This feed does not validate.
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
... rel="self" type="application/rss+xml" />
^
line 135, column 0: (34 occurrences) [help]
<div class="highlight"><pre tabindex="0" class=" ...
line 1581, column 0: (2 occurrences) [help]
<description>
</script>
line 1724, column 0: (2 occurrences) [help]
The referenced GitHub Repo has to be your Repo with the Hugo source files an ...
<iframe
<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>kbild</title> <link>https://kbild.ch/</link> <description>Recent content on kbild</description> <generator>Hugo -- gohugo.io</generator> <language>en-us</language> <copyright>This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.</copyright> <lastBuildDate>Thu, 12 Nov 2020 14:00:00 +0200</lastBuildDate> <atom:link href="https://kbild.ch/index.xml" rel="self" type="application/rss+xml" /> <item> <title>Create a Custom Source for AWS CodePipeline - How to Use Azure DevOps Repos with AWS Pipelines - Part 1</title> <link>https://kbild.ch/blog/2020-11-11-custom_codepipeline_source/</link> <pubDate>Thu, 12 Nov 2020 14:00:00 +0200</pubDate> <guid>https://kbild.ch/blog/2020-11-11-custom_codepipeline_source/</guid> <description><div class="paragraph"><p>Recently a very interesting blog post on the AWS DevOps blog was published which goes into much detail<br/><a href="https://aws.amazon.com/blogs/devops/event-driven-architecture-for-using-third-party-git-repositories-as-source-for-aws-codepipeline/" target="_blank" rel="noopener">how to use third-party Git repositories as source for your AWS CodePipelines</a>.<br/></p></div><div class="paragraph"><p>Unfortunately, this article came too late for our own integration of Azure DevOps Repos into our AWS CI/CD Pipelines and we had to find our own solution when we started to move our code Repos to Azure DevOps earlier this year.<br/><br/>I’m happy to share some more details how we succeeded with this integration using a custom source for AWS CodePipeline.In this Part 1 of the blog posts I will show you all details of the solution and in a Part 2 I plan to describe every step which is needed to deploy such a solution.<br/><br/></p></div><hr/><h3 id="_solution_overview" class="discrete">Solution Overview</h3><div class="paragraph"><p>Big parts of the solution are equal to the architecture described in the <a href="https://aws.amazon.com/blogs/devops/event-driven-architecture-for-using-third-party-git-repositories-as-source-for-aws-codepipeline/" target="_blank" rel="noopener">Blog post by Kirankumar</a> but there are some small but important differences.<br/></p></div><div class="paragraph"><p>Let’s look at the architecture of our solution:<br/></p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202011/CustomSourcePipelineArch.png"><img src="https://kbild.ch/202011/CustomSourcePipelineArch.png" alt="SolutionOverview"/></a></div></div><div class="paragraph"><p><br/>Let’s go through all the steps:</p></div><div class="olist arabic"><ol class="arabic"><li><p>A developer commits a code change to the Azure DevOps Repo</p></li><li><p>The commit triggers an Azure DevOps webhook</p></li><li><p>The Azure DevOps webhook calls a CodePipeline webhook</p></li><li><p>The webhook starts the CodePipeline</p></li><li><p>The CodePipeline puts the first stage into &#39;Progress&#39; and starts the source stage</p></li><li><p>A CloudWatch Event Rule is triggered by the stage change to &#39;STARTED&#39;</p></li><li><p>The event rule triggers AWS CodeBuild and submits the pipeline name</p></li><li><p>AWS CodeBuild polls the source stage job details and acknowledges the job</p></li><li><p>The SSH key is received by CodeBuild from the AWS Secrets Manager</p></li></ol></div><div class="paragraph"><p><br/> <span style="background-color:;color:#f37e26;">a) Successful builds</span></p></div><div class="olist arabic"><ol class="arabic" start="10"><li><p>a) CodeBuild uploads the zipped artifact to the S3 artifact bucket</p></li><li><p>a) CodeBuild puts the source stage into &#39;Succeeded&#39;</p></li><li><p>a) CodePipeline executes the next stage<br/></p></li></ol></div><div class="paragraph"><p><br/> <span style="background-color:;color:#f37e26;">b) Failed builds</span></p></div><div class="olist arabic"><ol class="arabic" start="10"><li><p>b) A CloudWatch Event Rule is triggered by the state change to &#39;FAILED&#39;</p></li><li><p>b) The event rule triggers a Lambda function and provides pipeline execution/job details</p></li><li><p>b) Depending where the CodeBuild process failed the source stage is put into &#39;Failed&#39; or the pipeline execution is stopped/abandoned</p></li></ol></div><hr/><div class="paragraph"><p>As you can see the solution is very similar, but we omit a long running Lambda function and put all the logic into CodeBuild. We only need a short running Lambda function for error handling. Whenever CodeBuild fails we interconnect this Lambda function and CodeBuild through a CloudWatch Event Rule.</p></div><div class="paragraph"><p>But let’s do a deep dive into the different parts of the solution.Again, you will find the complete example in my <a href="https://github.com/kbild/AWS_Cloudformation_Examples/tree/master/Azure_CodePipeline_Source" target="_blank" rel="noopener">AWS_Cloudformation_Examples Github</a> Repo.<br/></p></div><hr/><h3 id="_webhooks" class="discrete">Webhooks</h3><div class="paragraph"><p>This part of the solution is pretty straightforward and almost the same configuration for all the different third-party Git repository providers.<br/>You will find the CloudFormation code for the CodePipeline webhook in <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/Azure_CodePipeline_Source/AzureDevopsPipeline.yaml" target="_blank" rel="noopener">AzureDevopsPipeline.yaml</a>.<br/>Let’s look at the Azure DevOps specific parts of the webhook:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">Webhook</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;AWS::CodePipeline::Webhook&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">AuthenticationConfiguration</span><span class="p">:</span><span class="w"> </span>{}<span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="nt">Filters</span><span class="p">:</span><span class="w"></span></span></span><span class="line hl"><span class="ln">125</span><span class="cl"><span class="w"> </span>- <span class="nt">JsonPath</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;$.resource.refUpdates..name&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span><span class="nt">MatchEquals</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub &#39;refs/heads/${Branch}&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span><span class="nt">Authentication</span><span class="p">:</span><span class="w"> </span><span class="l">UNAUTHENTICATED</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span><span class="nt">TargetPipeline</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref AppPipeline</span><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">TargetAction</span><span class="p">:</span><span class="w"> </span><span class="l">Source</span><span class="w"></span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub AzureDevopsHook-${AWS::StackName}</span><span class="w"></span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span><span class="nt">TargetPipelineVersion</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${AppPipeline.Version}</span><span class="w"></span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span><span class="nt">RegisterWithThirdParty</span><span class="p">:</span><span class="w"> </span><span class="kc">False</span></span></span></code></pre></div></div><div class="paragraph"><p>If we look at <code>line 125</code> we see the JSON Path which will be used to find the branch of the Repo which triggered the Azure DevOps branch. For most third-party Git repositories this path equals to <span style="background-color:;color:#f37e26;">&#39;$.ref&#39;</span> but the structure of the request generated by the Azure DevOps Webhook looks different and we will find the branch using <span style="background-color:;color:#f37e26;">&#39;$.resource.refUpdates..name&#39;</span> as JSON path.<br/>Almost every third-party Git repository provider gives you access to the history of webhook executions and you will find the complete requests there. So, whenever you try to integrate a third-party provider look at the webhook requests first and define the correct JSON path for your branch filter.<br/>This filter will now be used to decide if the branch which triggered the AzureDevops Webhook is the one we are using in our Source Stage definition of our pipeline and will trigger the CodePipeline execution (step 4).</p></div><hr/><h3 id="_codepipeline_customactiontype" class="discrete">CodePipeline CustomActionType</h3><div class="paragraph"><p>The CustomActionType for the CodePipeline Source Stage will be created by the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/Azure_CodePipeline_Source/AzureDevopsPreReqs.yaml" target="_blank" rel="noopener">AzureDevopsPreReqs.yaml</a> CloudFormation template:<br/></p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">AzureDevopsActionType</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::CodePipeline::CustomActionType</span><span class="w"></span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Source</span><span class="w"></span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;AzureDevOpsRepo&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">ConfigurationProperties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name of the MS Azure DevOps Organization&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">Key</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Organization</span><span class="w"></span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">Queryable</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">Required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">Secret</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">String</span><span class="w"></span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name of the repository&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">Key</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Repo</span><span class="w"></span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">Queryable</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span><span class="nt">Required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">Secret</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">String</span><span class="w"></span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name of the project&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">Key</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Project</span><span class="w"></span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">Queryable</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">Required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">Secret</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">String</span><span class="w"></span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The tracked branch&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span><span class="nt">Key</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Branch</span><span class="w"></span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span><span class="nt">Queryable</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span><span class="nt">Required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span><span class="nt">Secret</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">String</span><span class="w"></span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;The name of the CodePipeline&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">Key</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">PipelineName</span><span class="w"></span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">Queryable</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">Required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span><span class="nt">Secret</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">String</span><span class="w"></span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">InputArtifactDetails</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span><span class="nt">MaximumCount</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"></span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span><span class="nt">MinimumCount</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"></span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span><span class="nt">OutputArtifactDetails</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">MaximumCount</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">MinimumCount</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span><span class="nt">Settings</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">EntityUrlTemplate</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://dev.azure.com/{Config:Organization}/{Config:Project}/_git/{Config:Repo}?version=GB{Config:Branch}&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">ExecutionUrlTemplate</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://dev.azure.com/{Config:Organization}/{Config:Project}/_git/{Config:Repo}?version=GB{Config:Branch}&#34;</span></span></span></code></pre></div></div><div class="paragraph"><p>Large parts of the code are self-explanatory.<br/></p></div><div class="paragraph"><p>We need the Azure DevOps <span style="background-color:;color:#f37e26;">Organization, Project, Reponame and Branch</span> to git clone the required repo branch.<br/>All these properties are must fields and as you can see are sufficient to create a back link to the Project in Azure DevOps as seen on <code>line 65</code>.<br/></p></div><div class="paragraph"><p>The property <span style="background-color:;color:#f37e26;">PipelineName</span> isn’t needed to get the Git repo but will be used to identify the correct CodePipeline job which should be processed. Therefore, this property has to be query able, otherwise you will get an error later on when using the query-param parameter on <code>line 148</code> (had to find out this the hard way).</p></div><hr/><h3 id="_cloudwatch_events_rules" class="discrete">CloudWatch Events Rules</h3><div class="paragraph"><p>This part is found in the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/Azure_CodePipeline_Source/AzureDevopsPreReqs.yaml" target="_blank" rel="noopener">AzureDevopsPreReqs.yaml</a> CloudFormation template as well:<br/></p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">210</span><span class="cl"><span class="w"> </span><span class="nt">CloudWatchEventRule</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">211</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::Events::Rule</span><span class="w"></span></span></span><span class="line"><span class="ln">212</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">213</span><span class="cl"><span class="w"> </span><span class="nt">EventPattern</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">214</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">215</span><span class="cl"><span class="w"> </span>- <span class="l">aws.codepipeline</span><span class="w"></span></span></span><span class="line"><span class="ln">216</span><span class="cl"><span class="w"> </span><span class="nt">detail-type</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">217</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;CodePipeline Action Execution State Change&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">218</span><span class="cl"><span class="w"> </span><span class="nt">detail</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">219</span><span class="cl"><span class="w"> </span><span class="nt">state</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">220</span><span class="cl"><span class="w"> </span>- <span class="l">STARTED</span><span class="w"></span></span></span><span class="line"><span class="ln">221</span><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">222</span><span class="cl"><span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">223</span><span class="cl"><span class="w"> </span>- <span class="l">AzureDevOpsRepo</span><span class="w"></span></span></span><span class="line"><span class="ln">224</span><span class="cl"><span class="w"> </span><span class="nt">Targets</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">225</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">226</span><span class="cl"><span class="w"> </span><span class="nt">Arn</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${BuildProject.Arn}</span><span class="w"></span></span></span><span class="line"><span class="ln">227</span><span class="cl"><span class="w"> </span><span class="nt">Id</span><span class="p">:</span><span class="w"> </span><span class="l">triggerjobworker</span><span class="w"></span></span></span><span class="line"><span class="ln">228</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${CloudWatchEventRole.Arn}</span><span class="w"></span></span></span><span class="line"><span class="ln">229</span><span class="cl"><span class="w"> </span><span class="nt">InputTransformer</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">230</span><span class="cl"><span class="w"> </span><span class="nt">InputPathsMap</span><span class="p">:</span><span class="w"> </span>{<span class="s2">&#34;executionid&#34;</span><span class="p">:</span><span class="s2">&#34;$.detail.execution-id&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;pipelinename&#34;</span><span class="p">:</span><span class="s2">&#34;$.detail.pipeline&#34;</span>}<span class="w"></span></span></span><span class="line"><span class="ln">231</span><span class="cl"><span class="w"> </span><span class="nt">InputTemplate</span><span class="p">:</span><span class="w"> </span><span class="nt">&#34;{\&#34;environmentVariablesOverride\&#34;: [{\&#34;name\&#34;: \&#34;executionid\&#34;, \&#34;type\&#34;: \&#34;PLAINTEXT\&#34;, \&#34;value\&#34;: &lt;executionid&gt;},{\&#34;name\&#34;: \&#34;pipelinename\&#34;, \&#34;type\&#34;: \&#34;PLAINTEXT\&#34;, \&#34;value\&#34;: </span><span class="l">&lt;executionid&gt;}]}&#34;</span></span></span></code></pre></div></div><div class="paragraph"><p>I only want to draw your attention to <code>lines 125-126</code> where the event input will be transformed to an output which later will be used by CodeBuild (step 7).<br/></p></div><div class="paragraph"><p>We will hand over two CodeBuild environment variables, <span style="background-color:;color:#f37e26;">executionid</span> and <span style="background-color:;color:#f37e26;">pipelinename</span>. Creating the <code>InputTemplate</code> was challenging, as you can see you have to carefully escape all double quotes and you have to override the CodeBuild environment variables.<br/></p></div><div class="paragraph"><p>Fortunately the <a href="https://docs.aws.amazon.com/codebuild/latest/APIReference/API_StartBuild.html" target="_blank" rel="noopener">API Reference Guide for AWS CodeBuild</a> is very well documented and you find the needed request syntax there → use <code>environmentVariablesOverride</code> and provide an array of <a href="https://docs.aws.amazon.com/codebuild/latest/APIReference/API_EnvironmentVariable.html" target="_blank" rel="noopener">EnvironmentVariable objects</a>, in this case <span style="background-color:;color:#f37e26;">executionid</span> and <span style="background-color:;color:#f37e26;">pipelinename</span>.