Paul Duvall edited this page Mar 6, 2020 · 7 revisions

2.3 Configure cfn_nag to run from CodePipeline

Review and ensure that you have set up your development environment before going through the steps below.

Review Files

  • buildspec.yml - Build specification that runs from an AWS CodeBuild action in AWS CodePipeline.
  • ccoa-2-cfn-nag-pipeline.yml - CloudFormation template that provisions AWS CodePipeline and associated resources to run the cfn_nag security static analysis tool as part of the deployment pipeline.
  • volume-encrypted.yml - CloudFormation template that provisions an encrypted EBS Volume.
  • volume.yml - CloudFormation template that provisions an unencrypted EBS Volume.

Create a new template

  1. From AWS Cloud9, type the following:
cd ~/environment/ccoa/
  2. Create a new file.
touch ccoa-2-cfn-nag-pipeline.yml
  3. Copy the source contents from the ccoa-2-cfn-nag-pipeline.yml file and save it to your local file in your Cloud9 environment called ccoa-2-cfn-nag-pipeline.yml. This CloudFormation template provisions a deployment pipeline that runs preventive checks via cfn_nag.

Launch the CloudFormation stack from the CLI

From your Cloud9 terminal, type the following (replacing you@example.com):

aws cloudformation create-stack --stack-name ccoa-2-cfn-nag-pipeline --template-body file:///home/ec2-user/environment/ccoa/ccoa-2-cfn-nag-pipeline.yml --parameters ParameterKey=EmailAddress,ParameterValue=you@example.com --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Check the status

From your Cloud9 terminal, type the following:

aws cloudformation describe-stacks --stack-name ccoa-2-cfn-nag-pipeline

View the CodeCommit repo

Launch Pipeline

  1. Go to the CloudFormation console to see the stack being launched.
  2. Once the CloudFormation stack is successful, select the checkbox next to the stack and click the Outputs tab.
  3. From Outputs, click on the PipelineUrl output to open the pipeline in AWS CodePipeline.

Fix the build

  1. Go to the CodeCommit repo.
  2. Open buildspec.yml and change from volume.yml to volume-encrypted.yml and commit the changes.
  3. Go back to the pipeline you created and watch the change.
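To make the preventive check concrete, here is an added example (not cfn_nag itself, and not code from this wiki or the ccoa project) that re-implements in a few lines the kind of rule cfn_nag applies to the two volume templates: an AWS::EC2::Volume whose Encrypted property is not true fails the scan, and a non-zero exit code is what fails the CodeBuild step. The two templates embedded below are constructed stand-ins for volume.yml and volume-encrypted.yml, written as JSON so the script needs no YAML library; the function and variable names are assumptions of this example.

```python
"""
Simplified re-implementation of a cfn_nag-style preventive check for the
templates in this lesson. Not cfn_nag, and not code from the ccoa project:
it only demonstrates why switching buildspec.yml from volume.yml to
volume-encrypted.yml turns the pipeline from red to green.
"""
import json
import sys

# Constructed stand-in for volume.yml: an unencrypted EBS volume.
VOLUME_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"},
        }
    },
})

# Constructed stand-in for volume-encrypted.yml: the same volume, encrypted.
VOLUME_ENCRYPTED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {
                "Size": 100,
                "AvailabilityZone": "us-east-1a",
                "Encrypted": True,
            },
        }
    },
})


def find_unencrypted_volumes(template_text):
    """Return logical IDs of AWS::EC2::Volume resources that are not encrypted.

    A volume counts as unencrypted unless Properties.Encrypted is true
    (boolean true or the string "true"); a missing property or false fails.
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        encrypted = resource.get("Properties", {}).get("Encrypted")
        if str(encrypted).lower() != "true":
            findings.append(logical_id)
    return findings


def scan(template_text):
    """Mimic a CI gate: return (exit_code, messages). Non-zero fails the build."""
    findings = find_unencrypted_volumes(template_text)
    messages = [
        f"FAIL {lid}: AWS::EC2::Volume should have Encrypted set to true"
        for lid in findings
    ]
    return (1 if findings else 0), messages


if __name__ == "__main__":
    # Mirrors the lesson: scanning the unencrypted template fails,
    # scanning the encrypted one passes.
    results = {}
    for name, text in [("volume.yml", VOLUME_TEMPLATE),
                       ("volume-encrypted.yml", VOLUME_ENCRYPTED_TEMPLATE)]:
        code, msgs = scan(text)
        results[name] = code
        print(f"{name}: {'pass' if code == 0 else 'fail'}")
        for m in msgs:
            print("  " + m)
    # Exit with the status of the template the original buildspec scanned,
    # so the script behaves like the failing build step before the fix.
    sys.exit(results["volume.yml"])
```

Run as a script it prints a fail line for volume.yml and a pass line for volume-encrypted.yml, then exits 1, which is the same signal CodeBuild uses to mark the pipeline stage as failed; once buildspec.yml points at the encrypted template the gate exits 0 and the pipeline proceeds.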

Additional Resources

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.
