fix: It is simpler, after all, to provide the SSM parameter name just…

… as a string
markusl · Aug 30, 2021 · 36f1a5b · 36f1a5b
1 parent e40469c
commit 36f1a5b
Show file tree

Hide file tree

Showing 7 changed files with 537 additions and 261 deletions.
diff --git a/API.md b/API.md
@@ -4,9 +4,9 @@
 
 ### CodePipelineBitbucketBuildResultReporter <a name="cdk-codepipeline-bitbucket-build-result-reporter.CodePipelineBitbucketBuildResultReporter"></a>
 
-A construct for reporting CodePipeline build statuses to a BitBucket server using BitBucket REST API.
+A CDK construct for reporting CodePipeline build statuses to a BitBucket server using BitBucket REST API.
 
-You need to configure SSM parameter BITBUCKET_UPDATE_BUILD_STATUS_TOKEN before using the component.
+You need to configure SSM parameter `BITBUCKET_UPDATE_BUILD_STATUS_TOKEN` before using the construct.
 
 #### Initializer <a name="cdk-codepipeline-bitbucket-build-result-reporter.CodePipelineBitbucketBuildResultReporter.Initializer"></a>
 
@@ -60,12 +60,12 @@ The BitBucket server address.
 
 ---
 
-##### `bitbucketAccessToken`<sup>Optional</sup> <a name="cdk-codepipeline-bitbucket-build-result-reporter.CodePipelineBitbucketBuildResultReporterProps.property.bitbucketAccessToken"></a>
+##### `bitbucketAccessTokenName`<sup>Optional</sup> <a name="cdk-codepipeline-bitbucket-build-result-reporter.CodePipelineBitbucketBuildResultReporterProps.property.bitbucketAccessTokenName"></a>
 
-- *Type:* [`aws-cdk-lib.aws_ssm.IStringParameter`](#aws-cdk-lib.aws_ssm.IStringParameter)
+- *Type:* `string`
 - *Default:* BITBUCKET_UPDATE_BUILD_STATUS_TOKEN
 
-The SSM parameter (SecureString) that contains the BitBucket access token for reporting build statuses.
+The SSM parameter (SecureString) name that contains the BitBucket access token for reporting build statuses.
 
 ---
 

diff --git a/README.md b/README.md
@@ -29,12 +29,12 @@ Note: `stack` must be a CDK deployment stage so that the bundled Lambda asset wi
   // AWS CDK 2.0
   import { App, Stack, aws_ssm as ssm, aws_ec2 as ec2 } from 'aws-cdk-lib';
 
-  const accessToken = ssm.StringParameter.fromStringParameterName(stack, 'param', '/my/ssm/variable/BITBUCKET_UPDATE_BUILD_STATUS_TOKEN');
+  const bitbucketAccessTokenName = '/my/ssm/variable/BITBUCKET_UPDATE_BUILD_STATUS_TOKEN';
 