<br/><br/><br/>Now let’s look at the second CloudWatch Event Rule which will be triggered if CodeBuild fails (step 10b):<br/></p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">232</span><span class="cl"><span class="w"> </span><span class="nt">CloudWatchEventRuleBuildFailed</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">233</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::Events::Rule</span><span class="w"></span></span></span><span class="line"><span class="ln">234</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">235</span><span class="cl"><span class="w"> </span><span class="nt">EventPattern</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">236</span><span class="cl"><span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">237</span><span class="cl"><span class="w"> </span>- <span class="l">aws.codebuild</span><span class="w"></span></span></span><span class="line"><span class="ln">238</span><span class="cl"><span class="w"> </span><span class="nt">detail-type</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">239</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;CodeBuild Build State Change&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">240</span><span class="cl"><span class="w"> </span><span class="nt">detail</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">241</span><span class="cl"><span class="w"> </span><span class="nt">build-status</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">242</span><span class="cl"><span class="w"> </span>- <span class="l">FAILED</span><span class="w"></span></span></span><span class="line"><span class="ln">243</span><span class="cl"><span class="w"> </span><span class="nt">project-name</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">244</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub ${AWS::StackName}-GetAzureDevOps-Repo</span><span class="w"></span></span></span><span class="line"><span class="ln">245</span><span class="cl"><span class="w"> </span><span class="nt">Targets</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">246</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">247</span><span class="cl"><span class="w"> </span><span class="nt">Arn</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${LambdaCodeBuildFails.Arn}</span><span class="w"></span></span></span><span class="line"><span class="ln">248</span><span class="cl"><span class="w"> </span><span class="nt">Id</span><span class="p">:</span><span class="w"> </span><span class="l">failtrigger</span><span class="w"></span></span></span><span class="line"><span class="ln">249</span><span class="cl"><span class="w"> </span><span class="nt">InputTransformer</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">250</span><span class="cl"><span class="w"> </span><span class="nt">InputPathsMap</span><span class="p">:</span><span class="w"> </span>{<span class="s2">&#34;loglink&#34;</span><span class="p">:</span><span class="s2">&#34;$.detail.additional-information.logs.deep-link&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;environment-variables&#34;</span><span class="p">:</span><span class="s2">&#34;$.detail.additional-information.environment.environment-variables&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;exported-environment-variables&#34;</span><span class="p">:</span><span class="s2">&#34;$.detail.additional-information.exported-environment-variables&#34;</span>}<span class="w"></span></span></span><span class="line"><span class="ln">251</span><span class="cl"><span class="w"> </span><span class="nt">InputTemplate</span><span class="p">:</span><span class="w"> </span><span class="nt">&#34;{\&#34;loglink\&#34;: &lt;loglink&gt;, \&#34;environment-variables\&#34;: &lt;environment-variables&gt;, \&#34;exported-environment-variables\&#34;: </span><span class="l">&lt;exported-environment-variables&gt;}&#34;</span></span></span></code></pre></div></div><div class="paragraph"><p>Again, I want to draw your attention to the <code>InputPathsMap</code> and <code>InputTemplate</code> part.<br/>Here we extract 3 variables:</p></div><div class="ulist"><ul><li><p><span style="background-color:;color:#f37e26;">loglink</span> (single string value) → deeplink to the CloudWatch logs for CodeBuild execution</p></li><li><p><span style="background-color:;color:#f37e26;">environment-variables</span> (array of objects) → <span style="background-color:;color:#f37e26;">execution_id</span> and <span style="background-color:;color:#f37e26;">pipelinename</span>objects</p></li><li><p><span style="background-color:;color:#f37e26;">exported-environment-variables</span> (again array of objects) → <span style="background-color:;color:#f37e26;">jobId</span> object</p></li></ul></div><div class="paragraph"><p>The <code>InputTemplate</code> creates a simple JSON file which will be later used by the Lambda function (step 11b).</p></div><hr/><h3 id="_codebuild" class="discrete">CodeBuild</h3><div class="paragraph"><p>Most of the logic of this solution can be found in the CodeBuild project. The project will have 2 environment variables <span style="background-color:;color:#f37e26;">pipelinename</span> and <span style="background-color:;color:#f37e26;">executionid</span> (<code>lines 127-131</code>) and as seen before will be pre-filled by the Webhook event (step 7).<br/>Now let’s get to the meat of the project, the BuildSpec part:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="nt">BuildSpec</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub |</span><span class="w"></span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="m">0.2</span><span class="w"></span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="nt">exported-variables</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">138</span><span class="cl"><span class="w"> </span>- <span class="l">jobid</span><span class="w"></span></span></span><span class="line"><span class="ln">139</span><span class="cl"><span class="w"> </span><span class="nt">phases</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">140</span><span class="cl"><span class="w"> </span><span class="nt">pre_build</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">141</span><span class="cl"><span class="w"> </span><span class="nt">commands</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">142</span><span class="cl"><span class="w"> </span>- <span class="l">echo $pipelinename</span><span class="w"></span></span></span><span class="line"><span class="ln">143</span><span class="cl"><span class="w"> </span>- <span class="l">echo $executionid</span><span class="w"></span></span></span><span class="line"><span class="ln">144</span><span class="cl"><span class="w"> </span>- <span class="l">wait_period=0</span><span class="w"></span></span></span><span class="line"><span class="ln">145</span><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"></span></span></span><span class="line"><span class="ln">146</span><span class="cl"><span class="sd"> while true</span></span></span><span class="line"><span class="ln">147</span><span class="cl"><span class="sd"> do</span></span></span><span class="line"><span class="ln">148</span><span class="cl"><span class="sd"> jobdetail=$(aws codepipeline poll-for-jobs --action-type-id category=&#34;Source&#34;,owner=&#34;Custom&#34;,provider=&#34;AzureDevOpsRepo&#34;,version=&#34;1&#34; --query-param PipelineName=$pipelinename --max-batch-size 1)</span></span></span><span class="line"><span class="ln">149</span><span class="cl"><span class="sd"> provider=$(echo $jobdetail | jq &#39;.jobs[0].data.actionTypeId.provider&#39; -r)</span></span></span><span class="line"><span class="ln">150</span><span class="cl"><span class="sd"> wait_period=$(($wait_period+10))</span></span></span><span class="line"><span class="ln">151</span><span class="cl"><span class="sd"> if [ $provider = &#34;AzureDevOpsRepo&#34; ];then</span></span></span><span class="line"><span class="ln">152</span><span class="cl"><span class="sd"> echo $jobdetail</span></span></span><span class="line"><span class="ln">153</span><span class="cl"><span class="sd"> break</span></span></span><span class="line"><span class="ln">154</span><span class="cl"><span class="sd"> fi</span></span></span><span class="line"><span class="ln">155</span><span class="cl"><span class="sd"> if [ $wait_period -gt 300 ];then</span></span></span><span class="line"><span class="ln">156</span><span class="cl"><span class="sd"> echo &#34;Haven&#39;t found a pipeline job for 5 minutes, will stop pipeline.&#34;</span></span></span><span class="line"><span class="ln">157</span><span class="cl"><span class="sd"> exit 1</span></span></span><span class="line"><span class="ln">158</span><span class="cl"><span class="sd"> else</span></span></span><span class="line"><span class="ln">159</span><span class="cl"><span class="sd"> echo &#34;No pipeline job found, will try again in 10 seconds&#34;</span></span></span><span class="line"><span class="ln">160</span><span class="cl"><span class="sd"> sleep 10</span></span></span><span class="line"><span class="ln">161</span><span class="cl"><span class="sd"> fi</span></span></span><span class="line"><span class="ln">162</span><span class="cl"><span class="sd"> done</span><span class="w"> </span></span></span><span class="line"><span class="ln">163</span><span class="cl"><span class="w"> </span>- <span class="l">jobid=$(echo $jobdetail | jq &#39;.jobs[0].id&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">164</span><span class="cl"><span class="w"> </span>- <span class="l">echo $jobid</span><span class="w"></span></span></span><span class="line"><span class="ln">165</span><span class="cl"><span class="w"> </span>- <span class="l">ack=$(aws codepipeline acknowledge-job --job-id $(echo $jobdetail | jq &#39;.jobs[0].id&#39; -r) --nonce $(echo $jobdetail | jq &#39;.jobs[0].nonce&#39; -r))</span><span class="w"></span></span></span><span class="line"><span class="ln">166</span><span class="cl"><span class="w"> </span>- <span class="l">Branch=$(echo $jobdetail | jq &#39;.jobs[0].data.actionConfiguration.configuration.Branch&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">167</span><span class="cl"><span class="w"> </span>- <span class="l">Organization=$(echo $jobdetail | jq &#39;.jobs[0].data.actionConfiguration.configuration.Organization&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">168</span><span class="cl"><span class="w"> </span>- <span class="l">Repo=$(echo $jobdetail | jq &#39;.jobs[0].data.actionConfiguration.configuration.Repo&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">169</span><span class="cl"><span class="w"> </span>- <span class="l">Project=$(echo $jobdetail | jq &#39;.jobs[0].data.actionConfiguration.configuration.Project&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">170</span><span class="cl"><span class="w"> </span>- <span class="l">ObjectKey=$(echo $jobdetail | jq &#39;.jobs[0].data.outputArtifacts[0].location.s3Location.objectKey&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">171</span><span class="cl"><span class="w"> </span>- <span class="l">BucketName=$(echo $jobdetail | jq &#39;.jobs[0].data.outputArtifacts[0].location.s3Location.bucketName&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">172</span><span class="cl"><span class="w"> </span>- <span class="l">aws secretsmanager get-secret-value --secret-id ${SSHKey} --query &#39;SecretString&#39; --output text | base64 --decode &gt; ~/.ssh/id_rsa</span><span class="w"></span></span></span><span class="line"><span class="ln">173</span><span class="cl"><span class="w"> </span>- <span class="l">chmod 600 ~/.ssh/id_rsa</span><span class="w"></span></span></span><span class="line"><span class="ln">174</span><span class="cl"><span class="w"> </span>- <span class="l">ssh-keygen -F ssh.dev.azure.com || ssh-keyscan ssh.dev.azure.com &gt;&gt;~/.ssh/known_hosts</span><span class="w"></span></span></span><span class="line"><span class="ln">175</span><span class="cl"><span class="w"> </span><span class="nt">build</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">176</span><span class="cl"><span class="w"> </span><span class="nt">commands</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">177</span><span class="cl"><span class="w"> </span>- <span class="l">git clone &#34;git@ssh.dev.azure.com:v3/$Organization/$Project/$Repo&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">178</span><span class="cl"><span class="w"> </span>- <span class="l">cd $Repo</span><span class="w"></span></span></span><span class="line"><span class="ln">179</span><span class="cl"><span class="w"> </span>- <span class="l">git checkout $Branch</span><span class="w"></span></span></span><span class="line"><span class="ln">180</span><span class="cl"><span class="w"> </span>- <span class="l">zip -r output_file.zip *</span><span class="w"></span></span></span><span class="line"><span class="ln">181</span><span class="cl"><span class="w"> </span>- <span class="l">aws s3 cp output_file.zip s3://$BucketName/$ObjectKey</span><span class="w"></span></span></span><span class="line"><span class="ln">182</span><span class="cl"><span class="w"> </span>- <span class="l">aws codepipeline put-job-success-result --job-id $(echo $jobdetail | jq &#39;.jobs[0].id&#39; -r)</span><span class="w"></span></span></span><span class="line"><span class="ln">183</span><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">184</span><span class="cl"><span class="w"> </span><span class="nt">files</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">185</span><span class="cl"><span class="w"> </span>- <span class="s1">&#39;**/*&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">186</span><span class="cl"><span class="w"> </span><span class="nt">base-directory</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;$Repo&#39;</span></span></span></code></pre></div></div><div class="paragraph"><p>First of all, we define a custom environment variable which will be filled with the <span style="background-color:;color:#f37e26;">jobid</span> later on (<code>lines 136-128</code>). Defining a custom environment variable for the <span style="background-color:;color:#f37e26;">jobid</span> will ensure that we have a value for the <span style="background-color:;color:#f37e26;">jobid</span> in the CodeBuild response (which will later be received by the CloudWatch Event Rule in case of errors).<br/><br/>Polling CodePipeline for jobs usually needs more than one try to get a result, therefore we use a while loop and poll all 10 seconds (step 8).<br/>As you can see on <code>line 148</code> we only poll for jobs with the correct <span style="background-color:;color:#f37e26;">PipelineName</span> (remember that we defined this property as query able).<br/>If we don’t get a result within 5 minutes we will exit the CodeBuild execution with a non-zero exit code which will lead to &#39;FAILED&#39; state and which will trigger the CloudWatch Event Rule for errors (<code>lines 147-162</code>).<br/><br/>Now we acknowledge the job and we ask the CodePipeline to provide more details on the job (<code>lines 163-171</code>, step 8):</p></div><div class="ulist"><ul><li><p><span style="background-color:;color:#f37e26;">Branch, Organization, Repo, Project</span> → Azure DevOps properties</p></li><li><p><span style="background-color:;color:#f37e26;">ObjectKey, BucketName</span> → these two parameters are very essential for the next CodePipeline step</p></li></ul></div><div class="paragraph"><p><br/>Before we can clone the repo we have to put the decoded base64 ssh key received from the Secrets Manager into the correct file in the CodeBuild container (step 9).<br/>We change the access permissions on the created key file to 600 and add the Azure DevOps public keys to the known_hosts file. (<code>lines 172-174</code>)<br/><br/>Now the actual build process starts, and the repo is cloned using the copied SSH key for authentication. Before zipping all the repo content, the appropriate branch is checked out and the zipped artifact is then uploaded to the artifact store (step 10a).<br/></p></div><div class="paragraph"><p>Here we see again the two parameters <span style="background-color:;color:#f37e26;">ObjectKey and BucketName</span> received earlier from the job details. The artifact has to use the value of <span style="background-color:;color:#f37e26;">ObjectKey</span> as filepath/name and <span style="background-color:;color:#f37e26;">BucketName</span> as S3 bucket name for the upload. It is very crucial to use the correct filepath/name because the next CodePipeline Step/Stage will try to download the artifact form the Artifact Bucket using these two parameters and will fail if you used wrong values during upload.<br/><br/>Last action of the CodeBuild project is to inform the CodePipeline of a successful execution of the job (<code>line 182</code>, step 11a).<br/></p></div><hr/><h3 id="_lambda_function" class="discrete">Lambda Function</h3><div class="paragraph"><p>The Lambda function will only be used for error handling. The logic is pretty simple as you can see here:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">338</span><span class="cl"> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span></span></span><span class="line"><span class="ln">339</span><span class="cl"> <span class="n">LOGGER</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="n">event</span><span class="p">)</span></span></span><span class="line"><span class="ln">340</span><span class="cl"> <span class="k">try</span><span class="p">:</span></span></span><span class="line"><span class="ln">341</span><span class="cl"> <span class="n">job_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="s1">&#39;exported-environment-variables&#39;</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="s1">&#39;value&#39;</span><span class="p">]</span></span></span><span class="line"><span class="ln">342</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">job_id</span><span class="p">)</span></span></span><span class="line"><span class="ln">343</span><span class="cl"> <span class="n">execution_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="s1">&#39;environment-variables&#39;</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="s1">&#39;value&#39;</span><span class="p">]</span></span></span><span class="line"><span class="ln">344</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">execution_id</span><span class="p">)</span></span></span><span class="line"><span class="ln">345</span><span class="cl"> <span class="n">pipelinename</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="s1">&#39;environment-variables&#39;</span><span class="p">][</span><span class="mi">1</span><span class="p">][</span><span class="s1">&#39;value&#39;</span><span class="p">]</span></span></span><span class="line"><span class="ln">346</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">pipelinename</span><span class="p">)</span></span></span><span class="line"><span class="ln">347</span><span class="cl"> <span class="n">loglink</span> <span class="o">=</span> <span class="n">event</span><span class="p">[</span><span class="s1">&#39;loglink&#39;</span><span class="p">]</span></span></span><span class="line"><span class="ln">348</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">loglink</span><span class="p">)</span></span></span><span class="line"><span class="ln">349</span><span class="cl"> <span class="k">if</span> <span class="p">(</span> <span class="n">job_id</span> <span class="o">!=</span> <span class="s2">&#34;&#34;</span> <span class="p">)</span> <span class="p">:</span></span></span><span class="line"><span class="ln">350</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Found an job id&#34;</span><span class="p">)</span></span></span><span class="line"><span class="ln">351</span><span class="cl"> <span class="n">codepipeline_failure</span><span class="p">(</span><span class="n">job_id</span><span class="p">,</span> <span class="s2">&#34;CodeBuild process failed&#34;</span><span class="p">,</span> <span class="n">loglink</span><span class="p">)</span></span></span><span class="line"><span class="ln">352</span><span class="cl"> <span class="k">else</span> <span class="p">:</span></span></span><span class="line"><span class="ln">353</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;Found NO job id&#34;</span><span class="p">)</span></span></span><span class="line"><span class="ln">354</span><span class="cl"> <span class="n">codepipeline_stop</span><span class="p">(</span><span class="n">execution_id</span><span class="p">,</span> <span class="s2">&#34;CodeBuild process failed&#34;</span><span class="p">,</span> <span class="n">pipelinename</span><span class="p">)</span></span></span><span class="line"><span class="ln">355</span><span class="cl"> <span class="k">except</span> <span class="ne">KeyError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span></span></span><span class="line"><span class="ln">356</span><span class="cl"> <span class="n">LOGGER</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s2">&#34;Could not retrieve CodePipeline Job ID!