in typescript/lambda-api-ci/lib/ci-stack.ts [39:118]
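/**
 * Appends the "build" stage to the pipeline: a CodeBuild project that runs the
 * CDK deployment of the Lambda API stack, with a role scoped to the resources
 * that deployment touches.
 *
 * The original role could create any role in the account and attach any policy
 * to it (`iam:CreateRole`/`iam:AttachRolePolicy`/`iam:PutRolePolicy`/`iam:PassRole`
 * on `*`), which lets whoever can trigger a build mint an administrative role.
 * Role management is therefore limited to roles named after the Lambda API
 * stack, and PassRole is restricted to the Lambda service.
 *
 * @param pipeline - pipeline the stage is appended to
 * @param sourceOutput - artifact produced by the source stage, consumed by the build
 * @returns the artifact produced by the build action
 */
private createBuildStage(pipeline: Pipeline, sourceOutput: Artifact) {
  const project = new PipelineProject(this, `BuildProject`, {
    environment: {
      buildImage: LinuxBuildImage.STANDARD_3_0,
    },
  })

  // Calls `cdk deploy` makes directly: change sets on the toolkit and Lambda API
  // stacks, staging-bucket access, and updating the one function the stack owns.
  const cdkDeployPolicy = new PolicyStatement({
    actions: [
      "cloudformation:GetTemplate",
      "cloudformation:CreateChangeSet",
      "cloudformation:DescribeChangeSet",
      "cloudformation:ExecuteChangeSet",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DeleteChangeSet",
      "cloudformation:DescribeStacks",
      "s3:*Object",
      "s3:ListBucket",
      "s3:getBucketLocation",
      "lambda:UpdateFunctionCode",
      "lambda:GetFunction",
      "lambda:CreateFunction",
      "lambda:DeleteFunction",
      "lambda:GetFunctionConfiguration",
      "lambda:AddPermission",
      "lambda:RemovePermission",
    ],
    resources: [
      this.formatArn({
        service: "cloudformation",
        resource: "stack",
        resourceName: "CDKToolkit/*",
      }),
      this.formatArn({
        service: "cloudformation",
        resource: "stack",
        resourceName: `${lambdaApiStackName}/*`,
      }),
      this.formatArn({
        service: "lambda",
        resource: "function",
        arnFormat: ArnFormat.COLON_RESOURCE_NAME,
        resourceName: lambdaFunctionName,
      }),
      "arn:aws:s3:::cdktoolkit-stagingbucket-*",
    ],
  })

  // Supporting calls made while the stack creates or updates its API Gateway
  // and bucket resources. Their IDs are not known before the deployment, so
  // these stay on "*"; none of them grants control over identities.
  const editOrCreateLambdaDependencies = new PolicyStatement({
    actions: [
      "apigateway:GET",
      "apigateway:DELETE",
      "apigateway:PUT",
      "apigateway:POST",
      "apigateway:PATCH",
      "s3:CreateBucket",
      "s3:PutBucketTagging",
    ],
    resources: ["*"],
  })

  // CloudFormation names roles it creates `<stack-name>-<logical-id>-<suffix>`,
  // so a stack-name prefix covers the execution roles this deployment manages
  // and nothing else in the account.
  // NOTE(review): assumes the Lambda API stack leaves `roleName` unset on its
  // roles — confirm; an explicitly named role would need its own ARN here.
  const lambdaApiRoles = this.formatArn({
    service: "iam",
    region: "", // IAM ARNs carry no region
    resource: "role",
    resourceName: `${lambdaApiStackName}-*`,
  })
  const manageLambdaRoles = new PolicyStatement({
    actions: [
      "iam:GetRole",
      "iam:CreateRole",
      "iam:AttachRolePolicy",
      "iam:PutRolePolicy",
    ],
    resources: [lambdaApiRoles],
  })

  // The only legitimate PassRole here hands an execution role to Lambda; the
  // condition refuses to pass it to any other service. Kept as a separate
  // statement because the condition key is absent (and would deny) on the
  // other IAM actions.
  const passLambdaRole = new PolicyStatement({
    actions: ["iam:PassRole"],
    resources: [lambdaApiRoles],
    conditions: {
      StringEquals: { "iam:PassedToService": "lambda.amazonaws.com" },
    },
  })

  project.addToRolePolicy(cdkDeployPolicy)
  project.addToRolePolicy(editOrCreateLambdaDependencies)
  project.addToRolePolicy(manageLambdaRoles)
  project.addToRolePolicy(passLambdaRole)

  const buildOutput = new Artifact(`BuildOutput`)
  const buildAction = new CodeBuildAction({
    actionName: `Build`,
    project,
    input: sourceOutput,
    outputs: [buildOutput],
  })
  pipeline.addStage({
    stageName: "build",
    actions: [buildAction],
  })
  return buildOutput
}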