Add ACL support to CodeDeploy task (#459)

* Add ACL support to CodeDeploy task

* Update test code

Author: JadenSimon

.changes/next-release/Feature-3dfa1544-2757-4457-97ad-0a91767a833f.json

@@ -0,0 +1,4 @@
+{
+	"type": "Feature",
+	"description": "Added \"filesAcl\" parameter to CodeDeploy task when uploading to S3"
+}

src/tasks/CodeDeployDeployApplication/TaskOperations.ts

@@ -122,13 +122,17 @@ export class TaskOperations {
         console.log(tl.loc('UploadingBundle', archiveName, key, this.taskParameters.bucketName))
         const fileBuffer = fs.createReadStream(archiveName)
         try {
-            const response: S3.ManagedUpload.SendData = await this.s3Client
-                .upload({
-                    Bucket: this.taskParameters.bucketName,
-                    Key: key,
-                    Body: fileBuffer
-                })
-                .promise()
+            const request: S3.PutObjectRequest = {
+                Bucket: this.taskParameters.bucketName,
+                Key: key,
+                Body: fileBuffer
+            }
+
+            if (this.taskParameters.filesAcl && this.taskParameters.filesAcl !== 'none') {
+                request.ACL = this.taskParameters.filesAcl
+            }
+
+            await this.s3Client.upload(request).promise()
             console.log(tl.loc('BundleUploadCompleted'))
 
             // clean up the archive if we created one

src/tasks/CodeDeployDeployApplication/TaskParameters.ts

@@ -20,6 +20,7 @@ export interface TaskParameters {
     bucketName: string
     bundlePrefix: string
     bundleKey: string
+    filesAcl: string
     description: string
     fileExistsBehavior: string | undefined
     updateOutdatedInstancesOnly: boolean
@@ -38,6 +39,7 @@ export function buildTaskParameters(): TaskParameters {
         bucketName: getInputRequired('bucketName'),
         bundlePrefix: '',
         bundleKey: '',
+        filesAcl: '',
         description: getInputOrEmpty('description'),
         fileExistsBehavior: tl.getInput('fileExistsBehavior', false),
         updateOutdatedInstancesOnly: tl.getBoolInput('updateOutdatedInstancesOnly', false),
@@ -50,6 +52,7 @@ export function buildTaskParameters(): TaskParameters {
         case revisionSourceFromWorkspace:
             parameters.revisionBundle = getPathInputRequiredCheck('revisionBundle')
             parameters.bundlePrefix = getInputOrEmpty('bundlePrefix')
+            parameters.filesAcl = getInputOrEmpty('filesAcl')
             break
 
         case revisionSourceFromS3:

src/tasks/CodeDeployDeployApplication/task.json

@@ -111,6 +111,25 @@
             "visibleRule": "deploymentRevisionSource = s3",
             "helpMarkDown": "The Amazon S3 object key of the previously uploaded archive file containing the deployment revision artifacts."
         },
+        {
+            "name": "filesAcl",
+            "type": "pickList",
+            "label": "Access Control (ACL)",
+            "defaultValue": "none",
+            "required": false,
+            "visibleRule": "deploymentRevisionSource = workspace",
+            "helpMarkDown": "The canned Access Control List (ACL) to apply to the uploaded content. See [Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) for an explanation of the possible values. By default, no ACL is applied.",
+            "options": {
+                "none": "none",
+                "private": "private",
+                "public-read": "public read",
+                "public-read-write": "public read write",
+                "authenticated-read": "authenticated read",
+                "aws-exec-read": "aws-exec-read",
+                "bucket-owner-read": "bucket-owner-read",
+                "bucket-owner-full-control": "bucket-owner-full-control"
+            }
+        },
         {
             "name": "description",
             "label": "Description",

tests/taskTests/codeDeployDeployApplication/codeDeployDeployApplication-test.ts

@@ -28,6 +28,7 @@ const defaultTaskParameters: TaskParameters = {
     bundlePrefix: '',
     bundleKey: 'undefined',
     description: '',
+    filesAcl: '',
     fileExistsBehavior: '',
     updateOutdatedInstancesOnly: false,
     ignoreApplicationStopFailures: false,
@@ -44,6 +45,21 @@ const codeDeployDeploymentId = {
 }
 