</span><span class="se">\n</span><span class="si">%s</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">err</span><span class="p">,</span> <span class="n">pipelinename</span><span class="p">)</span></span></span><span class="line"><span class="ln">357</span><span class="cl"> <span class="k">return</span> <span class="kc">False</span></span></span></code></pre></div></div><div class="paragraph"><p>First we get all variable values which were provided by the CloudWatch Event Rule and then we only check if there is a value for <span style="background-color:;color:#f37e26;">job_id</span>.<br/><br/>If there is a value we will trigger the <code>codepipeline_failure</code> function which then will inform CodePipeline of a failure result of this job (<code>lines 312-323</code>).<br/>Whenever CodeBuild fails without getting a <span style="background-color:;color:#f37e26;">job_id</span> before the error occurs the Lambda function will call the <code>codepipeline_stop</code> part. The <span style="background-color:;color:#f37e26;">execution_id</span> and <span style="background-color:;color:#f37e26;">pipelinename</span> is then used to stop and abandon the correct CodePipeline execution (<code>lines 324-337</code>).</p></div><hr/><h2 id="_summary" class="discrete">Summary</h2><div class="paragraph"><p>I hope this post showed you how you can create your own CodePipeline sources and how the different parts of such a solution are playing together. This was my first time creating a custom CodePipeline source and I’m fascinated how powerful this is. You may include completely different sources into your CodePipelines, not limited to Repos at all. Wherever you have a solution which can trigger a Webhook and provide some input you are fine to use it as your own CodePipeline source.<br/><br/><br/></p></div></description> </item> <item> <title>AWS Step Functions as CloudFormation Custom Resources - Automatic Certificate Creation Across AWS Accounts</title> <link>https://kbild.ch/blog/2020-6-10-custom_resource_certificate_creation/</link> <pubDate>Fri, 24 Jul 2020 13:00:00 +0200</pubDate> <guid>https://kbild.ch/blog/2020-6-10-custom_resource_certificate_creation/</guid> <description><div class="paragraph"><p>Last year I wrote a CloudFormation example which deployed a <a href="https://kbild.ch/blog/2019-02-25-pipeline_cloudformation/" target="_blank" rel="noopener">CodePipeline for the Hugo CMS</a>.This was an almost fully automated solution for a Hugo deployment, the only manual step was to create the needed certificate with the Amazon Certificate Manager.</p></div><div class="paragraph"><p><br/>Some weeks ago AWS added the possibility of fully automated <a href="https://aws.amazon.com/blogs/security/how-to-use-aws-certificate-manager-with-aws-cloudformation/" target="_blank" rel="noopener">certificate creation via CloudFormation</a> if you add the HostedZoneId to your CloudFormation certificate resource.</p></div><div class="paragraph"><p><br/>This solution is neat but will not work on our company accounts because we have all Route 53 DNS Zones in a different AWS account.Therefore I needed a solution which works fully automated across different AWS accounts.</p></div><div class="paragraph"><p><br/>Searching for examples gave me a good starting point to create my own solution, a custom CloudFormation resource.Here are some examples which will help you to understand custom CloudFormation resources:</p></div><div class="paragraph"><p><a href="https://www.cloudar.be/awsblog/validate-acm-certificates-in-cloudformation" target="_blank" rel="noopener">Validate ACM certificates in Cloudformation</a></p></div><div class="paragraph"><p><a href="https://github.com/binxio/cfn-certificate-provider" target="_blank" rel="noopener">Custom Certificate Provider with DNS validation support</a></p></div><div class="paragraph"><p><a href="https://www.dwolla.com/updates/certificate-validator/" target="_blank" rel="noopener">Automatic Certificate Validation with Certificate Validator</a></p></div><div class="paragraph"><p><br/>All these examples work perfectly and can be easily modified to work across different AWS accounts but the fact that they use long running Lambda Functions didn’t satisfy me.<br/>Occasionally executing long running Lambda Functions doesn’t cost much but nevertheless I always prefer short running ones and to use AWS Step Functions for the Workflow logic combined with Lambda Functions with a single purpose.</p></div><div class="paragraph"><p><br/></p></div><hr/><div class="paragraph"><p>Challenge accepted, let’s create a CloudFormation Custom Resource which will work with Step Functions.</p></div><hr/><div class="paragraph"><p><br/>Unfortunately only <strong>Lambda Functions</strong> or <strong>SNS topics</strong> may be used as Custom Resource in CloudFormation, so we first have to create a Lambda Function which can be used as Custom Resource in CloudFormation and which interconnects CloudFormation with our Step Functions.<br/><br/></p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202006/CF_Custom_Resource.png"><img src="https://kbild.ch/202006/CF_Custom_Resource.png" alt="SolutionOverview"/></a></div></div><div class="paragraph"><p><br/>We have 3 components:</p></div><div class="ulist"><ul><li><p><strong>CustomResourceCertificate</strong> → The custom resource in the CloudFormation template</p></li><li><p><strong>LambdaCallStateMachine</strong> → The Lambda Function which will be triggered by the CloudFormation custom resource and which will call the Step Functions</p></li><li><p><strong>CertificateStateMachine</strong> → The actual Step Functions which consists of some logic and Lambda Functions</p></li></ul></div><div class="paragraph"><p><br/></p></div><hr/><div class="paragraph"><p>You will find all the examples explained below in this <a href="https://github.com/kbild/AWS_Cloudformation_Examples/tree/master/stepFunctionCertCreation" target="_blank" rel="noopener">AWS_Cloudformation_Examples Github</a> Repo.<br/></p></div><div class="paragraph"><p>The Custom Resource including <strong>CertificateStateMachine</strong> Step Functions with all Lambda Functions and Roles/Policies can be found in the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/stepFunctionCertCreation/certificate_xaccount_customresource.yaml" target="_blank" rel="noopener">certificate_xaccount_customresource.yaml</a><br/>CloudFormation template.</p></div><hr/><h3 id="_certificatestatemachine" class="discrete">CertificateStateMachine</h3><div class="paragraph"><p>Most of the work is done by the Step Functions called <strong>CertificateStateMachine</strong>:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202006/stepfunctions_graph.png"><img src="https://kbild.ch/202006/stepfunctions_graph.png" alt="CertificateStateMachine" width="800" height="622"/></a></div></div><div class="paragraph"><p><br/><strong>CertificateStateMachine</strong> starts with a <span style="background-color:;color:#f37e26;">Choice Action</span> and if you look at the CloudFormation template which creates this Step Functions you see that the variable <code>$.RequestType</code> is used as switch. This variable is sent by AWS CloudFormation and will give us the information if this is a <code>Create</code>, <code>Update</code> or <code>Delete</code> request.<br/></p></div><h4 id="_create_or_update_path" class="discrete">Create or Update Path</h4><div class="paragraph"><p>Following the <code>Create</code> or <code>Update</code> path will first call the <span style="background-color:;color:#f37e26;">Create</span> step which triggers a Lamba Function called <strong>LambdaCreateCertificateRequest</strong>. As the name suggests this simple Function calls ACM and requests to create a certificate. We use the parameters <code>HostedZoneId</code>, <code>WebSiteURL</code> and <code>Region</code> which we will get from <strong>CustomResourceCertificate</strong> whenever this Custom Resource is used in a CloudFormation template<br/>→ find more details later in this post<br/>As response we will get the <code>CertificateArn</code> which we will need in the next steps.<br/><br/></p></div><div class="paragraph"><p>After <span style="background-color:;color:#f37e26;">Wait_10_seconds</span> another Lambda Function <strong>LambdaDescribeCertificateRequest</strong> is called in step <span style="background-color:;color:#f37e26;">DescribeCert</span>. This function takes the <code>CertificateArn</code> as input and calls ACM again to get the needed DNS <code>CNAME entries</code> for the validation and the <code>ValidationStatus</code>.<br/><br/></p></div><div class="paragraph"><p><span style="background-color:;color:#f37e26;">CreateDNS</span> triggers <strong>LambdaCreateDNSEntry</strong> Lambda Function and takes the CNAME entries as input. Here the magic for the cross account creation happens. The Lambda Function will use the ARN of the Role which is created in our Route 53 Domain AWS Account and will call Route 53 to create the DNS Record Set.<br/><br/></p></div><div class="paragraph"><p><span style="background-color:;color:#f37e26;">CheckCert</span> will again use <strong>LambdaDescribeCertificateRequest</strong> to get the ValidationStatus of the Cert creation. <span style="background-color:;color:#f37e26;">Cert Ready?</span> will loop using <span style="background-color:;color:#f37e26;">Wait_100_seconds_for_certificate</span> until the <code>ValidationStatus</code> equals <code>SUCCESS</code><br/><br/></p></div><div class="paragraph"><p>Last Step <span style="background-color:;color:#f37e26;">SendResultCreation</span> calls the Lambda Function <strong>LambdaSendResult</strong>. This Function returns a success response to AWS CloudFormation via the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html" target="_blank" rel="noopener">cfn-response</a> module. This module knows the AWS CloudFormation Endpoint for the response through the variable <code>responseUrl</code>. This variable is provided when AWS CloudFormation calls the ServiceToken of the Custom Resource.<br/>The <code>CertificateArn</code> is used as <code>physicalResourceId</code> for the Custom Resource, so this will be the Return value of the Custom Resource.<br/></p></div><h4 id="_delete_path" class="discrete">Delete Path</h4><div class="paragraph"><p>The <code>Delete</code> Path starts with the Lambda Function <strong>LambdaDescribeCertificateRequest</strong> in step <span style="background-color:;color:#f37e26;">DescribeCertDeletion</span>. In contrast to the use of the same Function in the Create Path the CertificateArn is provided via the variable <code>PhysicalResourceId</code>. The response includes the DNS <code>CNAME entries</code> which were used for the validation.<br/><br/></p></div><div class="paragraph"><p><span style="background-color:;color:#f37e26;">Delete</span> step will call the Lambda Function <strong>LambdaDeleteResource</strong>. This Function will first delete the DNS Entries in our Route 53 Domain AWS Account, again done via assuming a Role in this Account. Second the Function deletes the according Certificate in ACM.<br/><br/></p></div><div class="paragraph"><p>Last Step <span style="background-color:;color:#f37e26;">SendResultDeletion</span> calls the Lambda Function <strong>LambdaSendResult</strong> and returns a success response to AWS CloudFormation equal to the use in the Create Path.<br/><br/></p></div><hr/><h3 id="_lambdacallstatemachine" class="discrete">LambdaCallStateMachine</h3><div class="paragraph"><p>Next let’s look at the <strong>LambdaCallStateMachine</strong> Python Function. The Function can as well be found in the CloudFormation template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/stepFunctionCertCreation/certificate_xaccount_customresource.yaml" target="_blank" rel="noopener">certificate_xaccount_customresource.yaml</a>.<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="ln">246</span><span class="cl"> <span class="kn">from</span> <span class="nn">botocore.exceptions</span> <span class="kn">import</span> <span class="n">ClientError</span></span></span><span class="line"><span class="ln">247</span><span class="cl"> <span class="kn">import</span> <span class="nn">boto3</span></span></span><span class="line"><span class="ln">248</span><span class="cl"> <span class="kn">import</span> <span class="nn">cfnresponse</span></span></span><span class="line"><span class="ln">249</span><span class="cl"> <span class="kn">import</span> <span class="nn">os</span></span></span><span class="line"><span class="ln">250</span><span class="cl"> <span class="kn">import</span> <span class="nn">json</span></span></span><span class="line"><span class="ln">251</span><span class="cl"></span></span><span class="line"><span class="ln">252</span><span class="cl"> <span class="n">statemachineARN</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">getenv</span><span class="p">(</span><span class="s1">&#39;statemachineARN&#39;</span><span class="p">)</span></span></span><span class="line"><span class="ln">253</span><span class="cl"></span></span><span class="line"><span class="ln">254</span><span class="cl"> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span></span></span><span class="line"><span class="ln">255</span><span class="cl"> <span class="n">sfn_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;stepfunctions&#39;</span><span class="p">)</span></span></span><span class="line"><span class="ln">256</span><span class="cl"> <span class="k">try</span><span class="p">:</span></span></span><span class="line"><span class="ln">257</span><span class="cl"> <span class="n">response</span> <span class="o">=</span> <span class="n">sfn_client</span><span class="o">.</span><span class="n">start_execution</span><span class="p">(</span><span class="n">stateMachineArn</span><span class="o">=</span><span class="n">statemachineARN</span><span class="p">,</span><span class="nb">input</span><span class="o">=</span><span class="p">(</span><span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">event</span><span class="p">)))</span></span></span><span class="line"><span class="ln">258</span><span class="cl"> <span class="n">sfn_arn</span> <span class="o">=</span> <span class="n">response</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">&#39;executionArn&#39;</span><span class="p">)</span></span></span><span class="line"><span class="ln">259</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">sfn_arn</span><span class="p">)</span></span></span><span class="line"><span class="ln">260</span><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span><span class="p">:</span></span></span><span class="line"><span class="ln">261</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;Could not run the Step Functions&#39;</span><span class="p">)</span></span></span><span class="line"><span class="ln">262</span><span class="cl"> <span class="n">responseData</span> <span class="o">=</span> <span class="p">{}</span></span></span><span class="line"><span class="ln">263</span><span class="cl"> <span class="n">responseData</span><span class="p">[</span><span class="s1">&#39;Error&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s2">&#34;CouldNotCallStateMachine&#34;</span></span></span><span class="line"><span class="ln">264</span><span class="cl"> <span class="n">response</span><span class="o">=</span><span class="n">cfnresponse</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">,</span> <span class="n">FAILED</span><span class="p">,</span> <span class="n">responseData</span><span class="p">)</span></span></span><span class="line"><span class="ln">265</span><span class="cl"> <span class="k">return</span><span class="p">(</span><span class="n">response</span><span class="p">)</span></span></span><span class="line"><span class="ln">266</span><span class="cl"> <span class="k">return</span><span class="p">(</span><span class="n">sfn_arn</span><span class="p">)</span></span></span></code></pre></div></p></div><div class="paragraph"><p>As you can see on line 252 we will get the ARN of the <strong>CertificateStateMachine</strong> Step Functions (aka statemachineARN) as environment variable.<br/>This ARN will be automatically filled with the correct ARN of the <strong>CertificateStateMachine</strong> Step Functions during CloudFormation deployment (Line 242 → statemachineARN : !Ref CertificateStateMachine).<br/></p></div><div class="paragraph"><p>In line 257 we call the Step Functions and provide the Lambda Function input event unchanged as json string to the Step Functions. This event input will be provided by AWS CloudFormation during Custom Resource Creation/Update/Deletion.<br/></p></div><div class="paragraph"><p>This is an example what you can expect in such an input event:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;StackId&#34;</span><span class="p">:</span> <span class="s2">&#34;arn:aws:cloudformation:eu-central-1:700000000000:stack/cloudeecms/6g300000-cc00-00ea-aaba-0a0f000aced0&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;ResponseURL&#34;</span><span class="p">:</span> <span class="s2">&#34;https://cloudformation-custom-resource-response-eucentral1.s3.eu-central-1.amazonaws.com/arn%3Aaws%3Acloudformation%3Aeu-central-1%3A711632663682%3Astack/cloudeecms/6f371890-cc16-11ea-bbab-0a3f741aced4%7CCustomResourceCertificate%7C4dfd25c6-43c4-4a38-97f5-c14845f454ee?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Date=20200722T122539Z&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Expires=7200&amp;X-Amz-Credential=BLGBZZHSTLS2MMALHGQI%3G30400000%2Feu-central-1%2Fs3%2Faws4_request&amp;X-Amz-Signature=3c2424f204c3e935024046g3fd28ld42hs04hd2b1ad2jegw25ls1f924hsf2lsr&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;ResourceProperties&#34;</span><span class="p">:</span> <span class="p">{</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;HostedZoneId&#34;</span><span class="p">:</span> <span class="s2">&#34;Z00000000AZD0FWVZH0RA&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;WebSiteURL&#34;</span><span class="p">:</span> <span class="s2">&#34;www.cloudee-cms.biz&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;Region&#34;</span><span class="p">:</span> <span class="s2">&#34;us-east-1&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;ServiceToken&#34;</span><span class="p">:</span> <span class="s2">&#34;arn:aws:lambda:eu-central-1:700000000000:function:CallStateMachine-700000000000&#34;</span></span></span><span class="line"><span class="cl"> <span class="p">},</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;RequestType&#34;</span><span class="p">:</span> <span class="s2">&#34;Create&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;ServiceToken&#34;</span><span class="p">:</span> <span class="s2">&#34;arn:aws:lambda:eu-central-1:700000000000:function:CallStateMachine-700000000000&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;ResourceType&#34;</span><span class="p">:</span> <span class="s2">&#34;Custom::CreateCertificate&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;RequestId&#34;</span><span class="p">:</span> <span class="s2">&#34;5ehq93f9-28d2-9d20-53g5-d63926g294dw&#34;</span><span class="p">,</span></span></span><span class="line"><span class="cl"> <span class="nt">&#34;LogicalResourceId&#34;</span><span class="p">:</span> <span class="s2">&#34;CustomResourceCertificate&#34;</span></span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div></div><div class="paragraph"><p>If everything works as expected the Lambda will be terminated and the Step Functions will take care of returning a response to the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html" target="_blank" rel="noopener">cfn-response</a> module.If the Step Functions can’t be triggered we will return an error (line 264) through the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-lambda-function-code-cfnresponsemodule.html" target="_blank" rel="noopener">cfn-response</a> module.<br/><br/></p></div><hr/><h3 id="_customresourcecertificate" class="discrete">CustomResourceCertificate</h3><div class="paragraph"><p>A custom resource in CloudFormation is defined by a <code>Type</code> starting with <code>&#39;Custom::&#39;</code> and the custom resource name, here <code>&#39;CreateCertificate&#39;</code>.