Full Blog TOC

Full Blog Table Of Content with Keywords Available HERE

Wednesday, October 6, 2021

Setup CodeBuild Project using CloudFormation


 


In this post we will review a CloudFormation stack to create all the required AWS resources for a new CodeBuild project.


We assume that we already have a GIT repository stored in AWS CodeCommit, and an included Dockerfile that builds the related image.


First we specify the stack parameters: 

  • The AWS account
  • The region
  • The CodeCommit name 
  • The image name to be build from this project



Parameters:

ParameterAccountId:
Type: String
Default: "123456789012"
ParameterRegion:
Type: String
Default: us-east-1
ParameterCodeCommitName:
Type: String
Default: my
ParameterImageName:
Type: String
Default: my-image



The stack now specifies the resources. We will review each resource.



Resources:



The first resource is the ECR. We create a dedicated ECR for this project.



ecrRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName: !Ref ParameterImageName



Another requirement is the S3 bucket that is required for storing of the CodeBuild logs. We will use a life-cycle policy to remove logs older than a week.



s3LogsBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join
- "-"
- - my-codebuild-logs
- !Ref ParameterImageName
LifecycleConfiguration:
Rules:
- Id: DeleteOldFiles
Status: Enabled
ExpirationInDays: 7



Now we can create a role that the CodeBuild project uses. It includes a policy allowing the following:

  • Pull image from the ECR (for caching of previous build)
  • Push Image to the ECR
  • Pull the code from the CodeCommit
  • Save logs to the S3 bucket



codebuildProjectRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Join
- "-"
- - my-cloudbuild-role
- !Ref ParameterImageName
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Principal:
Service:
- codebuild.amazonaws.com
Policies:
- PolicyName: !Join
- "-"
- - my-bloudbuild-policy
- !Ref ParameterImageName
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ecr:BatchCheckLayerAvailability
- ecr:BatchGetImage
- ecr:CompleteLayerUpload
- ecr:DescribeImages
- ecr:DescribeRepositories
- ecr:DescribeImageScanFindings
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
- ecr:GetRepositoryPolicy
- ecr:InitiateLayerUpload
- ecr:ListImages
- ecr:ListTagsForResource
- ecr:PutImage
- ecr:UploadLayerPart
Resource:
- "*"
- Effect: Allow
Action:
- codecommit:GitPull
Resource:
- !Join
- ":"
- - arn:aws:codecommit
- !Ref ParameterRegion
- !Ref ParameterAccountId
- !Ref ParameterCodeCommitName
- Effect: Allow
Action:
- s3:*
Resource:
- !Join
- "/"
- - !GetAtt s3LogsBucket.Arn
- "*"



Finally we can configure the actual CodeBuild project, which uses the source from the CodeCommit, and run the actual CodeBuild according to the buildspec.yaml which is located in the root of the CodeCommit Git repository. We send environment variables for the buildspec.yaml, enabling it to use them in its shell commands.



codeBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Name: !Join
- "-"
- - my-codebuild-project
- !Ref ParameterImageName
Source:
Type: CODECOMMIT
Location: !Join
- "/"
- - "https:/"
- !Join
- "."
- - git-codecommit
- !Ref ParameterRegion
- amazonaws.com
- v1/repos
- !Ref ParameterCodeCommitName

BuildSpec: buildspec.yaml
Artifacts:
Type: NO_ARTIFACTS
Environment:
Type: LINUX_CONTAINER
Image: aws/codebuild/standard:4.0
ComputeType: BUILD_GENERAL1_SMALL
PrivilegedMode: true
EnvironmentVariables:
- Name: awsRegion
Value: !Ref ParameterRegion
Type: PLAINTEXT
- Name: awsAccount
Value: !Ref ParameterAccountId
Type: PLAINTEXT
- Name: imageName
Value: !Ref ParameterImageName
Type: PLAINTEXT
- Name: imageVersion
Value: latest
Type: PLAINTEXT
ServiceRole: !GetAtt codebuildProjectRole.Arn
LogsConfig:
CloudWatchLogs:
Status: DISABLED
S3Logs:
Status: ENABLED
Location: !GetAtt s3LogsBucket.Arn
EncryptionDisabled: true


In the next post, I will provide an example for a buildspec.yaml, and an example of how build the image and push it to the ECR.



No comments:

Post a Comment