Merge pull request #3 from brettswift/codereview

Codereview
brettswift · Aug 23, 2018 · c88be71 · c88be71
2 parents 8030b01 + 09dd3da
commit c88be71
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 31 deletions.
diff --git a/cumulus/policies/codebuild.py b/cumulus/policies/codebuild.py
@@ -3,6 +3,7 @@
 import awacs.logs
 import awacs.iam
 import awacs.s3
+from awacs import ecr
 
 from troposphere import iam
 
@@ -35,6 +36,9 @@ def get_policy_code_build_general_access(policy_name):
                         awacs.aws.Action("lambda", "*"),
                         awacs.aws.Action("sqs", "*"),
                         awacs.aws.Action("events", "*"),
+                        awacs.ecr.GetDownloadUrlForLayer,
+                        awacs.ecr.BatchGetImage,
+                        awacs.ecr.BatchCheckLayerAvailability,
                         awacs.iam.PassRole,
                     ],
                     Resource=["*"]

diff --git a/cumulus/steps/development/approval_action.py b/cumulus/steps/development/approval_action.py
@@ -0,0 +1,77 @@
+import awacs
+import awacs.aws
+import awacs.ec2
+import awacs.iam
+import awacs.logs
+import awacs.s3
+import awacs.sts
+from troposphere import iam
+
+import cumulus.policies
+import cumulus.policies.codebuild
+import cumulus.types.codebuild.buildaction
+import cumulus.util.tropo
+from cumulus.chain import step
+from cumulus.steps.development import META_PIPELINE_BUCKET_POLICY_REF
+
+
+class ApprovalAction(step.Step):
+
+    def __init__(self,
+                 action_name,
+                 stage_name_to_add):
+        """
+        :type stage_name_to_add: basestring Stage name to add the action to.
+        :type action_name: basestring Displayed on the console
+        """
+        step.Step.__init__(self)
+        self.action_name = action_name
+        self.stage_name_to_add = stage_name_to_add
+
+    def handle(self, chain_context):
+
+        print("Adding approval action %s." % self.action_name)
+
+        policy_name = "CodeBuildPolicy%sStage" % chain_context.instance_name
+        role_name = "CodeBuildRole%sStage" % self.action_name
+
+        codebuild_role = iam.Role(
+            role_name,
+            Path="/",
+            AssumeRolePolicyDocument=awacs.aws.Policy(
+                Statement=[
+                    awacs.aws.Statement(
+                        Effect=awacs.aws.Allow,
+                        Action=[awacs.sts.AssumeRole],
+                        Principal=awacs.aws.Principal(
+                            'Service',
+                            "codebuild.amazonaws.com"
+                        )
+                    )]
+            ),
+            Policies=[  # TODO: policy 'could' be reduced to executing cfn approvals
+                cumulus.policies.codebuild.get_policy_code_build_general_access(policy_name)
+            ],
+            ManagedPolicyArns=[
+                chain_context.metadata[META_PIPELINE_BUCKET_POLICY_REF]
+            ]
+        )
+
+        approval_action = cumulus.types.codebuild.buildaction.ApprovalAction(
+            Name=self.action_name,
+            RunOrder="1"
+        )
+
+        chain_context.template.add_resource(codebuild_role)
+
+        template = chain_context.template
+        stage_to_add = self.stage_name_to_add
+
+        stage = cumulus.util.tropo.TemplateQuery.get_pipeline_stage_by_name(
+            template=template,
+            stage_name=stage_to_add,
+        )
+
+        next_run_order = len(stage.Actions) + 1
+        approval_action.RunOrder = next_run_order
+        stage.Actions.append(approval_action)
diff --git a/cumulus/steps/development/code_build_action.py b/cumulus/steps/development/code_build_action.py
@@ -106,11 +106,9 @@ def handle(self, chain_context):
         chain_context.template.add_resource(project)
 
         template = chain_context.template
-        stage_to_add = self.stage_name_to_add
-
         stage = cumulus.util.tropo.TemplateQuery.get_pipeline_stage_by_name(
             template=template,
-            stage_name=stage_to_add,
+            stage_name=self.stage_name_to_add,
         )
 
         # TODO accept a parallel action to the previous action, and don't +1 here.
@@ -148,6 +146,9 @@ def create_project(self, chain_context, codebuild_role, codebuild_environment, n
 
         project_name = "project%s" % name
 
+        print("Action %s is using buildspec: " % self.action_name)
+        print(self.buildspec)
+
         project = codebuild.Project(
             project_name,
             DependsOn=codebuild_role,
@@ -164,30 +165,3 @@ def create_project(self, chain_context, codebuild_role, codebuild_environment, n
         )
 
         return project
-
-
-#
-# source_stage = codepipeline.Stages(
-#     Name="SourceStage",
-#     Actions=[
-#         codepipeline.Actions(
-#             Name="SourceAction",
-#             ActionTypeId=codepipeline.ActionTypeId(
-#                 Category="Source",
-#                 Owner="AWS",
-#                 Version="1",
-#                 Provider='S3',
-#             ),
-#             OutputArtifacts=[
-#                 codepipeline.OutputArtifacts(
-#                     Name=SOURCE_STAGE_OUTPUT_NAME
-#                 )
-#             ],
-#             Configuration={
-#                 "S3Bucket": Ref(pipeline_bucket),
-#                 "S3ObjectKey": self.artifact_path
-#             },
-#             RunOrder="1"
-#         )
-#     ]
-# )
diff --git a/cumulus/steps/development/pipeline_source_action.py b/cumulus/steps/development/pipeline_source_action.py
@@ -40,7 +40,7 @@ def __init__(self,
         self.action_name = action_name
 
     def handle(self, chain_context):
-        print("Adding action %s." % self.action_name)
+        print("Adding source action %s." % self.action_name)
 
         policy_name = "CodeBuildPolicy%s" % chain_context.instance_name
         codebuild_policy = cumulus.policies.codebuild.get_policy_code_build_general_access(policy_name)

diff --git a/cumulus/types/codebuild/buildaction.py b/cumulus/types/codebuild/buildaction.py
@@ -31,3 +31,19 @@ def __init__(self, **kwargs):
                 Provider="CodeBuild"
             )
         self.RunOrder = "1"
+
+
+class ApprovalAction(troposphere.codepipeline.Actions):
+    """
+      This class doesn't do much except set the ActionType to reduce code clutter
+    """
+    def __init__(self, **kwargs):
+        super(ApprovalAction, self).__init__(**kwargs)
+
+        self.ActionTypeId = troposphere.codepipeline.ActionTypeId(
+            Category="Approval",
+            Owner="AWS",
+            Version="1",
+            Provider="Manual"
+        )
+        self.RunOrder = "1"