<br/>The resource must have a <code>ServiceToken</code>. This token represents the ARN of the Lambda Function or SNS Topic which should be called. In this case we import the ARN of the Lambda Function <code>LambdaCallStateMachine</code> (which was already created by the certificate_xaccount_customresource.yaml CloudFormation template).<br/>This custom resource needs 3 additional properties, the <code>WebSiteURL</code> for which the certificate should be created, the <code>HostedZoneId</code> of the Route 53 domain in which the needed DNS entry for validation will be created and the <code>Region</code> where the certificate should be created.<br/>We already saw these 3 properties inside the Step Functions where <strong>LambdaCreateCertificateRequest</strong> is called.<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">CustomResourceCertificate</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;Custom::CreateCertificate&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span><span class="nt">ServiceToken</span><span class="p">:</span><span class="w"> </span>!<span class="l">ImportValue LambdaCallStateMachineCertArn</span><span class="w"></span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">WebSiteURL</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref WebSiteURL</span><span class="w"></span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">HostedZoneId</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref HostedZoneId</span><span class="w"></span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span><span class="nt">Region</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref Region</span></span></span></code></pre></div></p></div><div class="paragraph"><p>You can find the full version of the CloudFormation template which creates the certificate <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/stepFunctionCertCreation/deploycert.yaml" target="_blank" rel="noopener">here</a>.</p></div><hr/><h2 id="_outlook" class="discrete">Outlook</h2><div class="paragraph"><p>I tried to write the Lambda Functions generic so that they can be reused in other Step Functions. This gives us the freedom to use them in a second Step Functions example called <strong>DNSStateMachine</strong>.These Step Functions will be used for a Custom CloudFormation Resource which creates DNS entries in our Route 53 Domain AWS Account.</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202006/stepfunctions_graph2.png"><img src="https://kbild.ch/202006/stepfunctions_graph2.png" alt="DNSStateMachine" width="800" height="517"/></a></div></div><div class="paragraph"><p><br/></p></div><div class="paragraph"><p>As you can see we reuse the same Lambda Functions <strong>LambdaCreateDNSEntry</strong>, <strong>LambdaDeleteResource</strong> and <strong>LambdaSendResult</strong>. You find the <strong>DNSStateMachine</strong> example in the CloudFormation template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/stepFunctionCertCreation/certificate_xaccount_customresource.yaml" target="_blank" rel="noopener">certificate_xaccount_customresource.yaml</a> as well.</p></div><hr/><h2 id="_summary" class="discrete">Summary</h2><div class="paragraph"><p>This example showed how you can combine a Custom CloudFormation Resource with Step Functions and automatically create an ACM certificate even if the Route 53 Domain for validation is in another AWS account. This gives you an idea how you can start using Step Functions for your own CloudFormation resources.<br/><br/><br/></p></div></description> </item> <item> <title>AWS CodePipeline Example which deploys to multiple AWS Accounts - Part2</title> <link>https://kbild.ch/blog/2020-5-8-cf_multiple_accounts_regions_part2/</link> <pubDate>Tue, 12 May 2020 13:30:10 +0000</pubDate> <guid>https://kbild.ch/blog/2020-5-8-cf_multiple_accounts_regions_part2/</guid> <description><div class="paragraph"><p>In <a href="https://kbild.ch/blog/2020-5-4-CF_multiple_accounts_regions/" target="_blank" rel="noopener">Part 1</a> you find CloudFormation templates which help you to create an AWS CodePipeline that deploys to multiple AWS Accounts. In this Part 2 we will go into some more details how these CF templates work.</p></div><hr/><h3 id="_cloudformation01central_prereqs_yaml" class="discrete">cloudformation/01central-prereqs.yaml</h3><div class="paragraph"><p>Let’s first look at the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">01central-prereqs.yaml</a> template which creates:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202005/arch1.png"><img src="https://kbild.ch/202005/arch1.png" alt="01central-prereqs.yaml" width="800" height="199"/></a></div></div><div class="ulist"><ul><li><p>S3 Artifact Bucket<br/></p></li><li><p>KMS Key for encryption<br/></p></li><li><p>IAM Roles/Policies<br/></p></li><li><p>CodeCommit Repo for the App<br/></p></li><li><p>CodeBuild Project for App</p></li></ul></div><div class="paragraph"><p>Looking at the template reveals that the <strong>Dev/Test/Prod accounts</strong> get access to the <strong>KMS Key</strong>.<br/>In the <strong>Central Account</strong> CodeBuild/CodePipeline roles will create the output artifacts, which will be <strong>encrypted</strong> with the help of the <strong>KMS Key</strong>.<br/>Later on these artifacts will be used to deploy the application in your <strong>Dev/Test/Prod accounts</strong>, therefore the root in these accounts needs access to the <strong>KMS Key</strong> to <strong>decrypt</strong> the artifacts.</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/202005/code01.png" alt="AWS CodePipeline Example"/></div></div><div class="paragraph"><p><br/>Same is needed for the artifact S3 bucket, but here the roles that will be created by the other template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/02prereqs-accounts.yaml" target="_blank" rel="noopener">02prereqs-accounts.yaml</a> will need access to the bucket.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span><span class="nt">S3BucketPolicy</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">Condition</span><span class="p">:</span><span class="w"> </span><span class="l">AddPolicies</span><span class="w"></span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::S3::BucketPolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">Bucket</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref ArtifactBucket</span><span class="w"></span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">PolicyDocument</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">Statement</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span>- <span class="l">s3:GetObject</span><span class="w"></span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span>- <span class="l">s3:PutObject</span><span class="w"></span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:s3:::${ArtifactBucket}</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:s3:::${ArtifactBucket}/*</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">Principal</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="nt">AWS</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${TestAccount}:role/${Project}-CentralAcctCodePipelineCFRole</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${TestAccount}:role/${Project}-cloudformationdeployer-role</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${ProductionAccount}:role/${Project}-CentralAcctCodePipelineCFRole</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${ProductionAccount}:role/${Project}-cloudformationdeployer-role</span><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${DevAccount}:role/${Project}-CentralAcctCodePipelineCFRole</span><span class="w"></span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${DevAccount}:role/${Project}-cloudformationdeployer-role</span><span class="w"></span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${AWS::AccountId}:role/${Project}-codepipeline-Role</span><span class="w"></span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:iam::${AWS::AccountId}:role/${Project}-codebuild-Role</span></span></span></code></pre></div></div><div class="paragraph"><p><br/>As you can see this policy is only added if the Condition &#34;AddPolicies&#34; is true, so for the first run of <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">01central-prereqs.yaml</a> this S3 bucket policy will NOT be created.<br/>Reason for this is that <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/02prereqs-accounts.yaml" target="_blank" rel="noopener">02prereqs-accounts.yaml</a> has to be deployed on the <strong>Dev/Test/Prod accounts</strong> first to create all these needed roles.<br/>Right afterwards <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">01central-prereqs.yaml</a> has to be run a second time with &#34;AddPolicies&#34; parameter set to true.</p></div><div class="paragraph"><p><br/></p></div><div class="quoteblock"><blockquote><div class="paragraph"><p>The template would fail to run if these roles are not present in the other accounts.</p></div></blockquote></div><div class="paragraph"><p><br/></p></div><div class="paragraph"><p>There are two roles per Account which will get access to the bucket, the <strong>CentralAcctCodePipelineCFRole</strong> and the <strong>cloudformationdeployer-role</strong>. Let’s switch to the next template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/02prereqs-accounts.yaml" target="_blank" rel="noopener">02prereqs-accounts.yaml</a> and look at these roles.</p></div><hr/><h3 id="_cloudformation02prereqs_accounts_yaml" class="discrete">cloudformation/02prereqs-accounts.yaml</h3><div class="paragraph"><p>Here you find the <strong>CentralAcctCodePipelineCFRole</strong> and as you can see, this will be the role which will be assumed by the <strong>Central Account</strong> CodePipeline to execute the CloudFormation commands.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">17</span><span class="cl"><span class="nt">Resources</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">CFRole</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::IAM::Role</span><span class="w"></span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="w"> </span><span class="nt">RoleName</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${Project}-CentralAcctCodePipelineCFRole</span><span class="w"></span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="w"> </span><span class="nt">AssumeRolePolicyDocument</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="ld">2012-10-17</span><span class="w"></span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="w"> </span><span class="nt">Statement</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="w"> </span><span class="nt">Principal</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="w"> </span><span class="nt">AWS</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="w"> </span>- !<span class="l">Ref CentralAccount</span><span class="w"></span></span></span><span class="line"><span class="ln">30</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">31</span><span class="cl"><span class="w"> </span>- <span class="l">sts:AssumeRole</span><span class="w"></span></span></span><span class="line"><span class="ln">32</span><span class="cl"><span class="w"> </span><span class="nt">Path</span><span class="p">:</span><span class="w"> </span><span class="l">/</span></span></span></code></pre></div></div><div class="paragraph"><p>Looking at the policy used for this role we can see that CloudFormation, S3, IAM and KMS actions are added.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">33</span><span class="cl"><span class="w"> </span><span class="nt">CFPolicy</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">34</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::IAM::Policy</span><span class="w"></span></span></span><span class="line"><span class="ln">35</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">36</span><span class="cl"><span class="w"> </span><span class="nt">PolicyName</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${Project}-CentralAcctCodePipelineCloudFormationPolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">37</span><span class="cl"><span class="w"> </span><span class="nt">PolicyDocument</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">38</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="ld">2012-10-17</span><span class="w"></span></span></span><span class="line"><span class="ln">39</span><span class="cl"><span class="w"> </span><span class="nt">Statement</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">40</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">41</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">42</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">43</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:CreateStack</span><span class="w"></span></span></span><span class="line"><span class="ln">44</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DeleteStack</span><span class="w"></span></span></span><span class="line"><span class="ln">45</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:UpdateStack</span><span class="w"></span></span></span><span class="line"><span class="ln">46</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DescribeStacks</span><span class="w"></span></span></span><span class="line"><span class="ln">47</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:CreateChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">48</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:ExecuteChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">49</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:ListChangeSets</span><span class="w"></span></span></span><span class="line"><span class="ln">50</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DescribeChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">51</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DeleteChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">52</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub &#34;arn:aws:cloudformation:${AWS::Region}:*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">53</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">54</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">55</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">56</span><span class="cl"><span class="w"> </span>- <span class="l">s3:PutObject</span><span class="w"></span></span></span><span class="line"><span class="ln">57</span><span class="cl"><span class="w"> </span>- <span class="l">s3:GetObject</span><span class="w"></span></span></span><span class="line"><span class="ln">58</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">59</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:s3:::${S3Bucket}/*</span><span class="w"></span></span></span><span class="line"><span class="ln">60</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub arn:aws:s3:::${S3Bucket}</span><span class="w"></span></span></span><span class="line"><span class="ln">61</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">62</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">63</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">64</span><span class="cl"><span class="w"> </span>- <span class="l">iam:PassRole</span><span class="w"></span></span></span><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub &#34;arn:aws:iam::${AWS::AccountId}:*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span>- <span class="l">kms:Decrypt</span><span class="w"></span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span>- <span class="l">kms:Encrypt</span><span class="w"></span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="w"> </span>- !<span class="l">Ref CMKARN</span><span class="w"></span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="w"> </span><span class="nt">Roles</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span>!<span class="l">Ref CFRole</span></span></span></code></pre></div></div><div class="paragraph"><p>The CF actions are used to deploy the CF templates into this account, S3 actions are needed to get the artifacts from the <strong>Central Account</strong> and KMS actions are needed to decrypt the artifact.</p></div><div class="paragraph"><p>Looking at the <strong>cloudformationdeployer-role</strong> or better the according policy we see that this role gets similar actions like <strong>CentralAcctCodePipelineCFRole</strong>. Supplementary some IAM, Lambda and API Gateway actions are added.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span><span class="nt">CFDeployerPolicy</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::IAM::Policy</span><span class="w"></span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span><span class="nt">PolicyName</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${Project}-cloudformationdeployer-policy</span><span class="w"></span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">PolicyDocument</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="ld">2012-10-17</span><span class="w"></span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">Statement</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">cf</span><span class="w"></span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:CreateStack</span><span class="w"></span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DeleteStack</span><span class="w"></span></span></span><span class="line"><span class="ln">103</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:UpdateStack</span><span class="w"></span></span></span><span class="line"><span class="ln">104</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DescribeStacks</span><span class="w"></span></span></span><span class="line"><span class="ln">105</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:CreateChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">106</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:ExecuteChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">107</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:ListChangeSets</span><span class="w"></span></span></span><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DescribeChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span>- <span class="l">cloudformation:DeleteChangeSet</span><span class="w"></span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub &#34;arn:aws:cloudformation:${AWS::Region}:*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">s3</span><span class="w"></span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span>- <span class="l">s3:PutObject</span><span class="w"></span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span>- <span class="l">s3:GetBucketPolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span>- <span class="l">s3:GetObject</span><span class="w"></span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span>- <span class="l">s3:ListBucket</span><span class="w"></span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:s3:::${S3Bucket}/*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:s3:::${S3Bucket}&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">iam</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span>- <span class="l">iam:CreateRole</span><span class="w"></span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span>- <span class="l">iam:DeleteRole</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span>- <span class="l">iam:AttachRolePolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span>- <span class="l">iam:DetachRolePolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span>- <span class="l">iam:getRolePolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span>- <span class="l">iam:PutRolePolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span>- <span class="l">iam:DeleteRolePolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span>- <span class="l">iam:GetRole</span><span class="w"></span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span>- <span class="l">iam:PassRole</span><span class="w"></span></span></span><span class="line"><span class="ln">133</span><span class="cl"><span class="w"> </span>- <span class="l">iam:CreateServiceLinkedRole</span><span