| 1 | +CICD Pipeline blog templates |
| 2 | +============================ |
| 3 | + |
| 4 | +If you haven't read the `blog article <https://blog.ecs-composex.lambda-my-aws.io>`_ yet, have a look to get more context |
| 5 | +around the following templates. |
| 6 | + |
| 7 | +Otherwise, these templates can generally be re-used in order to build simple CI pipelines for your applications and a |
| 8 | +multi-accounts deployment pipeline, driven by CodePipeline, across multiple accounts. |
| 9 | + |
| 10 | +If you intend to follow the structure of the pipeline and its accounts, create the stacks in the right order and right account. |
| 11 | + |
| 12 | + |
| 13 | +.. note:: |
| 14 | + |
| 15 | + To make things super easy, I am exporting into SSM Parameters the output of shared resources created in the account |
| 16 | + where the pipeline lives. |
| 17 | + |
| 18 | +ecr_repos.yml |
| 19 | +------------- |
| 20 | + |
| 21 | +Template for the ECR repositories, allows the dev and shared accounts IAM profiles to perform ecr: actions against it. |
| 22 | + |
| 23 | + |
| 24 | +shared-kms-cmk.yml |
| 25 | +-------------------- |
| 26 | + |
| 27 | +This template creates |
| 28 | + |
| 29 | +* KMS CMK to encrypt/decrypt artifacts in S3. |
| 30 | + |
| 31 | +We need to create it first to have the Key ID (aliases are not always very functional in IAM policies for encrypt/decrypt. |
| 32 | + |
| 33 | +.. note:: |
| 34 | + |
| 35 | + This is not mandatory. You could run codepipeline and have your artifacts stored in S3 without any specific encryption |
| 36 | + but default object encryption (using AES-256 for example). |
| 37 | + |
| 38 | +.. warning:: |
| 39 | + |
| 40 | + Refer to the `KMS API reference page`_ for supported definition in IAM policies based on actions. This will save |
| 41 | + you a lot of pain troubleshooting your IAM policies. Trust me ... |
| 42 | + |
| 43 | +As the output, we are only going to use the Key ARN |
| 44 | + |
| 45 | +shared-buckets.yml |
| 46 | +------------------- |
| 47 | + |
| 48 | +Creates one bucket for the artifacts generated by CodePipeline/Codebuild and a bucket to store the CloudFormation templates to. |
| 49 | +It by default does not create the bucket policies as the bucket policies are trying to evaluate that the IAM principals do exist |
| 50 | +prior to creating the bucket. |
| 51 | + |
| 52 | +Once we have the information we need, we will update the stack parameters accordingly and it will create the bucket policies. |
| 53 | + |
| 54 | + |
| 55 | +crossaccounts-roles.yml |
| 56 | +----------------------- |
| 57 | + |
| 58 | +This template creates 2 Roles: |
| 59 | + |
| 60 | +* A Role for CloudFormation to create the resources of the stack. |
| 61 | + PowerUserAccess is plenty with procurement for IAM roles creation. |
| 62 | + |
| 63 | +* A Role for CodePipeline in the Shared/Central account to assume. |
| 64 | + Provides permissions to RW objects into the shared bucket and to decrypt/encrypt objects with a KMS CMK for artifacts. |
| 65 | + |
| 66 | +The outputs are the ARN and RoleID of these two roles. We are going to use the RoleId in the shared. |
| 67 | + |
| 68 | +.. note:: |
| 69 | + |
| 70 | + Using RoleIds makes sure that these will be correctly formatted in the Bucket policy. |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +.. _KMS API reference page: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html |
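Review bot: two sentences in this README are unfinished: the `shared-kms-cmk.yml` line "We need to create it first to have the Key ID (aliases are not always very functional in IAM policies for encrypt/decrypt." never closes its parenthesis, and the `crossaccounts-roles.yml` line "We are going to use the RoleId in the shared." stops mid-sentence (the following note suggests it means the shared account's bucket policy, so say so). While there, the `ecr_repos.yml` section only says the dev and shared account profiles may perform "ecr: actions"; listing the actual actions granted would let readers judge the scope, and the "PowerUserAccess is plenty with procurement for IAM roles creation" line for the CloudFormation role deserves a sentence noting that PowerUserAccess plus IAM role creation is close to full admin in the target account, so readers should narrow it to what their stacks actually deploy.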