How to use cross-account CodeCommit repository with Terraform? - amazon-web-services

Right now we are using two AWS accounts with Terraform (INT and PROD). Currently we have the same repositories in both of the accounts, which is obviously not best practice, so I'm trying to set up cross-account access. The goal is to have the repos only on the INT account, and make the CodeBuild project or CodePipeline instance on the PROD account use those repos.
I have already created the necessary policies and roles on both accounts so lack of permission should not be a problem. However, what I'm struggling with is using the INT repos as source for the PROD CodeBuild project for example.
The project's source block is configured in the following way:
source {
  type      = "CODECOMMIT"
  location  = "https://git-codecommit.region.amazonaws.com/v1/repos/example-repo"
  buildspec = data.local_file.buildspec_local.content
}
I can't seem to understand how I should proceed here. From my understanding, I should somehow reference the repo in the INT account, but from what I know there's only one way to do that, which is using multiple aws provider blocks with the accounts' access key ID and secret key.
This solution is not possible for us, since we have to use the company's SSO tool to generate credentials which are valid for 12 hours to use the AWS accounts.
I am aware that there are loads of questions regarding cross-account access in AWS, but unfortunately I haven't found one that helps me.

Welcome to the world of AWS Terraform! Not sure how far you have gotten on this, but there are two options for you. Option 1 leverages AWS Cross Account Pipeline. Now I am currently in the process of building this out with Terraform, but this would be considered the best practice for this type of development.
If you are just looking to pull in the repos from another account, then you can leverage CodeBuild to SSH and clone the repository into your build job. To do this, you will need to create an SSH user in the repo account, which we will label A. You will need the SSH user's User Key and the Public Key. You will create two variables in the Parameter Store called variable_ssh_key and variable_codecommit_user.
Leveraging the buildspec provided here, you can leverage git clone to pull down any repository you need. The only thing you will need is in Account B to create one repo that stores the buildspec and calls the other repos. See buildspec as a reference.
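The asker's real constraint is the 12-hour SSO session, not the cross-account part: the Terraform aws provider accepts an assume_role block, so a second provider alias can reuse the SSO session to assume a role in INT without any static keys. The following is an added example, not code from the question, the answer, or any AWS guide, and it takes the role-assumption route rather than the SSH-user route the answer describes: CodeCommit has no resource-based policies, so the PROD CodeBuild service role cannot be granted GitPull on an INT repo directly; instead it assumes a narrowly scoped role in INT from inside the build. Assumed values are the account IDs 111111111111 (INT) and 222222222222 (PROD), the region eu-west-1, the repo name example-repo, the role names shown, and an existing INT role TerraformDeploy that the PROD SSO session may assume.

```hcl
# Added example, not code from the original question or answer.
# Assumed: INT 111111111111 owns example-repo, PROD 222222222222 runs the build,
# region eu-west-1, INT role "TerraformDeploy" assumable from the PROD SSO session.
locals {
  int_account_id = "111111111111"
  region         = "eu-west-1"
  repo_arn       = "arn:aws:codecommit:${local.region}:${local.int_account_id}:example-repo"
}

# Default provider: the PROD SSO session Terraform is run with.
provider "aws" {
  region = local.region
}

# INT provider: same SSO session, no static keys; Terraform calls sts:AssumeRole.
provider "aws" {
  alias  = "int"
  region = local.region
  assume_role {
    role_arn = "arn:aws:iam::${local.int_account_id}:role/TerraformDeploy"
  }
}

# PROD: the CodeBuild service role.
resource "aws_iam_role" "codebuild" {
  name = "prod-codebuild-example"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "codebuild.amazonaws.com" } }]
  })
}

# INT: a role that trusts exactly that PROD role (not the whole PROD account)
# and may only pull one repo (no push, no repo administration).
resource "aws_iam_role" "repo_reader" {
  provider = aws.int
  name     = "prod-codebuild-repo-reader"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { AWS = aws_iam_role.codebuild.arn } }]
  })
}

resource "aws_iam_role_policy" "repo_reader" {
  provider = aws.int
  role     = aws_iam_role.repo_reader.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "codecommit:GitPull", Resource = local.repo_arn }]
  })
}

# PROD: the service role may assume only the INT reader role, plus write its logs.
resource "aws_iam_role_policy" "codebuild" {
  role = aws_iam_role.codebuild.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.repo_reader.arn },
      { Effect = "Allow", Resource = "*",
        Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"] },
    ]
  })
}

# PROD: the build. No CODECOMMIT source; the buildspec assumes the INT role and
# clones over HTTPS with the CodeCommit credential helper.
resource "aws_codebuild_project" "example" {
  name         = "example-cross-account-clone"
  service_role = aws_iam_role.codebuild.arn

  artifacts { type = "NO_ARTIFACTS" }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"
    environment_variable {
      name  = "INT_REPO_ROLE_ARN"
      value = aws_iam_role.repo_reader.arn
    }
  }

  source {
    type      = "NO_SOURCE"
    buildspec = <<-EOT
      version: 0.2
      phases:
        install:
          commands:
            # Assume the INT role in a subshell so the temporary keys never leak
            # into later steps, which keep using the CodeBuild service role.
            - |
              ( set -e
                set -- $(aws sts assume-role --role-arn "$INT_REPO_ROLE_ARN" \
                    --role-session-name "codebuild-$CODEBUILD_BUILD_NUMBER" \
                    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
                export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
                git config --global credential.helper '!aws codecommit credential-helper $@'
                git config --global credential.UseHttpPath true
                git clone --depth 1 https://git-codecommit.${local.region}.amazonaws.com/v1/repos/example-repo src )
        build:
          commands:
            - cd src && ls -la
    EOT
  }
}
```

Two checks worth doing after `terraform apply`: confirm from the CloudTrail log in INT that the AssumeRole event's principal is the PROD service role and nothing else, and run `aws sts get-caller-identity` in a later build step to verify it still reports the PROD service role, proving the INT credentials stayed inside the subshell. Because the trust policy names the PROD role ARN rather than the PROD account root, destroying and recreating the PROD role breaks the trust until the policy is re-applied, which is the intended fail-closed behaviour.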

Related

Is it easier to access codecommit of different account with AWS organizations?

I want a codepipeline to be triggered on a codecommit change of a different AWS account (also owned by me).
I found this tutorial:
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
But the question is, if it is easier to create it (e.g. only using console) when I add both accounts to an AWS organization? Or will the effort be the same?

AWS codebuild - does disconnecting from Github in single build project remove from all projects

I have multiple Codebuild projects in an AWS account (which were created by others), with private Github repos as the source, connected via oauth.
I'm creating a new Codebuild project, also looking at a private github repo, however Codebuild fails to create since it "can't access the github repo".
I imagine that whoever in the account originally connected to Github doesn't have access to the repo I'm trying to connect to.
I'd like to click the "disconnect from Github" and re-authorize, since I have access to the repo I'm trying to connect to, but I'm concerned that will disconnect all Codebuild projects.
I know that my Github credentials don't permit access to all repos that Codebuild projects are currently reading from.
When a connection to Github is made via oauth, does that set it for the entire account?
When a connection to Github is made via oauth, does that set it for the entire account?
Yes, it will reset the token for all your CodeBuild projects in that AWS account ID. CodeBuild only supports one token (OAuth or personal access token) per AWS account ID.
We are aware of the limitation this causes on end users and will make this experience better in a future release.

Building a nodejs app across multiple AWS accounts

Ok so I have the exact build script to build my nodejs app.
The idea is to setup a CI/CD pipeline that will build our app across different aws accounts such as DEV, STAGING, and PROD.
I have a repo in Account A (Dev) that hosts a nodejs app
I want to be able to create a pipeline in Account B that checks out code from repo in account A
And finally when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod)
My issue is not on how to build a nodejs app but rather how to allow codepipeline, in account B, to checkout the repo in account A and finally deploy the built app to staging and prod.
My ideas from reading around:
Create IAM roles for the pipeline in Account A which allow it to check out CodeCommit repos
Have the pipeline in account B assume the role from account A somehow
It's still not clear to me how to go about doing this; I'm just getting into aws
I will update this post if I come across a solution but maybe someone has a tutorial or could point me to a documentation or list the steps or an example here
From my understanding, it is not possible to build a cross-account pipeline using CodePipeline. What you need to do is build your pipeline in your central account first.
The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.
As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. And these S3 buckets should be the sources of CodePipelines in those accounts.
This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created to have bucket policies to only receive files from your central account.
This is of course not ideal, but it's how I solved this issue beforehand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.
Good luck!
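The hand-off bucket in the answer above is where the trust boundary between accounts actually sits, so its policy deserves more care than "receive files from the central account". The following is an added example, not code from the answer or from any AWS guide; it restricts uploads to one named role in the central account rather than the whole account, confines them to a releases/ prefix, and enforces the versioning and object ownership that the target account's CodePipeline S3 source needs. Assumed: central account 111111111111 with a pipeline role named central-pipeline, the bucket name shown, and a Terraform provider already configured for the target (QA) account.

```hcl
# Added example, not code from the original answer. Applied in the target (QA)
# account. Assumed: central account 111111111111, pipeline role "central-pipeline".
locals {
  central_pipeline_role = "arn:aws:iam::111111111111:role/central-pipeline"
}

resource "aws_s3_bucket" "handoff" {
  bucket = "example-qa-release-candidates" # assumed name, must be globally unique
}

# CodePipeline's S3 source action requires versioning and triggers on new versions.
resource "aws_s3_bucket_versioning" "handoff" {
  bucket = aws_s3_bucket.handoff.id
  versioning_configuration { status = "Enabled" }
}

# Objects uploaded by the central account become owned by this account, so the
# local pipeline can read them without relying on ACLs.
resource "aws_s3_bucket_ownership_controls" "handoff" {
  bucket = aws_s3_bucket.handoff.id
  rule { object_ownership = "BucketOwnerEnforced" }
}

resource "aws_s3_bucket_public_access_block" "handoff" {
  bucket                  = aws_s3_bucket.handoff.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "handoff" {
  # Only the central pipeline role, not the whole central account, may upload,
  # and only under releases/.
  statement {
    sid       = "CentralPipelineUploadOnly"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.handoff.arn}/releases/*"]
    principals {
      type        = "AWS"
      identifiers = [local.central_pipeline_role]
    }
  }
  # Plain-HTTP access is refused for every principal.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.handoff.arn, "${aws_s3_bucket.handoff.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "handoff" {
  bucket = aws_s3_bucket.handoff.id
  policy = data.aws_iam_policy_document.handoff.json
}
```

Cross-account S3 access needs both halves: the bucket policy above in the target account, and an identity policy on central-pipeline in the central account that allows s3:PutObject on the same releases/ prefix. If the artifacts are encrypted with a customer-managed KMS key (which a release-candidate bucket should be), the key policy must also grant kms:GenerateDataKey to the central role and kms:Decrypt to the target account's pipeline role; that key policy is not shown here.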
AWS provides a guide with source that does something close to what you are trying to do.
It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.

Is it possible to get a profile url on AWS CodeCommit like on Github?

Many programmers like to share all their public repos where their code is stored and they can give their unique Github URL to everyone who's interested in it; like potential employers.
If someone sets up an AWS account and AWS CodeCommit, can he then get such a profile URL for himself there also? (Or is AWS CodeCommit more designed for your personal version control etc. and not having a real profile for others?)
AWS CodeCommit is not designed for public anonymous access. Access to CodeCommit requires AWS credentials. The purpose of CodeCommit is for teams to be able to work together and not to provide a public repository.

How to use code commit repository which is created in one account in another account

I have created my aws code commit repository in another account and now I want to use it in a different account in my pipeline.
I found this article:
http://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
But this article is using S3, which is easy with a bucket policy. However, for using a CodeCommit repository created in one account in a pipeline in another account, I did not find anything. Is it possible at all? I would appreciate any help.