fix(codepipeline): replace account root principal with pipeline role in trust policy for cross-account actions (under feature flag)

[gracelu0]

Issue # (if applicable)

GHSA-5pq3-h73f-66hr

Reason for this change

See GHSA for details.

Description of changes

Added new feature flag @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope

When the feature flag @aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope is set to true:

• Scope down cross-account action role's trust policy to the pipeline role
• Set pipeline role's roleName to PhysicalName.GENERATE_IF_NEEDED

Describe any new or updated permissions being added

Cross-account action role trust policy is scoped with condition key ArnEquals when feature flag is enabled:

     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Condition": {
        "ArnEquals": {
         "aws:PrincipalArn": "<pipelineRoleARN>"
        }
       },
       "Effect": "Allow",
       "Principal": {
        "AWS": "arn:aws:iam::<pipelineStack.account>:root"
       }
      }
     ],

Description of how you validated changes

Added integration tests for S3, StepFunction, and Cloudformation codepipeline actions and manually verified that the cross-account action was successfully completed (reading S3 bucket, invoking state machine, and deploying a cloudformation stack in the cross-account).

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (74cbe27) to head (957319a).
Report is 9 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #34074   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112           

Flag	Coverage Δ
suite.unit	83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 957319a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.