in lib/codecommit-policy.ts [16:150]
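constructor(scope: cdk.Construct, id: string, props: CodecommitCollaborationModelProps) {
  super(scope, id);

  // iam:PassRole, shared by both managed policies.
  // The only service this construct grants actions on is CodeBuild, so the
  // statement is restricted to roles being passed to codebuild.amazonaws.com.
  // An unconditioned PassRole on '*' would let a holder of either policy hand
  // any role in the account to any service that accepts one, which is a
  // well-known privilege-escalation path. Callers that need PassRole for
  // another service must grant it explicitly in their own policy.
  // TODO(review): narrow `resources` to the CodeBuild service role ARN(s)
  // once they are known to the caller.
  const passRoleStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['iam:PassRole'],
    resources: ['*'],
    conditions: {
      StringEquals: {
        'iam:PassedToService': ['codebuild.amazonaws.com'],
      },
    },
  });

  // List-level discovery calls. These actions do not support resource or tag
  // scoping, hence resources '*' with no condition.
  const discoveryStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'codecommit:ListApprovalRuleTemplates',
      'codecommit:ListRepositories',
      'codebuild:ListProjects',
    ],
    resources: ['*'],
  });

  // CodeBuild project access, scoped by tag. Note this is NOT read-only:
  // StartBuild/StopBuild are included so both roles can run builds.
  const codeBuildOperatorStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'codebuild:BatchGetBuilds',
      'codebuild:BatchGetProjects',
      'codebuild:ListBuildsForProject',
      'codebuild:ListCuratedEnvironmentImages',
      'codebuild:StartBuild',
      'codebuild:StopBuild',
    ],
    resources: ['*'],
    conditions: this.toTagCondition(props.tags),
  });

  // Collaborator: read access plus pull-request workflow on tagged repos.
  const collaboratorReadAndPrStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'codecommit:BatchGet*',
      'codecommit:BatchDescribe*',
      'codecommit:CreatePullRequest',
      'codecommit:EvaluatePullRequestApprovalRules',
      'codecommit:Get*',
      'codecommit:Describe*',
      'codecommit:List*',
      'codecommit:GitPull',
      'codecommit:PostCommentForComparedCommit',
      'codecommit:PostCommentForPullRequest',
      'codecommit:PostCommentReply',
      'codecommit:UpdateComment',
      'codecommit:UpdatePullRequestDescription',
      'codecommit:UpdatePullRequestStatus',
      'codecommit:UpdatePullRequestTitle',
    ],
    resources: ['*'],
    conditions: this.toTagCondition(props.tags),
  });

  // Collaborator: write access limited to topic-branch prefixes.
  // `StringLikeIfExists` is used because `codecommit:References` is only
  // present on ref-updating requests; when the key is absent the condition
  // passes. NOTE(review): toTagCondition is defined elsewhere in this file —
  // if it ever returns a `StringLikeIfExists` key it would replace the
  // reference restriction below (later keys win in the merge); confirm.
  const collaboratorBranchWriteStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'codecommit:CreateBranch',
      'codecommit:GitPush',
      'codecommit:Merge*',
    ],
    resources: ['*'],
    conditions: {
      StringLikeIfExists: {
        'codecommit:References': [
          'refs/heads/pr/*',
          'refs/heads/features/*',
          'refs/heads/bugs/*',
        ],
      },
      ...this.toTagCondition(props.tags),
    },
  });

  // Code Collaborator Policy.
  // The construct id (including the existing misspelling) is kept verbatim:
  // changing it would change the CloudFormation logical ID and replace the
  // managed policy in deployed stacks.
  this.codeCommitCollaboratorPolicy = new iam.ManagedPolicy(this, `CodeCommitCollarator-${props.name}`, {
    statements: [
      passRoleStatement,
      discoveryStatement,
      codeBuildOperatorStatement,
      collaboratorReadAndPrStatement,
      collaboratorBranchWriteStatement,
    ],
  });

  // Admin: broad CodeCommit access on tagged repos (including Create*/Delete*,
  // which covers repository creation and deletion).
  const adminStatement = new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'codecommit:BatchGet*',
      'codecommit:BatchDescribe*',
      'codecommit:Create*',
      'codecommit:Delete*',
      'codecommit:EvaluatePullRequestApprovalRules',
      'codecommit:Get*',
      'codecommit:Describe*',
      'codecommit:List*',
      'codecommit:GitPull',
      'codecommit:GitPush',
      'codecommit:Put*',
      'codecommit:Post*',
      'codecommit:Merge*',
      'codecommit:Test*',
      'codecommit:Update*',
      'codecommit:UploadArchive',
      'codecommit:CancelUploadArchive',
    ],
    resources: ['*'],
    conditions: this.toTagCondition(props.tags),
  });

  // Admin: explicit DENY on direct writes to the protected branch. Merge*
  // is deliberately not denied so admins can land pull requests into it.
  // Only `refs/heads/master` is protected; repositories whose default branch
  // is `main` (or anything else) are not covered — extend the list if needed.
  // The tag condition limits the deny to this model's repositories.
  // NOTE(review): as above, a `StringLike` key returned by toTagCondition
  // would replace the reference condition here; confirm it uses a different
  // operator.
  const adminProtectedBranchDenyStatement = new iam.PolicyStatement({
    effect: iam.Effect.DENY,
    actions: [
      'codecommit:GitPush',
      'codecommit:DeleteBranch',
      'codecommit:PutFile',
    ],
    resources: ['*'],
    conditions: {
      StringLike: {
        'codecommit:References': [
          'refs/heads/master',
        ],
      },
      ...this.toTagCondition(props.tags),
    },
  });

  // Code Admin Policy
  this.codeCommitAdminPolicy = new iam.ManagedPolicy(this, `CodeCommitAdmin-${props.name}`, {
    statements: [
      passRoleStatement,
      discoveryStatement,
      codeBuildOperatorStatement,
      adminStatement,
      adminProtectedBranchDenyStatement,
    ],
  });
}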