class="w"></span></span></span><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:iam::${AWS::AccountId}:role/*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">ssm</span><span class="w"></span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">138</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">139</span><span class="cl"><span class="w"> </span>- <span class="l">ssm:GetParameters</span><span class="w"></span></span></span><span class="line"><span class="ln">140</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">141</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">142</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">lambda</span><span class="w"></span></span></span><span class="line"><span class="ln">143</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">144</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">145</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:CreateFunction</span><span class="w"></span></span></span><span class="line"><span class="ln">146</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:DeleteFunction</span><span class="w"></span></span></span><span class="line"><span class="ln">147</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:GetFunctionConfiguration</span><span class="w"></span></span></span><span class="line"><span class="ln">148</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:AddPermission</span><span class="w"></span></span></span><span class="line"><span class="ln">149</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:RemovePermission</span><span class="w"></span></span></span><span class="line"><span class="ln">150</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:UpdateFunctionConfiguration</span><span class="w"></span></span></span><span class="line"><span class="ln">151</span><span class="cl"><span class="w"> </span>- <span class="l">lambda:UpdateFunctionCode</span><span class="w"></span></span></span><span class="line"><span class="ln">152</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">153</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">154</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">apigw</span><span class="w"></span></span></span><span class="line"><span class="ln">155</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">156</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">157</span><span class="cl"><span class="w"> </span>- <span class="l">apigateway:POST</span><span class="w"></span></span></span><span class="line"><span class="ln">158</span><span class="cl"><span class="w"> </span>- <span class="l">apigateway:DELETE</span><span class="w"></span></span></span><span class="line"><span class="ln">159</span><span class="cl"><span class="w"> </span>- <span class="l">apigateway:PATCH</span><span class="w"></span></span></span><span class="line"><span class="ln">160</span><span class="cl"><span class="w"> </span>- <span class="l">apigateway:GET</span><span class="w"></span></span></span><span class="line"><span class="ln">161</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">162</span><span class="cl"><span class="w"> </span>- !<span class="l">Sub &#34;arn:aws:apigateway:${AWS::Region}::/*&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">163</span><span class="cl"><span class="w"> </span><span class="nt">Roles</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">164</span><span class="cl"><span class="w"> </span>-<span class="w"></span></span></span><span class="line"><span class="ln">165</span><span class="cl"><span class="w"> </span>!<span class="l">Ref CFDeployerRole</span></span></span></code></pre></div></div><div class="paragraph"><p>All these actions are needed to create our application:</p></div><div class="ulist"><ul><li><p>IAM actions to create all needed roles/policies</p></li><li><p>Lambda actions to create our serverless functions</p></li><li><p>API Gateway actions to create endpoints of the application</p></li></ul></div><div class="paragraph"><p>If you will use this example to deploy your own applications to multiple AWS accounts this role/policy has to be customized to fit your needs.</p></div><div class="quoteblock"><blockquote><div class="paragraph"><p>All actions which will be needed to deploy your application have to be added here.</p></div></blockquote></div><div class="paragraph"><p>Let’s look at the last template,</p></div><hr/><h3 id="_cloudformation03central_pipeline_yaml" class="discrete">cloudformation/03central-pipeline.yaml</h3><div class="paragraph"><p>This template which will be used in the <strong>Central account</strong> creates only one resource, the CodePipeline.As you can see this CodePipeline will use the KMS Key as encryption key and will use the S3 bucket as artifact store.</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/202005/code1.png" alt="AWS CodePipeline Example"/></div></div><div class="paragraph"><p>We see 5 stages:</p></div><div class="ulist"><ul><li><p>Getting the source from CodeCommit</p></li><li><p>Build the templates with CodeBuild</p></li><li><p>Create/deploy change sets to <strong>Dev account</strong></p></li><li><p>Create/deploy change sets to <strong>Test account</strong></p></li><li><p>Create/deploy change sets to <strong>Prod account</strong></p></li></ul></div><div class="paragraph"><p>CodeCommit and CodeBuild stages are easy to understand, no magic there, but let’s look at the create/deploy change sets to the different accounts:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 57</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Create_Change_Sets_and_Deploy_to_Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 58</span><span class="cl"><span class="w"> </span><span class="nt">Actions</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 59</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">CreateChangeSet_Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 60</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 61</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"></span></span></span><span class="line"><span class="ln"> 62</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">AWS</span><span class="w"></span></span></span><span class="line"><span class="ln"> 63</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln"> 64</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">CloudFormation</span><span class="w"></span></span></span><span class="line"><span class="ln"> 65</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 66</span><span class="cl"><span class="w"> </span><span class="nt">ChangeSetName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-ChangeSet-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 67</span><span class="cl"><span class="w"> </span><span class="nt">ActionMode</span><span class="p">:</span><span class="w"> </span><span class="l">CHANGE_SET_REPLACE</span><span class="w"></span></span></span><span class="line"><span class="ln"> 68</span><span class="cl"><span class="w"> </span><span class="nt">StackName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 69</span><span class="cl"><span class="w"> </span><span class="nt">Capabilities</span><span class="p">:</span><span class="w"> </span><span class="l">CAPABILITY_IAM</span><span class="w"></span></span></span><span class="line"><span class="ln"> 70</span><span class="cl"><span class="w"> </span><span class="nt">ParameterOverrides</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"></span></span></span><span class="line"><span class="ln"> 71</span><span class="cl"><span class="sd"> {</span></span></span><span class="line"><span class="ln"> 72</span><span class="cl"><span class="sd"> &#34;Environment&#34; : &#34;dev&#34;</span></span></span><span class="line"><span class="ln"> 73</span><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 74</span><span class="cl"><span class="w"> </span><span class="nt">TemplatePath</span><span class="p">:</span><span class="w"> </span><span class="l">BuildArtifact::packaged.yml</span><span class="w"></span></span></span><span class="line"><span class="ln"> 75</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 76</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 77</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-cloudformationdeployer-role&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln"> 78</span><span class="cl"><span class="w"> </span><span class="nt">InputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 79</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">BuildArtifact</span><span class="w"></span></span></span><span class="line"><span class="ln"> 80</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln"> 81</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 82</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 83</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-centralacctcodepipelineCFRole&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln"> 84</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">ExecuteChangeSet_Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 85</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 86</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"></span></span></span><span class="line"><span class="ln"> 87</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">AWS</span><span class="w"></span></span></span><span class="line"><span class="ln"> 88</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">CloudFormation</span><span class="w"></span></span></span><span class="line"><span class="ln"> 89</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;1&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln"> 90</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 91</span><span class="cl"><span class="w"> </span><span class="nt">ActionMode</span><span class="p">:</span><span class="w"> </span><span class="l">CHANGE_SET_EXECUTE</span><span class="w"></span></span></span><span class="line"><span class="ln"> 92</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 93</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 94</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-cloudformationdeployer-role&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln"> 95</span><span class="cl"><span class="w"> </span><span class="nt">StackName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 96</span><span class="cl"><span class="w"> </span><span class="nt">ChangeSetName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-ChangeSet-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 97</span><span class="cl"><span class="w"> </span><span class="nt">OutputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln"> 98</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-ChangeSet-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln"> 99</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">2</span><span class="w"></span></span></span><span class="line"><span class="ln">100</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">101</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">102</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-centralacctcodepipelineCFRole&#34;</span></span></span></code></pre></div></div><hr/><div class="paragraph"><p>The key point here are the values used for <strong>RoleArn’s</strong> and that you can define roles for the creation/execution of CloudFormation change sets.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">81</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">82</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">83</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-centralacctcodepipelineCFRole&#34;</span></span></span></code></pre></div></div><div class="paragraph"><p>This is the role (<strong>CentralAcctCodePipelineCFRole</strong>) used by the CodePipeline in the <strong>Central account</strong> to execute the CloudFormation template in the <strong>Dev account</strong>.<br/><br/>The role was created on the <strong>Dev account</strong> with the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/02prereqs-accounts.yaml" target="_blank" rel="noopener">02prereqs-accounts.yaml</a> template but the ARN value can be calculated.<br/><br/>This is done in the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">01central-prereqs.yaml</a> template and imported here in this template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/03central-pipeline.yaml" target="_blank" rel="noopener">03central-pipeline.yaml</a>.<br/><br/>Snippet from <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">01central-prereqs.yaml</a>:</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">326</span><span class="cl"><span class="w"> </span><span class="nt">DevCodePipelineCloudFormationRole</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">327</span><span class="cl"><span class="w"> </span><span class="nt">Value</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub arn:aws:iam::${DevAccount}:role/${Project}-CentralAcctCodePipelineCFRole</span><span class="w"></span></span></span><span class="line"><span class="ln">328</span><span class="cl"><span class="w"> </span><span class="nt">Export</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">329</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span>!<span class="l">Sub ${Project}-Dev-centralacctcodepipelineCFRole</span></span></span></code></pre></div></div><hr/><div class="paragraph"><p>The second role (<strong>cloudformationdeployer-role</strong>) is used to deploy the resources inside the <strong>Dev account</strong> which are defined in the CloudFormation template. That’s the same IAM Role setting which you will see if you manually deploy a CloudFormation stack under &#34;Configure stack options&#34; → &#34;Permissions&#34;</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">65</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">66</span><span class="cl"><span class="w"> </span><span class="nt">ChangeSetName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-ChangeSet-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln">67</span><span class="cl"><span class="w"> </span><span class="nt">ActionMode</span><span class="p">:</span><span class="w"> </span><span class="l">CHANGE_SET_REPLACE</span><span class="w"></span></span></span><span class="line"><span class="ln">68</span><span class="cl"><span class="w"> </span><span class="nt">StackName</span><span class="p">:</span><span class="w"> </span><span class="l">cicd-codepipeline-Dev</span><span class="w"></span></span></span><span class="line"><span class="ln">69</span><span class="cl"><span class="w"> </span><span class="nt">Capabilities</span><span class="p">:</span><span class="w"> </span><span class="l">CAPABILITY_IAM</span><span class="w"></span></span></span><span class="line"><span class="ln">70</span><span class="cl"><span class="w"> </span><span class="nt">ParameterOverrides</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"></span></span></span><span class="line"><span class="ln">71</span><span class="cl"><span class="sd"> {</span></span></span><span class="line"><span class="ln">72</span><span class="cl"><span class="sd"> &#34;Environment&#34; : &#34;dev&#34;</span></span></span><span class="line"><span class="ln">73</span><span class="cl"><span class="sd"> }</span><span class="w"> </span></span></span><span class="line"><span class="ln">74</span><span class="cl"><span class="w"> </span><span class="nt">TemplatePath</span><span class="p">:</span><span class="w"> </span><span class="l">BuildArtifact::packaged.yml</span><span class="w"></span></span></span><span class="line"><span class="ln">75</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">76</span><span class="cl"><span class="w"> </span><span class="nt">Fn::ImportValue</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">77</span><span class="cl"><span class="w"> </span>!<span class="l">Sub &#34;${Project}-Dev-cloudformationdeployer-role&#34;</span></span></span></code></pre></div></div><div class="paragraph"><p>As you can see the RoleArn is defined inside the <strong>Configuration</strong> part of the Create/Execute change set. This is the role/policy we saw before which has to be customized to fit your needs if you will use this example to deploy your own applications to multiple AWS accounts.</p></div><hr/><div class="paragraph"><p>Hope this Part 2 gave you more details on how this example works &amp; how you can customize it.<br/></p></div><div class="quoteblock"><blockquote><div class="paragraph"><p><strong>The magic happens at the RoleArn that are used at the different CodePipeline stages!</strong><br/></p></div></blockquote></div><div class="paragraph"><p>The beauty of this is that if you have a working solution like this you can reuse it almost everywhere.</p></div><div class="paragraph"><p>Comments and questions are welcome or contact me on <a href="https://www.twitter.com/kbild" target="_blank" rel="noopener">Twitter</a>.<br/><br/><br/></p></div></description> </item> <item> <title>AWS CodePipeline Example which deploys to multiple AWS Accounts - Part1</title> <link>https://kbild.ch/blog/2020-5-4-cf_multiple_accounts_regions/</link> <pubDate>Mon, 04 May 2020 07:30:10 +0000</pubDate> <guid>https://kbild.ch/blog/2020-5-4-cf_multiple_accounts_regions/</guid> <description><div class="paragraph"><p>At <a href="https://webgate.biz" target="_blank" rel="noopener">WebGate</a>, we’re using AWS CodePipeline heavily for CI/CD of our serverless apps and we usually do 3-tier deployments (Dev, Test, Prod).<br/></p></div><div class="paragraph"><p>Therefore we were looking for an example which describes how you have to build such a solution. Unfortunately we didn’t found a source which had a full blown solution matching our needs. Luckily we found some examples which gave us some clues on how to build such a Pipeline.</p></div><div class="paragraph"><p>Especially following two sites helped us to get started:<br/></p></div><div class="paragraph"><p><a href="https://aws.amazon.com/blogs/devops/aws-building-a-secure-cross-account-continuous-delivery-pipeline/" target="_blank" rel="noopener">- Building a Secure Cross-Account Continuous Delivery Pipeline </a><br/><a href="https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/" target="_blank" rel="noopener">- How do I use CodePipeline to deploy an AWS CloudFormation stack in a different account? </a><br/></p></div><div class="paragraph"><p><br/>In this post I will show you an example which you can use for your own cross-account AWS CodePipelines.<br/></p></div><div class="paragraph"><p>We will have:</p></div><div class="ulist"><ul><li><p>&#34;Central Account&#34; → App Repos, Pipelines…</p></li><li><p>&#34;Dev Account&#34; → Development Account for App</p></li><li><p>&#34;Test Account&#34; → Testing Account for App</p></li><li><p>&#34;Prod Account&#34; → Production Account for App<br/><br/></p></li></ul></div><hr/><h2 id="_how_to_deploy" class="discrete">How to Deploy</h2><div class="paragraph"><p>You will find the source code of this example in <a href="https://github.com/kbild/AWS_Cloudformation_Examples/tree/master/multipleAccountPipeline/" target="_blank" rel="noopener">this Github repo</a>, let’s first deploy the prerequisites and later the sample repo.