in lib/iam/code-build-role.ts [30:75]
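/**
 * IAM role assumed by CodeBuild (`codebuild.amazonaws.com`).
 *
 * Policy grants, in order:
 *  - when `stageName` is set: `sts:AssumeRole` on the CI/CD role in that stage's account
 *    (`config.accountIds[stageName]` + `config.deployment.cicdRoleName`);
 *  - CloudWatch Logs create/write/delete on every log group in `config.deployment.region`
 *    (account is `*`);
 *  - broad ECR read/push and `ssm:GetParameters`, both on resource `*`.
 *
 * @param scope CDK construct scope.
 * @param name  Construct id.
 * @param props `stageName` is consumed here; every other prop is forwarded to `iam.Role`.
 * @throws Error when `stageName` has no entry in `config.accountIds`. Without this check the
 *         interpolation would emit the literal text `arn:aws:iam::undefined:role/...`, which
 *         only fails later, at deploy time, with a malformed-policy error.
 */
constructor(scope: Construct, name: string, props: CodeBuildRoleProps = {}) {
  const { stageName, ...rest } = props
  super(scope, name, {
    ...rest,
    assumedBy: new iam.ServicePrincipal('codebuild.amazonaws.com')
  })

  if (stageName) {
    const targetAccountId = config.accountIds[stageName]
    // Fail at synth time with a readable message rather than synthesizing an invalid ARN.
    if (!targetAccountId) {
      throw new Error(`CodeBuildRole: no account id configured for stage "${stageName}"`)
    }
    this.addToPolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['sts:AssumeRole'],
      resources: [`arn:aws:iam::${targetAccountId}:role/${config.deployment['cicdRoleName']}`]
    }))
  }

  // Logs: limited to the deployment region, but to *every* log group in *any* account (`*`).
  // SECURITY(review): `logs:DeleteLogGroup` lets a compromised build delete other workloads'
  // log groups (anti-forensics). When the TODO below is done, also drop this action unless a
  // build step demonstrably needs it.
  this.addToPolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'logs:CreateLogGroup',
      'logs:CreateLogStream',
      'logs:DeleteLogGroup',
      'logs:PutLogEvents'
    ],
    resources: [`arn:aws:logs:${config.deployment.region}:*:log-group:*`]
  })) // TODO - specific log groups

  // ECR + SSM on `*`. Only `ecr:GetAuthorizationToken` (covered by `ecr:Get*`) requires a `*`
  // resource; the layer-upload/put actions and `ssm:GetParameters` accept resource-level ARNs.
  // SECURITY(review): `ecr:Put*` on `*` allows overwriting any image tag in the account
  // (software-supply-chain risk: a build could replace another service's image), and
  // `ssm:GetParameters` on `*` reads every parameter. Split this into a `*`-scoped
  // GetAuthorizationToken statement plus repository-/parameter-path-scoped statements once the
  // build's repositories and parameter prefixes are known from config.
  this.addToPolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'ecr:Describe*',
      'ecr:List*',
      'ecr:Get*',
      'ecr:Put*',
      'ecr:UploadLayerPart',
      'ecr:InitiateLayerUpload',
      'ecr:CompleteLayerUpload',
      'ecr:BatchCheckLayerAvailability',
      'ssm:GetParameters'
    ],
    resources: ['*']
  }))
}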