chore: add cfn snippets for bare-boned pre/post deployment actions (a…

…ws#5109) By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
huanjani · Aug 4, 2023 · 7dd974f · 7dd974f
1 parent af736c9
commit 7dd974f
Show file tree

Hide file tree

Showing 10 changed files with 295 additions and 165 deletions.
diff --git a/internal/pkg/deploy/pipeline.go b/internal/pkg/deploy/pipeline.go
@@ -607,6 +607,16 @@ func (stg *PipelineStage) Deployments() ([]DeployAction, error) {
 	return actions, nil
 }
 
+// PreDeployments returns a list of pre-deployment actions for the pipeline stage.
+func (stg *PipelineStage) PreDeployments() ([]Step, error) {
+	return nil, nil
+}
+
+// PostDeployments returns a list of post-deployment actions for the pipeline stage.
+func (stg *PipelineStage) PostDeployments() ([]Step, error) {
+	return nil, nil
+}
+
 func (stg *PipelineStage) buildDeploymentsGraph() *graph.Graph[string] {
 	var names []string
 	for name := range stg.deployments {
@@ -729,3 +739,15 @@ func (a *TestCommandsAction) Name() string {
 func (a *TestCommandsAction) Commands() []string {
 	return a.commands
 }
+
+// Step represents a CodePipeline action backed by a CodeBuild project.
+type Step struct {
+	action
+	Build
+	name string
+}
+
+// Name returns the name of the action.
+func (s *Step) Name() string {
+	return s.name
+}
diff --git a/internal/pkg/template/pipeline.go b/internal/pkg/template/pipeline.go
@@ -14,7 +14,7 @@ const (
 	fmtPipelinePartialsPath = "cicd/partials/%s.yml"
 )
 
-var pipelinePartialTemplateNames = []string{"build", "test"}
+var pipelinePartialTemplateNames = []string{"build-action", "role-policy-document", "role-config", "actions", "action-config", "test"}
 
 // ParsePipeline parses a pipeline's CloudFormation template with the specified data object and returns its content.
 func (t *Template) ParsePipeline(data interface{}) (*Content, error) {

diff --git a/internal/pkg/template/pipeline_test.go b/internal/pkg/template/pipeline_test.go
@@ -20,7 +20,11 @@ Resources:
   {{ logicalIDSafe "this-is-not-safe" }}
   {{ isCodeStarConnection "randomSource" }}
 `), 0644)
-	_ = afero.WriteFile(fs, "templates/cicd/partials/build.yml", []byte("build"), 0644)
+	_ = afero.WriteFile(fs, "templates/cicd/partials/build-action.yml", []byte("build-action"), 0644)
+	_ = afero.WriteFile(fs, "templates/cicd/partials/role-policy-document.yml", []byte("role-policy-document"), 0644)
+	_ = afero.WriteFile(fs, "templates/cicd/partials/role-config.yml", []byte("role-config"), 0644)
+	_ = afero.WriteFile(fs, "templates/cicd/partials/actions.yml", []byte("actions"), 0644)
+	_ = afero.WriteFile(fs, "templates/cicd/partials/action-config.yml", []byte("action-config"), 0644)
 	_ = afero.WriteFile(fs, "templates/cicd/partials/test.yml", []byte("test"), 0644)
 	tpl := &Template{
 		fs: &mockFS{

