Creates a pipeline that builds a container, pushes it to ECR and deploys the container to an ECS service.

The account that owns the GitHub token must have admin access on the repo in order to generate a GitHub webhook.
If `use_docker_credentials` is set to `true`, the environment variables `DOCKERHUB_USER` and `DOCKERHUB_PASS` are exposed via CodeBuild. You can add these 2 lines to the beginning of your `build` phase commands in `buildspec.yml` to log in to Dockerhub:

```yaml
build:
  commands:
    - echo "Logging into Dockerhub..."
    # --password-stdin keeps the password out of the process list and the CodeBuild log
    - echo "${DOCKERHUB_PASS}" | docker login -u "${DOCKERHUB_USER}" --password-stdin
    # ... your existing build commands
```
The Secrets Manager environment variable `REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID` is exposed via CodeBuild. You can add this line to the beginning of your `build` phase commands in `buildspec.yml` to assign the token's secret value to the local variable `GITHUB_TOKEN`:

```yaml
build:
  commands:
    # The variable holds the resolved secret value, not the secret's ID
    - export GITHUB_TOKEN=${REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID}
```
If `use_repo_access_github_token` is set to `true`, the environment variable `REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID` is exposed via CodeBuild. Usage remains the same as v1.9.
If `s3_block_public_access` is set to `true`, the block public access setting for the artifact bucket is enabled.

Uses aws-codebuild-project 2.0 for AWS provider 4.x.
If `use_sysdig_api_token` is set to `true`, the Secrets Manager environment variable `SYSDIG_API_TOKEN_SECRETS_ID` is exposed via CodeBuild. You can add these 8 lines to the end of your `build` phase commands in `buildspec.yml` to run Sysdig image security scans:

```yaml
build:
  commands:
    # ... your existing build commands
    - echo "Running Sysdig image inline scan..."
    # `|| true` keeps a failed policy evaluation from failing the build; remove it to make the scan a gate
    - docker run --rm -u $(id -u) -v /var/run/docker.sock:/var/run/docker.sock -v $(pwd)/reports:/staging/reports quay.io/sysdig/secure-inline-scan:2 -s https://us2.app.sysdig.com -k ${SYSDIG_API_TOKEN_SECRETS_ID} --storage-type docker-daemon --storage-path /var/run/docker.sock -r /staging/reports ${REPOSITORY_URI}:${IMAGE_TAG} || true
    - echo "Downloading Sysdig Cli Scanner..."
    - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
    - echo "Adding executable permission to sysdig-cli-scanner binary..."
    - chmod +x ./sysdig-cli-scanner
    - echo "Running Sysdig image cli scan..."
    # The token is passed through the environment, so it does not appear on the command line
    - SECURE_API_TOKEN=${SYSDIG_API_TOKEN_SECRETS_ID} ./sysdig-cli-scanner --apiurl https://us2.app.sysdig.com ${REPOSITORY_URI}:${IMAGE_TAG} --policy sysdig_best_practices || true
```
```hcl
module "ecs_pipeline" {
  source = "github.com/globeandmail/aws-codepipeline-ecs?ref=2.1"

  name             = "app-name"
  ecr_name         = "ecr-repo-name"
  ecs_cluster_name = "cluster-name"
  ecs_service_name = "service-name"

  github_repo_owner  = "github-account-name"
  github_repo_name   = "github-repo-name"
  github_oauth_token = data.aws_ssm_parameter.github_token.value

  tags = {
    Environment = var.environment
  }

  # Secret and KMS key ARNs live in the shared service account; the values below are placeholders
  use_repo_access_github_token             = true
  svcs_account_github_token_aws_secret_arn = "svcs-account-github-token-aws-secret-arn"
  svcs_account_aws_kms_cmk_arn             = "svcs-account-aws-kms-cmk-arn"

  s3_block_public_access = true

  use_sysdig_api_token                         = true
  svcs_account_sysdig_api_token_aws_secret_arn = "svcs-account-sysdig-api-token-aws-secret-arn"
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | The name associated with the pipeline and associated resources, e.g. app-name | string | n/a | yes |
ecr_name | The name of the ECR repo | string | n/a | yes |
ecs_cluster_name | The name of the ECS cluster | string | n/a | yes |
ecs_service_name | The name of the ECS service | string | n/a | yes |
github_repo_owner | The owner of the GitHub repo | string | n/a | yes |
task_execution_role | The name of the task execution role | string | "ecsTaskExecutionRole" | no |
github_oauth_token | GitHub oauth token | string | n/a | yes |
codebuild_image | The codebuild image to use | string | "null" | no |
build_compute_type | Build environment compute type | string | "null" | no |
buildspec | Build spec file other than buildspec.yml | string | "buildspec.yml" | no |
ecs_artifact_filename | The name of the ECS deploy artifact | string | "null" | no |
github_branch_name | The git branch name to use for the codebuild project | string | "master" | no |
use_docker_credentials | (Optional) Use Dockerhub credentials stored in Parameter Store | bool | false | no |
tags | A mapping of tags to assign to the resource | map | {} | no |
use_repo_access_github_token | (Optional) Allow the AWS codebuild IAM role read access to the REPO_ACCESS_GITHUB_TOKEN secrets manager secret in the shared service account. Defaults to false. | bool | false | no |
svcs_account_github_token_aws_secret_arn | (Optional) The AWS secret ARN for the repo access GitHub token. The secret is created in the shared service account. Required if var.use_repo_access_github_token is true. | string | null | no |
svcs_account_aws_kms_cmk_arn | (Optional) The us-east-1 region AWS KMS customer managed key ARN for encrypting all AWS secrets. The key is created in the shared service account. Required if var.use_repo_access_github_token or var.use_sysdig_api_token is true. | string | null | no |
create_github_webhook | Create the GitHub webhook that triggers codepipeline | bool | "true" | no |
s3_block_public_access | (Optional) Enable the S3 block public access setting for the artifact bucket. | bool | false | no |
use_sysdig_api_token | (Optional) Allow the AWS codebuild IAM role read access to the SYSDIG_API_TOKEN secrets manager secret in the shared service account. Defaults to false. | bool | false | no |
svcs_account_sysdig_api_token_aws_secret_arn | (Optional) The AWS secret ARN for the Sysdig API token. The secret is created in the shared service account. Required if var.use_sysdig_api_token is true. | string | null | no |
Name | Description |
---|---|
artifact_bucket_arn | ARN of the S3 artifact bucket |
artifact_bucket_id | ID of the S3 artifact bucket |
codebuild_project_arn | ARN of the CodeBuild project |
codebuild_project_id | ID of the CodeBuild project |
codepipeline_arn | ARN of the CodePipeline pipeline |
codepipeline_id | ID of the CodePipeline pipeline |
```yaml
version: 0.2
env:
  variables:
    IMAGE_REPO_NAME: "ecr-repo-name"
phases:
  install:
    runtime-versions:
      docker: 18
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      # `aws ecr get-login` exists only in AWS CLI v1; on CLI v2 use
      # `aws ecr get-login-password | docker login --username AWS --password-stdin <registry>`
      - $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
      - AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
      - REPOSITORY_URI=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${IMAGE_REPO_NAME}
      # Tag with the short commit hash so every deployed image is traceable to a revision
      - COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
      - IMAGE_TAG=${COMMIT_HASH:=latest}
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...
      - docker build -t $REPOSITORY_URI:latest .
      - docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker images...
      - docker push $REPOSITORY_URI:latest
      - docker push $REPOSITORY_URI:$IMAGE_TAG
      # imagedefinitions.json is what the ECS deploy stage consumes; "name" must match
      # the container name in the task definition
      - printf '[{"name":"%s","imageUri":"%s"}]' $IMAGE_REPO_NAME $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json
artifacts:
  files:
    - imagedefinitions.json
```
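Because the module hands `DOCKERHUB_PASS`, `REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID` and `SYSDIG_API_TOKEN_SECRETS_ID` to CodeBuild as environment variables, the buildspec is where they can leak into CloudWatch Logs or where a scan can be silently ignored. The following is an added example, not part of this module, of a small line-based check that flags a `docker login` with the password on the command line, a Sysdig scan command ending in `|| true`, and an unpiped `echo` or `printf` of one of those secret variables; the sample buildspec it runs on is constructed from the snippets above.

```python
import re

# Secret-bearing variables the module exposes to CodeBuild (names from the README)
SECRET_VARS = (
    "DOCKERHUB_PASS",
    "REPO_ACCESS_GITHUB_TOKEN_SECRETS_ID",
    "SYSDIG_API_TOKEN_SECRETS_ID",
    "GITHUB_TOKEN",
)
# Scanner invocations that should gate the build rather than be ignored
SCANNERS = ("secure-inline-scan", "sysdig-cli-scanner")


def lint_buildspec(text):
    """Return (line_no, rule, command) tuples for risky buildspec commands."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("- "):
            continue  # only list items under `commands:` are shell commands
        cmd = line[2:]
        # A password passed as an argument shows up in `ps` and in the CodeBuild log
        if re.search(r"docker\s+login\b.*\s(-p|--password)\s", cmd):
            findings.append((n, "password-on-cli", cmd))
        # `|| true` turns a failed policy evaluation into a green build
        if any(s in cmd for s in SCANNERS) and re.search(r"\|\|\s*true\s*$", cmd):
            findings.append((n, "scan-never-fails-build", cmd))
        # Echoing a secret variable (not piped anywhere) writes its value to the log
        if re.match(r"(echo|printf)\b", cmd) and "|" not in cmd and any(
            re.search(r"\$\{?" + v + r"\b", cmd) for v in SECRET_VARS
        ):
            findings.append((n, "secret-echoed-to-log", cmd))
    return findings


# Constructed sample: the README's docker login and Sysdig lines plus one bad echo
SAMPLE = """\
build:
  commands:
    - echo "Logging into Dockerhub..."
    - docker login -u ${DOCKERHUB_USER} -p ${DOCKERHUB_PASS}
    - echo "token is ${GITHUB_TOKEN}"
    - docker build -t $REPOSITORY_URI:latest .
    - SECURE_API_TOKEN=${SYSDIG_API_TOKEN_SECRETS_ID} ./sysdig-cli-scanner --apiurl https://us2.app.sysdig.com ${REPOSITORY_URI}:${IMAGE_TAG} --policy sysdig_best_practices || true
"""

if __name__ == "__main__":
    for line_no, rule, cmd in lint_buildspec(SAMPLE):
        print(f"line {line_no}: {rule}: {cmd}")
```

Run it against the real `buildspec.yml` as a pre-commit or CodeBuild `pre_build` step; `echo "$DOCKERHUB_PASS" | docker login --password-stdin` is deliberately not flagged, since the piped value never reaches the log.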