in src/build_infrastructure/android/stacks/maven_release_stack.py [0:0]
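def __init__(self, scope: core.App, id: str, props, **kwargs) -> None:
    """Create the Maven release stack: a secrets-access policy plus a publisher.

    Args:
        scope: The CDK app this stack is created in.
        id: Construct id of the stack.
        props: Configuration mapping. Required keys are ``github_source``
            (itself a mapping with ``owner``, ``repo`` and ``base_branch``),
            ``codebuild_project_name_prefix`` and ``create_webhooks``;
            ``buildspec_path`` is optional and defaults to ``None``.
        **kwargs: Forwarded unchanged to the base stack constructor.

    Raises:
        RuntimeError: If a required key is missing from ``props`` or from
            ``props['github_source']``.
    """
    super().__init__(scope, id, **kwargs)

    # Validate every key that is read below, not just 'github_source', so a
    # missing value fails with a clear RuntimeError rather than a KeyError
    # raised part-way through construct creation.
    required_props = ['github_source', 'codebuild_project_name_prefix', 'create_webhooks']
    for prop in required_props:
        if prop not in props:
            raise RuntimeError(f"Parameter {prop} is required.")

    github_source = props['github_source']
    for key in ('owner', 'repo', 'base_branch'):
        if key not in github_source:
            raise RuntimeError(f"Parameter github_source.{key} is required.")

    codebuild_project_name_prefix = props['codebuild_project_name_prefix']
    owner = github_source['owner']
    repo = github_source['repo']
    base_branch = github_source['base_branch']
    # Optional: the publisher decides what a None buildspec path means.
    buildspec_path = props.get('buildspec_path')
    create_webhooks = props['create_webhooks']

    # Least-privilege grant for the CodeBuild role: read-only access to
    # secrets, limited to this account/region and to the two name prefixes
    # used for the Android signing and Sonatype credentials. The trailing
    # '*' is needed because Secrets Manager appends a random suffix to every
    # secret ARN; it must not be widened beyond these prefixes.
    policy = aws_iam.ManagedPolicy(
        self,
        "SecretsAccessPolicy",
        managed_policy_name=f"{codebuild_project_name_prefix}-SecretsAccessPolicy",
        description="Policy used by the CodeBuild role to access secrets when uploading to Sonatype",
        statements=[
            aws_iam.PolicyStatement(
                actions=["secretsmanager:GetSecretValue"],
                effect=aws_iam.Effect.ALLOW,
                resources=[
                    f"arn:aws:secretsmanager:{self.region}:{self.account}:secret:awsmobilesdk/android/signing*",
                    f"arn:aws:secretsmanager:{self.region}:{self.account}:secret:awsmobilesdk/android/sonatype*",
                ],
            ),
        ],
    )

    publisher = MavenPublisher(
        self,
        "ReleasePublisher",
        project_name=f"{codebuild_project_name_prefix}-ReleasePublisher",
        github_owner=owner,
        github_repo=repo,
        base_branch=base_branch,
        buildspec_path=buildspec_path,
        create_webhooks=create_webhooks,
    )
    # Attach the scoped policy only to the publisher's build role; nothing
    # else in the stack is granted access to these secrets.
    policy.attach_to_role(publisher.role)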