feat(codepipeline): support environment variables for actions

[go-to-k]

Issue # (if applicable)

N/A

Reason for this change

CodePipeline supports the Environment Variables in actions, but L2 Pipeline with actions doesn't support it.

• https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-codepipeline-pipeline-environmentvariable.html
• https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html
  • The SECRETS_MANAGER type is only supported for the Commands action.

Description of changes

Added EnvironmentVariable with PlaintextEnvironmentVariable and SecretsManagerEnvironmentVariable.

Describe any new or updated permissions being added

Description of how you validated changes

Both unit tests and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[go-to-k]

Avoided the name environmentVariables because CodeBuildActionProps that extends codepipeline.CommonAwsActionProps and this CommonActionProps has already used a property with the same name and an error occurs if the name is used in this props.

https://github.com/aws/aws-cdk/blob/v2.200.1/packages/aws-cdk-lib/aws-codepipeline-actions/lib/codebuild/build-action.ts#L81

[go-to-k]

https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-Commands.html#action-reference-Commands-envvars

To use the SecretsManager, you must add the following permissions to your pipeline service role:

{
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "SECRET_ARN"
            ]
        }

[go-to-k]

Originally, this abstract method was not made, but the concrete bind method was only created for SecretsManagerEnvironmentVariable. However, considering that support for PARAMETER_STORE may be added in the future, such as the one for CodeBuild, it is better to create the abstract method, so I did it this way. Otherwise, it would be necessary to implement the bind calling as follows. If more types are added in the future, the code will become even more complicated.

    envVars?.forEach(envVar => {
      if (envVar instanceof SecretsManagerEnvironmentVariable || envVar instanceof ParameterStoreEnvironmentVariable) {
        envVar._bind(scope, this.actionProperties, options);
      }
    });

Now we can write like:

    envVars?.forEach(envVar => {
      envVar._bind(scope, this.actionProperties, options);
    });

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	50 ran	49 passed		1 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-environment-variables.js.snapshot/aws-cdk-codepipeline-environment-variables.template.json
s3-encryption-enabled.guard	❌ failure

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	50 ran	49 passed		1 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-environment-variables.js.snapshot/aws-cdk-codepipeline-environment-variables.template.json
s3-encryption-enabled.guard	❌ failure

• View Security Guardian Results with resolved templates