(codepipeline_actions): Need support for Full Clone for CodeCommit action. (OutputArtifactFormat= CODEBUILD_CLONE_REF) #12236
Comments
Found a temporary solution using an Escape hatch - documenting it for future reference

```typescript
import * as iam from '@aws-cdk/aws-iam';
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';

// CloudFormation Escape Hatch to add OutputArtifactFormat; allows support
// for Full Clone (bug: https://github.com/aws/aws-cdk/issues/12236)
// Assumes `code` (codecommit.Repository), `sourceOutput` (codepipeline.Artifact),
// `codeBuildServiceRole` (iam.Role) and `pipeline` (codepipeline.Pipeline)
// are already defined in the enclosing Stack.
// As additional permissions are needed I need to create a new role and assign it to the action
// This is temporary as codepipeline_actions.CodeCommitSourceAction doesn't expose the role to add the policy directly
const codeCommitSourceActionRole = new iam.Role(this, 'CodeCommitSourceActionRole', {
  // The pipeline's service role assumes this action role; trust is scoped to this account
  assumedBy: new iam.AccountPrincipal(this.account),
});
codeCommitSourceActionRole.addToPrincipalPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: [code.repositoryArn],
  actions: [
    'codecommit:GetBranch',
    'codecommit:GetCommit',
    'codecommit:UploadArchive',
    'codecommit:GetUploadArchiveStatus',
    'codecommit:CancelUploadArchive',
    'codecommit:GitPull',
    'codecommit:GetRepository',
  ],
}));
const codeCommitSourceAction = new codepipeline_actions.CodeCommitSourceAction({
  role: codeCommitSourceActionRole,
  actionName: 'CodeCommit_Source',
  repository: code,
  output: sourceOutput,
});
// Also, the codebuild Service Role needs additional permissions
// (CodeBuild is what actually performs the git pull of the clone ref)
codeBuildServiceRole.addToPrincipalPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  resources: [code.repositoryArn],
  actions: [
    'codecommit:GitPull',
  ],
}));
// This modifies the specific Stage Properties
// (the override path assumes the source action is the first action of the first stage)
const cfnPipeline = pipeline.node.defaultChild as codepipeline.CfnPipeline;
cfnPipeline.addPropertyOverride('Stages.0.Actions.0.Configuration.OutputArtifactFormat', 'CODEBUILD_CLONE_REF');
```
something to check in - so I did the hack-around waiting for the PR. Ran into an encryption/decryption error - the pipeline didn't have access to the key used on the S3 bucket. Will this still be an issue with this update?
I've just tried it, and everything worked for me! Let's get this released - the API looks good, and if there are any remaining permissions issues, we'll handle them as we go 🙂.
…#12558) Add `codeBuildCloneOutput` property to the CodeCommit source action. It automatically adds the `codecommit:GetRepository` permission to the CodeCommitSourceAction role. It will also add the `codecommit:GitPull` permission to any CodeBuildAction using the artifact from CodeCommitSourceAction as input. Closes #12236 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
As referenced here this is a Feature Request to allow CodeBuild to access Git metadata in the pipeline build action.
Full Clone is needed in cases where the CodeBuild action needs to access the full Git Repository metadata.

Use Case
In my case I'm trying to run the AWS Copilot CLI to build & deploy from CodeBuild once there is an update to the CodeCommit repo. AWS Copilot CLI needs access to the Git Repository directly. This is a supported case as referenced in the link above, but the `codepipeline_actions` module seems to have exposed this only for BitBucket sources. It would be nice to extend this to other Sources.

Proposed Solution
My understanding is that exposing the property `OutputArtifactFormat` similar to what is done here should be enough, but I don't understand the source code enough to make a proper PR. Special care has to be considered when defining Role permissions as there are specific requirements for this option to work. This is clearly referenced here.

This is a 🚀 Feature Request
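The permission requirements that run through this thread (the escape-hatch comment grants `codecommit:GetRepository` on the source action role and `codecommit:GitPull` on the CodeBuild service role; the merged change automates the same two grants) are easy to get half right, and the mistake only surfaces when the pipeline runs. The TypeScript below is an added example, not code from this issue, the PR or the CDK library: a small lint over a synthesized CloudFormation template that flags a `CODEBUILD_CLONE_REF` source action whose roles lack those permissions. The template it inspects is constructed inline to resemble a CDK synth of the pipeline discussed here (it is not real synth output); `lintFullClone`, `allowedActions` and `sampleTemplate` are the example's own names, and its resource matching understands only `*` and `Fn::GetAtt [<repo>, 'Arn']` references.

```typescript
// Added example (not from the aws-cdk issue, PR or library): lint a synthesized
// CloudFormation template for what a CODEBUILD_CLONE_REF source action needs, as
// described in this thread. Resource matching understands only '*' and
// {"Fn::GetAtt": ["<repo>", "Arn"]}, which is the form CDK synthesizes.
type Json = Record<string, any>;
export interface Finding { action: string; message: string }

const SOURCE_ROLE_ACTIONS = [
  'codecommit:GetBranch', 'codecommit:GetCommit', 'codecommit:UploadArchive',
  'codecommit:GetUploadArchiveStatus', 'codecommit:CancelUploadArchive',
  'codecommit:GetRepository', // the extra permission a full clone needs on the source role
];
const BUILD_ROLE_ACTIONS = ['codecommit:GitPull']; // needed by whoever runs the git pull

// {Ref: X} / {Fn::GetAtt: [X, ...]} / plain string -> logical id (or the string itself).
function logicalIdOf(ref: any): string {
  if (typeof ref === 'string') return ref;
  return ref?.Ref ?? ref?.['Fn::GetAtt']?.[0] ?? '';
}
function asList<T>(x: T | T[] | undefined): T[] {
  return x === undefined ? [] : Array.isArray(x) ? x : [x];
}

// Actions on repository `repoId` that role `roleId` is allowed, gathered from its
// inline Policies and from AWS::IAM::Policy resources that list it under Roles.
function allowedActions(template: Json, roleId: string, repoId: string): Set<string> {
  const resources: Json = template.Resources ?? {};
  const statements: Json[] = [];
  for (const p of resources[roleId]?.Properties?.Policies ?? []) {
    statements.push(...asList<Json>(p.PolicyDocument?.Statement));
  }
  for (const key of Object.keys(resources)) {
    const res = resources[key];
    const roles: Json[] = res.Properties?.Roles ?? [];
    if (res.Type === 'AWS::IAM::Policy' && roles.some((r) => logicalIdOf(r) === roleId)) {
      statements.push(...asList<Json>(res.Properties.PolicyDocument?.Statement));
    }
  }
  const out = new Set<string>();
  for (const s of statements) {
    if (s.Effect !== 'Allow') continue;
    if (!asList<any>(s.Resource).some((r) => r === '*' || logicalIdOf(r) === repoId)) continue;
    for (const a of asList<string>(s.Action)) out.add(a);
  }
  return out;
}

export function lintFullClone(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const key = Object.keys(resources).find((k) => resources[k].Type === 'AWS::CodePipeline::Pipeline');
  if (!key) return [{ action: '(pipeline)', message: 'no AWS::CodePipeline::Pipeline resource' }];
  const actions: Json[] = [];
  for (const stage of resources[key].Properties.Stages ?? []) actions.push(...(stage.Actions ?? []));
  const findings: Finding[] = [];
  const cloneArtifacts = new Map<string, string>(); // artifact name -> repo logical id

  // Pass 1: CodeCommit source actions that request a full clone.
  for (const a of actions) {
    const t = a.ActionTypeId ?? {};
    if (t.Category !== 'Source' || t.Provider !== 'CodeCommit') continue;
    if (a.Configuration?.OutputArtifactFormat !== 'CODEBUILD_CLONE_REF') continue;
    const repoId = logicalIdOf(a.Configuration.RepositoryName);
    for (const o of a.OutputArtifacts ?? []) cloneArtifacts.set(o.Name, repoId);
    const roleId = logicalIdOf(a.RoleArn);
    const have = allowedActions(template, roleId, repoId);
    for (const need of SOURCE_ROLE_ACTIONS) {
      if (!have.has(need)) findings.push({ action: a.Name, message: `source role ${roleId} lacks ${need}` });
    }
  }
  // Pass 2: CodeBuild actions consuming such an artifact. The git pull runs under
  // the CodeBuild project's service role, not under the pipeline action role.
  for (const a of actions) {
    const t = a.ActionTypeId ?? {};
    if (t.Category !== 'Build' || t.Provider !== 'CodeBuild') continue;
    const input = (a.InputArtifacts ?? []).find((i: Json) => cloneArtifacts.has(i.Name));
    if (!input) continue;
    const projectId = logicalIdOf(a.Configuration?.ProjectName);
    const roleId = logicalIdOf(resources[projectId]?.Properties?.ServiceRole);
    const have = allowedActions(template, roleId, cloneArtifacts.get(input.Name)!);
    for (const need of BUILD_ROLE_ACTIONS) {
      if (!have.has(need)) findings.push({ action: a.Name, message: `CodeBuild service role ${roleId} lacks ${need}` });
    }
  }
  return findings;
}

// Constructed template shaped like a CDK synth of the pipeline in this thread (not
// real synth output). buildCanPull=false reproduces the half-done setup the thread
// warns about: clone ref requested, but the CodeBuild role never gets GitPull.
export function sampleTemplate(buildCanPull: boolean): Json {
  const allow = (acts: string[]) => ({ Effect: 'Allow', Action: acts, Resource: { 'Fn::GetAtt': ['Repo', 'Arn'] } });
  const action = (Category: string, Provider: string, extra: Json) =>
    ({ ActionTypeId: { Category, Owner: 'AWS', Provider, Version: '1' }, ...extra });
  return { Resources: {
    Repo: { Type: 'AWS::CodeCommit::Repository', Properties: { RepositoryName: 'app' } },
    SourceRole: { Type: 'AWS::IAM::Role', Properties: {
      Policies: [{ PolicyName: 'src', PolicyDocument: { Statement: [allow(SOURCE_ROLE_ACTIONS)] } }] } },
    BuildRole: { Type: 'AWS::IAM::Role', Properties: {} },
    BuildRolePolicy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'BuildRole' }],
      PolicyDocument: { Statement: buildCanPull ? [allow(BUILD_ROLE_ACTIONS)] : [] } } },
    Project: { Type: 'AWS::CodeBuild::Project', Properties: { ServiceRole: { 'Fn::GetAtt': ['BuildRole', 'Arn'] } } },
    Pipeline: { Type: 'AWS::CodePipeline::Pipeline', Properties: { Stages: [
      { Name: 'Source', Actions: [action('Source', 'CodeCommit', {
        Name: 'CodeCommit_Source', RoleArn: { 'Fn::GetAtt': ['SourceRole', 'Arn'] },
        Configuration: { RepositoryName: { 'Fn::GetAtt': ['Repo', 'Name'] }, BranchName: 'main',
          OutputArtifactFormat: 'CODEBUILD_CLONE_REF' },
        OutputArtifacts: [{ Name: 'SourceOutput' }] })] },
      { Name: 'Build', Actions: [action('Build', 'CodeBuild', {
        Name: 'CodeBuild', Configuration: { ProjectName: { Ref: 'Project' } },
        InputArtifacts: [{ Name: 'SourceOutput' }] })] },
    ] } },
  } };
}
```

Run it against `cdk synth --json` output in CI (or against `sampleTemplate(false)` to see the finding it produces) before the first pipeline execution; the lint looks at the CodeBuild project's service role because that role, not the pipeline action role, is the identity that performs the `git pull`, which is why the escape-hatch comment above adds `GitPull` to `codeBuildServiceRole`.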