 describe('CodeDeploy Deploy Application', () => {
+    // Creates a simple mock that always succeeds (at least for these tests)
+    function createSuccessfulCodeDeploy(): CodeDeploy {
+        const codeDeploy = new CodeDeploy() as any
+        codeDeploy.getApplication = jest.fn(() => emptyPromise)
+        codeDeploy.getDeploymentGroup = jest.fn(() => emptyPromise)
+        codeDeploy.createDeployment = jest.fn(() => codeDeployDeploymentId)
+        codeDeploy.waitFor = jest.fn((thing, thing2, cb) => {
+            cb()
+
+            return { promise: () => undefined }
+        })
+
+        return codeDeploy
+    }
+
     // TODO https://github.com/aws/aws-vsts-tools/issues/167
     beforeAll(() => {
         SdkUtils.readResourcesFromRelativePath('../../build/src/tasks/CodeDeployDeployApplication/task.json')
@@ -75,10 +91,7 @@ describe('CodeDeploy Deploy Application', () => {
         expect.assertions(1)
         const taskParameters = { ...defaultTaskParameters }
         taskParameters.deploymentRevisionSource = revisionSourceFromS3
-        const codeDeploy = new CodeDeploy() as any
-        codeDeploy.getApplication = jest.fn(() => emptyPromise)
-        codeDeploy.getDeploymentGroup = jest.fn(() => emptyPromise)
-        const taskOperations = new TaskOperations(codeDeploy, new S3(), taskParameters)
+        const taskOperations = new TaskOperations(createSuccessfulCodeDeploy(), new S3(), taskParameters)
         await taskOperations.execute().catch(err => {
             expect(`${err}`).toContain('Archive with key undefined does not exist')
         })
@@ -89,10 +102,7 @@ describe('CodeDeploy Deploy Application', () => {
         const taskParameters = { ...defaultTaskParameters }
         taskParameters.deploymentRevisionSource = revisionSourceFromS3
         taskParameters.bundleKey = '/whatever/wahtever'
-        const codeDeploy = new CodeDeploy() as any
-        codeDeploy.getApplication = jest.fn(() => emptyPromise)
-        codeDeploy.getDeploymentGroup = jest.fn(() => emptyPromise)
-        codeDeploy.createDeployment = jest.fn(() => codeDeployDeploymentId)
+        const codeDeploy = createSuccessfulCodeDeploy() as any
         // the first argument of the callback is error so pass in an "error"
         codeDeploy.waitFor = jest.fn((arr1, arr2, cb) => cb(new Error('22'), undefined))
         const s3 = new S3() as any
@@ -103,44 +113,76 @@ describe('CodeDeploy Deploy Application', () => {
         })
     })
 
