyY2UgaWQuIElmIHRoZXJlIGlzIG5vXG4gICAgLy8gYnVja2V0bmFtZSwgb3IgdGhlIHZhbHVlIGRvZXNuJ3QgbG9vayBsaWtlIGFuIFMzIGJ1Y2tldCBuYW1lLCB3ZSBhc3N1bWVcbiAgICAvLyB0aGUgYnVja2V0IGRvZXNuJ3QgZXhpc3QgKHRoaXMgaXMgZm9yIHRoZSBjYXNlIHdoZXJlIGEgdGVtcGxhdGUgY3VzdG9taXplciBkaWRcbiAgICAvLyBub3QgZGFyZSB0byByZW1vdmUgdGhlIE91dHB1dCwgYnV0IHB1dCBhIGR1bW15IHZhbHVlIHRoZXJlIGxpa2UgJycgb3IgJy0nIG9yICcqKionKS5cbiAgICAvL1xuICAgIC8vIFdlIHdvdWxkIGhhdmUgcHJlZmVycmVkIHRvIGxvb2sgYXQgdGhlIHN0YWNrIHJlc291cmNlcyBoZXJlLCBidXRcbiAgICAvLyB1bmZvcnR1bmF0ZWx5IHRoZSBkZXBsb3kgcm9sZSBkb2Vzbid0IGhhdmUgcGVybWlzc2lvbnMgY2FsbCBEZXNjcmliZVN0YWNrUmVzb3VyY2VzLlxuICAgIGNvbnN0IGJ1Y2tldE5hbWUgPSBzdGFjay5PdXRwdXRzPy5maW5kKG91dHB1dCA9PiBvdXRwdXQuT3V0cHV0S2V5ID09PSAnQnVja2V0TmFtZScpPy5PdXRwdXRWYWx1ZTtcbiAgICAvLyBNdXN0IGJlZ2luIGFuZCBlbmQgd2l0aCBsZXR0ZXIgb3IgbnVtYmVyLlxuICAgIGNvbnN0IGhhc1N0YWdpbmdCdWNrZXQgPSAhIShidWNrZXROYW1lICYmIGJ1Y2tldE5hbWUubWF0Y2goL15bYS16MC05XS8pICYmIGJ1Y2tldE5hbWUubWF0Y2goL1thLXowLTldJC8pKTtcblxuICAgIHJldHVybiB7XG4gICAgICBoYXNTdGFnaW5nQnVja2V0LFxuICAgICAgYm9vdHN0cmFwVmVyc2lvbixcbiAgICB9O1xuICB9IGNhdGNoIChlKSB7XG4gICAgdGhyb3cgbmV3IFRvb2xraXRFcnJvcihgRXJyb3IgcmV0cmlldmluZyB0b29sa2l0IHN0YWNrIGluZm86ICR7ZX1gKTtcbiAgfVxufVxuIl19