From 13c8be9313112e9ebe1d12a75af7d027b1bdbb3a Mon Sep 17 00:00:00 2001 From: David Venable Date: Fri, 20 Mar 2026 19:16:19 -0500 Subject: [PATCH] Updates to the CDK stack to support the S3 sink integration tests. Exports the resources and grants permissions so that the integration tests on GitHub can pull in the exports. Also grants read permissions to the S3 bucket since the tests need to read to verify the results. Signed-off-by: David Venable --- .../lib/common/GitHubAccessStack.ts | 10 ++++++++++ testing/aws-testing-cdk/lib/common/KmsStack.ts | 11 ++++++++++- testing/aws-testing-cdk/lib/s3/S3SinkStack.ts | 15 ++++++++++++--- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/testing/aws-testing-cdk/lib/common/GitHubAccessStack.ts b/testing/aws-testing-cdk/lib/common/GitHubAccessStack.ts index ec2cfa5669..a563ce35ab 100644 --- a/testing/aws-testing-cdk/lib/common/GitHubAccessStack.ts +++ b/testing/aws-testing-cdk/lib/common/GitHubAccessStack.ts @@ -1,6 +1,10 @@ /* * Copyright OpenSearch Contributors * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. */ import {Stack, StackProps} from 'aws-cdk-lib'; @@ -10,6 +14,7 @@ import { CompositePrincipal, OpenIdConnectPrincipal, OpenIdConnectProvider, + PolicyStatement, Role } from 'aws-cdk-lib/aws-iam' @@ -57,5 +62,10 @@ export class GitHubAccessStack extends Stack { currentAccountPrincipal ) }); + + this.gitHubActionsTestingRole.addToPolicy(new PolicyStatement({ + actions: ['cloudformation:DescribeStacks'], + resources: [`arn:aws:cloudformation:*:${this.account}:stack/*`], + })); } } diff --git a/testing/aws-testing-cdk/lib/common/KmsStack.ts b/testing/aws-testing-cdk/lib/common/KmsStack.ts index fbc236f879..5ab0da13f6 100644 --- a/testing/aws-testing-cdk/lib/common/KmsStack.ts +++ b/testing/aws-testing-cdk/lib/common/KmsStack.ts @@ -1,9 +1,13 @@ /* * Copyright OpenSearch Contributors * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. */ -import {Stack, StackProps} from 'aws-cdk-lib'; +import {CfnOutput, Stack, StackProps} from 'aws-cdk-lib'; import {Construct} from 'constructs'; import {Role} from 'aws-cdk-lib/aws-iam'; import {Key} from 'aws-cdk-lib/aws-kms'; @@ -27,6 +31,11 @@ export class KmsStack extends Stack { }); this.kmsKey.grantEncryptDecrypt(props.testingRole) + + new CfnOutput(this, 'KmsKeyId', { + value: this.kmsKey.keyArn, + exportName: 'DataPrepperAwsTesting-KmsKeyId', + }); } } diff --git a/testing/aws-testing-cdk/lib/s3/S3SinkStack.ts b/testing/aws-testing-cdk/lib/s3/S3SinkStack.ts index 89fe05d836..146cf93c40 100644 --- a/testing/aws-testing-cdk/lib/s3/S3SinkStack.ts +++ b/testing/aws-testing-cdk/lib/s3/S3SinkStack.ts @@ -1,9 +1,13 @@ /* * Copyright OpenSearch Contributors * SPDX-License-Identifier: Apache-2.0 + * + * The OpenSearch Contributors require contributions made to + * this file be licensed under the Apache-2.0 license or a + * compatible open source license. */ -import {Duration, RemovalPolicy, Stack, StackProps} from 'aws-cdk-lib'; +import {CfnOutput, Duration, RemovalPolicy, Stack, StackProps} from 'aws-cdk-lib'; import {Construct} from 'constructs'; import {Role} from 'aws-cdk-lib/aws-iam'; import {Bucket} from 'aws-cdk-lib/aws-s3'; @@ -13,7 +17,7 @@ export interface S3SinkStackProps extends StackProps { } /** - * CDK stack that creates a common KMS key. + * CDK stack for resources needed by the S3 sink integration tests. */ export class S3SinkStack extends Stack { readonly bucket: Bucket; @@ -30,7 +34,12 @@ export class S3SinkStack extends Stack { ] }); - this.bucket.grantWrite(props.testingRole) + this.bucket.grantReadWrite(props.testingRole) + + new CfnOutput(this, 'BucketName', { + value: this.bucket.bucketName, + exportName: 'DataPrepperAwsTesting-S3SinkBucketName', + }); } }