@myhelix-cdk/codepipeline-buildscripts v0.20.1

codepipeline-buildscripts

This module helps deploy and manage CodePipelines which emulate the legacy GoCD pipelines at Helix. The pipelines execute our legacy build-scripts.

Permissions Management

The github repository must have the CI-CD Write Access role assigned Admin access in order for CDK to deploy the necessary webhooks. You can roll access back to Write once the pipeline has been successfully deployed.

We could make a helix-cdk github user specifically to be a GitHub owner and use that to deploy webhooks and even to manage permissions on our repos.

Manually modify ECR permissions to add second statement, push_from_platform_development.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "all_organization_accounts",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-oofrutwd0l"
        }
      }
    },
    {
      "Sid": "push_from_platform_development",
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com",
        "AWS": "arn:aws:iam::409670809604:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:ListTagsForResource",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}