Ok so I have the exact build script to build my nodejs app.
The idea is to setup a CI/CD pipeline that will build our app across different aws accounts such as DEV, STAGING, and PROD.
I have a repo in Account A (Dev) that hosts a nodejs app
I want to be able to create a pipeline in Account B that checks out code from repo in account A
And finally when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod)
My issue is not on how to build a nodejs app but rather how to allow codepipeline, in account B, to checkout the repo in account A and finally deploy the built app to staging and prod.
My ideas from reading around:
Create IAM roles for the pipeline in Account A which allow it to check out CodeCommit repos
Have the pipeline in account B assume the role from account A somehow
It's still not clear to me how to go about doing this; I'm just getting into aws
I will update this post if I come across a solution but maybe someone has a tutorial or could point me to a documentation or list the steps or an example here
From my understanding it is not possible to build a cross account pipeline using codepipeline. What you need to do is build your pipeline in your central account first.
The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.
As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. And these S3 buckets should be the sources of CodePipelines in those accounts.
This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created to have bucket policies to only receive files from your central account.
This is of course not ideal, but it's how I solved this issue beforehand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.
Good luck!
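The answer above says the per-account S3 buckets "can be created to have bucket policies to only receive files from your central account". The following is an added example, not code from the thread: it builds such a bucket policy and runs a few sample requests through a simplified model of how a bucket policy is evaluated (explicit Deny beats Allow). All account IDs, the bucket name and the role name are constructed placeholders. The model covers only the bucket policy; real cross-account writes also need `s3:PutObject` in the central role's own IAM policy, and objects written from another account must be readable by the bucket owner (for example via `bucket-owner-full-control` or bucket-owner-enforced object ownership) or the receiving pipeline cannot read its source.

```python
import fnmatch
import json

# Constructed sample identifiers (not from the original thread).
CENTRAL_ACCOUNT = "111111111111"      # account running the build pipeline
DEPLOY_ACCOUNT = "222222222222"       # e.g. the staging account
DEPLOY_BUCKET = "example-staging-deploy-artifacts"
CENTRAL_PIPELINE_ROLE = f"arn:aws:iam::{CENTRAL_ACCOUNT}:role/central-pipeline-role"


def deployment_bucket_policy(bucket, bucket_account, central_account, central_role_arn):
    """Bucket policy for a per-account deployment bucket.

    Allow only the central account's pipeline role to publish release
    artifacts, and explicitly deny PutObject from any principal that is
    outside both the bucket's own account and the central account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCentralPipelineToPublishArtifacts",
                "Effect": "Allow",
                "Principal": {"AWS": central_role_arn},
                "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{bucket}/releases/*",
            },
            {
                "Sid": "DenyWritesFromAnyOtherAccount",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:PrincipalAccount": [central_account, bucket_account]
                    }
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal, principal_arn):
    if stmt_principal == "*":
        return True
    aws = _as_list(stmt_principal.get("AWS", []))
    return "*" in aws or principal_arn in aws


def _condition_holds(condition, principal_account):
    # Only the single operator this policy uses is modelled.
    if not condition:
        return True
    allowed = _as_list(condition["StringNotEquals"]["aws:PrincipalAccount"])
    return principal_account not in allowed


def evaluate_bucket_policy(policy, principal_arn, principal_account, action, resource):
    """Return 'deny', 'allow' or 'no_match' for one request.

    Simplified model of the bucket-policy part of IAM evaluation: a matching
    explicit Deny wins over any Allow. Identity-based policies are not
    modelled, so 'no_match' means "the bucket policy does not decide".
    """
    decision = "no_match"
    for stmt in policy["Statement"]:
        matches = (
            _principal_matches(stmt["Principal"], principal_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition"), principal_account)
        )
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = deployment_bucket_policy(
        DEPLOY_BUCKET, DEPLOY_ACCOUNT, CENTRAL_ACCOUNT, CENTRAL_PIPELINE_ROLE
    )
    print(json.dumps(policy, indent=2))
    release = f"arn:aws:s3:::{DEPLOY_BUCKET}/releases/app-1.2.3.zip"
    print(evaluate_bucket_policy(policy, CENTRAL_PIPELINE_ROLE, CENTRAL_ACCOUNT,
                                 "s3:PutObject", release))        # allow
    print(evaluate_bucket_policy(policy, "arn:aws:iam::999999999999:role/other",
                                 "999999999999", "s3:PutObject", release))  # deny
```

The Deny statement is what makes the bucket a trustworthy pipeline source: even if someone later adds an over-broad Allow, writes from a third account are still refused. Keep the Allow scoped to a prefix such as `releases/` so the central role cannot overwrite objects elsewhere in the bucket.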
AWS provides a guide with source that does something close to what you are trying to do.
It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.
Right now we are using two AWS accounts with Terraform (INT and PROD). Currently we have the same repositories in both of the accounts, which is obviously not best practice, so I'm trying to set up cross-account access. The goal is to have the repos only on the INT account, and make the CodeBuild project or CodePipeline instance on the PROD account to use those repos.
I have already created the necessary policies and roles on both accounts so lack of permission should not be a problem. However, what I'm struggling with is using the INT repos as source for the PROD CodeBuild project for example.
The project's source block is configured in the following way:
source {
  type      = "CODECOMMIT"
  location  = "https://git-codecommit.region.amazonaws.com/v1/repos/example-repo"
  buildspec = data.local_file.buildspec_local.content
}
I can't seem to understand how I should proceed here. From my understanding, I should somehow reference the repo in the INT account, but from what I know there's only one way to do that, which is using multiple aws provider blocks with the accounts' access key id and secret key.
This solution is not possible for us, since we have to use the company's SSO tool to generate credentials which are valid for 12 hours to use the AWS accounts.
I am aware that there are loads of questions regarding cross-account access in AWS, but unfortunately I haven't found one that helps me.
Welcome to the world of AWS Terraform! Not sure how far you have gotten on this, but there are two options for you. Option 1 leverages AWS Cross Account Pipeline. Now I am currently in the process of building this out with terraform, but this would be considered the best practice for this type of development.
If you are just looking to pull in the repos from another account, then you can leverage CodeBuild to ssh and clone the repository into your build job. To do this, you will need to create an ssh user in the repo account, which we will label A. You will need the ssh user's User Key and the Public Key. You will create two variables in the parameter store called variable_ssh_key and variable_codecommit_user.
Leveraging the buildspec provided here, you can leverage git clone to pull down any repository you need. The only thing you will need is in Account B to create one repo that stores the buildspec and calls the other repos. See buildspec as a reference.
I am setting up an Amplify project for a certain project. In the near future, I would want the project to be transferred to a different AWS account but with the exact same configuration. What's the best way to achieve this? Is there any way I can create some sort of script that would set up the same project in a different AWS account?
I do something very similar leveraging AWS Organizations with multiple member accounts and AWS SSO. At a high level, here are some things you will want to think about...
You can find a high level architecture diagram about this here: https://aws.amazon.com/blogs/mobile/fintech-startup-creditgenie-ultimate-speed-from-mvp-to-growth/
I've been meaning to write a blog post about this, but at a high level...
Create an AWS organization from your root AWS account and setup AWS SSO.
Create multiple member AWS accounts within the organization. e.g., customer1, customer2, etc.
Create branches in your repository that match your account structure e.g., origin/customer1, origin/customer2.
From each member AWS account, create an Amplify app in the Amplify console with 1 environment that points to the correct branch, e.g., AWS account customer1 should have an Amplify App with 1 environment called customer1 that points to the branch remote/customer1
As you develop and merge changes into your main branch, you will want to also merge main into your "production" branches e.g., merge origin/main -> origin/customer1 etc.
Our AWS accounts are set up so that users login to one account, and then 'assume role' to different accounts to access various services.
We have TravisCI set up so that it runs an integration test against a test account, and then uploads a build artifact into S3.
Currently this is done using a single set of IAM user credentials with the user in the test account. I would like to move the user into a different account, and then have TravisCI assume the correct role in the test account to run the tests, and then assume a different role in another account to upload the build artifact. I do not want to add users to the accounts themselves.
I cannot see this functionality built in to the S3 deployment and have not had any luck finding anyone else trying to do this.
I think that this may be possible by dynamically populating environment variables during a setup phase, and then passing the variable on to later stages, but I cannot work out if this is possible.
Does anyone have assume role working with TravisCI?
I used ask init --hosted-skill-id=<skill_id> to pull a local copy of my skill. Running git remote -v shows the repository is hosted on AWS CodeCommit at https://git-codecommit.us-east-1.amazonaws.com/v1/repos/<skill_id>.
I can't see the CodeCommit repository in my AWS account (when logged in as root user). I also can't see any IAM roles listed in my AWS account. I considered logging in as the ask_cli_default profile generated by ask configure but it only has an access key and secret; no password.
Which AWS account holds the Alexa-hosted CodeCommit repositories? Is there any way to grant access to another account?
Other potentially relevant tidbits
Context: Yesterday I created a skill in the Alexa developer console based on a Hello World template. Now I want to share it with a friend so we can develop it together. Ideally we would both be able to push to a shared git repository, build, deploy, and test using the simulator in Alexa developer console.
ask --version = 2.20.0
I can git clone to another local directory using the (generated) username and password from ask util git-credentials-helper.
a question in the AWS forums Alexa Hosted sets up a CodeCommit repository -- unanswered
official AWS docs for setting up cross-account access to CodeCommit -- Requires access to the CodeCommit repository from AWS console. This is where I want to get to.
Alexa Hosted is hosted in Alexa's AWS account, so it won't show up in your AWS account. Instead, it provides you with a unique (and highly constrained) AWS IAM role within the Alexa Hosted account that is tied to your skill and your Amazon developer account.
What you need to do if you want to bring in other developers is assign them Developer roles on your account so they can access the skill and its resources using their own account.
This is the documentation for adding people to your org's developer account: https://developer.amazon.com/docs/app-submission/manage-account-and-permissions.html#add_other_users
We have two AWS accounts, say Dev and Prod. In the Dev account, our CodeBuild, CodePipeline and CodeDeploy services are configured with S3. However, in the Prod account an auto-scaling group is running for the production websites.
As per our requirement, we want to deploy the code from the Dev account to the Prod account with cross-account deployment. Basically, CodeBuild and CodePipeline will execute the code and, by using CodeDeploy, it will deploy to the Prod account's auto-scaling group.
Can someone give us some insight about how to achieve this?
Thanks
CodePipeline supports cross-account actions, however it's not currently configurable via the console and requires some extra roles to be configured.
Here's a guide on how to make it work: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
As of today, CodeDeploy doesn't support cross-account deployments. Depending on what your goal is, you might be able to achieve it another way.
I want to deploy a bundle in one account to another account
If your S3 bucket allows access to the second account, CodeDeploy doesn't care what account your bundle is in as long as everything can access it. Per #TimB, it looks like CodePipelines can support that behavior.
I need to initiate a deployment in one account to another
If you have a reason why the deployment must be in one account to another, you could set up the instances in the second account to be on-premise instances, though this is not a great solution.