@myhelix-cdk/buildscripts v0.36.1
codepipeline-buildscripts
This module helps deploy and manage CodePipelines and CodeBuild objects which emulate the legacy GoCD pipelines at Helix. The pipelines execute our legacy build-scripts.
Setup
Once per sub-account that will use the CodeBuild objects, add the GitHub credentials via the AWS CLI.
Get the PAT from 1Password under helix-codepipeline github.
aws --profile platform-development codebuild import-source-credentials --server-type GITHUB --auth-type PERSONAL_ACCESS_TOKEN --token "$PAT_FROM_1PASSWORD"
For further details, search for ImportSourceCredentials at https://docs.aws.amazon.com/cdk/api/latest/docs/aws-codebuild-readme.html
Permissions Management
The GitHub repository must have the CI-CD Write Access role assigned Admin access in order for CDK to deploy the necessary webhooks. You can roll access back to Write once the pipeline has been successfully deployed.
We could make a helix-cdk GitHub user specifically to be a GitHub owner and use that to deploy webhooks and even to manage permissions on our repos.
Manually modify the ECR permissions to add the second statement, push_from_platform_development.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "all_organization_accounts",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-oofrutwd0l"
        }
      }
    },
    {
      "Sid": "push_from_platform_development",
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com",
        "AWS": "arn:aws:iam::409670809604:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:ListTagsForResource",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
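Because this policy is edited by hand, it helps to review it after each change. The following is an added example, not part of this module: a small Python audit that flags Allow statements with an unscoped wildcard principal, push actions granted to a service principal without a source condition, and push actions delegated to an account root. The function names and finding texts are assumptions, and the sample policy is the one above trimmed to the fields the audit reads.

```python
import fnmatch

PUSH_ACTIONS = ("ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload")
SCOPING_KEYS = {"aws:principalorgid", "aws:sourcearn", "aws:sourceaccount"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", {})
    p = {"AWS": p} if isinstance(p, str) else p  # "Principal": "*" shorthand
    return [(kind, v) for kind, vals in p.items() for v in _as_list(vals)]

def _condition_keys(stmt):
    return {key.lower() for op in stmt.get("Condition", {}).values() for key in op}

def audit(policy):
    """Return (sid, finding) tuples for Allow statements worth a review."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        # An action pattern such as "ecr:*" also grants every push action.
        pushes = any(fnmatch.fnmatchcase(push.lower(), a.lower())
                     for a in actions for push in PUSH_ACTIONS)
        scoped = bool(SCOPING_KEYS & _condition_keys(stmt))
        for kind, value in _principals(stmt):
            if value == "*" and not scoped:
                findings.append((sid, "anonymous principal without a scoping condition"))
            elif kind == "Service" and pushes and not scoped:
                findings.append((sid, f"push granted to {value} without aws:SourceArn/aws:SourceAccount"))
            elif kind == "AWS" and value.endswith(":root") and pushes:
                findings.append((sid, f"push delegated to any IAM identity allowed by {value}"))
    return findings

# Constructed sample: the policy above, trimmed to the fields the audit reads.
README_POLICY = {"Statement": [
    {"Sid": "all_organization_accounts", "Effect": "Allow", "Principal": "*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-oofrutwd0l"}}},
    {"Sid": "push_from_platform_development", "Effect": "Allow",
     "Principal": {"Service": "codebuild.amazonaws.com", "AWS": "arn:aws:iam::409670809604:root"},
     "Action": ["ecr:BatchGetImage", "ecr:PutImage", "ecr:UploadLayerPart"]},
]}

for sid, finding in audit(README_POLICY):
    print(f"{sid}: {finding}")
```

To audit a live repository, pass the parsed `policyText` from `aws ecr get-repository-policy` to `audit()`.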