2.3
Paul Duvall edited this page Oct 28, 2019
Review and ensure that you have set up your development environment before going through the steps below.
- buildspec.yml - Build specification that runs from an AWS CodeBuild action in AWS CodePipeline.
- cfn-nag-pipeline.yml - CloudFormation template that provisions AWS CodePipeline and associated resources to run the cfn_nag security static analysis tool as part of the deployment pipeline.
- volume-encrypted.yml - CloudFormation template that provisions an encrypted EBS Volume.
- volume.yml - CloudFormation template that provisions an unencrypted EBS Volume.
- From AWS Cloud9, type the following:

  ```bash
  cd ~/environment/ccoa/
  ```

- Create a new file:

  ```bash
  touch ccoa-2-cfn-nag-pipeline.yml
  ```

- Open the file, paste the template configuration below, and save.
```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Run cfn_nag as part of AWS CodeBuild in CodePipeline
Parameters:
  EmailAddress:
    Description: Email Address for sending SNS notifications for CodeCommit
    Type: String
  RepositoryBranch:
    Description: The name of the branch for the CodeCommit repo
    Type: String
    Default: master
    AllowedPattern: "[\\x20-\\x7E]*"
    ConstraintDescription: Can contain only ASCII characters.
  CodeCommitS3Bucket:
    Description: S3 bucket that holds zip of source code for CodeCommit Repo
    Type: String
    Default: paulduvall.io
  CodeCommitS3Key:
    Description: zipfile key located in CodeCommitS3Bucket
    Type: String
    Default: ccoa-workshop/ccoa-lesson2-examples.zip
Resources:
  MySNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint:
            Ref: EmailAddress
          Protocol: email
  CodeCommitRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName:
        Ref: AWS::StackName
      RepositoryDescription: CodeCommit Repository for cfn_nag solution
      Code:
        S3:
          Bucket: !Ref CodeCommitS3Bucket
          Key: !Ref CodeCommitS3Key
      Triggers:
        - Name: MasterTrigger
          CustomData:
            Ref: AWS::StackName
          DestinationArn:
            Ref: MySNSTopic
          Events:
            - all
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: codebuild-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: "*"
                Resource: "*"
            Version: '2012-10-17'
  CodePipelineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: codepipeline-service
          PolicyDocument:
            Statement:
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Resource: "*"
                Effect: Allow
              - Action:
                  - s3:PutObject
                Resource:
                  - arn:aws:s3:::codepipeline*
                Effect: Allow
              - Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                  - s3:PutObject
                  - iam:PassRole
                Resource: "*"
                Effect: Allow
              - Action:
                  - codecommit:*
                  - codebuild:*
                Resource: "*"
                Effect: Allow
            Version: '2012-10-17'
  CodeBuildWebsite:
    Type: AWS::CodeBuild::Project
    DependsOn: CodeBuildRole
    Properties:
      Name:
        Ref: AWS::StackName
      Description: Build application
      ServiceRole:
        Fn::GetAtt:
          - CodeBuildRole
          - Arn
      Artifacts:
        Type: no_artifacts
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/eb-ruby-2.3-amazonlinux-64:2.1.6
      Source:
        Location:
          Fn::Join:
            - ''
            - - https://git-codecommit.
              - Ref: AWS::Region
              - ".amazonaws.com/v1/repos/"
              - Ref: AWS::StackName
        Type: CODECOMMIT
      TimeoutInMinutes: 10
      Tags:
        - Key: Owner
          Value: MyCodeBuildProject
  PipelineBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Delete
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    DependsOn: CodeBuildWebsite
    Properties:
      # The role ARN resolves via GetAtt; the Path of CodePipelineRole is "/",
      # so this equals arn:aws:iam::<account>:role/<CodePipelineRole>.
      RoleArn: !GetAtt CodePipelineRole.Arn
      Stages:
        - Name: Source
          Actions:
            - InputArtifacts: []
              Name: Source
              ActionTypeId:
                Category: Source
                Owner: AWS
                Version: '1'
                Provider: CodeCommit
              OutputArtifacts:
                - Name: MyApp
              Configuration:
                BranchName:
                  Ref: RepositoryBranch
                RepositoryName:
                  Ref: AWS::StackName
              RunOrder: 1
        - Name: Build
          Actions:
            - InputArtifacts:
                - Name: MyApp
              Name: cfn_nag
              ActionTypeId:
                Category: Test
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              OutputArtifacts: []
              Configuration:
                ProjectName:
                  Ref: CodeBuildWebsite
              RunOrder: 1
            - InputArtifacts:
                - Name: MyApp
              Name: Build
              ActionTypeId:
                Category: Build
                Owner: AWS
                Version: '1'
                Provider: CodeBuild
              OutputArtifacts:
                - Name: MyAppBuild
              Configuration:
                ProjectName:
                  Ref: CodeBuildWebsite
              RunOrder: 1
        - Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Version: '1'
                Provider: Manual
              RunOrder: 2
      ArtifactStore:
        Type: S3
        Location: !Ref PipelineBucket
Outputs:
  PipelineUrl:
    Value: !Sub https://console.aws.amazon.com/codepipeline/home?region=${AWS::Region}#/view/${Pipeline}
    Description: CodePipeline URL
```
From your Cloud9 terminal, type the following (replacing you@example.com):

```bash
aws cloudformation create-stack --stack-name ccoa-2-cfn-nag-pipeline --template-body file:///home/ec2-user/environment/ccoa/ccoa-2-cfn-nag-pipeline.yml --parameters ParameterKey=EmailAddress,ParameterValue=you@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback
```

From your Cloud9 terminal, type the following:

```bash
aws cloudformation describe-stacks --stack-name ccoa-2-cfn-nag-pipeline
```
View the CodeCommit repo
- Go to the CloudFormation console to see the stack being launched.
- Once the CloudFormation stack is successful, select the checkbox next to the stack and click the Outputs tab.
- From Outputs, click on the PipelineUrl output to open the pipeline in AWS CodePipeline
- Go to the CodeCommit repo.
- Open `buildspec.yml`, change `volume.yml` to `volume-encrypted.yml`, and commit the changes.
- Go back to the pipeline you created and watch the change.
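The pipeline's `cfn_nag` Test action fails the build while `buildspec.yml` points at `volume.yml` and passes once it points at `volume-encrypted.yml`. The script below is an added example, not cfn_nag's code or any file from the workshop repository: it implements two of the checks that static analysis of this kind performs (an `AWS::EC2::Volume` without `Encrypted: true`, and an inline IAM policy statement allowing `Action: "*"` on `Resource: "*"`, which the `CodeBuildRole` in the template above contains). The two templates are constructed stand-ins for `volume.yml` and `volume-encrypted.yml`; their exact contents in the lesson's zip are an assumption, as is the role excerpt.

```python
"""Minimal CloudFormation static checks in the spirit of cfn_nag.

Added example, not the cfn_nag tool or the workshop's buildspec. The
templates below are constructed stand-ins (assumed content) for the
lesson's volume.yml, volume-encrypted.yml and the CodeBuildRole resource.
"""
import json

# Constructed equivalent of volume.yml: an EBS volume with no Encrypted property.
VOLUME_UNENCRYPTED = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"},
        }
    },
}

# Constructed equivalent of volume-encrypted.yml: the same volume with Encrypted: true.
VOLUME_ENCRYPTED = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True},
        }
    },
}

# Constructed excerpt mirroring the CodeBuildRole's inline policy from the pipeline template.
ROLE_EXCERPT = {
    "Resources": {
        "CodeBuildRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [
                    {
                        "PolicyName": "codebuild-service",
                        "PolicyDocument": {
                            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
                        },
                    }
                ]
            },
        }
    }
}


def _as_list(value):
    """Normalise an IAM field that may be a scalar or a list (Action, Resource, Statement)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_ebs_encryption(name, resource):
    """FAIL an EBS volume whose Encrypted property is missing or not true."""
    if resource.get("Type") != "AWS::EC2::Volume":
        return []
    if resource.get("Properties", {}).get("Encrypted") is True:
        return []
    return [("FAIL", name, "EBS volume should have Encrypted set to true")]


def check_iam_wildcards(name, resource):
    """WARN on inline role policy statements that allow Action '*' on Resource '*'."""
    if resource.get("Type") != "AWS::IAM::Role":
        return []
    findings = []
    for policy in resource.get("Properties", {}).get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
                findings.append(("WARN", name, "IAM policy allows Action '*' on Resource '*'"))
    return findings


def scan_template(template):
    """Run every rule over every resource; return (severity, logical id, message) tuples."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        findings += check_ebs_encryption(name, resource)
        findings += check_iam_wildcards(name, resource)
    return findings


def exit_code(findings):
    """Mirror the pipeline's Test action: any FAIL finding breaks the build, WARNs do not."""
    return 1 if any(sev == "FAIL" for sev, _, _ in findings) else 0


if __name__ == "__main__":
    for label, tpl in (("volume.yml", VOLUME_UNENCRYPTED),
                       ("volume-encrypted.yml", VOLUME_ENCRYPTED),
                       ("CodeBuildRole excerpt", ROLE_EXCERPT)):
        found = scan_template(tpl)
        print(f"{label}: exit {exit_code(found)} {json.dumps(found)}")
```

Run against the unencrypted stand-in the scan returns a FAIL and exit code 1, which is what stops the pipeline at the `cfn_nag` action; the encrypted stand-in returns no findings and exit code 0. The role excerpt only produces a WARN, so it does not break the build, but it is the kind of finding worth tightening before the pipeline is reused beyond the workshop.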
Go to Cleanup to remove any resources you created in this sublesson.