in lib/shellable.ts [409:460]
/**
 * Shell lines that run before the build script itself: download and unpack the
 * script bundle from S3, then (optionally) obtain credentials for `assumeRole`.
 *
 * Two credential strategies are emitted, selected by `assumeRole.refresh`:
 * - refresh: append a named profile with `credential_source = EcsContainer` to
 *   `~/.aws/config` and point `AWS_PROFILE` at it, so the SDK performs (and
 *   refreshes) the assume-role call on its own;
 * - otherwise: run `aws sts assume-role` once and export the three static
 *   credential variables parsed from the JSON it prints.
 *
 * Every returned string is executed by a shell. `roleArn`, `sessionName`,
 * `externalId` and `profileName` are interpolated without shell quoting or
 * validation, so they must not originate from untrusted input: a value
 * containing `"`, `$(`, `;` or a newline would alter the generated command.
 * (Presumably they are static construct props — confirm at the call sites.)
 *
 * @param assumeRole role to assume before the build; when omitted no
 *   credential lines are produced.
 * @param useRegionalStsEndpoints select regional (vs. legacy) STS endpoints for
 *   the one-shot assume-role call; not used in refresh mode.
 * @returns the ordered shell commands to run ahead of the build.
 */
public prebuildCommands(assumeRole?: AssumeRole, useRegionalStsEndpoints?: boolean): string[] {
  // Shell references to the bucket/key environment variables, expanded at
  // CodeBuild run time (not here). `${VAR}` form for the download, bare `$VAR`
  // form inside basename.
  const bucketRef = `\${${S3_BUCKET_ENV}}`;
  const keyRef = `\${${S3_KEY_ENV}}`;
  const bareKeyRef = '$' + S3_KEY_ENV;

  const lines: string[] = [
    // Echo the expanded location first: if the copy fails, the error message
    // would otherwise only show the unexpanded variables. A failure here can
    // mean an outdated CodeBuild project definition whose permissions only
    // allow downloading the very latest version.
    `echo "Downloading scripts from s3://${bucketRef}/${keyRef}"`,
    `aws s3 cp s3://${bucketRef}/${keyRef} /tmp`,
    'mkdir -p /tmp/scriptdir',
    `unzip /tmp/$(basename ${bareKeyRef}) -d /tmp/scriptdir`,
  ];

  if (!assumeRole) {
    return lines;
  }

  // Refresh mode: write a profile into the shared AWS config so the SDK
  // re-assumes the role itself. Note the `>>`: entries are appended, never
  // replaced, so re-running these lines in the same home directory duplicates
  // the profile section.
  const refreshProfileLines = (role: AssumeRole): string[] => {
    const profile = role.profileName ?? 'long-running-profile';
    const home = '~/.aws';
    const out = [
      `mkdir -p ${home}`,
      `touch ${home}/credentials`,
      `config=${home}/config`,
      `echo [profile ${profile}]>> \${config}`,
      'echo credential_source = EcsContainer >> ${config}',
      `echo role_session_name = ${role.sessionName} >> \${config}`,
      `echo role_arn = ${role.roleArn} >> $config`,
    ];
    if (role.externalId) {
      out.push(`echo external_id = ${role.externalId} >> $config`);
    }
    // Tell application code which profile to use, and force the AWS SDK for
    // JavaScript to actually read the config file (it does not by default).
    out.push(`export AWS_PROFILE=${profile}`, 'export AWS_SDK_LOAD_CONFIG=1');
    return out;
  };

  // One-shot mode: call STS directly and export static credentials. The STS
  // response (including the secret key and session token) is written to a
  // mktemp directory and then lifted into the process environment; it is
  // never removed by these lines.
  const staticCredentialLines = (role: AssumeRole): string[] => {
    const endpointMode = useRegionalStsEndpoints ? 'regional' : 'legacy';
    const externalIdFlag = role.externalId ? `--external-id "${role.externalId}"` : '';
    // Extracts a field from the STS JSON by grepping the line that names it
    // and taking the 4th `"`-delimited column. This relies on the CLI's default
    // pretty-printed JSON layout (one key per line) — presumably no
    // AWS_DEFAULT_OUTPUT override is in effect in the build image; verify.
    const exportFromJson = (envVar: string, field: string): string =>
      `export ${envVar}="$(cat \${creds} | grep "${field}" | cut -d'"' -f 4)"`;
    return [
      'creds=$(mktemp -d)/creds.json',
      `AWS_STS_REGIONAL_ENDPOINTS=${endpointMode} aws sts assume-role --role-arn "${role.roleArn}" --role-session-name "${role.sessionName}" ${externalIdFlag} > $creds`,
      exportFromJson('AWS_ACCESS_KEY_ID', 'AccessKeyId'),
      exportFromJson('AWS_SECRET_ACCESS_KEY', 'SecretAccessKey'),
      exportFromJson('AWS_SESSION_TOKEN', 'SessionToken'),
    ];
  };

  const credentialLines = assumeRole.refresh
    ? refreshProfileLines(assumeRole)
    : staticCredentialLines(assumeRole);
  lines.push(...credentialLines);
  return lines;
}