aws-samples / aws-cross-account-cicd-pipeline Goto Github PK

Example of how to use CDK to create a CodePipeline CI/CD pipeline, and how to configure it to deploy resources on different AWS Accounts.

License: MIT No Attribution

JavaScript 10.77% TypeScript 64.41% PowerShell 24.82%

aws-cross-account-cicd-pipeline's Introduction

Cross-account CI/CD Pipeline

This is an example of a CodePipeline cross-account CI/CD pipeline. The pipeline leverages CodeCommit as a Git repository, CodeBuild to package the source code for a sample Lambda and to build a CloudFormation template for our application. Moreover, the pipeline uses CodeDeploy to deploy the sample application. In this example, the pipeline is provisioned on a development account, and deploys the sample application on both the development (the same as the pipeline) and the production account (specified by the user).

This example also configures the S3 bucket ArtifactStore to be accessed from a different AWS account, and the AWS Key Management Service (KMS) key to decrypt the artifacts.

The CDK consists of the following stacks:

DevApplicationStack: the sample application to be deployed by the pipeline on the dev environment
ProdApplicationStack: the sample application to be deployed by the pipeline on the prod environment
CrossAccountPipelineStack: the pipeline itself, along with other resources like CodeBuild, S3, KMS, etc.
RepositoryStack: a CodeCommit Git repository

Build

To build this app, you need to be in this example's root folder. Then run the following:

npm install -g aws-cdk
npm install
npm run build

This will install the necessary CDK, then this example's dependencies, and then build your TypeScript files and your CloudFormation template.

Create Production IAM Roles

On the production AWS Account:

Create an IAM Role named CodePipelineCrossAccountRole
Create an IAM Role named CloudFormationDeploymentRole

Deploy CodeCommit Repository

Run cdk deploy RepositoryStack. This will deploy / redeploy your RepositoryStack to your AWS Account.

Deploy CI/CD Pipeline

Set a variable named PROD_ACCOUNT_ID with the production AWS Account ID

Run cdk deploy CrossAccountPipelineStack --context prod-account=${PROD_ACCOUNT_ID}. This will deploy / redeploy your CrossAccountPipelineStack to your AWS Account.

After the deployment, you will see the KMS key used to encrypt / decrypt the objects on the ArtifactStore.

Configure Production IAM Policies

On the production AWS Account:

Add an Inline Policy to the CodePipelineCrossAccountRole with this value:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:*",
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}",
                "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [ 
                "kms:DescribeKey", 
                "kms:GenerateDataKey*", 
                "kms:Encrypt", 
                "kms:ReEncrypt*", 
                "kms:Decrypt" 
            ], 
            "Resource": "{KEY_ARN}",
            "Effect": "Allow"
        }
    ]
}

Add an Inline Policy to the CloudFormationDeploymentRole with this value:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::{PROD_ACCOUNT_ID}:role/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:GetRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::{PROD_ACCOUNT_ID}:role/*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "apigateway:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "codedeploy:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ssm:GetParameters",
            "Resource": "arn:aws:ssm:*:*:parameter/cdk-bootstrap/hnb659fds/version",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}",
                "arn:aws:s3:::artifact-bucket-{DEV_ACCOUNT_ID}/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "{KEY_ARN}",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStack*",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate*",
                "cloudformation:SetStackPolicy",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "arn:aws:cloudformation:us-east-2:{PROD_ACCOUNT_ID}:stack/ProdApplicationDeploymentStack/*",
            "Effect": "Allow"
        }
    ]
}

License

This library is licensed under the MIT-0 License. See the LICENSE file.

aws-cross-account-cicd-pipeline's People

Contributors

Stargazers

Watchers

aws-cross-account-cicd-pipeline's Issues

Access denied from production to develop SSM

The pipeline stop on the production deploy with error

AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: xoxoxoxoxox ; Proxy: null)

The fix was grant the SSM access on policy CloudFormationDeploymentPolicy

{
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:GetParameterHistory"
            ],
            "Resource": "arn:aws:ssm:*:235613696152:parameter/*"
}

Initial Pipeline Run failing in CodeBuild

I am not sure what is going wrong here.

[Container] 2022/11/08 19:00:43 Running command npm run cdk synth
> [email protected] cdk /codebuild/output/src720320611/src
> cdk "synth"
/codebuild/output/src720320611/src/node_modules/aws-cdk/lib/index.js:12413
home = path.join((os.userInfo().homedir ?? os.homedir()).trim(), ".cdk");
^
SyntaxError: Unexpected token '?'
at wrapSafe (internal/modules/cjs/loader.js:915:16)
at Module._compile (internal/modules/cjs/loader.js:963:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Module.require (internal/modules/cjs/loader.js:887:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/codebuild/output/src720320611/src/node_modules/aws-cdk/bin/cdk.js:3:15)
at Module._compile (internal/modules/cjs/loader.js:999:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] cdk: `cdk "synth"`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] cdk script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2022-11-08T19_00_44_272Z-debug.log
[Container] 2022/11/08 19:00:44 Command did not exit successfully npm run cdk synth exit status 1

Following the "Building a Cross-account CI/CD Pipeline" workshop. The npm build is failing

Hello,

I am following along with the Building a Cross-account CI/CD Pipeline. I am at the Build CDK project stage. Looks like whenever run the npm run build it is showing the following errors.

Then when I run cdk ls it also shows an error. I guess that is also expected after the npm build issue

I have the following versions

CrossAccountPipelineStack failed due to KMS policy

| CREATE_FAILED | AWS::KMS::Key | ArtifactKey8D84C5F0
Resource handler returned message: "Policy contains a statement with one or more invalid principals. (Service: Kms, Status Code: 400, Request ID: 254dc5b5-87ee-4a48-84fe-99
3e5f524150)" (RequestToken: 41b9c277-055c-64f0-8e74-f58d6922239a, HandlerErrorCode: InvalidRequest)

Workshop should include step to bootstrap cdk

cdk bootstrap is never mentioned in the Workshop instructions but is required before the cdk deploy will run.

Should be updated here:
https://catalog.us-east-1.prod.workshops.aws/v2/workshops/00bc829e-fd7c-4204-9da1-faea3cf8bd88/en-US/repository-stack/deploy-code-commit

The production environment should also be bootstrapped.

npm install command failing

When running npm install I get the following error:

npm WARN conflict A git conflict was detected in package-lock.json. Attempting to auto-resolve.
npm WARN conflict To make this happen automatically on git rebase/merge, consider using the npm-merge-driver:
npm WARN conflict $ npx npm-merge-driver install -g
npm ERR! conflict Automatic conflict resolution failed. Please manually resolve conflicts in package-lock.json and try again.
npm ERR! Unexpected token < in JSON at position 119 while parsing near '...kages": {
npm ERR!     "": {
npm ERR! <<<<<<< HEAD
npm ERR!       "...'

Here are the versions in my environment:
npm: 6.14.7
cdk: 2.50.0
tsc: 4.8.4

"Unable to fetch parameters" exception during deployment on production

Observed this during the last step of the pipeline, when deploying to the production account. Full error message is "Unable to fetch parameters [/cdk-bootstrap/hnb659fds/version] from parameter store for this account."

Not investigated the root cause, but was able to workaround it by manually creating the mentioned parameter in Parameter Store on the production account, using the same name and value as in the developer account.

INVALID PRINCIPAL

Resource handler returned message: "An ARN in the specified key policy is invalid. (Service: Kms, Status Code: 400, Request ID: a560acfa-b83a-4ce1-955c-11de0405f217)" (RequestToken: ddc1b756-fd31-8df3-32bf-5a86610a1d10, HandlerErrorCode: InvalidRequest)

I have follow same but still no luck.

Also, have provide cross account details in cdk.json and get in stack but getting same error as above.

Any one can please take look once.

This need to be updated with CDK v2

The code example here are using CDK v1.
Now CDK v2 is out and CDK v1 is in maintenance mode.

CDK Bootstrap roles

Thank you @rafaelgsr for the example,

I was actually led here by my stackoverflow question at: https://stackoverflow.com/questions/69806861/add-permissions-to-aws-cdk-pipelines-cross-account-execution-role/69965471#69965471

In your example the roles are "manually" setup. I was looking for a solution more inline with my current cdk pipeline model.

Would it be possible to use the existing bootstrapping roles?

CDK Synth pipeline step fails because of old version of Node used in the build image

LinuxBuildImage.AMAZON_LINUX_2_ARM_2 is the build image used for the CodePipeline pipelines CDK_Synth & Application_Build. This image includes Node 10.24.1 & Node 12.22.2 (please see the Dockerfile) but not Node 14, as is required in the README and the pipeline build fails.

This causes the CDK Synth step to fail because of an unsupported language feature (the ?? operator) being used in the code. The code should probably use another image which provides the required Node version.

Stack Failed due to crossaccount role not FOUND.

Hello ,

I have face below error,

CodepipelineStack | 19/33 | 9:17:22 am | CREATE_FAILED | AWS::IAM::Policy | ProdCrossAccountRole/PolicyCodepipelineStackProdCrossAccountRoleB6C33F0B (ProdCrossAccountRolePolicyCodepipelineStackProdCrossAccountRoleB6C33F0B8880DEDA) The role with name MyCrossAccountRole cannot be found. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 5df526d0-5f35-4d64-9b39-1adc08b3383f; Proxy: null)

package-lock.json has a merge conflict

e571ea0 introduced a merge conflict in package-lock.json

Newer versions of npm will, apparently, ignore the file altogether in this case and re-resolve the dependencies, but older versions will just fail.

Missing Trust Relationship definition in readme

In the readme the documentation is incomplete for the IAM roles that need to be created. I would replace:

Create an IAM Role named CodePipelineCrossAccountRole
Create an IAM Role named CloudFormationDeploymentRole

with:

Create an IAM Role named CodePipelineCrossAccountRole with Trusted entities:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{ROOT_ACCOUNT_ID}:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create an IAM Role named CloudFormationDeploymentRole with Trusted entities:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Use CDKv2

AccessDenied. User doesn't have permission to call ssm:GetParameters

Hello,

Getting Error like above when code pipeline deploy stage start execution for cross account deploy.

AnyOne have any idea...

Why both DeploymentRole and CrossAccountRole need to access the ArtifactBucket in DevAcc?

Thanks for this great workshop. I could not figure out whey both the DeploymentRole and CrossAccountRole need to access the ArtifactBucket in the Development Account? I think that only the DeploymentRole needs access to the artifact bucket. So could you add some explanation?