<br/><br/></p></div><hr/><h3 id="_1_prerequisites" class="discrete">1. Prerequisites</h3><div class="paragraph"><p>There are 3 AWS CloudFormation templates which you will need to deploy this solution, let’s first have a look at them:<br/><br/></p></div><h4 id="_cloudformation01central_prereqs_yaml" class="discrete">cloudformation/01central-prereqs.yaml</h4><div class="paragraph"><p>This <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/01central-prereqs.yaml" target="_blank" rel="noopener">template</a> will deploy all needed resources in the &#34;Central Account&#34;:<br/></p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/arch1.png"><img src="https://kbild.ch/202005/arch1.png" alt="01central-prereqs.yaml" width="800" height="199"/></a></div></div><hr/><div class="ulist"><ul><li><p>S3 Artifact Bucket<br/></p></li><li><p>KMS Key for encryption<br/></p></li><li><p>IAM Roles/Policies<br/></p></li><li><p>CodeCommit Repo for the App<br/></p></li><li><p>CodeBuild Project for App<br/><br/></p></li></ul></div><h4 id="_cloudformation02prereqs_accounts_yaml" class="discrete">cloudformation/02prereqs-accounts.yaml</h4><div class="paragraph"><p>This <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/02prereqs-accounts.yaml" target="_blank" rel="noopener">template</a> will deploy all needed resources in the &#34;Dev Account&#34;, &#34;Test Account&#34; and &#34;Prod Account&#34;:<br/></p></div><table class="tableblock frame-all grid-all stretch tablenoborder"><colgroup><col style="width: 50%;"/><col style="width: 50%;"/></colgroup><tbody><tr><td class="tableblock halign-left valign-top"><div class="content"><div class="imageblock"><div class="content"><img src="https://kbild.ch/202005/arch2.png" alt="01central-prereqs.yaml" width="400" height="215"/></div></div></div></td><td class="tableblock halign-left valign-top"><div class="content"><div class="ulist"><ul><li><p>IAM Roles/Policies</p></li></ul></div></div></td></tr></tbody></table><h4 id="_cloudformation03central_pipeline_yaml" class="discrete">cloudformation/03central-pipeline.yaml</h4><div class="paragraph"><p>This <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/multipleAccountPipeline/cloudformation/03central-pipeline.yaml" target="_blank" rel="noopener">template</a> will deploy the actual Code Pipeline in the &#34;Central Account&#34;.<br/>For simplicity I’m only deploying a simple &#34;Hello World&#34; Lambda function and an API Gateway and I’m only using the Build and Deploy Stages in the Pipeline:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/arch3.png"><img src="https://kbild.ch/202005/arch3.png" alt="AWS CodePipeline Example" width="800" height="499"/></a></div></div><hr/><hr/><h3 id="_2_how_to_deploy_the_prerequisites" class="discrete">2. How to Deploy the Prerequisites</h3><h4 id="_central_account" class="discrete">Central Account</h4><div class="paragraph"><p>First logon to your <strong>Central Account</strong> and open up CloudFormation in the Region of choice.<br/>Now create a new stack with the template <strong>01central-prereqs.yaml</strong> and define:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/cf1.png"><img src="https://kbild.ch/202005/cf1.png" alt="01central-prereqs.yaml" width="800" height="561"/></a></div></div><hr/><div class="ulist"><ul><li><p>Stack Name i.e. <em>kbild-serverless-prereqs</em></p></li><li><p>AWS Account Numbers for the Dev, Test and Prod Accounts</p></li><li><p>PreReqsOnAccounts, should stay &#34;false&#34;</p></li><li><p>Project name i.e. <em>serverless</em></p></li></ul></div><div class="paragraph"><p><br/>Finish the stack deployment, it will take some minutes. When finished, open up the Outputs tab of the stack and take a note of the &#34;ArtifactBucket&#34; and &#34;CMK&#34; Key values.</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/cf5.png"><img src="https://kbild.ch/202005/cf5.png" alt="01central-prereqs.yaml" width="800" height="244"/></a></div></div><hr/><div class="paragraph"><p><br/></p></div><h4 id="_dev_account" class="discrete">Dev Account</h4><div class="paragraph"><p>Now logon to your <strong>Dev Account</strong> and open up CloudFormation in the same Region as used for the &#34;Central Account&#34;<br/>Here we create a new stack and we will use the template <strong>02prereqs-accounts.yaml</strong>:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/cf2.png"><img src="https://kbild.ch/202005/cf2.png" alt="01central-prereqs.yaml" width="800" height="568"/></a></div></div><hr/><div class="ulist"><ul><li><p>Stack Name i.e. <em>kbild-serverless-prereqs</em></p></li><li><p>CMKARN → Fill in the value of the &#34;CMK&#34; Key noted before</p></li><li><p>CentralAccount → Fill in the account number of the &#34;Central Account&#34;</p></li><li><p>Project name i.e. <em>serverless</em></p></li><li><p>S3Bucket → Fill in the value of the &#34;ArtifactBucket&#34; Key</p></li></ul></div><div class="paragraph"><p><br/>Wait for the stack deployment to be finished.<br/><br/></p></div><h4 id="_test_account_prod_account" class="discrete">Test Account / Prod Account</h4><div class="paragraph"><p>Now logon to your <strong>Test Account</strong> / <strong>Prod Account</strong> and repeat the steps for <strong>02prereqs-accounts.yaml</strong></p></div><div class="paragraph"><p><br/></p></div><h4 id="_central_account_2" class="discrete">Central Account</h4><div class="paragraph"><p>Now you have to go back to your <strong>Central Account</strong>.</p></div><div class="quoteblock"><blockquote><div class="paragraph"><p>Please ensure that the prerequisites are already deployed to the &#34;Dev/Test Prod Account&#34;,otherwise the following update will fail!</p></div></blockquote></div><div class="paragraph"><p>Do an update on the Prereqs Stack which you created some minutes ago. Choose &#34;Use current template&#34; and change the value of parameter <strong>PreReqsOnAccounts</strong> from <strong>false</strong> to <strong>true</strong> and update the stack:</p></div><div class="paragraph"><p><span class="image"><img src="https://kbild.ch/202005/cf4.png" alt="01central-prereqs.yaml" width="208" height="172"/></span></p></div><div class="paragraph"><p>This will update the S3 Artifact bucket and KMS Policies and will add access for to the &#34;Dev/Test Prod Accounts&#34;.</p></div><div class="paragraph"><p><br/></p></div><hr/><h3 id="_3_deploy_pipeline_and_app" class="discrete">3. Deploy Pipeline and App</h3><h4 id="_pipeline" class="discrete">Pipeline</h4><div class="paragraph"><p>Again in the <strong>Central Account</strong> create a CF stack with the <strong>03central-pipeline.yaml</strong> template:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/cf3.png"><img src="https://kbild.ch/202005/cf3.png" alt="03central-pipeline.yaml" width="800" height="426"/></a></div></div><hr/><div class="ulist"><ul><li><p>Stack Name i.e. <em>kbild-serverless-pipeline</em></p></li><li><p>Project name i.e. <em>serverless</em></p></li><li><p>RepoBranch → The Repo branch to which the Pipeline Webhook will listen too</p></li></ul></div><div class="paragraph"><p><br/>Again wait for the stack deployment to be finished.</p></div><div class="paragraph"><p>Before we run our Code Pipeline for the first time, we have to add our &#34;Hello World&#34; app to the freshly created CodeCommit Repo.</p></div><div class="paragraph"><p><br/></p></div><h4 id="_app_deployment" class="discrete">App Deployment</h4><div class="paragraph"><p>First clone the newly created CodeCommit Repo locally to your machine.<br/>(If you have never used git with CodeCommit, go to the repo and click on &#34;Clone URL&#34; at the top → &#34;Connection steps&#34;).<br/>I will use SSH:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">git clone ssh://git-codecommit.eu-central-1.amazonaws.com/v1/repos/serverless-ProjectRepo</code></pre></div></div><div class="paragraph"><p>Now add the buildspec.yml and sam-app folder from the the <a href="https://github.com/kbild/AWS_Cloudformation_Examples/" target="_blank" rel="noopener">Github repo</a> to your local clone:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/screen1.png"><img src="https://kbild.ch/202005/screen1.png" alt="03central-pipeline.yaml" width="800" height="139"/></a></div></div><hr/><div class="paragraph"><p><br/>Now commit and push the new files to the CodeCommit Repo:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">git add .git commit -agit push</code></pre></div></div><div class="paragraph"><p>This push should trigger the Code Pipeline, so go back to your AWS console of the &#34;Central Account&#34; and open up CodePipeline and the new serverless-Pipeline:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/202005/pipe1.png"><img src="https://kbild.ch/202005/pipe1.png" alt="Pipeline" width="400" height="324"/></a></div></div><div class="paragraph"><p>As you can see the pipeline was just triggered and you can follow how the Pipeline goes through all the stages:</p></div><div class="ulist"><ul><li><p>Build_Templates</p></li><li><p>Create_Change_Sets_and_Deploy_to_Dev</p></li><li><p>Create_Change_Sets_and_Deploy_to_Test</p></li><li><p>Create_Change_Sets_and_Deploy_to_Prod</p></li></ul></div><div class="paragraph"><p><br/>If all stages have finished you can logon to your &#34;Dev Account&#34; and go to:<br/></p></div><div class="paragraph"><p><em>CloudFormation → cicd-codepipeline-Dev Stack → Outputs</em><br/><br/>Click on the value for the Key &#34;HelloWorldApi&#34;, this will open the API Gateway Endpoint URL and will show you the &#34;Hello World&#34; example app.<br/></p></div><div class="paragraph"><p>If everything worked as expected you should see:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/screen3.png"><img src="https://kbild.ch/202005/screen3.png" alt="HelloWorldApp" width="600" height="356"/></a></div></div><hr/><div class="paragraph"><p>Now go to your Test/Prod Account and open the according API Gateway Endpoint URL as well, you should see environment specific &#34;Hello World&#34; pages:</p></div><div class="imageblock left"><div class="content"><a class="image" href="https://kbild.ch/202005/screen4.png"><img src="https://kbild.ch/202005/screen4.png" alt="HelloWorldApp" width="800" height="618"/></a></div></div><hr/><div class="paragraph"><p><br/><br/>I hope that this example helps you on your future CodePipeline journey!<br/><br/>In <a href="https://kbild.ch/blog/2020-5-8-cf_multiple_accounts_regions_part2/" target="_blank" rel="noopener">Part 2</a> of this post I will get into more details how the CloudFormation templates work and how you may customize them.<br/><br/><br/></p></div></description> </item> <item> <title>Search KBild's Blog</title> <link>https://kbild.ch/page/search/</link> <pubDate>Fri, 07 Jun 2019 20:22:57 +0200</pubDate> <guid>https://kbild.ch/page/search/</guid> <description> <script src="https://kbild.ch/js/lunr.js"></script><script type="text/javascript"> // define globale variablesvar idx, searchInput, searchResults = nullvar documents = [] function renderSearchResults(results){ if (results.length > 0) { // show max 10 results if (results.length > 9){ results = results.slice(0,10) } // reset search results searchResults.innerHTML = '' // append results results.forEach(result => { // create result item var article = document.createElement('article') article.innerHTML = ` <a href="${result.ref}"><h3 class="searchtitle">${documents[result.ref].title}</h3></a> <p><a href="${result.ref}">${result.ref}</a></p> <p>${documents[result.ref].summary}</p> <br> ` searchResults.appendChild(article) }) // if results are empty } else { searchResults.innerHTML = '<p>No results found.</p>' }} function registerSearchHandler() { // register on input event searchInput.oninput = function(event) { // remove search results if the user empties the search input field if (searchInput.value == '') { searchResults.innerHTML = '' } else { // get input value var query = event.target.value // run fuzzy search var results = idx.search(query) // render results renderSearchResults(results) } } // set focus on search input and remove loading placeholder searchInput.focus() searchInput.placeholder = 'Search Blog Posts'} window.onload = function() { // get dom elements searchInput = document.getElementById('search-input') searchResults = document.getElementById('search-results') // request and index documents fetch('/blog/index.json', { method: 'get' }).then( res => res.json() ).then( res => { // index document idx = lunr(function() { this.ref('url') this.field('title') this.field('content') this.field('summary') res.forEach(function(doc) { this.add(doc) documents[doc.url] = { 'title': doc.title, 'content': doc.content, 'summary': doc.summary, } }, this) }) // data is loaded, next register handler registerSearchHandler() } ).catch( err => { searchResults.innerHTML = `<p>${err}</p>` } )}</script><div><input id="search-input" type="text" placeholder="Loading..." name="search" value><section id="search-results" class="search"></section></div> </description> </item> <item> <title>CloudFormation example for AWS CodePipeline - Hugo Deployment</title> <link>https://kbild.ch/blog/2019-02-25-pipeline_cloudformation/</link> <pubDate>Tue, 26 Feb 2019 09:30:10 +0000</pubDate> <guid>https://kbild.ch/blog/2019-02-25-pipeline_cloudformation/</guid> <description><div class="paragraph"><p>I recently blogged on how you can use <a href="https://kbild.ch/blog/2019-01-31-codepipeline/">AWS CodePipeline to automatically deploy your Hugo website to AWS S3</a> and promised a CloudFormation template, so here we go.You can find the full template <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/HugoStaticWebpages/Deploy-Pipeline.yaml" target="_blank" rel="noopener">in this GitHub repo</a>.</p></div><div class="paragraph"><p>If you create a new stack with the template you will be asked for following parameters, let’s look at them in detail:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/201902/cloudformation.png"><img src="https://kbild.ch/201902/cloudformation.png" alt="AWS CloudFormation" width="800" height="650"/></a></div></div><hr/><div class="admonitionblock important"><table><tbody><tr><td class="icon"><div class="title">Important</div></td><td class="content">The referenced GitHub Repo has to be your Repo with the Hugo source files and the in the previous blog post mentioned <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/HugoStaticWebpages/buildspec.yml" target="_blank" rel="noopener">buildspec.yml</a> file <mark>which has to be in this repo</mark> as well</td></tr></tbody></table></div><h3 id="_needed_parameters" class="discrete">Needed parameters</h3><div class="ulist"><ul><li><p>GitHub OAuth Token → The Token which will be used to create the webhook in the Repo</p></li><li><p>GitHub Owner → The owner of the GitHub Repo</p></li><li><p>GitHub Repo → The name of the GitHub Repo</p></li><li><p>GitHub Branch → The name of the Branch</p></li><li><p>Artifacts S3 BucketName → The name of the S3 bucket where CodePipeline Artifacts will be saved, this bucket will be created!</p></li><li><p>Target S3 Bucket → The name of the S3 bucket where your Hugo Website will be deployed, this bucket will be created!</p></li><li><p>S3 Bucket with Lambda Code ZIP → The existing S3 bucket <mark>which contains the ZIP file</mark> of the python script for the CloudFront invalidation. The file has to be named invalidateCloudFront.zip and can be found <a href="https://github.com/kbild/AWS_Cloudformation_Examples/blob/master/HugoStaticWebpages/invalidateCloudFront.zip" target="_blank" rel="noopener">here</a></p></li><li><p>CertificateArn → The Arn of the Certificate which should be used on CloudFront Distribution (has to be created in US East!)</p></li></ul></div><hr/><div class="admonitionblock note"><table><tbody><tr><td class="icon"><div class="title">Note</div></td><td class="content">I tried to generate the certificate with the Template as well but unfortunately there is no easy way doing this → Looks like Terraform offers this functionality, think I will have a look at Terraform soon</td></tr></tbody></table></div><div class="ulist"><ul><li><p>HostedZoneId → The Id of the hosted Zone on Route53, will be used to create the following 2 subdomains/ WebsiteNames</p></li><li><p>WebsiteName01 → subdomain1 of the HostedZone</p></li><li><p>WebsiteName02 → subdomain2 of the HostedZone</p></li></ul></div><h3 id="_created_aws_resources" class="discrete">Created AWS Resources</h3><div class="paragraph"><p>If you create a Stack out of this Template following resources will be created automatically:</p></div><div class="ulist"><ul><li><p>PipelineArtifactsBucket → AWS::S3::Bucket Artifacts S3 BucketName</p></li><li><p>PipelineWebpageBucket → AWS::S3::Bucket Target S3 Bucket</p></li><li><p>BucketPolicy → AWS::S3::BucketPolicy which will be used for the S3 Bucket with the Hugo source files and allows PublicRead access</p></li><li><p>myCloudfrontDist → AWS::CloudFront::Distribution for the following subdomain names</p></li><li><p>domainDNSRecord1 → AWS::Route53::RecordSet WebsiteName01</p></li><li><p>domainDNSRecord2 → AWS::Route53::RecordSet WebsiteName02</p></li><li><p>CodeBuildProject → AWS::CodeBuild::Project, the actual build project which will be used in the CodePipeline</p></li><li><p>CodePipeline → AWS::CodePipeline::Pipeline</p></li><li><p>GithubWebhook → AWS::CodePipeline::Webhook</p></li><li><p>CreateCodePipelinePolicy → AWS::IAM::ManagedPolicy, the managed policy which will be used for the according role/pipeline</p></li><li><p>CodePipelineRole → AWS::IAM::Role with managed policy for CodePipeline</p></li><li><p>CreateCodeBuildPolicy → AWS::IAM::ManagedPolicy the managed policy which will be used for the according role for CodeBuild</p></li><li><p>CodeBuildRole → AWS::IAM::Role with managed policy for CodeBuild</p></li><li><p>CreateLambdaExecutionPolicy → AWS::IAM::ManagedPolicy</p></li><li><p>LambdaExecutedRole → AWS::IAM::Role with managed policy to give Lambda enough rights</p></li><li><p>LambdaCloudfrontInvalidation → AWS::Lambda::Function python function</p></li></ul></div><h3 id="_code_examples" class="discrete">Code examples</h3><div class="paragraph"><p>Throughout the Template I tried to follow the principle of least privilege.I.e. if you look at the <strong>CodeBuild Policy</strong> you see that CodeBuild is only allowed to work with the created S3 buckets.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span><span class="nt">CreateCodeBuildPolicy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::IAM::ManagedPolicy</span><span class="w"></span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">ManagedPolicyName</span><span class="p">:</span><span class="w"> </span><span class="l">CodeBuildAccess_Hugo</span><span class="w"></span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">Description</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Policy for access to logs and Hugo S3 Buckets&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">Path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;/&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">PolicyDocument</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;2012-10-17&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">Statement</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">VisualEditor0</span><span class="w"></span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"> </span><span class="l">s3:*</span><span class="w"></span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span>!<span class="l">Join [ &#39;&#39;, [&#39;arn:aws:s3:::&#39;,!Ref TargetS3Bucket] ],</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span>!<span class="l">Join [ &#39;&#39;, [&#39;arn:aws:s3:::&#39;,!Ref TargetS3Bucket, &#39;/*&#39;] ],</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span>!<span class="l">Join [ &#39;&#39;, [&#39;arn:aws:s3:::&#39;,!Ref ArtifactsBucketName] ],</span><span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span>!<span class="l">Join [ &#39;&#39;, [&#39;arn:aws:s3:::&#39;,!Ref ArtifactsBucketName, &#39;/*&#39;] ]</span><span class="w"></span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="p">]</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span>- <span class="nt">Sid</span><span class="p">:</span><span class="w"> </span><span class="l">VisualEditor1</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span><span class="nt">Effect</span><span class="p">:</span><span class="w"> </span><span class="l">Allow</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span><span class="nt">Action</span><span class="p">:</span><span class="w"> </span><span class="l">logs:*</span><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">Resource</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;*&#39;</span></span></span></code></pre></div></div><div class="paragraph"><p>Following part creates the <strong>CodePipeline</strong> with all stages<br/>(Source from GitHub, Build on CodeBuild, Deploy to S3 and call Lambda function)<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">108</span><span class="cl"><span class="w"> </span><span class="nt">CodePipeline</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">AWS::CodePipeline::Pipeline</span><span class="w"></span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"> </span><span class="nt">Properties</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"> </span><span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">PipelineForStaticWebpageWithHugo</span><span class="w"></span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"> </span><span class="nt">ArtifactStore</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"> </span><span class="nt">Type</span><span class="p">:</span><span class="w"> </span><span class="l">S3</span><span class="w"></span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"> </span><span class="nt">Location</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref PipelineArtifactsBucket</span><span class="w"></span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"> </span><span class="nt">RestartExecutionOnUpdate</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"></span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"> </span><span class="nt">RoleArn</span><span class="p">:</span><span class="w"> </span>!