-    test('Upload needed, packages properly, succeeds', async () => {
-        expect.assertions(6)
-        process.env.TEMP = __dirname
-        const taskParameters = { ...defaultTaskParameters }
-        taskParameters.deploymentRevisionSource = revisionSourceFromWorkspace
-        taskParameters.revisionBundle = path.join(__dirname, '../../resources/codeDeployCode')
-        taskParameters.applicationName = 'test'
-        const s3 = new S3() as any
-        s3.upload = jest.fn(args => {
-            expect(args.Bucket).toBe('')
-            expect(args.Key).toContain('test.v')
-            const dir = fs.readdirSync(__dirname)
-            for (const file of dir) {
-                if (path.extname(file) === '.zip') {
-                    const f = path.join(__dirname, file)
-                    const zip = new AdmZip(f)
-                    const entries = zip.getEntries().map(it => it.entryName)
-                    expect(entries.length).toBe(3)
-                    expect(entries).toContain('test.txt')
-                    expect(entries).toContain('subpath/')
-                    expect(entries).toContain('subpath/abc.txt')
-                    break
+    describe('S3 upload needed', () => {
+        let parameters: TaskParameters
+
+        beforeEach(() => {
+            process.env.TEMP = __dirname
+
+            parameters = { ...defaultTaskParameters }
+            parameters.deploymentRevisionSource = revisionSourceFromWorkspace
+            parameters.revisionBundle = path.join(__dirname, '../../resources/codeDeployCode')
+            parameters.applicationName = 'test'
+        })
+
+        test('Upload needed, packages properly, succeeds', async () => {
+            expect.assertions(7)
+
+            const s3 = new S3() as any
+            s3.upload = jest.fn(args => {
+                expect(args.Bucket).toBe('')
+                expect(args.Key).toContain('test.v')
+                expect(args.ACL).toBeUndefined()
+                const dir = fs.readdirSync(__dirname)
+                for (const file of dir) {
+                    if (path.extname(file) === '.zip') {
+                        const f = path.join(__dirname, file)
+                        const zip = new AdmZip(f)
+                        const entries = zip.getEntries().map(it => it.entryName)
+                        expect(entries.length).toBe(3)
+                        expect(entries).toContain('test.txt')
+                        expect(entries).toContain('subpath/')
+                        expect(entries).toContain('subpath/abc.txt')
+                        break
+                    }
                 }
-            }
 
-            return emptyPromise
+                return emptyPromise
+            })
+
+            const taskOperations = new TaskOperations(createSuccessfulCodeDeploy(), s3, parameters)
+            await taskOperations.execute()
         })
-        const codeDeploy = new CodeDeploy() as any
-        codeDeploy.getApplication = jest.fn(() => emptyPromise)
-        codeDeploy.getDeploymentGroup = jest.fn(() => emptyPromise)
-        codeDeploy.createDeployment = jest.fn(() => codeDeployDeploymentId)
-        codeDeploy.waitFor = jest.fn((thing, thing2, cb) => {
-            cb()
 
-            return { promise: () => undefined }
+        test('Uses ACL provided by task parameters', async () => {
+            expect.assertions(1)
+            parameters.filesAcl = 'bucket-owner-full-control'
+
+            const s3 = new S3() as any
+            s3.upload = jest.fn(args => {
+                expect(args.ACL).toBe('bucket-owner-full-control')
+
+                return emptyPromise
+            })
+
+            const taskOperations = new TaskOperations(createSuccessfulCodeDeploy(), s3, parameters)
+            await taskOperations.execute()
+        })
+
+        test('Does not set ACL when using "none"', async () => {
+            expect.assertions(1)
+            parameters.filesAcl = 'none'
+
+            const s3 = new S3() as any
+            s3.upload = jest.fn(args => {
+                expect(args.ACL).toBeUndefined()
+
+                return emptyPromise
+            })
+
+            const taskOperations = new TaskOperations(createSuccessfulCodeDeploy(), s3, parameters)
+            await taskOperations.execute()
         })
-        const taskOperations = new TaskOperations(codeDeploy, s3, taskParameters)
-        await taskOperations.execute()
     })
 
     test('Upload not needed, succeeds', async () => {
@@ -150,16 +192,7 @@ describe('CodeDeploy Deploy Application', () => {
         taskParameters.bundleKey = path.join(__dirname, '../../resources/codeDeployCode.zip')
         const s3 = new S3() as any
         s3.headObject = jest.fn(() => emptyPromise)
-        const codeDeploy = new CodeDeploy() as any
-        codeDeploy.getApplication = jest.fn(() => emptyPromise)
-        codeDeploy.getDeploymentGroup = jest.fn(() => emptyPromise)
-        codeDeploy.createDeployment = jest.fn(() => codeDeployDeploymentId)
-        codeDeploy.waitFor = jest.fn((thing, thing2, cb) => {
-            cb()
-
-            return { promise: () => undefined }
-        })
-        const taskOperations = new TaskOperations(codeDeploy, s3, taskParameters)
+        const taskOperations = new TaskOperations(createSuccessfulCodeDeploy(), s3, taskParameters)
         await taskOperations.execute()
     })
 })