   // In your infrastructure account, add to your stack
   new CodePipelineBitbucketBuildResultReporter(stack, 'CodePipelineBitbucketBuildResultReporter', {
-    bitBucketServerAddress: 'bitbucket-server.com',
-    bitbucketAccessToken: accessToken,
-    vpc,
+    bitbucketServerAddress: 'bitbucket-server.com',
+    bitbucketAccessTokenName,
+    vpc: fakeVpc,
   });
 ```
diff --git a/package.json b/package.json
diff --git a/src/index.ts b/src/index.ts
@@ -1,7 +1,6 @@
 import {
   aws_ec2 as ec2,
   aws_iam as iam,
-  aws_ssm as ssm,
   aws_logs as logs,
   aws_lambda as lambda,
   aws_lambda_nodejs as lambda_nodejs,
@@ -37,6 +36,11 @@ const listAliasesPolicy = new iam.PolicyStatement({
   resources: ['*'],
 });
 
+const ssmPolicy = (bitbucketTokenName: string) => new iam.PolicyStatement({
+  actions: ['ssm:GetParameter'],
+  resources: [`arn:aws:ssm:*:*:parameter/${bitbucketTokenName}`],
+});
+
 /** Common properties */
 export interface CodePipelineBitbucketBuildResultReporterProps {
   /**
@@ -45,10 +49,10 @@ export interface CodePipelineBitbucketBuildResultReporterProps {
   readonly vpc?: ec2.VpcAttributes;
 
   /**
-   * The SSM parameter (SecureString) that contains the BitBucket access token for reporting build statuses.
+   * The SSM parameter (SecureString) name that contains the BitBucket access token for reporting build statuses.
    * @default BITBUCKET_UPDATE_BUILD_STATUS_TOKEN
    */
-  readonly bitbucketAccessToken?: ssm.IStringParameter;
+  readonly bitbucketAccessTokenName?: string;
 
   /**
    * The BitBucket server address.
@@ -58,14 +62,15 @@ export interface CodePipelineBitbucketBuildResultReporterProps {
 
 const defaultBitbucketAccessTokenParameterName = 'BITBUCKET_UPDATE_BUILD_STATUS_TOKEN';
 
-/** A construct for reporting CodePipeline build statuses to a BitBucket server using BitBucket REST API.
- * You need to configure SSM parameter BITBUCKET_UPDATE_BUILD_STATUS_TOKEN before using the component.
+/** A CDK construct for reporting CodePipeline build statuses to a BitBucket server using BitBucket REST API.
+ * You need to configure SSM parameter `BITBUCKET_UPDATE_BUILD_STATUS_TOKEN` before using the construct.
+ *
+ * @stability stable
  */
 export class CodePipelineBitbucketBuildResultReporter extends Construct {
   constructor(scope: Construct, id: string, props: CodePipelineBitbucketBuildResultReporterProps) {
     super(scope, id);
-    const accessToken = props.bitbucketAccessToken ??
-      ssm.StringParameter.fromStringParameterName(this, defaultBitbucketAccessTokenParameterName, defaultBitbucketAccessTokenParameterName);
+    const accessTokenName = props.bitbucketAccessTokenName ?? defaultBitbucketAccessTokenParameterName;
     const vpc = props.vpc ? ec2.Vpc.fromVpcAttributes(scope, 'LambdaVpc', props.vpc) : undefined;
     const codePipelineStatusHandler = new lambda_nodejs.NodejsFunction(scope, 'CodePipelineStatusHandler', {
       vpc,
@@ -74,11 +79,11 @@ export class CodePipelineBitbucketBuildResultReporter extends Construct {
       description: 'Synchronize CodePipeline build statuses to BitBucket',
       environment: {
         BITBUCKET_SERVER: props.bitbucketServerAddress,
-        BITBUCKET_TOKEN: accessToken.parameterName,
+        BITBUCKET_TOKEN: accessTokenName,
       },
       logRetention: logs.RetentionDays.ONE_MONTH,
     });
-    accessToken.grantRead(codePipelineStatusHandler);
+    codePipelineStatusHandler.role?.addToPrincipalPolicy(ssmPolicy(accessTokenName));
     codePipelineStatusHandler.role?.addToPrincipalPolicy(listAliasesPolicy);
     codePipelineStatusHandler.role?.addToPrincipalPolicy(new iam.PolicyStatement({
       actions: ['codepipeline:GetPipelineExecution', 'codepipeline:GetPipelineState'],
@@ -96,11 +101,11 @@ export class CodePipelineBitbucketBuildResultReporter extends Construct {
       description: 'Synchronize CodeBuild build statuses to BitBucket',
       environment: {
         BITBUCKET_SERVER: props.bitbucketServerAddress,
-        BITBUCKET_TOKEN: accessToken.parameterName,
+        BITBUCKET_TOKEN: accessTokenName,
       },
       logRetention: logs.RetentionDays.ONE_MONTH,
     });
-    accessToken.grantRead(codeBuildStatusHandler);
+    codePipelineStatusHandler.role?.addToPrincipalPolicy(ssmPolicy(accessTokenName));
     codeBuildStatusHandler.role?.addToPrincipalPolicy(listAliasesPolicy);
     codeBuildStatusHandler.role?.addToPrincipalPolicy(new iam.PolicyStatement({
       actions: ['codebuild:BatchGetBuilds'],