<span class="l">GetAtt CodePipelineRole.Arn</span><span class="w"></span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="nt">Stages</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Source</span><span class="w"></span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="w"> </span><span class="nt">Actions</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Source</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span><span class="nt">InputArtifacts</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Source</span><span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">ThirdParty</span><span class="w"></span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">GitHub</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span><span class="nt">OutputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">SourceCode</span><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref GitHubOwner</span><span class="w"></span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span><span class="nt">Repo</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref GitHubRepo</span><span class="w"></span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span><span class="nt">Branch</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref GitHubBranch</span><span class="w"></span></span></span><span class="line"><span class="ln">133</span><span class="cl"><span class="w"> </span><span class="nt">PollForSourceChanges</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"></span></span></span><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="nt">OAuthToken</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref GitHubOAuthToken</span><span class="w"></span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Build</span><span class="w"></span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="nt">Actions</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">138</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">CodeBuild</span><span class="w"></span></span></span><span class="line"><span class="ln">139</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">140</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Build</span><span class="w"></span></span></span><span class="line"><span class="ln">141</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">AWS</span><span class="w"></span></span></span><span class="line"><span class="ln">142</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">CodeBuild</span><span class="w"></span></span></span><span class="line"><span class="ln">143</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">144</span><span class="cl"><span class="w"> </span><span class="nt">InputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">145</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">SourceCode</span><span class="w"></span></span></span><span class="line"><span class="ln">146</span><span class="cl"><span class="w"> </span><span class="nt">OutputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">147</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">PublicFiles</span><span class="w"></span></span></span><span class="line"><span class="ln">148</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">149</span><span class="cl"><span class="w"> </span><span class="nt">ProjectName</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref CodeBuildProject</span><span class="w"></span></span></span><span class="line"><span class="ln">150</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">151</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"></span></span></span><span class="line"><span class="ln">152</span><span class="cl"><span class="w"> </span><span class="nt">Actions</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">153</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">S3Deploy</span><span class="w"></span></span></span><span class="line"><span class="ln">154</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">155</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"></span></span></span><span class="line"><span class="ln">156</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">AWS</span><span class="w"></span></span></span><span class="line"><span class="ln">157</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">S3</span><span class="w"></span></span></span><span class="line"><span class="ln">158</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">159</span><span class="cl"><span class="w"> </span><span class="nt">InputArtifacts</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">160</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">PublicFiles</span><span class="w"></span></span></span><span class="line"><span class="ln">161</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">162</span><span class="cl"><span class="w"> </span><span class="nt">BucketName</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref TargetS3Bucket</span><span class="w"></span></span></span><span class="line"><span class="ln">163</span><span class="cl"><span class="w"> </span><span class="nt">Extract</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;true&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">164</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"></span></span></span><span class="line"><span class="ln">165</span><span class="cl"><span class="w"> </span>- <span class="nt">Name</span><span class="p">:</span><span class="w"> </span><span class="l">LambdaDeploy</span><span class="w"></span></span></span><span class="line"><span class="ln">166</span><span class="cl"><span class="w"> </span><span class="nt">ActionTypeId</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">167</span><span class="cl"><span class="w"> </span><span class="nt">Category</span><span class="p">:</span><span class="w"> </span><span class="l">Invoke</span><span class="w"></span></span></span><span class="line"><span class="ln">168</span><span class="cl"><span class="w"> </span><span class="nt">Owner</span><span class="p">:</span><span class="w"> </span><span class="l">AWS</span><span class="w"></span></span></span><span class="line"><span class="ln">169</span><span class="cl"><span class="w"> </span><span class="nt">Provider</span><span class="p">:</span><span class="w"> </span><span class="l">Lambda</span><span class="w"></span></span></span><span class="line"><span class="ln">170</span><span class="cl"><span class="w"> </span><span class="nt">Version</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"></span></span></span><span class="line"><span class="ln">171</span><span class="cl"><span class="w"> </span><span class="nt">Configuration</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">172</span><span class="cl"><span class="w"> </span><span class="nt">FunctionName</span><span class="p">:</span><span class="w"> </span><span class="l">invalidateCloudfront</span><span class="w"></span></span></span><span class="line"><span class="ln">173</span><span class="cl"><span class="w"> </span><span class="nt">UserParameters</span><span class="p">:</span><span class="w"> </span>!<span class="l">Ref myCloudfrontDist</span><span class="w"></span></span></span><span class="line"><span class="ln">174</span><span class="cl"><span class="w"> </span><span class="nt">RunOrder</span><span class="p">:</span><span class="w"> </span><span class="m">2</span></span></span></code></pre></div></p></div><div class="paragraph"><p>This is the Lambda function written in python to create the CloudFront invalidation. I needed quiet some time to get the CodePipeline jobId and to get the Id of the CloudFront Distribution out of the UserParameters.</p></div><div class="paragraph"><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln">108</span><span class="cl"><span class="l">import time</span><span class="w"></span></span></span><span class="line"><span class="ln">109</span><span class="cl"><span class="w"></span><span class="l">import logging</span><span class="w"></span></span></span><span class="line"><span class="ln">110</span><span class="cl"><span class="w"></span><span class="l">from botocore.exceptions import ClientError</span><span class="w"></span></span></span><span class="line"><span class="ln">111</span><span class="cl"><span class="w"></span><span class="l">import boto3</span><span class="w"></span></span></span><span class="line"><span class="ln">112</span><span class="cl"><span class="w"></span></span></span><span class="line"><span class="ln">113</span><span class="cl"><span class="w"></span><span class="l">LOGGER = logging.getLogger()</span><span class="w"></span></span></span><span class="line"><span class="ln">114</span><span class="cl"><span class="w"></span><span class="l">LOGGER.setLevel(logging.INFO)</span><span class="w"></span></span></span><span class="line"><span class="ln">115</span><span class="cl"><span class="w"></span></span></span><span class="line"><span class="ln">116</span><span class="cl"><span class="w"></span><span class="nt">def codepipeline_success(job_id)</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">117</span><span class="cl"><span class="w"> </span><span class="s2">&#34;&#34;&#34;</span></span></span><span class="line"><span class="ln">118</span><span class="cl"><span class="s2"> Puts CodePipeline Success Result</span></span></span><span class="line"><span class="ln">119</span><span class="cl"><span class="s2"> &#34;&#34;&#34;</span><span class="w"></span></span></span><span class="line"><span class="ln">120</span><span class="cl"><span class="w"> </span><span class="nt">try</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">121</span><span class="cl"><span class="w"> </span><span class="l">codepipeline = boto3.client(&#39;codepipeline&#39;)</span><span class="w"></span></span></span><span class="line"><span class="ln">122</span><span class="cl"><span class="w"> </span><span class="l">codepipeline.put_job_success_result(jobId=job_id)</span><span class="w"></span></span></span><span class="line"><span class="ln">123</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.info(&#39;===SUCCESS===&#39;)</span><span class="w"></span></span></span><span class="line"><span class="ln">124</span><span class="cl"><span class="w"> </span><span class="l">return True</span><span class="w"></span></span></span><span class="line"><span class="ln">125</span><span class="cl"><span class="w"> </span><span class="nt">except ClientError as err</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">126</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.error(&#34;Failed to PutJobSuccessResult for CodePipeline!\n%s&#34;, err)</span><span class="w"></span></span></span><span class="line"><span class="ln">127</span><span class="cl"><span class="w"> </span><span class="l">return False</span><span class="w"></span></span></span><span class="line"><span class="ln">128</span><span class="cl"><span class="w"></span></span></span><span class="line"><span class="ln">129</span><span class="cl"><span class="w"></span><span class="nt">def codepipeline_failure(job_id, message)</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">130</span><span class="cl"><span class="w"> </span><span class="nt">try</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">131</span><span class="cl"><span class="w"> </span><span class="l">codepipeline = boto3.client(&#39;codepipeline&#39;)</span><span class="w"></span></span></span><span class="line"><span class="ln">132</span><span class="cl"><span class="w"> </span><span class="l">codepipeline.put_job_failure_result(</span><span class="w"></span></span></span><span class="line"><span class="ln">133</span><span class="cl"><span class="w"> </span><span class="l">jobId=job_id,</span><span class="w"></span></span></span><span class="line"><span class="ln">134</span><span class="cl"><span class="w"> </span><span class="l">failureDetails={&#39;type&#39;: &#39;JobFailed&#39;, &#39;message&#39;: message}</span><span class="w"></span></span></span><span class="line"><span class="ln">135</span><span class="cl"><span class="w"> </span><span class="l">)</span><span class="w"></span></span></span><span class="line"><span class="ln">136</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.info(&#39;===FAILURE===&#39;)</span><span class="w"></span></span></span><span class="line"><span class="ln">137</span><span class="cl"><span class="w"> </span><span class="l">return True</span><span class="w"></span></span></span><span class="line"><span class="ln">138</span><span class="cl"><span class="w"> </span><span class="nt">except ClientError as err</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">139</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.error(&#34;Failed to PutJobFailureResult for CodePipeline!\n%s&#34;, err)</span><span class="w"></span></span></span><span class="line"><span class="ln">140</span><span class="cl"><span class="w"> </span><span class="l">return False</span><span class="w"></span></span></span><span class="line"><span class="ln">141</span><span class="cl"><span class="w"></span></span></span><span class="line"><span class="ln">142</span><span class="cl"><span class="w"></span></span></span><span class="line"><span class="ln">143</span><span class="cl"><span class="w"></span><span class="nt">def lambda_handler(event, context)</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">144</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.info(event)</span><span class="w"></span></span></span><span class="line"><span class="ln">145</span><span class="cl"><span class="w"> </span><span class="nt">try</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">146</span><span class="cl"><span class="w"> </span><span class="l">job_id = event[&#39;CodePipeline.job&#39;][&#39;id&#39;]</span><span class="w"></span></span></span><span class="line"><span class="ln">147</span><span class="cl"><span class="w"> </span><span class="l">distId = event[&#39;CodePipeline.job&#39;][&#39;data&#39;][&#39;actionConfiguration&#39;][&#39;configuration&#39;][&#39;UserParameters&#39;]</span><span class="w"></span></span></span><span class="line"><span class="ln">148</span><span class="cl"><span class="w"> </span><span class="l">client = boto3.client(&#39;cloudfront&#39;)</span><span class="w"></span></span></span><span class="line"><span class="ln">149</span><span class="cl"><span class="w"> </span><span class="l">invalidation = client.create_invalidation(DistributionId=distId,</span><span class="w"></span></span></span><span class="line"><span class="ln">150</span><span class="cl"><span class="w"> </span><span class="l">InvalidationBatch={</span><span class="w"></span></span></span><span class="line"><span class="ln">151</span><span class="cl"><span class="w"> </span><span class="nt">&#39;Paths&#39;</span><span class="p">:</span><span class="w"> </span>{<span class="w"></span></span></span><span class="line"><span class="ln">152</span><span class="cl"><span class="w"> </span><span class="nt">&#39;Quantity&#39;</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="p">,</span><span class="w"></span></span></span><span class="line"><span class="ln">153</span><span class="cl"><span class="w"> </span><span class="nt">&#39;Items&#39;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s1">&#39;/*&#39;</span><span class="p">]</span><span class="w"></span></span></span><span class="line"><span class="ln">154</span><span class="cl"><span class="w"> </span>}<span class="p">,</span><span class="w"></span></span></span><span class="line"><span class="ln">155</span><span class="cl"><span class="w"> </span><span class="nt">&#39;CallerReference&#39;</span><span class="p">:</span><span class="w"> </span><span class="l">str(time.time())</span><span class="w"></span></span></span><span class="line"><span class="ln">156</span><span class="cl"><span class="w"> </span>}<span class="l">)</span><span class="w"></span></span></span><span class="line"><span class="ln">157</span><span class="cl"><span class="w"> </span><span class="l">codepipeline_success(job_id)</span><span class="w"></span></span></span><span class="line"><span class="ln">158</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">159</span><span class="cl"><span class="w"> </span><span class="nt">except KeyError as err</span><span class="p">:</span><span class="w"></span></span></span><span class="line"><span class="ln">160</span><span class="cl"><span class="w"> </span><span class="l">LOGGER.error(&#34;Could not retrieve CodePipeline Job ID!\n%s&#34;, err)</span><span class="w"></span></span></span><span class="line"><span class="ln">161</span><span class="cl"><span class="w"> </span><span class="l">return False</span><span class="w"></span></span></span><span class="line"><span class="ln">162</span><span class="cl"><span class="w"> </span><span class="l">codepipeline_failure(job_id, err)</span></span></span></code></pre></div></div><div class="paragraph"><p>Hope this Template helps you on building your own CodePipelines via CloudFormations.<br/><br/></p></div></description> </item> <item> <title>Proper Monitoring - How to use Prometheus with your AWS EC2 instances</title> <link>https://kbild.ch/blog/2019-02-18-awsprometheus/</link> <pubDate>Mon, 18 Feb 2019 09:00:10 +0000</pubDate> <guid>https://kbild.ch/blog/2019-02-18-awsprometheus/</guid> <description><div class="paragraph"><p>As we are operating a lot of servers we need a proper monitoring solution.AWS offers CloudWatch which is an almost perfect solution for monitoring your AWS cloud infrastructure.</p></div><div class="paragraph"><p>But we also operate servers on other cloud providers (Softlayer, Azure,…) and we need one monitoring solution to track all of these servers.</p></div><div class="paragraph"><p>As you might know, I’m a huge fan of <a href="https://prometheus.io" target="_blank" rel="noopener">Prometheus</a>, the only graduated Monitoring project of <a href="https://www.cncf.io" target="_blank" rel="noopener">CNCF</a>.</p></div><div class="paragraph"><p>If you want to know more what Prometheus is and how you can use it I recommend you to watch this YouTube Movie <a href="https://www.youtube.com/watch?v=PDxcEzu62jk" target="_blank" rel="noopener">&#34;Monitoring, the Prometheus Way&#34; </a> where Julius Volz, Co-Founder Prometheus, gives a very good introduction into the topic.</p></div><div class="paragraph"><p>I also gave a talk on Prometheus and how to use it with IBM Connections last year at the DNUG event in Darmstadt. It’s only available in German but have a look at the presentation if you are interested in how you can monitor IBM Connections with Prometheus: <iframe src="//www.slideshare.net/slideshow/embed_code/key/yCxxxpsRo0YMyr" height="485" width="595" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border: 1px solid #CCC; border-width: 1px; margin-bottom: 20px; width: 82%;" allowfullscreen="true"> </iframe></p></div><div class="paragraph"><p>So how can we use Prometheus together with our AWS Cloud Infrastructure?