@aws-c2a/cdk-pipelines-step
Readme
This package contains PerformChangeAnalysis, a custom approval step for use with a CDK Pipelines pipeline. This approval step will help you:
C2A is currently in Developer Preview. Let us know how this tool is working for you.
Add the following to your package.json:

{
  "dependencies": {
    "@aws-c2a/cdk-pipelines-step": "0.5.0"
  }
}
Make sure the following packages are in there as well, with a CDK version of 1.115.0 or higher:

{
  "dependencies": {
    "@aws-cdk/aws-codebuild": "<VERSION>",
    "@aws-cdk/aws-codepipeline": "<VERSION>",
    "@aws-cdk/aws-codepipeline-actions": "<VERSION>",
    "@aws-cdk/aws-iam": "<VERSION>",
    "@aws-cdk/aws-lambda": "<VERSION>",
    "@aws-cdk/aws-s3": "<VERSION>",
    "@aws-cdk/aws-secretsmanager": "<VERSION>",
    "@aws-cdk/aws-sns": "<VERSION>",
    "@aws-cdk/core": "<VERSION>",
    "@aws-cdk/pipelines": "<VERSION>",
    "constructs": "^3.3.69"
  }
}
Insert PerformChangeAnalysis by adding it as a pre step when adding a Stage to a CDK pipeline:

import { PerformChangeAnalysis } from '@aws-c2a/cdk-pipelines-step';

const stage = new MyApplicationStage(this, 'MyApplication');
pipeline.addStage(stage, {
  pre: [
    new PerformChangeAnalysis('Check', { stage }),
  ],
});
By inserting the PerformChangeAnalysis step before any stage deployment, the CDK Change Analyzer (C2A) is run to visualize the changes the upcoming deployment would introduce, and a Manual Approval step is added to the pipeline so you can review and confirm those changes before anything is deployed. Your pipeline stage will look like this:
┌───────────────────────────────────────────────────────────────┐
│ MyApplicationStage                                            │
│                                                               │
│  ┌─────────┐     ┌─────────┐     ┌─────────┐     ┌─────────┐  │
│  │         │     │         │     │         │     │         │  │
│  │  Check  │────▶│ Confirm │────▶│ Prepare │────▶│ Deploy  │  │
│  │         │     │         │     │         │     │         │  │
│  └─────────┘     └─────────┘     └─────────┘     └─────────┘  │
│                                                               │
└───────────────────────────────────────────────────────────────┘
Rules can be used to automatically classify changes in a deployment. They can be classified along 2 different axes:
To automatically classify changes according to rules, write a JSON file in the rules language and pass it to the PerformChangeAnalysis step (the resolve import below comes from Node's path module):

import { resolve } from 'path';
import { RuleSet, PerformChangeAnalysis } from '@aws-c2a/cdk-pipelines-step';

const stage = new MyApplicationStage(this, 'MyApplication');
pipeline.addStage(stage, {
  pre: [
    new PerformChangeAnalysis('Check', {
      stage,
      ruleSet: RuleSet.fromDisk(resolve(__dirname, 'rules.json')),
    }),
  ],
});
By default, PerformChangeAnalysis will always run a suite of rules that checks for broadening of IAM permissions, equivalent to what the CDK CLI checks for during cdk deploy. To turn this off, pass broadeningPermissions: false. Note that once it is off, widened IAM permissions are only surfaced if your own rule set covers them:

const stage = new MyApplicationStage(this, 'MyApplication');
pipeline.addStage(stage, {
  pre: [
    new PerformChangeAnalysis('Check', {
      stage,
      broadeningPermissions: false,
    }),
  ],
});
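To make the default check concrete, here is an added example written for this page. It is my own simplified code, not the C2A rule set and not the CDK CLI's implementation: it compares the IAM policy statements in two CloudFormation templates (constructed inline, with made-up logical IDs, bucket names and ARNs) and reports Allow statements that are new or widened and Deny statements that were removed, which is the shape of what cdk deploy --require-approval broadening asks you to approve. The CDK CLI's real check also flags security group rule changes, which this example omits.

```typescript
// Added example (my own code, not the C2A rule set and not the CDK CLI's
// implementation): a simplified "permission broadening" check between two
// CloudFormation templates. Reports Allow statements that are new or widened and
// Deny statements that were removed; narrowing and security group rules are ignored.

interface Statement { Effect: 'Allow' | 'Deny'; Action?: string | string[]; Resource?: string | string[]; Principal?: unknown; Condition?: unknown }
interface CfnResource { Type: string; Properties?: { [key: string]: any } }
interface Template { Resources: { [logicalId: string]: CfnResource } }
interface Finding { logicalId: string; kind: 'added-allow' | 'removed-deny'; statement: string }

// Normalise string-or-array fields and sort them, so reordering an action list
// is not mistaken for a change.
function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : (Array.isArray(v) ? v.slice() : [v]).sort();
}

// Canonical JSON for a statement: two statements are "the same" iff this matches.
function canonical(s: Statement): string {
  return JSON.stringify({
    Effect: s.Effect, Action: asList(s.Action), Resource: asList(s.Resource),
    Principal: s.Principal === undefined ? null : s.Principal,
    Condition: s.Condition === undefined ? null : s.Condition,
  });
}

// Collect canonical statements per logical ID from the property names CloudFormation
// uses for policy documents: inline policies (Policies[].PolicyDocument), managed and
// resource policies (PolicyDocument) and role trust policies (AssumeRolePolicyDocument).
function collectStatements(t: Template): { [logicalId: string]: string[] } {
  const byId: { [logicalId: string]: string[] } = {};
  for (const id of Object.keys(t.Resources)) {
    const props: { [key: string]: any } = t.Resources[id].Properties || {};
    const docs: any[] = [];
    if (props.PolicyDocument) docs.push(props.PolicyDocument);
    if (props.AssumeRolePolicyDocument) docs.push(props.AssumeRolePolicyDocument);
    for (const pol of props.Policies || []) if (pol && pol.PolicyDocument) docs.push(pol.PolicyDocument);
    const stmts: string[] = [];
    for (const doc of docs) {
      const list: Statement[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
      for (const s of list) stmts.push(canonical(s));
    }
    if (stmts.length > 0) byId[id] = stmts;
  }
  return byId;
}

// Allow statements present only after the change, and Deny statements present
// only before it, are the broadening findings a reviewer has to approve.
function findBroadening(oldT: Template, newT: Template): Finding[] {
  const before = collectStatements(oldT);
  const after = collectStatements(newT);
  const ids = Object.keys(before).concat(Object.keys(after).filter(k => !(k in before)));
  const findings: Finding[] = [];
  for (const id of ids) {
    const o = before[id] || [];
    const n = after[id] || [];
    for (const s of n) if (o.indexOf(s) === -1 && JSON.parse(s).Effect === 'Allow') findings.push({ logicalId: id, kind: 'added-allow', statement: s });
    for (const s of o) if (n.indexOf(s) === -1 && JSON.parse(s).Effect === 'Deny') findings.push({ logicalId: id, kind: 'removed-deny', statement: s });
  }
  return findings;
}

// One line per finding, suitable for the body of an approval notification.
function describeFinding(f: Finding): string {
  const st = JSON.parse(f.statement);
  const who = st.Principal === null ? '' : ` principal=${JSON.stringify(st.Principal)}`;
  return `${f.logicalId}: ${f.kind} ${st.Action.join(',')} on ${st.Resource.join(',') || '*'}${who}`;
}

// Builds a constructed AWS::IAM::Role with a Lambda trust policy and one inline policy.
function lambdaRole(statements: Statement[]): CfnResource {
  return { Type: 'AWS::IAM::Role', Properties: {
    AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: 'lambda.amazonaws.com' } }] },
    Policies: [{ PolicyName: 'app', PolicyDocument: { Version: '2012-10-17', Statement: statements } }],
  } };
}

// Constructed sample (made-up names and ARNs). Before: read one bucket, explicit Deny on deletion.
const templateBefore: Template = { Resources: { AppRole: lambdaRole([
  { Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: 'arn:aws:s3:::app-data/*' },
  { Effect: 'Deny', Action: 's3:DeleteBucket', Resource: '*' },
]) } };

// After: the read statement is only reordered (must not be flagged), an s3:* grant is
// added, the Deny is dropped, and a bucket policy open to any principal appears.
const templateAfter: Template = { Resources: {
  AppRole: lambdaRole([
    { Effect: 'Allow', Action: ['s3:ListBucket', 's3:GetObject'], Resource: 'arn:aws:s3:::app-data/*' },
    { Effect: 'Allow', Action: 's3:*', Resource: 'arn:aws:s3:::app-data/*' },
  ]),
  DataBucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: { Bucket: 'app-data', PolicyDocument: {
    Version: '2012-10-17', Statement: [{ Effect: 'Allow', Principal: '*', Action: 's3:GetObject', Resource: 'arn:aws:s3:::app-data/*' }],
  } } },
} };

const sampleFindings = findBroadening(templateBefore, templateAfter);
for (const f of sampleFindings) console.log(describeFinding(f));
```

Run against the constructed templates this reports three findings (the widened s3:* grant, the dropped Deny, and the world-readable bucket policy) and stays silent on the reordered read statement; run in the opposite direction (after to before) it reports nothing, since narrowing is not broadening. In a real pipeline the two inputs would be the stage's synthesized templates before and after the change under review.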
To get notified when there is a change that needs your manual approval, create an SNS Topic, subscribe your own email address, and pass it in as the notificationTopic property. The @aws-cdk/aws-sns-subscriptions package used below is not in the dependency list above, so add it at the same CDK version:

import * as sns from '@aws-cdk/aws-sns';
import * as subscriptions from '@aws-cdk/aws-sns-subscriptions';
import { PerformChangeAnalysis } from '@aws-c2a/cdk-pipelines-step';

const topic = new sns.Topic(this, 'SecurityChangesTopic');
topic.addSubscription(new subscriptions.EmailSubscription('test@email.com'));

const stage = new MyApplicationStage(this, 'MyApplication');
pipeline.addStage(stage, {
  pre: [
    new PerformChangeAnalysis('Check', {
      stage,
      notificationTopic: topic,
    }),
  ],
});
FAQs
A CDK Pipelines Step that runs aws-c2a diff given a rule set
The npm package @aws-c2a/cdk-pipelines-step receives a total of 1 weekly download, so Socket classifies it as not popular. Socket also rates its version release cadence and project activity as unhealthy because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.