def __init__()

in terraform/cicd/Base.py [0:0]


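    def __init__(self, app: core.App, id: str, props, **kwargs) -> None:
        """Create the base CI/CD resources for the terraform pipeline.

        Builds a versioned S3 source bucket, an SSM parameter holding the
        bucket name, two CodeBuild pipeline projects ("DockerBuild" and
        "scan") and the IAM grants attached to their roles.

        Args:
            app: Parent CDK app/scope.
            id: Construct id of this stack.
            props: Mapping that must contain 'namespace'; it is copied into
                ``self.output_props`` together with the created resources.
            **kwargs: Forwarded unchanged to the parent constructor.
        """
        super().__init__(app, id, **kwargs)

        namespace = props['namespace']

        # pipeline requires versioned bucket
        # NOTE(review): no encryption, block_public_access or enforce_ssl
        # arguments are passed, so the bucket relies on service/account
        # defaults - confirm that is intended for pipeline artifacts.
        bucket = aws_s3.Bucket(
            self, "SourceBucket",
            #bucket_name=f"{props['namespace'].lower()}-{core.Aws.ACCOUNT_ID}",
            versioned=True,
            removal_policy=core.RemovalPolicy.DESTROY)

        # ssm parameter to get bucket name later; the construct registers
        # itself on the stack, so no local reference is kept
        aws_ssm.StringParameter(
            self, "ParameterB",
            parameter_name=f"/{namespace}/bucket",
            string_value=bucket.bucket_name,
            description='terraform pipeline bucket'
        )

        # codebuild project meant to run in pipeline
        # NOTE(review): the build image is pulled from a public registry by the
        # mutable ':latest' tag, so the code executed in the build can change
        # without any change to this stack. Prefer pinning by digest
        # (name='<registry>/<repo>@sha256:<DIGEST_PLACEHOLDER>') or mirroring
        # the image into a private ECR repository, as the commented-out
        # from_ecr_repository alternative below did.
        cb_docker_build = aws_codebuild.PipelineProject(
            self, "DockerBuild",
            project_name=f"{namespace}-setup",
            build_spec=aws_codebuild.BuildSpec.from_source_filename(
                filename='terraform/cicd/pipeline_delivery/docker_build_buildspec.yml'),
            environment=aws_codebuild.BuildEnvironment(
                # privileged mode stays off: the build gets no Docker daemon access
                privileged=False,
                #build_image=aws_codebuild.LinuxBuildImage.from_ecr_repository(repository=docker_asset.repository, tag=docker_asset.asset_hash)
                build_image=aws_codebuild.LinuxBuildImage.from_docker_registry(
                    name='public.ecr.aws/f3n2w4j5/policy-as-code:latest')
            ),
            # expose a 'tag' variable (value 'terraform') to the build
            environment_variables={
                'tag': aws_codebuild.BuildEnvironmentVariable(
                    value='terraform')
            },
            description='Pipeline for CodeBuild',
            timeout=core.Duration.minutes(15),
        )

        # scan project: same image and 'tag' variable as DockerBuild, so the
        # ':latest' pinning note above applies here as well
        scan = aws_codebuild.PipelineProject(
            self, "scan",
            project_name=f"{namespace}-scan",
            build_spec=aws_codebuild.BuildSpec.from_source_filename(
                filename='scan_buildspec.yml'),
            environment=aws_codebuild.BuildEnvironment(
                privileged=False,
                build_image=aws_codebuild.LinuxBuildImage.from_docker_registry(
                    name='public.ecr.aws/f3n2w4j5/policy-as-code:latest')
            ),
            environment_variables={
                'tag': aws_codebuild.BuildEnvironmentVariable(
                    value='terraform')
            },
            description='Codebuild Scan',
            timeout=core.Duration.minutes(15),
        )

        # codebuild iam permissions to read write s3 (scoped to this bucket)
        bucket.grant_read_write(cb_docker_build)

        # export the bucket name as a stack output
        core.CfnOutput(
            self, "S3Bucket",
            description="S3 Bucket",
            value=bucket.bucket_name
        )

        # NOTE(review): s3:CreateBucket is allowed on every resource; if the
        # build only creates buckets under a known name prefix, scope the
        # resource ARN to that prefix.
        cb_docker_build.role.add_to_policy(aws_iam.PolicyStatement(
            effect=aws_iam.Effect.ALLOW,
            actions=['s3:CreateBucket'],
            resources=["*"]
            )
        )

        # Grants for the scan project. The original note tied these to using
        # terraform and regula, but they are attached unconditionally.
        # NOTE(review): AmazonS3FullAccess and AWSKeyManagementServicePowerUser
        # are account-wide managed policies, and the inline KMS statement also
        # targets "*". Anything running in the scan build (including the
        # unpinned public image) inherits them. Replace with statements limited
        # to the buckets and keys the scan actually touches once those are known.
        scan.role.add_managed_policy(
            aws_iam.ManagedPolicy.from_aws_managed_policy_name('AmazonS3FullAccess')
        )
        scan.role.add_managed_policy(
            aws_iam.ManagedPolicy.from_aws_managed_policy_name('AWSKeyManagementServicePowerUser')
        )
        scan.role.add_to_policy(aws_iam.PolicyStatement(
            effect=aws_iam.Effect.ALLOW,
            actions=[
                'kms:EnableKeyRotation',
                'kms:GetKeyRotationStatus'
            ],
            resources=["*"]
            )
        )

        # hand the created resources to downstream stacks via a copy of props
        self.output_props = props.copy()
        self.output_props['bucket'] = bucket
        self.output_props['cb_docker_build'] = cb_docker_build
        self.output_props['cb_scan'] = scan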