</p></div><div class="paragraph"><p>We will need following parts:</p></div><div class="ulist"><ul><li><p>Agents on the EC2 instances (called <a href="https://github.com/prometheus/node_exporter" target="_blank" rel="noopener">node_exporter</a>)</p></li><li><p>Prometheus with configured AWS Service Discovery (in this case only for EC2 instances)</p></li></ul></div><div class="sect1"><h2 id="_node_exporter_on_ec2_instances">node_exporter on EC2 instances</h2><div class="sectionbody"><div class="paragraph"><p>Installing the node_exporter on EC2 instances is straight forward, just use following User data script:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">useradd -m -s /bin/bash prometheus# (or adduser --disabled-password --gecos &#34;&#34; prometheus) # Download node_exporter release from original repocurl -L -O https://github.com/prometheus/node_exporter/releases/download/v0.17.0/node_exporter-0.17.0.linux-amd64.tar.gz tar -xzvf node_exporter-0.17.0.linux-amd64.tar.gzmv node_exporter-0.17.0.linux-amd64 /home/prometheus/node_exporterrm node_exporter-0.17.0.linux-amd64.tar.gzchown -R prometheus:prometheus /home/prometheus/node_exporter # Add node_exporter as systemd servicetee -a /etc/systemd/system/node_exporter.service &lt;&lt; END[Unit]Description=Node ExporterWants=network-online.targetAfter=network-online.target[Service]User=prometheusExecStart=/home/prometheus/node_exporter/node_exporter[Install]WantedBy=default.targetEND systemctl daemon-reloadsystemctl start node_exportersystemctl enable node_exporter</code></pre></div></div><div class="paragraph"><p>The Prometheus server will scrape the node_exporter on the standard port 9100<br/>→ don’t forget to add this port to your instance Security Group and grant access to the Prometheus Server</p></div><div class="paragraph"><p>You may test if the node_exporter is running as expected by running following command locally on the EC2 instance:curl <a href="http://127.0.0.1:9100/metrics" class="bare">http://127.0.0.1:9100/metrics</a></p></div><div class="paragraph"><p>If everything works you should get back the metrics of your server</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash"># HELP go_gc_duration_seconds A summary of the GC invocation durations.# TYPE go_gc_duration_seconds summarygo_gc_duration_seconds{quantile=&#34;0&#34;} 2.8809e-05go_gc_duration_seconds{quantile=&#34;0.25&#34;} 3.7675e-05go_gc_duration_seconds{quantile=&#34;0.5&#34;} 4.8971e-05go_gc_duration_seconds{quantile=&#34;0.75&#34;} 6.1912e-05go_gc_duration_seconds{quantile=&#34;1&#34;} 0.000266006go_gc_duration_seconds_sum 0.667055045go_gc_duration_seconds_count 11450# HELP go_goroutines Number of goroutines that currently exist.# TYPE go_goroutines gaugego_goroutines 9...</code></pre></div></div><div class="paragraph"><p>The same will be scraped and recorded by the Prometheus server.</p></div></div></div><div class="sect1"><h2 id="_prometheus_aws_service_discovery">Prometheus AWS Service Discovery</h2><div class="sectionbody"><div class="paragraph"><p>The Prometheus server will talk to directly to the AWS API so you need to create a user with programmatic access and add following permission:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-json" data-lang="json">{ &#34;Version&#34;: &#34;2012-10-17&#34;, &#34;Statement&#34;: [ { &#34;Effect&#34;: &#34;Allow&#34;, &#34;Action&#34;: &#34;ec2:DescribeInstances&#34;, &#34;Resource&#34;: &#34;*&#34; } ]}</code></pre></div></div><div class="paragraph"><p>→ The Prometheus server can get all metadata of the EC2 instances like IP addresses or tags</p></div><div class="paragraph"><p>On the Prometheus server a scrape target has to be added to the <strong>prometheus.yml</strong> file with the access and secret key of the added user.You can do some <a href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config" target="_blank" rel="noopener">relabeling magic</a> which lets you reuse your EC2 tags and metadata in Prometheus which is very nice.<br/>I.e. here we take the <strong>ec2_tag_name</strong> as <strong>instance</strong> value and we add two additional tags (<strong>customer,role</strong>) which we get from the <strong>ec2_tag_customer</strong> and <strong>ec2_tag_role</strong></p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-yaml" data-lang="yaml"> - job_name: &#39;node&#39; ec2_sd_configs: - region: YOURREGION access_key: YOURACCESSKEY secret_key: YOURSECRETKEY port: 9100 refresh_interval: 1m relabel_configs: - source_labels: - &#39;__meta_ec2_tag_Name&#39; target_label: &#39;instance&#39; - source_labels: - &#39;__meta_ec2_tag_customer&#39; target_label: &#39;customer&#39; - source_labels: - &#39;__meta_ec2_tag_role&#39; target_label: &#39;role&#39;</code></pre></div></div><div class="paragraph"><p>The Prometheus server will now get the private IP addresses of all of your EC2 instances<br/>(by default the private IPs, but you can use the public ones as well, see <a href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#ec2_sd_config" target="_blank" rel="noopener">ec2_sd_config documentation</a>)</p></div><div class="paragraph"><p>If you want to see which targets Prometheus gets through the Service Discovery browse to following URL of you Prometheus server:<br/><strong>-https://prometheus.server.com/service-discovery</strong></p></div><div class="paragraph"><p>Here you will see all your EC2 instances with their metadata and which data is reused in Prometheus:<br/></p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/201902/Prometheus_SD.png"><img src="https://kbild.ch/201902/Prometheus_SD.png" alt="Prometheus Service Discovery" width="800" height="400"/></a></div></div><div class="paragraph"><p><br/><br/></p></div></div></div><div class="sect1"><h2 id="_graphs_and_dashboards">Graphs and Dashboards</h2><div class="sectionbody"><div class="paragraph"><p>We defined that the metrics are scraped every minute and after some minutes we can see the results in the Prometheus UI:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/201902/Prometheus_Graph.png"><img src="https://kbild.ch/201902/Prometheus_Graph.png" alt="Prometheus Graph" width="800" height="400"/></a></div></div><div class="paragraph"><p>As you can see here we even get the data for the instance memory which we don’t have if we use CloudWatch for Monitoring.If you wan’t to have real dashboards for your monitoring just add Grafana which is natively supporting Prometheus as Data Source and you can create such nice dashboards:</p></div><div class="imageblock"><div class="content"><a class="image" href="https://kbild.ch/201902/Grafana_Dashboard.png"><img src="https://kbild.ch/201902/Grafana_Dashboard.png" alt="Grafana Dashboard" width="800" height="423"/></a></div></div><div class="paragraph"><p><br/>Maybe you know now why I’m a big fan of Prometheus and as someone which is also using Prometheus to monitor his Kubernetes environment I can tell you we just scratched on the surface of what is possible with Prometheus.<br/></p></div></div></div></description> </item> <item> <title>CloudFormation Template: Tag AWS Volumes for Lifecycle Manager Backups </title> <link>https://kbild.ch/blog/2019-02-11-lifecycle/</link> <pubDate>Tue, 12 Feb 2019 15:41:10 +0000</pubDate> <guid>https://kbild.ch/blog/2019-02-11-lifecycle/</guid> <description><div class="paragraph"><p>If you wan’t a simple AWS Backup solution you can use AWS Lifecycle Manager to create snapshots from your AWS EC2 volumes.<br/></p></div><div class="paragraph"><p>Lifecycle Manager is easy to use and even gives you some retention rules, no scripting needed for your Backups at all.</p></div><div class="paragraph"><p>You can easily define which target volumes Lifecycle Manager should snapshot through tags on your volumes.<br/></p></div><div class="sect1"><h2 id="_lifecycle_manager_snapshot_lifecycle_policy">Lifecycle Manager - Snapshot Lifecycle Policy</h2><div class="sectionbody"><div class="paragraph"><p>In following example we will take snapshots all 24h of all volumes which are tagged <code>backupid: AUT01</code> between 09 and 10 UTC and will retain 7 snapshots.</p></div><hr/><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/Lifecycle.png" alt="AWS Lifecycle Manager"/></div></div><hr/><div class="paragraph"><p>Usually we use CloudFormation to create our AWS environments and our EC2 instances. Unfortunately the tags you use for your EC2 instances are not automatically added to the according volumes of your instance. Bummer!</p></div><div class="paragraph"><p>This means we have to find a way to tag the instance volumes right after creation and of course easiest way to do this is using some magic in a User data script.</p></div></div></div><div class="sect1"><h2 id="_needed_user_data_script">Needed User data script</h2><div class="sectionbody"><div class="paragraph"><p>Following script may be used as User data script:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">aws ec2 create-tags --resources $(aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) --query &#39;Volumes[*].[VolumeId]&#39; --region=eu-central-1 --out text | cut -f 1) --tags Key=$Key,Value=$Value --region eu-central-1</code></pre></div></div><div class="paragraph"><p>There are two parts in this script:</p></div><div class="ulist"><ul><li><p>Getting the VolumeIds of the volumes with the help of the local server metadata</p><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">aws ec2 describe-volumes --filters Name=attachment.instance-id,Values=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) --query &#39;Volumes[*].[VolumeId]&#39; --region=eu-central-1 --out text</code></pre></div></div></li></ul></div><div class="admonitionblock tip"><table><tbody><tr><td class="icon"><div class="title">Tip</div></td><td class="content">You can add a filter for device names as well, i.e. you only want to tag/backup your data volume which is mounted as /dev/xvdb then add following right before the &#34;--query&#34; statement</td></tr></tbody></table></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">Name=attachment.device,Values=/dev/xvdb</code></pre></div></div><div class="ulist"><ul><li><p>Tag these Volumes with the provided key and value</p><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-bash" data-lang="bash">aws ec2 create-tags --resources VOLUMEIDS --tags Key=$Key,Value=$Value --region eu-central-1</code></pre></div></div></li></ul></div><div class="paragraph"><p>As you can see we are using an EC2 instance in the eu-central-1 region, you have to change this to the region you are using.</p></div><div class="paragraph"><p>The EC2 instance needs an IAM role with sufficient rights to get the volume id’s and to tag the volumes. We will add following policy to this role:</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-json" data-lang="json">{ &#34;Version&#34;: &#34;2012-10-17&#34;, &#34;Statement&#34;: [ { &#34;Action&#34;: &#34;ec2:Describe*&#34;, &#34;Resource&#34;: &#34;*&#34;, &#34;Effect&#34;: &#34;Allow&#34; }, { &#34;Action&#34;: &#34;ec2:CreateTags&#34;, &#34;Resource&#34;: &#34;*&#34;, &#34;Effect&#34;: &#34;Allow&#34; } ]}</code></pre></div></div></div></div><div class="sect1"><h2 id="_lifecycle_policy">Lifecycle Policy</h2><div class="sectionbody"><div class="paragraph"><p>Final step is to add the Snapshot Lifecycle Policy with the needed parameters (TargetTags…)</p></div><div class="listingblock"><div class="content"><pre class="highlight"><code class="language-yaml" data-lang="yaml"> BasicLifecyclePolicy: Type: &#34;AWS::DLM::LifecyclePolicy&#34; Properties: Description: &#34;Lifecycle Policy using CloudFormation&#34; State: &#34;ENABLED&#34; ExecutionRoleArn: !GetAtt - lifecycleRole - Arn PolicyDetails: ResourceTypes: - &#34;VOLUME&#34; TargetTags: - Key: &#34;backupid&#34; Value: &#34;AUT01&#34; Schedules: - Name: &#34;Daily Snapshots&#34; TagsToAdd: - Key: &#34;type&#34; Value: &#34;DailySnapshot&#34; CreateRule: Interval: 24 IntervalUnit: &#34;HOURS&#34; Times: - &#34;09:00&#34; RetainRule: Count: 7 CopyTags: true</code></pre></div></div><div class="paragraph"><p>As you can see an execution role is needed as well (with proper policy attached).You will find this role and all additional needed resources in the full CloudFormation template on <a href="https://github.com/kbild/AWS_Cloudformation_Examples/tree/master/Volume_Tagging" target="_blank" rel="noopener">Github</a>.</p></div><div class="paragraph"><p>Feedback is always welcome!</p></div></div></div></description> </item> <item> <title>Use AWS CodePipeline to automatically deploy your Hugo website to AWS S3</title> <link>https://kbild.ch/blog/2019-01-31-codepipeline/</link> <pubDate>Tue, 05 Feb 2019 10:17:10 +0000</pubDate> <guid>https://kbild.ch/blog/2019-01-31-codepipeline/</guid> <description><div class="paragraph"><p>So I have a <a href="https://gohugo.io/" target="_blank" rel="noopener">Hugo</a> website now but deploying the generated HTML files to my AWS S3 bucket and invalidating my AWS Cloudfront deployment is very time consuming.</p></div><div class="paragraph"><p>Therefore I planned to have a AWS Code Pipeline which helps me in this process.Following steps are needed:</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/AWSCodePipeline01.png" alt="AWS CodePipeline"/></div></div><div class="paragraph"><p>Reading guides from other Bloggers (<a href="https://alimac.io/static-websites-with-s3-and-hugo-part-1/" target="_blank" rel="noopener">alimac.io</a>, <a href="https://medium.com/@yagonobre/automatically-invalidate-cloudfront-cache-for-site-hosted-on-s3-3c7818099868" target="_blank" rel="noopener">YagoYns</a>, <a href="https://github.com/symphoniacloud/github-codepipeline" target="_blank" rel="noopener">Symphonia </a>) gave me a good starting point to build my own solution based on AWS CodePipeline.</p></div><div class="paragraph"><p>I will publish a complete CloudFormation script in one of the following blog posts but will only talk about the <a href="https://aws.amazon.com/codebuild/" target="_blank" rel="noopener">AWS CodeBuild</a> part today.</p></div><div class="paragraph"><p>During the Build process I need a functionality which generates the static HTML files based on my Hugo and asciidoc files in my GitHub repo. The easiest way getting this functionality is to use a Docker container which has Hugo and asciidoctor installed.</p></div><div class="paragraph"><p>So let’s start this by creating a build project in AWS CodeBuild by clicking on <code>Create project</code> and defining a ProjectName <code>BuildContainerForHTML</code>.</p></div><div class="paragraph"><p>During the creation of your build project you can choose either if you want to use an AWS Managed Docker Image or if you want to use a Custom Image:</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/DockerImage.png" alt="Which Docker Image"/></div></div><div class="paragraph"><p>Here we will choose <code>Managed Image</code> and will use following parameters:</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/DockerImage02.png" alt="Image Settings"/></div></div><div class="paragraph"><p>This means we will use the standard AWS Ubuntu 14.04 Base Docker container, so nothing installed per default.</p></div><div class="paragraph"><p>Now we need to install the needed software which is defined through a file called buildspec.yml (which should be placed in the source code root directory → GitHub repo).<br/></p></div><div class="paragraph"><p>Hardest part for me was to find out how the <a href="https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html" target="_blank" rel="noopener">buildspec.yml</a> has to look like. This buildspec file is used to create the build commands which will be used in the docker container.<br/>As you can see I’m only using two phases in this example and define the output artifact:</p></div><div class="listingblock"><div class="title">buildspec.yml</div><div class="content"><pre class="highlight"><code class="language-yaml" data-lang="yaml">version: 0.2 phases: install: commands: - echo Entered the install phase... - apt-get -qq update &amp;&amp; apt-get -qq install curl - apt-get -qq install asciidoctor - curl -s -L https://github.com/gohugoio/hugo/releases/download/v0.53/hugo_0.53_Linux-64bit.deb -o hugo.deb - dpkg -i hugo.deb finally: - echo Installation done build: commands: - echo Entered the build phase ... - echo Build started on `date` - cd $CODEBUILD_SRC_DIR - rm -f buildspec.yml &amp;&amp; rm -f .git &amp;&amp; rm -f README.md - hugo --quiet finally: - echo Building the HTML files finishedartifacts: files: - &#39;**/*&#39; base-directory: $CODEBUILD_SRC_DIR/public/ discard-paths: no</code></pre></div></div><div class="dlist"><dl><dt class="hdlist1"><strong>install:</strong></dt><dd><p>Here we have all commands to install Hugo and asciidoctor</p></dd><dt class="hdlist1"><strong>build:</strong></dt><dd><p>Here we switch to the directory with the source files from GitHub ($CODEBUILD_SRC_DIR) &amp; execute the Hugo build command which will create all static pages in the directory <strong>public</strong></p></dd><dt class="hdlist1"><strong>artifacts:</strong></dt><dd><p>here we define $CODEBUILD_SRC_DIR/public/ as base directory and add all files in this directory to the output artifact</p></dd></dl></div><div class="paragraph"><p>We also have to define a Policy which should be used by the CodeBuild Project. In this example we only need access to the Input (kbil-artifacts) and Output (kbild-yourwebsite) S3 bucket and the CloudWatch logs. Following policy is used:</p></div><div class="listingblock"><div class="title">CodeBuild Policy</div><div class="content"><pre class="highlight"><code class="language-json" data-lang="json">---{ &#34;Version&#34;: &#34;2012-10-17&#34;, &#34;Statement&#34;: [ { &#34;Action&#34;: &#34;s3:*&#34;, &#34;Resource&#34;: [ &#34;arn:aws:s3:::kbild-yourwebsite&#34;, &#34;arn:aws:s3:::kbild-yourwebsite/*&#34;, &#34;arn:aws:s3:::kbil-artifacts&#34;, &#34;arn:aws:s3:::kbil-artifacts/*&#34; ], &#34;Effect&#34;: &#34;Allow&#34;, &#34;Sid&#34;: &#34;VisualEditor0&#34; }, { &#34;Action&#34;: &#34;logs:*&#34;, &#34;Resource&#34;: &#34;*&#34;, &#34;Effect&#34;: &#34;Allow&#34;, &#34;Sid&#34;: &#34;VisualEditor1&#34; } ]}---</code></pre></div></div><div class="paragraph"><p>This Build Project can now be added to the Code Pipeline as Build Stage.<br/><code>SourceCode</code> artifact from GitHub will be used as input and the <strong>public html files</strong> will be exported as <code>PublicFiles</code> artifact which will be send to S3 later on.</p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/BuildAction.png" alt="Build Action"/></div></div><div class="paragraph"><p>After pushing a new blog post to the GitHub Repo we will see our CodePipeline in full action:<br/></p></div><div class="imageblock"><div class="content"><img src="https://kbild.ch/201902/Buildpipeline.png" alt="Build Pipeline"/></div></div><div class="paragraph"><p>Nice!</p></div><div class="paragraph"><p>Adding additional stages and steps is pretty easy and I guess I will use CodePipelines a lot in future.</p></div><div class="paragraph"><p>Stay tuned for a CloudFormation script which will create the whole pipeline.<br/></p></div></description> </item> <item> <title>Back after a looong Time, Hello World!</title> <link>https://kbild.ch/blog/2019-01-26-backblogging/</link> <pubDate>Sat, 26 Jan 2019 15:06:10 +0000</pubDate> <guid>https://kbild.ch/blog/2019-01-26-backblogging/</guid> <description><div class="paragraph"><p>It was quiet on this blog for a very long time.I was pretty busy in private and business life and lost my blogging/social media mojo completely.</p></div><div class="paragraph"><p>Doing a lot of new stuff recently and changing my <a href="https://kbild.ch/about/">job role</a> I decided to start this blog over again but with some changes:</p></div><div class="sect1"><h2 id="_new_topics">New Topics</h2><div class="sectionbody"><div class="ulist"><ul><li><p>Hybrid Cloud Infrastructures</p></li><li><p>AWS, especially System Engineer stuff</p></li><li><p>MS Azure and how to combine it with other Cloud Services</p></li><li><p>IoT@Home, insights into stuff I do in my free time</p></li><li><p>Stuff that works for me</p></li></ul></div></div></div><div class="sect1"><h2 id="_new_blog_design_framework_thx_stoeps_for_the_idea">New Blog Design &amp; Framework (thx <a href="https://stoeps.de/2018/07/14/2018-07-14-new-blog-engine/" target="_blank" rel="noopener">Stoeps</a> for the idea)</h2><div class="sectionbody"><div class="ulist"><ul><li><p>Hugo and AsciiDoc</p></li><li><p>AWS S3 and Cloudfront</p></li><li><p>Build pipeline</p></li></ul></div><div class="paragraph"><p>Hoping to get my old readers back and finding some new readers in the future.Comments always welcome (Blog, Twitter, Email)</p></div><div class="paragraph"><p>Good to be back!</p></div></div></div></description> </item> </channel></rss>
