Merge pull request #5 from taoyong-ty/main

Add Compute-Actions logs permissions to CodePipelineDefaultPolicy
aws · Nov 12, 2024 · ba5cdff · ba5cdff
2 parents 757a303 + 83e7d82
commit ba5cdff
Show file tree

Hide file tree

Showing 11 changed files with 132 additions and 0 deletions.
diff --git a/templates/cloudformation/ci-build-gradle.yaml b/templates/cloudformation/ci-build-gradle.yaml
@@ -300,6 +300,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-build-maven.yaml b/templates/cloudformation/ci-build-maven.yaml
@@ -300,6 +300,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-build-nodejs.yaml b/templates/cloudformation/ci-build-nodejs.yaml
@@ -306,6 +306,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-build-python.yaml b/templates/cloudformation/ci-build-python.yaml
@@ -303,6 +303,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-schedule-build-gradle.yaml b/templates/cloudformation/ci-schedule-build-gradle.yaml
@@ -362,6 +362,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-schedule-build-maven.yaml b/templates/cloudformation/ci-schedule-build-maven.yaml
@@ -362,6 +362,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-schedule-build-nodejs.yaml b/templates/cloudformation/ci-schedule-build-nodejs.yaml
@@ -368,6 +368,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/ci-schedule-build-python.yaml b/templates/cloudformation/ci-schedule-build-python.yaml
@@ -365,6 +365,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/deploy-to-cfn.yaml b/templates/cloudformation/deploy-to-cfn.yaml
@@ -313,6 +313,18 @@ Resources:
               - /
               - - !GetAtt CodePipelineArtifactsBucket.Arn
                 - '*'
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CloudFormationDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/deploy-to-ecr.yaml b/templates/cloudformation/deploy-to-ecr.yaml
@@ -358,6 +358,18 @@ Resources:
             Resource:
               - !GetAtt CodeBuildActionRole.Arn
               - !GetAtt CodeConnectionsActionRole.Arn
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDefaultPolicy
       Roles:

diff --git a/templates/cloudformation/deploy-to-ecs-fargate.yaml b/templates/cloudformation/deploy-to-ecs-fargate.yaml
@@ -759,6 +759,18 @@ Resources:
                 - ''
                 - - !GetAtt CodePipelineArtifactsBucket.Arn
                   - /*
+          - Action:
+              - logs:CreateLogGroup
+              - logs:CreateLogStream
+              - logs:PutLogEvents
+            Effect: Allow
+            Resource:
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}
+                - pipelineName: !Ref CodePipelineName
+              - !Sub
+                - arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codepipeline/${pipelineName}:*
+                - pipelineName: !Ref CodePipelineName
         Version: '2012-10-17'
       PolicyName: CodePipelineDeployActionRoleDefaultPolicy
       Roles: