
Commit

fix: DBTP-1394 - Fix platform-helper environment generate command in …
…environment pipeline apply stage (#236)
JohnStainsby authored Sep 25, 2024
1 parent c3d5bbc commit f0b7bc1
Showing 4 changed files with 53 additions and 12 deletions.
28 changes: 20 additions & 8 deletions environment-pipelines/buildspec-apply.yml
Expand Up @@ -19,23 +19,35 @@ phases:
- terraform apply plan.tfplan
- echo -e "\nGenerating manifests and deploying AWS Copilot environment resources"
- cd "${CODEBUILD_SRC_DIR}"
- |
codebuild_assumed_role=$(aws sts assume-role --role-arn "${CURRENT_CODEBUILD_ROLE}" --role-session-name "environment-pipeline-platform-helper-generate-$(date +%s)")
AWS_ACCESS_KEY_ID=$(echo $codebuild_assumed_role | jq -r .Credentials.AccessKeyId)
AWS_SECRET_ACCESS_KEY=$(echo $codebuild_assumed_role | jq -r .Credentials.SecretAccessKey)
AWS_SESSION_TOKEN=$(echo $codebuild_assumed_role | jq -r .Credentials.SessionToken)
export PROFILE_NAME="${AWS_PROFILE_FOR_COPILOT}"
aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}" --profile "${PROFILE_NAME}"
aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}" --profile "${PROFILE_NAME}"
aws configure set aws_session_token "${AWS_SESSION_TOKEN}" --profile "${PROFILE_NAME}"
aws configure set region "eu-west-2" --profile "${PROFILE_NAME}"
aws configure set output "json" --profile "${PROFILE_NAME}"
export AWS_PROFILE="${PROFILE_NAME}"
- platform-helper environment generate --name "${ENVIRONMENT}"
- |
if [[ "${AWS_PROFILE_FOR_COPILOT}" == *"prod"* ]]
then
echo -e "\nAssuming role to deploy AWS Copilot environment resources in prod account"
assumed_role=$(aws sts assume-role --role-arn "${TRIGGERING_ACCOUNT_CODEBUILD_ROLE}" --role-session-name "trigger-copilot-env-deploy-$(date +%s)")
NON_PROD_AWS_ACCESS_KEY_ID=$(echo $assumed_role | jq -r .Credentials.AccessKeyId)
NON_PROD_AWS_SECRET_ACCESS_KEY=$(echo $assumed_role | jq -r .Credentials.SecretAccessKey)
NON_PROD_AWS_SESSION_TOKEN=$(echo $assumed_role | jq -r .Credentials.SessionToken)
triggering_account_assumed_role=$(aws sts assume-role --role-arn "${TRIGGERING_ACCOUNT_CODEBUILD_ROLE}" --role-session-name "environment-pipeline-copilot-env-deploy-$(date +%s)")
AWS_ACCESS_KEY_ID=$(echo $triggering_account_assumed_role | jq -r .Credentials.AccessKeyId)
AWS_SECRET_ACCESS_KEY=$(echo $triggering_account_assumed_role | jq -r .Credentials.SecretAccessKey)
AWS_SESSION_TOKEN=$(echo $triggering_account_assumed_role | jq -r .Credentials.SessionToken)
export PROFILE_NAME="${TRIGGERING_ACCOUNT_AWS_PROFILE}"
aws configure set aws_access_key_id "${NON_PROD_AWS_ACCESS_KEY_ID}" --profile "${PROFILE_NAME}"
aws configure set aws_secret_access_key "${NON_PROD_AWS_SECRET_ACCESS_KEY}" --profile "${PROFILE_NAME}"
aws configure set aws_session_token "${NON_PROD_AWS_SESSION_TOKEN}" --profile "${PROFILE_NAME}"
aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}" --profile "${PROFILE_NAME}"
aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}" --profile "${PROFILE_NAME}"
aws configure set aws_session_token "${AWS_SESSION_TOKEN}" --profile "${PROFILE_NAME}"
aws configure set region "eu-west-2" --profile "${PROFILE_NAME}"
aws configure set output "json" --profile "${PROFILE_NAME}"
export AWS_PROFILE="${PROFILE_NAME}"
fi
fi
- copilot env init --name "${ENVIRONMENT}" --profile "${AWS_PROFILE_FOR_COPILOT}" --default-config
- copilot env deploy --name "${ENVIRONMENT}"
post_build:
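Review bot: The new self-assume block that precedes `platform-helper environment generate` never checks that `aws sts assume-role` succeeded; the block's exit status is presumably that of its final `export`, so a failed call leaves `codebuild_assumed_role` empty, each `jq` prints `null`, and `aws configure set` writes a profile holding literal `null` credentials that only fails later, at the generate step, with a misleading authentication error. Prefix the block with `set -eo pipefail` so the failure stops the stage where it occurs (the script already relies on bash via `[[`), and feed the JSON to `jq` without an unquoted expansion, e.g. `AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' <<< "$codebuild_assumed_role")`, applying the same shape to the other two `echo … | jq` lines here and to the three `triggering_account_assumed_role` lines in the prod branch. The `phases:` block this hunk edits begins and ends outside the hunk.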
27 changes: 27 additions & 0 deletions environment-pipelines/iam.tf
Expand Up @@ -81,6 +81,26 @@ data "aws_iam_policy_document" "assume_codebuild_role" {
actions = ["sts:AssumeRole"]
}

statement {
effect = "Allow"

principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}

actions = ["sts:AssumeRole"]

condition {
test = "StringLike"
variable = "sts:RoleSessionName"

values = [
"environment-pipeline-platform-helper-generate-*"
]
}
}

dynamic "statement" {
for_each = toset(local.triggers_another_pipeline ? [""] : [])
content {
Expand Down Expand Up @@ -803,6 +823,13 @@ data "aws_iam_policy_document" "iam" {
]
}
}

statement {
actions = [
"sts:AssumeRole"
]
resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.application}-${var.pipeline_name}-environment-pipeline-codebuild"]
}
}

data "aws_iam_policy_document" "codepipeline" {
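Review bot: The new trust statement in `assume_codebuild_role` names the account root principal (`arn:aws:iam::<account>:root`), which lets any identity in the account that carries an identity-policy `sts:AssumeRole` on this role assume it; the `StringLike` condition on `sts:RoleSessionName` does not narrow that set, because the session name is chosen by the caller, so it only labels the resulting sessions for CloudTrail. Since the intent, judging by the second hunk that grants the pipeline role `sts:AssumeRole` on itself, is self-assumption only, add a principal-scoping condition to the same statement: a second `condition` block with `test = "ArnEquals"`, `variable = "aws:PrincipalArn"` and `values = [local.current_codebuild_role_arn]` — `aws:PrincipalArn` carries the role ARN for assumed-role sessions, and using the local rather than the role resource's attribute avoids a self-reference cycle. The `resources` line in the second hunk assembles that same ARN by hand; it should reference `local.current_codebuild_role_arn` as well so the trust statement, the identity policy and the buildspec variable cannot drift apart. Both `data "aws_iam_policy_document"` blocks extend beyond the hunks.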
2 changes: 2 additions & 0 deletions environment-pipelines/locals.tf
Expand Up @@ -39,6 +39,7 @@ locals {
triggering_pipeline_name = local.triggered_by_another_pipeline ? one(local.list_of_triggering_pipelines).name : null
triggering_pipeline_codebuild_role = local.triggered_by_another_pipeline ? "arn:aws:iam::${local.triggering_account_id}:role/${var.application}-${local.triggering_pipeline_name}-environment-pipeline-codebuild" : null

current_codebuild_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.application}-${var.pipeline_name}-environment-pipeline-codebuild"

initial_stages = [for env in local.environment_config : [
# The first element of the inner list for an env is the Plan stage.
Expand Down Expand Up @@ -94,6 +95,7 @@ locals {
{ name : "SLACK_CHANNEL_ID", value : var.slack_channel, type : "PARAMETER_STORE" },
{ name : "SLACK_REF", value : "#{slack.SLACK_REF}" },
{ name : "SLACK_THREAD_ID", value : "#{variables.SLACK_THREAD_ID}" },
{ name : "CURRENT_CODEBUILD_ROLE", value : local.current_codebuild_role_arn },
local.triggered_by_another_pipeline ? { name : "TRIGGERING_ACCOUNT_CODEBUILD_ROLE", value : local.triggering_pipeline_codebuild_role } : null,
local.triggered_by_another_pipeline ? { name : "TRIGGERING_ACCOUNT_AWS_PROFILE", value : local.triggering_pipeline_account_name } : null,
])
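Review bot: `current_codebuild_role_arn` is introduced without a comment saying why the pipeline's own role ARN is handed to the apply stage, and the neighbouring locals give no hint that the role assumes itself. Add above the new local `# ARN of this pipeline's own CodeBuild role; the apply buildspec assumes it (session name environment-pipeline-platform-helper-generate-*) to obtain a profile-scoped credential set for platform-helper and copilot.` and, on the `CURRENT_CODEBUILD_ROLE` entry, `# Consumed by buildspec-apply.yml; must match the trust statement in iam.tf.` The `locals` block starts and ends outside both hunks.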
8 changes: 4 additions & 4 deletions environment-pipelines/tests/unit.tftest.hcl
Expand Up @@ -1094,12 +1094,12 @@ run "test_triggered_pipelines" {
}

assert {
condition = aws_codepipeline.environment_pipeline.stage[3].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"dev\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"sandbox\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"TRIGGERING_ACCOUNT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::000123456789:role/my-app-my-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_AWS_PROFILE\",\"value\":\"sandbox\"}]"
condition = aws_codepipeline.environment_pipeline.stage[3].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"dev\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"sandbox\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"CURRENT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my-app-triggered-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::000123456789:role/my-app-my-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_AWS_PROFILE\",\"value\":\"sandbox\"}]"
error_message = "Configuration Env Vars incorrect"
}

assert {
condition = aws_codepipeline.environment_pipeline.stage[6].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"prod\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"prod\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"TRIGGERING_ACCOUNT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::000123456789:role/my-app-my-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_AWS_PROFILE\",\"value\":\"sandbox\"}]"
condition = aws_codepipeline.environment_pipeline.stage[6].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"prod\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"prod\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"CURRENT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my-app-triggered-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::000123456789:role/my-app-my-pipeline-environment-pipeline-codebuild\"},{\"name\":\"TRIGGERING_ACCOUNT_AWS_PROFILE\",\"value\":\"sandbox\"}]"
error_message = "Configuration Env Vars incorrect"
}
}
Expand Down Expand Up @@ -1255,7 +1255,7 @@ run "test_stages" {
error_message = "Configuration PrimarySource incorrect"
}
assert {
condition = aws_codepipeline.environment_pipeline.stage[3].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"dev\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"sandbox\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},null,null]"
condition = aws_codepipeline.environment_pipeline.stage[3].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"dev\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"sandbox\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"CURRENT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my-app-my-pipeline-environment-pipeline-codebuild\"},null,null]"
error_message = "Configuration Env Vars incorrect"
}

Expand Down Expand Up @@ -1405,7 +1405,7 @@ run "test_stages" {
error_message = "Configuration PrimarySource incorrect"
}
assert {
condition = aws_codepipeline.environment_pipeline.stage[6].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"prod\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"prod\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},null,null]"
condition = aws_codepipeline.environment_pipeline.stage[6].action[0].configuration.EnvironmentVariables == "[{\"name\":\"ENVIRONMENT\",\"value\":\"prod\"},{\"name\":\"AWS_PROFILE_FOR_COPILOT\",\"value\":\"prod\"},{\"name\":\"SLACK_CHANNEL_ID\",\"type\":\"PARAMETER_STORE\",\"value\":\"/codebuild/slack_pipeline_notifications_channel\"},{\"name\":\"SLACK_REF\",\"value\":\"#{slack.SLACK_REF}\"},{\"name\":\"SLACK_THREAD_ID\",\"value\":\"#{variables.SLACK_THREAD_ID}\"},{\"name\":\"CURRENT_CODEBUILD_ROLE\",\"value\":\"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my-app-my-pipeline-environment-pipeline-codebuild\"},null,null]"
error_message = "Configuration Env Vars incorrect"
}
}

0 comments on commit f0b7bc1
