Restricting CodeCommit PR merges to non-authors

Question

Hello.

Our organization needs to ensure that developers who open a PR into the `main` branch of a given CodeCommit Repository cannot merge that same PR. How can this be accomplished?

(We already use an approval rule template to ensure that only members of a certain IAM group can approve such PRs, but our SOC Auditor has requested the additional restriction.)

Thanks,
– benton

Answer

Hello,

The recommended approach to accomplish this is with the use of Approval Rule templates where until the conditions of the templates are not satisfied, the PR will not be merged.

There is a feature where you can also override approval rules for a pull request[1], however if the OverridePullRequestApprovalRules API call[2] is denied for an IAM user, the user cannot override the rules.

[1] Override approval rules on a pull request - https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-override-approval-rules.html

[2] OverridePullRequestApprovalRules - https://docs.aws.amazon.com/codecommit/latest/APIReference/API_OverridePullRequestApprovalRules.html

Therefore, suggesting you to limit your developers for the above API call, and use Approval Rule templates for controlling who can merge the pull requests.

Hoping that the above helps. Thank you.

Restricting CodeCommit PR merges to non-authors

相關內容