in source/lib/compliant-framework-stack.ts [1105:1178]
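/**
 * Creates the CodeBuild project that deploys the framework and wraps it in a
 * Step Functions task (RUN_JOB, i.e. the state waits for the build to finish).
 *
 * The build source is `repos.zip` in the regional distribution bucket; the
 * `%%…%%` tokens are substituted at packaging time. The project role gets
 * the three least-privilege grants the build script needs (SSM parameter
 * reads, DescribeStacks on this stack, two Organizations calls), and the
 * generated DefaultPolicy is annotated with a cfn_nag suppression for the
 * unavoidable `*` resource on the Organizations actions.
 *
 * @returns the Step Functions task that starts the build.
 * @throws Error if the project role's generated DefaultPolicy cannot be
 *   located (which would otherwise surface as an opaque TypeError at synth).
 */
private addStepFunctionDeployFramework(): tasks.CodeBuildStartBuild {
  const stack = core.Stack.of(this);

  const codebuildProject = new codebuild.Project(this, 'codebuildProject', {
    projectName: 'CompliantFramework',
    source: codebuild.Source.s3({
      // Regional copy of the solution bucket; name is resolved by the packaging step.
      bucket: s3.Bucket.fromBucketName(this, 'codebuildProjectBucket', '%%BUCKET_NAME%%-' + stack.region),
      path: '%%SOLUTION_NAME%%/%%VERSION%%/repos.zip',
    }),
    timeout: Duration.hours(4),
    environment: {
      buildImage: codebuild.LinuxBuildImage.STANDARD_3_0,
      computeType: codebuild.ComputeType.SMALL,
    },
    environmentVariables: {
      STACK_NAME: { value: core.Aws.STACK_NAME },
      VERSION: { value: '%%VERSION%%' },
    },
  });

  // Read access to every SSM parameter in this account/region. If the build
  // only reads parameters under a known prefix, narrowing resourceName to that
  // path would reduce the blast radius of a compromised build environment.
  codebuildProject.addToRolePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['ssm:GetParameter', 'ssm:GetParameters'],
      resources: [
        this.formatArn({
          service: 'ssm',
          resource: 'parameter',
          sep: '/',
          resourceName: '*',
        }),
      ],
    }),
  );

  // DescribeStacks is scoped to this stack only (STACK_NAME/<stack-id>).
  codebuildProject.addToRolePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['cloudformation:DescribeStacks'],
      resources: [
        this.formatArn({
          service: 'cloudformation',
          resource: 'stack',
          sep: '/',
          resourceName: core.Aws.STACK_NAME + '/*',
        }),
      ],
    }),
  );

  // These Organizations actions do not take a resource ARN, so '*' is the
  // only valid resource; this is what the cfn_nag W12 suppression below covers.
  // EnableAWSServiceAccess is org-wide trusted-access configuration, so keep
  // this action list minimal.
  codebuildProject.addToRolePolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ['organizations:DescribeOrganization', 'organizations:EnableAWSServiceAccess'],
      resources: ['*'],
    }),
  );

  // The L1 policy resource is generated by the addToRolePolicy calls above.
  // Guard explicitly instead of casting an optional chain, so a missing role
  // or policy fails with a message that names the construct.
  const defaultPolicy = codebuildProject.role?.node
    .tryFindChild('DefaultPolicy')
    ?.node.tryFindChild('Resource');
  if (!(defaultPolicy instanceof iam.CfnPolicy)) {
    throw new Error(
      'codebuildProject: expected the role DefaultPolicy/Resource (iam.CfnPolicy) to exist before adding cfn_nag metadata',
    );
  }
  // Merge rather than overwrite so any metadata set elsewhere is preserved.
  defaultPolicy.cfnOptions.metadata = {
    ...defaultPolicy.cfnOptions.metadata,
    cfn_nag: {
      rules_to_suppress: [
        {
          id: 'W12',
          reason: `CodeBuild project permission actions require use of * resource`,
        },
      ],
    },
  };

  return new tasks.CodeBuildStartBuild(this, 'Deploy Framework', {
    project: codebuildProject,
    integrationPattern: sfn.IntegrationPattern.RUN_JOB,
  });
}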