diff --git a/internal/pkg/template/templates/cicd/partials/action-config.yml b/internal/pkg/template/templates/cicd/partials/action-config.yml
@@ -0,0 +1,23 @@
+{{- if or (eq .Build.EnvironmentType "LINUX_CONTAINER") (eq .Build.EnvironmentType "ARM_CONTAINER")}}
+Cache:
+  Modes:
+    - LOCAL_DOCKER_LAYER_CACHE
+  Type: LOCAL
+{{- else }}
+Cache:
+  Type: "NO_CACHE"
+{{- end }}
+Environment:
+  Type: {{.Build.EnvironmentType}}
+  ComputeType: BUILD_GENERAL1_SMALL
+  PrivilegedMode: true
+  Image: {{.Build.Image}}
+  EnvironmentVariables:
+    - Name: AWS_ACCOUNT_ID
+      Value: !Sub '${AWS::AccountId}'
+    - Name: PARTITION
+      Value: !Ref AWS::Partition
+Source:
+  Type: CODEPIPELINE
+  BuildSpec: {{.Build.BuildspecPath}}
+TimeoutInMinutes: 60
diff --git a/internal/pkg/template/templates/cicd/partials/actions.yml b/internal/pkg/template/templates/cicd/partials/actions.yml
@@ -0,0 +1,67 @@
+{{- range $stage := .Stages}}
+{{- range $action := $stage.PreDeployments}}
+Pre{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}BuildProjectRole:
+  Type: AWS::IAM::Role
+  Properties:
+    Path: /
+{{ include "role-config" $ | indent 4}}
+    {{- if $.PermissionsBoundary }}
+    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{$.PermissionsBoundary}}'
+    {{- end }}
+    Policies:
+      - PolicyName: assume-env-manager
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          - Effect: Allow
+            Resource: 'arn:aws:iam::{{$stage.AccountID}}:role/{{$.AppName}}-{{$stage.Name}}-EnvManagerRole'
+            Action:
+              - sts:AssumeRole
+      - PolicyName: build-role-policy
+        PolicyDocument:
+{{ include "role-policy-document" $ | indent 10 }}
+
+Pre{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}:
+  Type: AWS::CodeBuild::Project
+  Properties:
+    EncryptionKey: !ImportValue {{$.AppName}}-ArtifactKey
+    ServiceRole: !GetAtt Pre{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}BuildProjectRole.Arn
+    Artifacts:
+      Type: CODEPIPELINE
+{{ include "action-config" $action | indent 4}}
+{{- end}}
+{{- end}}
+
+{{- range $stage := .Stages}}
+{{- range $action := $stage.PostDeployments}}
+Post{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}BuildProjectRole:
+  Type: AWS::IAM::Role
+  Properties:
+    Path: /
+  {{ include "role-config" $ | indent 4}}
+    {{- if $.PermissionsBoundary }}
+    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{$.PermissionsBoundary}}'
+    {{- end }}
+    Policies:
+      - PolicyName: assume-env-manager
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            - Effect: Allow
+              Resource: 'arn:aws:iam::{{$stage.AccountID}}:role/{{$.AppName}}-{{$stage.Name}}-EnvManagerRole'
+              Action:
+                - sts:AssumeRole
+      - PolicyName: build-role-policy
+        PolicyDocument:
+  {{ include "role-policy-document" $ | indent 10 }}
+
+Post{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}:
+  Type: AWS::CodeBuild::Project
+  Properties:
+    EncryptionKey: !ImportValue {{$.AppName}}-ArtifactKey
+    ServiceRole: !GetAtt Post{{logicalIDSafe $stage.Name}}DeploymentAction{{logicalIDSafe $action.Name}}BuildProjectRole.Arn
+    Artifacts:
+      Type: CODEPIPELINE
+  {{ include "action-config" $action | indent 4}}
+{{- end}}
+{{- end}}
diff --git a/internal/pkg/template/templates/cicd/partials/build-action.yml b/internal/pkg/template/templates/cicd/partials/build-action.yml
@@ -0,0 +1,53 @@
+BuildProjectRole:
+  Type: AWS::IAM::Role
+  Properties:
+    Path: /
+{{ include "role-config" . | indent 4}}
+  {{- if $.PermissionsBoundary }}
+    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{$.PermissionsBoundary}}'
+  {{- end }}
+    Policies:
+      - PolicyName: assume-env-manager
+        PolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+          {{- range $stage := .Stages}}
+          - Effect: Allow
+            Resource: 'arn:aws:iam::{{$stage.AccountID}}:role/{{$.AppName}}-{{$stage.Name}}-EnvManagerRole'
+            Action:
+              - sts:AssumeRole
+          {{- end }}
+
+BuildProjectPolicy:
+  Type: AWS::IAM::Policy
+  DependsOn: BuildProjectRole
+  Properties:
+    PolicyName: !Sub ${AWS::StackName}-CodeBuildPolicy
+    Roles:
+      - !Ref BuildProjectRole
+    PolicyDocument:
+{{ include "role-policy-document" . | indent 6 }}
+
+{{- if .Build.AdditionalPolicyDocument }}
+BuildProjectAdditionalPolicy:
+  Type: 'AWS::IAM::Policy'
+  Properties:
+    PolicyName: !Sub ${AWS::StackName}-BuildProjectAdditionalPolicy
+    PolicyDocument:
+{{.Build.AdditionalPolicyDocument | indent 8}}
+    Roles:
+      - !Ref BuildProjectRole
+{{- end}}
+
+BuildProject:
+  Type: AWS::CodeBuild::Project
+  Properties:
+    Name: !Sub ${AWS::StackName}-BuildProject
+    Description: !Sub Build for ${AWS::StackName}
+    # ArtifactKey is the KMS key ID or ARN that is used with the artifact bucket
+    # created in the same region as this pipeline.
+    EncryptionKey: !ImportValue {{$.AppName}}-ArtifactKey
+    ServiceRole: !GetAtt BuildProjectRole.Arn
+    Artifacts:
+      Type: CODEPIPELINE
+{{- include "action-config" . | indent 4}}
diff --git a/internal/pkg/template/templates/cicd/partials/build.yml b/internal/pkg/template/templates/cicd/partials/build.yml
diff --git a/internal/pkg/template/templates/cicd/partials/role-config.yml b/internal/pkg/template/templates/cicd/partials/role-config.yml
@@ -0,0 +1,12 @@
+AssumeRolePolicyDocument:
+  Version: '2012-10-17'
+  Statement:
+    - Effect: Allow
+      Principal:
+        Service:
+          - codebuild.amazonaws.com
+      Action:
+        - sts:AssumeRole
+ManagedPolicyArns:
+  - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess' # for env ls
+  - 'arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess' # for service package