From fa441cd7b7a5a2b2578a866001cd7b93c5753dc8 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Tue, 2 Jul 2019 12:02:36 -0400 Subject: [PATCH 01/17] Added Container and Docker Image CodeBuild --- .../manifest-pipeline-pipeline.yml | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 834d16d8..2aec6b02 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -108,7 +108,16 @@ Outputs: Export: Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ApprovalTopic']] + ImageProcessorContainerRepository: + Description: The repository that contains the docker image for image processing + Value: !Ref ImageProcessorContainerRepository + Export: + Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ImageProcessorContainerRepository']] + Resources: + ImageProcessorContainerRepository: + Type: AWS::ECR::Repository + CodeBuildTrustRole: Type: 'AWS::IAM::Role' Properties: @@ -139,6 +148,27 @@ Resources: Action: - 's3:GetObject' - 's3:PutObject' + # The codebuild pipeline is going to create ECR records. Need to allow certain permissions for the authorization + - Effect: Allow + Action: + - 'ecr:GetAuthorizationToken' + - 'ecr:InitiateLayerUpload' + - 'ecr:UploadLayerPart' + - 'ecr:BatchCheckLayerAvailability' + - 'ecr:GetDownloadUrlForLayer' + - 'ecr:GetRepositoryPolicy' + - 'ecr:DescribeRepositories' + - 'ecr:ListImages' + - 'ecr:DescribeImages' + - 'ecr:BatchGetImage' + - 'ecr:CompleteLayerUpload' + - 'ecr:PutImage' + Resource: + - !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ImageProcessorContainerRepository}' + - Effect: Allow + Action: + - 'ecr:GetAuthorizationToken' + Resource: '*' Roles: - !Ref CodeBuildTrustRole CloudFormationTrustRole: 
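Review bot: `ImageProcessorContainerRepository` is declared with no `Properties`, so the new repository has neither image scanning nor a lifecycle policy. The build project added later in this patch pushes a new `$COMMIT_HASH` tag on every run, so old images accumulate and none of them is checked for known-vulnerable packages. Consider adding `ImageScanningConfiguration:` with `ScanOnPush: true`, and a `LifecyclePolicy` that expires old commit-tagged images. The `Resources:` section continues outside the hunk.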
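Review bot: The repository-scoped ECR statement added to the CodeBuild policy grants more than the push and pull paths need. `ecr:GetRepositoryPolicy`, `ecr:DescribeRepositories`, `ecr:ListImages` and `ecr:DescribeImages` are not required by `docker push` or `docker pull`, and no buildspec in this series calls them directly. Dropping them leaves the layer-upload actions, `ecr:PutImage`, `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage`, which is what the build and re-tag steps appear to use. The policy's statement list starts outside the hunk.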
@@ -294,6 +324,12 @@ Resources: - 'route53:GetChange' Resource: '*' Effect: Allow + # The manifest pipeline is going to register a task definition for ECS. Need to allow certain permissions for ECS + - Action: + - 'ecs:RegisterTaskDefinition' + - 'iam:PassRole' + Resource: '*' + Effect: Allow Roles: - !Ref CloudFormationTrustRole CodePipelineTrustRole: 
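Review bot: `iam:PassRole` with `Resource: '*'` in the added statement lets the CloudFormation role pass any role in the account. Combined with `ecs:RegisterTaskDefinition`, a template change could run a task under a role more privileged than the pipeline itself. Scope `Resource` to the ARNs of the task and execution roles that the task definition actually references. I would also split `iam:PassRole` into its own statement so its resource can be narrowed independently of the ECS action. The policy's statement list starts outside the hunk.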
@@ -436,6 +472,60 @@ Resources: - test-stack-configuration.json - prod-stack-configuration.json + DockerImageProcessorBuilder: + Type: 'AWS::CodeBuild::Project' + Properties: + Name: !Sub '${AWS::StackName}-docker-image-processor' + Description: 'Build Docker Image from GitHub for Image Processor' + ServiceRole: !GetAtt + - CodeBuildTrustRole + - Arn + TimeoutInMinutes: 10 + Source: + Type: CODEPIPELINE + GitCloneDepth: 1 + BuildSpec: | + version: 0.2 + phases: + pre_build: + commands: + - echo Logging in to Amazon ECR... + - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) + - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME + - COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7) + - echo $COMMIT_HASH + - IMAGE_TAG=${COMMIT_HASH:=latest} + build: + commands: + - echo Build started on `date` + - echo Building the Docker image... + - docker build -t $REPOSITORY_URI:latest -t $REPOSITORY_URI:$COMMIT_HASH ./pyramid-generator + - docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$COMMIT_HASH + - docker tag $REPOSITORY_URI:$COMMIT_HASH $REPOSITORY_URI:$COMMIT_HASH + post_build: + commands: + - echo Build completed on `date` + - echo Pushing the Docker images... 
+ - docker push $REPOSITORY_URI:latest + - docker push $REPOSITORY_URI:$COMMIT_HASH + - printf '[{"name":"%s","imageUri":"%s"}]' $TEST_CONTAINER_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitionstest.json + - printf '[{"name":"%s","imageUri":"%s"}]' $PROD_CONTAINER_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitionsprod.json + - printf $CODEBUILD_RESOLVED_SOURCE_VERSION > sha.txt + - printf $REPOSITORY_URI:$IMAGE_TAG > deployed_tag.txt + Artifacts: + Type: CODEPIPELINE + Environment: + Type: LINUX_CONTAINER + ComputeType: BUILD_GENERAL1_SMALL + Image: aws/codebuild/docker:17.09.0 + EnvironmentVariables: + - Name: AWS_DEFAULT_REGION + Value: !Ref AWS::Region + - Name: AWS_ACCOUNT_ID + Value: !Ref AWS::AccountId + - Name: IMAGE_REPO_NAME + Value: !Ref ImageProcessorContainerRepository + S3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain @@ -516,6 +606,20 @@ Resources: ProjectName: !Ref CodeBuildProject PrimarySource: AppCode RunOrder: 1 + - Name: BuildDockerImage + InputArtifacts: + - Name: AppCode + ActionTypeId: + Category: Build + Owner: AWS + Version: "1" + Provider: CodeBuild + OutputArtifacts: + - Name: BuiltCodeDockerImage + Configuration: + ProjectName: !Ref DockerImageProcessorBuilder + PrimarySource: AppCode + RunOrder: 2 - Name: Test Actions: From 9cd9040840368efec11cb9a16b508347df67ed1e Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 10:22:22 -0400 Subject: [PATCH 02/17] Parameter overrides --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 2 ++ deploy/cloudformation/manifest-pipeline.yml | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 2aec6b02..7ce4c1e7 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml 
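Review bot: The pre_build login `$(aws ecr get-login --no-include-email ...)` executes whatever the CLI prints as a shell command and passes the registry password as a `docker login` argument, where it is visible in the process list. Piping it on stdin avoids both: `aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com` (this needs a CLI version that has `get-login-password`). The same login line is in the `PostDeployDocker` buildspec added in patch 12. In post_build, `$TEST_CONTAINER_NAME` and `$PROD_CONTAINER_NAME` are not among the project's `EnvironmentVariables`, so unless they are set elsewhere the `imagedefinitions*.json` files get an empty `name`. `printf $CODEBUILD_RESOLVED_SOURCE_VERSION` also uses the value as a format string; `printf '%s' "$CODEBUILD_RESOLVED_SOURCE_VERSION"` is safer.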
@@ -639,6 +639,7 @@ Resources: ChangeSetName: TestChangeSetName TemplateConfiguration: BuiltCode::test-stack-configuration.json TemplatePath: BuiltCode::output.yml + ParameterOverrides: !Sub '{"ContainerImageUrl": "${ImageProcessorContainerRepository}:latest"}' RunOrder: 1 - Name: Deploy ActionTypeId: @@ -682,6 +683,7 @@ Resources: ChangeSetName: ProdChangeSetName TemplateConfiguration: BuiltCode::prod-stack-configuration.json TemplatePath: BuiltCode::output.yml + ParameterOverrides: !Sub '{"ContainerImageUrl": "${ImageProcessorContainerRepository}:latest"}' RunOrder: 1 - Name: Deploy ActionTypeId: diff --git a/deploy/cloudformation/manifest-pipeline.yml b/deploy/cloudformation/manifest-pipeline.yml index f21a284e..cf7595ef 100644 --- a/deploy/cloudformation/manifest-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline.yml @@ -65,7 +65,10 @@ Parameters: Type: Number Default: 2048 Description: How much memory in megabytes to give the container - + ContainerImageUrl: + Type: String + Default: hesburgh/marble-image-processing + Description: The url of a docker image that will handle image processing Conditions: CreateDNS: !Equals [ !Ref CreateDNSRecord, 'True' ] @@ -526,7 +529,7 @@ Resources: Cpu: !Ref 'ContainerCpu' Memory: !Ref 'ContainerMemory' EntryPoint: ['pyramid.py'] - Image: hesburgh/marble-image-processing + Image: !Ref ContainerImageUrl LogConfiguration: LogDriver: awslogs Options: From 8b775d1e252529eec464e03fc96c7a36bcdd3d63 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 10:41:53 -0400 Subject: [PATCH 03/17] Removed extra permissions --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 7ce4c1e7..30384b3b 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml 
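Review bot: The `ParameterOverrides` added to the test change-set action (and the identical line in the prod action at `@@ -682,6 +683,7`) passes `${ImageProcessorContainerRepository}:latest`, but referencing an `AWS::ECR::Repository` yields the repository name, not its registry URI. The build project in patch 01 prepends `$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/` to the same value for that reason. A bare `name:latest` in the task definition's `Image` would be resolved against the default public registry rather than this ECR repository, so the task could run an image the pipeline never built. Use `!Sub '{"ContainerImageUrl": "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${ImageProcessorContainerRepository}:latest"}'`. Separately, `:latest` is a moving tag, so test and prod run whatever was pushed last; the commit-tagged URI the build already writes to `deployed_tag.txt` would pin the deployment to the built commit.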
@@ -108,12 +108,6 @@ Outputs: Export: Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ApprovalTopic']] - ImageProcessorContainerRepository: - Description: The repository that contains the docker image for image processing - Value: !Ref ImageProcessorContainerRepository - Export: - Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ImageProcessorContainerRepository']] - Resources: ImageProcessorContainerRepository: Type: AWS::ECR::Repository @@ -324,12 +318,6 @@ Resources: - 'route53:GetChange' Resource: '*' Effect: Allow - # The manifest pipeline is going to register a task definition for ECS. Need to allow certain permissions for ECS - - Action: - - 'ecs:RegisterTaskDefinition' - - 'iam:PassRole' - Resource: '*' - Effect: Allow Roles: - !Ref CloudFormationTrustRole CodePipelineTrustRole: From 5b6fb6447a6b9c899ab1d5b538ddee61210e8b20 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 10:57:23 -0400 Subject: [PATCH 04/17] Removed redundant ecr:GetAuthorization permission --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 30384b3b..05215ba4 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -145,7 +145,6 @@ Resources: # The codebuild pipeline is going to create ECR records. Need to allow certain permissions for the authorization - Effect: Allow Action: - - 'ecr:GetAuthorizationToken' - 'ecr:InitiateLayerUpload' - 'ecr:UploadLayerPart' - 'ecr:BatchCheckLayerAvailability' From 54c7823da987698f83035b88024cf1c12a73b3d1 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 14:32:57 -0400 Subject: [PATCH 05/17] Added more permissions for ImageTaskDefinition --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 05215ba4..dc20dcb6 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -317,6 +317,12 @@ Resources: - 'route53:GetChange' Resource: '*' Effect: Allow + # The manifest pipeline is going to register a task definition for ECS. Need to allow certain permissions for ECS + - Action: + - 'ecs:RegisterTaskDefinition' +# - 'iam:PassRole' + Resource: '*' + Effect: Allow Roles: - !Ref CloudFormationTrustRole CodePipelineTrustRole: From 617817134ba341cb536da96949fe87a502b851b7 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 14:56:46 -0400 Subject: [PATCH 06/17] Change permission for ImageTaskDefinition --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index dc20dcb6..a88c67d7 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -317,12 +317,17 @@ Resources: - 'route53:GetChange' Resource: '*' Effect: Allow - # The manifest pipeline is going to register a task definition for ECS. Need to allow certain permissions for ECS + # The manifest pipeline is going to need to RegisterTaskDefinition for ImageTaskDefinition - Action: - 'ecs:RegisterTaskDefinition' -# - 'iam:PassRole' Resource: '*' Effect: Allow + # The manifest pipeline is going to need PassRole for ImageTaskDefinition + - Action: + - 'iam:PassRole' + Resource: + - !Sub 'arn:aws:iam:${AWS::Region}:${AWS::AccountId}:role:${InfrastructureStackName}-*' + Effect: Allow Roles: - !Ref CloudFormationTrustRole CodePipelineTrustRole: From 12503ff5017b43058a535360f08bbfe0ba6b027d Mon Sep 17 00:00:00 2001 
From: Bill Sill Date: Wed, 3 Jul 2019 15:02:32 -0400 Subject: [PATCH 07/17] Change permission for ImageTaskDefinition --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index a88c67d7..8123100b 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -326,7 +326,7 @@ Resources: - Action: - 'iam:PassRole' Resource: - - !Sub 'arn:aws:iam:${AWS::Region}:${AWS::AccountId}:role:${InfrastructureStackName}-*' + - !Sub 'arn:aws:iam::${AWS::AccountId}:role:${InfrastructureStackName}-*' Effect: Allow Roles: - !Ref CloudFormationTrustRole From 4865fdb2c91869eb36c9a668af4ed29254755c70 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 15:06:05 -0400 Subject: [PATCH 08/17] Change permission for ImageTaskDefinition --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 8123100b..4179b3b2 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -326,7 +326,7 @@ Resources: - Action: - 'iam:PassRole' Resource: - - !Sub 'arn:aws:iam::${AWS::AccountId}:role:${InfrastructureStackName}-*' + - !Sub ' arn:aws:iam::${AWS::AccountId}:role/${InfrastructureStackName}-*' Effect: Allow Roles: - !Ref CloudFormationTrustRole From 6ce770777b322d268dfd2d50f6c8435d913d2b5a Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 3 Jul 2019 18:55:08 -0400 Subject: [PATCH 09/17] Added ecs:DeregisterTaskDefinition permission --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 4179b3b2..a2e09de4 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -320,13 +320,14 @@ Resources: # The manifest pipeline is going to need to RegisterTaskDefinition for ImageTaskDefinition - Action: - 'ecs:RegisterTaskDefinition' + - 'ecs:DeregisterTaskDefinition' Resource: '*' Effect: Allow # The manifest pipeline is going to need PassRole for ImageTaskDefinition - Action: - 'iam:PassRole' Resource: - - !Sub ' arn:aws:iam::${AWS::AccountId}:role/${InfrastructureStackName}-*' + - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${InfrastructureStackName}-*' Effect: Allow Roles: - !Ref CloudFormationTrustRole From d97bcca19efa5137d5615f1695971bb0c2c16aff Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Mon, 8 Jul 2019 09:39:28 -0400 Subject: [PATCH 10/17] Wording change --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index a2e09de4..55ffc999 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -317,7 +317,7 @@ Resources: - 'route53:GetChange' Resource: '*' Effect: Allow - # The manifest pipeline is going to need to RegisterTaskDefinition for ImageTaskDefinition + # The manifest pipeline is going to need to make changes to the TaskDefinition for ImageTaskDefinition - Action: - 'ecs:RegisterTaskDefinition' - 'ecs:DeregisterTaskDefinition' From 2430666c90b8a47611cb39952d2484b95ea90982 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Mon, 15 Jul 2019 16:30:02 -0400 Subject: [PATCH 11/17] Removed ContainerImageUrl default --- deploy/cloudformation/manifest-pipeline.yml | 1 - 1 file changed, 1 deletion(-) 
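Review bot: The `iam:PassRole` statement, as it stands after the first hunk here, covers every role whose name starts with `${InfrastructureStackName}-` and does not restrict which service the role can be passed to. Adding `Condition: {StringEquals: {'iam:PassedToService': 'ecs-tasks.amazonaws.com'}}` would keep the grant to its stated purpose, the ImageTaskDefinition. If the task and execution role names are stable, listing their ARNs instead of the `-*` suffix would narrow it further. The policy's statement list starts outside the hunk.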
diff --git a/deploy/cloudformation/manifest-pipeline.yml b/deploy/cloudformation/manifest-pipeline.yml index cf7595ef..2604c3ee 100644 --- a/deploy/cloudformation/manifest-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline.yml @@ -67,7 +67,6 @@ Parameters: Description: How much memory in megabytes to give the container ContainerImageUrl: Type: String - Default: hesburgh/marble-image-processing Description: The url of a docker image that will handle image processing Conditions: From ef1cf9c9cb7f0c5a5c350ac9ba5513bef16089b1 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 17 Jul 2019 09:37:55 -0400 Subject: [PATCH 12/17] Added tagging for ECR deployed to production --- .../manifest-pipeline-pipeline.yml | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 55ffc999..68e66434 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml 
@@ -525,6 +525,50 @@ Resources: - Name: IMAGE_REPO_NAME Value: !Ref ImageProcessorContainerRepository + PostDeployDocker: + Type: AWS::CodeBuild::Project + Properties: + Name: !Sub '${AWS::StackName}-docker-add-tag' + Description: 'CodeBuild to update the current_release tag in ECR' + ServiceRole: !GetAtt + - CodeBuildTrustRole + - Arn + TimeoutInMinutes: 10 + Source: + Type: CODEPIPELINE + GitCloneDepth: 1 + BuildSpec: | + version: 0.2 + phases: + pre_build: + commands: + - echo Pre-build started on `date` + - echo Logging in to Amazon ECR... + - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) + - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME + build: + commands: + - DEPLOYED_VERSION=$(cat deployed_tag.txt) + - docker pull $DEPLOYED_VERSION + - docker tag $DEPLOYED_VERSION $REPOSITORY_URI:current_release + post_build: + commands: + - echo Beginning post build on `date` + - docker push $REPOSITORY_URI:current_release + Artifacts: + Type: CODEPIPELINE + Environment: + Type: LINUX_CONTAINER + ComputeType: BUILD_GENERAL1_SMALL + Image: aws/codebuild/docker:17.09.0 + EnvironmentVariables: + - Name: IMAGE_REPO_NAME + Value: !Ref ImageProcessorContainerRepository + - Name: AWS_DEFAULT_REGION + Value: !Ref AWS::Region + - Name: AWS_ACCOUNT_ID + Value: !Ref AWS::AccountId + S3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain @@ -697,6 +741,20 @@ Resources: StackName: !Ref ProdStackName RunOrder: 2 + - Name: PostProduction + Actions: + - Name: "AddDockerTag" + InputArtifacts: + - Name: BuiltCode + ActionTypeId: + Owner: AWS + Category: Build + Provider: CodeBuild + Version: "1" + Configuration: + ProjectName: !Ref PostDeployDocker + RunOrder: 1 + ArtifactStore: Type: S3 Location: !Ref S3Bucket From d95e17867c719c7e74b5df0b3219d6fb24c9bb29 Mon Sep 17 00:00:00 2001 
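Review bot: In the `PostDeployDocker` build phase, `docker pull $DEPLOYED_VERSION` pulls whatever reference `deployed_tag.txt` contains, and the following commands publish it as `current_release` with no check that it points at this repository. A guard before the pull keeps an empty or unexpected artifact from being promoted: `case "$DEPLOYED_VERSION" in "$REPOSITORY_URI":*) ;; *) echo "unexpected image reference"; exit 1 ;; esac`. Quoting `"$DEPLOYED_VERSION"` in the pull and tag commands also avoids word splitting if the file has stray whitespace.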
From: Bill Sill Date: Wed, 17 Jul 2019 11:03:45 -0400 Subject: [PATCH 13/17] Added post back to github --- .../manifest-pipeline-pipeline.yml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 68e66434..9c67a0c1 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -569,6 +569,47 @@ Resources: - Name: AWS_ACCOUNT_ID Value: !Ref AWS::AccountId + PostDeployGitHub: + Type: AWS::CodeBuild::Project + Properties: + Name: !Sub '${AWS::StackName}-add-github-status' + Description: 'CodeBuild to tag the latest commit in repo post-deploy' + ServiceRole: !GetAtt + - CodeBuildTrustRole + - Arn + TimeoutInMinutes: 10 + Source: + Type: CODEPIPELINE + GitCloneDepth: 1 + BuildSpec: | + version: 0.2 + phases: + pre_build: + commands: + - echo Pre-build started on `date` + build: + commands: + - SOURCE_SHA=$(cat sha.txt) + - DATE=$(date) + post_build: + commands: + - curl -i -X POST -H "Authorization:token ${OAUTH_TOKEN}" "${API_URL}/${SOURCE_SHA}" -d "{\"state\":\"success\",\"description\":\"Deployed to production on ${DATE}\",\"context\":\"${CODEBUILD_INITIATOR}\",\"target_url\":\"https://${TARGET_HOST}\"}" + Artifacts: + Type: CODEPIPELINE + Environment: + Type: LINUX_CONTAINER + ComputeType: BUILD_GENERAL1_SMALL + Image: aws/codebuild/ubuntu-base:14.04 + EnvironmentVariables: + - Name: OAUTH_TOKEN + Type: PARAMETER_STORE + Value: /esu/github/ndlib-git/oauth + - Name: API_URL + Value: !Sub "https://api.github.com/repos/${GitHubUser}/${ManifestPipelineRepoName}/statuses" + - Name: TARGET_HOST + Type: PARAMETER_STORE + Value: !Sub "/all/stacks/${ImageServiceProdStackName}/hostname" + S3Bucket: Type: AWS::S3::Bucket DeletionPolicy: Retain 
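Review bot: The `curl` call in post_build cannot fail the build: without `--fail`, curl exits 0 when the GitHub API answers with an HTTP error, so a revoked token or a bad SHA goes unnoticed. `-i` also writes the response headers into the CodeBuild log. Suggest `curl --fail --silent --show-error -X POST ...` with the same header and body. The JSON body is assembled by interpolating `${DATE}` and `${CODEBUILD_INITIATOR}` into a quoted string, which yields invalid JSON if either value ever contains a double quote. Reading `OAUTH_TOKEN` from Parameter Store is the right choice; a token limited to commit-status scope should be enough for this call.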
@@ -755,6 +796,18 @@ Resources: ProjectName: !Ref PostDeployDocker RunOrder: 1 + - Name: "AddGitHubStatus" + InputArtifacts: + - Name: BuiltCode + ActionTypeId: + Owner: AWS + Category: Build + Provider: CodeBuild + Version: "1" + Configuration: + ProjectName: !Ref PostDeployGitHub + RunOrder: 1 + ArtifactStore: Type: S3 Location: !Ref S3Bucket From 0d132ac1d37fe6101bfc5eabeacc64d8b35591d7 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 17 Jul 2019 12:08:22 -0400 Subject: [PATCH 14/17] Parametr store permissions for codebuild lookup --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 9c67a0c1..aec61ef3 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -162,6 +162,14 @@ Resources: Action: - 'ecr:GetAuthorizationToken' Resource: '*' + - Effect: Allow + Action: + - ssm:GetParameters + Resource: + - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/esu/github/ndlib-git/oauth" + - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/all/stacks/${ImageServiceProdStackName}/hostname" + - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/all/stacks/${ImageServiceTestStackName}/hostname" + Roles: - !Ref CodeBuildTrustRole CloudFormationTrustRole: From cdebcc5f858fe4f3718c6d407873f034d04a20f2 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 17 Jul 2019 12:17:41 -0400 Subject: [PATCH 15/17] added artifacts for docker image --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index aec61ef3..597b3cf8 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml 
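Review bot: The new `ssm:GetParameters` statement (patch 14) is attached to the policy on `CodeBuildTrustRole`, which is the `ServiceRole` of all three CodeBuild projects added in this series. The GitHub OAuth parameter therefore becomes readable from the Docker image build and the re-tag job as well as from `PostDeployGitHub`. The image build runs repository-controlled steps (`docker build ... ./pyramid-generator`), which widens the set of places the token could leak from. A separate role for `PostDeployGitHub` carrying only this statement would keep the secret to the one project that needs it. The `${ImageServiceTestStackName}` hostname parameter is not read by any project visible here and could be dropped unless it is used elsewhere.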
@@ -519,6 +519,12 @@ Resources: - printf '[{"name":"%s","imageUri":"%s"}]' $PROD_CONTAINER_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitionsprod.json - printf $CODEBUILD_RESOLVED_SOURCE_VERSION > sha.txt - printf $REPOSITORY_URI:$IMAGE_TAG > deployed_tag.txt + artifacts: + files: + - imagedefinitionstest.json + - imagedefinitionsprod.json + - sha.txt + - deployed_tag.txt Artifacts: Type: CODEPIPELINE Environment: From 4f6dcfeb2c94d46475ebbb76afd6d27d49588c42 Mon Sep 17 00:00:00 2001 From: Bill Sill Date: Wed, 17 Jul 2019 14:48:43 -0400 Subject: [PATCH 16/17] Added pwd output --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 597b3cf8..12334416 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -519,6 +519,8 @@ Resources: - printf '[{"name":"%s","imageUri":"%s"}]' $PROD_CONTAINER_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitionsprod.json - printf $CODEBUILD_RESOLVED_SOURCE_VERSION > sha.txt - printf $REPOSITORY_URI:$IMAGE_TAG > deployed_tag.txt + - ls -la + - pwd artifacts: files: - imagedefinitionstest.json @@ -562,6 +564,8 @@ Resources: - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME build: commands: + - ls -la + - pwd - DEPLOYED_VERSION=$(cat deployed_tag.txt) - docker pull $DEPLOYED_VERSION - docker tag $DEPLOYED_VERSION $REPOSITORY_URI:current_release @@ -603,6 +607,8 @@ Resources: - echo Pre-build started on `date` build: commands: + - ls -la + - pwd - SOURCE_SHA=$(cat sha.txt) - DATE=$(date) post_build: @@ -800,7 +806,7 @@ Resources: Actions: - Name: "AddDockerTag" InputArtifacts: - - Name: BuiltCode + - Name: BuiltCodeDockerImage ActionTypeId: Owner: AWS Category: Build From 5c693abdbca1238ac3818053534e21cc42dee758 Mon Sep 17 00:00:00 2001 
From: Bill Sill Date: Wed, 17 Jul 2019 15:18:03 -0400 Subject: [PATCH 17/17] Removed pwd and corrected input artifact --- deploy/cloudformation/manifest-pipeline-pipeline.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/deploy/cloudformation/manifest-pipeline-pipeline.yml b/deploy/cloudformation/manifest-pipeline-pipeline.yml index 12334416..dec631b8 100644 --- a/deploy/cloudformation/manifest-pipeline-pipeline.yml +++ b/deploy/cloudformation/manifest-pipeline-pipeline.yml @@ -519,8 +519,6 @@ Resources: - printf '[{"name":"%s","imageUri":"%s"}]' $PROD_CONTAINER_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitionsprod.json - printf $CODEBUILD_RESOLVED_SOURCE_VERSION > sha.txt - printf $REPOSITORY_URI:$IMAGE_TAG > deployed_tag.txt - - ls -la - - pwd artifacts: files: - imagedefinitionstest.json @@ -564,8 +562,6 @@ Resources: - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME build: commands: - - ls -la - - pwd - DEPLOYED_VERSION=$(cat deployed_tag.txt) - docker pull $DEPLOYED_VERSION - docker tag $DEPLOYED_VERSION $REPOSITORY_URI:current_release @@ -607,8 +603,6 @@ Resources: - echo Pre-build started on `date` build: commands: - - ls -la - - pwd - SOURCE_SHA=$(cat sha.txt) - DATE=$(date) post_build: @@ -818,7 +812,7 @@ Resources: - Name: "AddGitHubStatus" InputArtifacts: - - Name: BuiltCode + - Name: BuiltCodeDockerImage ActionTypeId: Owner: AWS Category: Build