In this post we review a CloudFormation stack that creates every AWS resource a new CodeBuild project needs to build a container image and push it to ECR.
We assume that a Git repository already exists in AWS CodeCommit and that it contains the Dockerfile for the image.
First we specify the stack parameters:
- The AWS account ID
- The region
- The CodeCommit repository name
- The name of the image to be built by this project
```yaml
Parameters:
  ParameterAccountId:
    Type: String
    Default: "123456789012"
  ParameterRegion:
    Type: String
    Default: us-east-1
  ParameterCodeCommitName:
    Type: String
    Default: my
  ParameterImageName:
    Type: String
    Default: my-image
```
The rest of the template lives under the Resources key. We review each resource in turn; the fragments below are shown indented as they sit under that key.

```yaml
Resources:
```
The first resource is the ECR repository. A dedicated repository per project lets us scope the build role to this one repository instead of to every repository in the account.

```yaml
  ecrRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref ParameterImageName
```
Next is the S3 bucket that stores the CodeBuild logs. A lifecycle rule deletes objects older than a week. Two caveats: bucket names are global, so stack creation fails if another account already owns this name; and AccessControl: Private only sets the bucket ACL, it is not a substitute for a public access block on the bucket.

```yaml
  s3LogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Join
        - "-"
        - - my-codebuild-logs
          - !Ref ParameterImageName
      LifecycleConfiguration:
        Rules:
          - Id: DeleteOldFiles
            Status: Enabled
            ExpirationInDays: 7
```
Now we create the role that the CodeBuild project assumes. Its inline policy allows only what the build needs:
- Pull images from the ECR repository (to use a previous build as cache)
- Push images to the ECR repository
- Pull the code from the CodeCommit repository
- Write logs to the S3 bucket
Two details matter for least privilege. ecr:GetAuthorizationToken is not tied to a repository and only works with Resource "*", so it gets a statement of its own; every other ECR action is scoped to the repository created above. For the logs bucket the build only needs to write objects (s3:PutObject) plus the bucket-level s3:GetBucketAcl and s3:GetBucketLocation that CodeBuild uses to find the bucket; granting s3:* would also let a compromised build delete or overwrite its own logs. If the account hosts several CodeBuild projects, AWS also recommends aws:SourceAccount and aws:SourceArn conditions on the trust policy so that only this project can assume the role (cross-service confused deputy prevention).

```yaml
  codebuildProjectRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join
        - "-"
        - - my-codebuild-role
          - !Ref ParameterImageName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - codebuild.amazonaws.com
      Policies:
        - PolicyName: !Join
            - "-"
            - - my-codebuild-policy
              - !Ref ParameterImageName
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken is account-wide and only works with "*"
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource:
                  - "*"
              # every other ECR action is scoped to this project's repository
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:CompleteLayerUpload
                  - ecr:DescribeImages
                  - ecr:DescribeRepositories
                  - ecr:DescribeImageScanFindings
                  - ecr:GetDownloadUrlForLayer
                  - ecr:GetRepositoryPolicy
                  - ecr:InitiateLayerUpload
                  - ecr:ListImages
                  - ecr:ListTagsForResource
                  - ecr:PutImage
                  - ecr:UploadLayerPart
                Resource:
                  - !GetAtt ecrRepository.Arn
              - Effect: Allow
                Action:
                  - codecommit:GitPull
                Resource:
                  - !Join
                    - ":"
                    - - arn:aws:codecommit
                      - !Ref ParameterRegion
                      - !Ref ParameterAccountId
                      - !Ref ParameterCodeCommitName
              # write log objects only; s3:* would also allow deleting them
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - !Join
                    - "/"
                    - - !GetAtt s3LogsBucket.Arn
                      - "*"
              - Effect: Allow
                Action:
                  - s3:GetBucketAcl
                  - s3:GetBucketLocation
                Resource:
                  - !GetAtt s3LogsBucket.Arn
```
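To see the least-privilege point in code rather than by eye, here is a small audit of the role's policy document. This is an added example, not code from the original post: the two policy documents are constructed samples in CloudFormation's JSON form, one with Resource "*" for every ECR action and s3:* on the log objects, the other the scoped version, and the REQUIRES_WILDCARD allow-list is this example's own assumption, not an AWS-published table.

```python
"""Least-privilege audit of a CodeBuild role's inline policy.

Added example, not code from the original post. ORIGINAL_POLICY and
HARDENED_POLICY are constructed samples in CloudFormation's JSON form;
REQUIRES_WILDCARD is this example's own allow-list (assumption).
"""
from __future__ import annotations

# Actions that are not bound to any resource and so legitimately need
# Resource "*" (assumption: the only such action this role needs).
REQUIRES_WILDCARD = {"ecr:GetAuthorizationToken"}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad Allow statement; [] means clean."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # "*" or "service:*" grants every action of a service.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        # Intrinsics (Fn::GetAtt, Fn::Join, Ref) become concrete ARNs at
        # deploy time, so only a literal "*" counts as an unscoped resource.
        if any(r == "*" for r in resources if isinstance(r, str)):
            scopable = [a for a in actions if a not in REQUIRES_WILDCARD]
            if scopable:
                findings.append(
                    f"statement {i}: Resource \"*\" for {len(scopable)} "
                    f"action(s) that accept a resource ARN, e.g. {scopable[0]}"
                )
    return findings


ECR_REPO_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
                    "ecr:PutImage"]
REPO_ARN = {"Fn::GetAtt": ["ecrRepository", "Arn"]}
CODECOMMIT_ARN = {"Fn::Join": [":", ["arn:aws:codecommit", {"Ref": "ParameterRegion"},
                                     {"Ref": "ParameterAccountId"},
                                     {"Ref": "ParameterCodeCommitName"}]]}
BUCKET_ARN = {"Fn::GetAtt": ["s3LogsBucket", "Arn"]}
LOG_OBJECTS_ARN = {"Fn::Join": ["/", [BUCKET_ARN, "*"]]}

# Unscoped variant: every ECR action on "*", and s3:* on the log objects.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"] + ECR_REPO_ACTIONS,
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["codecommit:GitPull"], "Resource": [CODECOMMIT_ARN]},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": [LOG_OBJECTS_ARN]},
]}

# Scoped variant: the token call keeps "*", everything else names its resource.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ECR_REPO_ACTIONS, "Resource": [REPO_ARN]},
    {"Effect": "Allow", "Action": ["codecommit:GitPull"], "Resource": [CODECOMMIT_ARN]},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [LOG_OBJECTS_ARN]},
    {"Effect": "Allow", "Action": ["s3:GetBucketAcl", "s3:GetBucketLocation"],
     "Resource": [BUCKET_ARN]},
]}

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_policy(doc) or 'clean'}")
```

The audit treats any intrinsic function as a concrete ARN, which is the right call for a template (the value is decided at deploy time), but it means a Ref to a parameter whose default is "*" would slip through; resolving the template against its parameter values first closes that gap.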
Finally we configure the CodeBuild project itself. It takes its source from the CodeCommit repository and runs the build described in buildspec.yaml in the root of that repository. The environment variables are passed through to buildspec.yaml so its shell commands can use them; Type PLAINTEXT is fine here because none of these values is a secret (secrets belong in PARAMETER_STORE or SECRETS_MANAGER variables). PrivilegedMode must be true so that the build container can run the Docker daemon and build the image, but it also means that whoever can change buildspec.yaml in the repository decides what runs as this role, inside a privileged container; that is the main reason to keep the role scoped as above. Newer standard images have been released since this was written, so check AWS's list of curated Docker images for a current one. Logs go to the S3 bucket rather than CloudWatch, and we leave server-side encryption of the logs enabled (EncryptionDisabled: false), so they are encrypted at rest with the project's key (the AWS-managed S3 key by default).

```yaml
  codeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Join
        - "-"
        - - my-codebuild-project
          - !Ref ParameterImageName
      Source:
        Type: CODECOMMIT
        Location: !Join
          - "/"
          - - "https:/"
            - !Join
                - "."
                - - git-codecommit
                  - !Ref ParameterRegion
                  - amazonaws.com
            - v1/repos
            - !Ref ParameterCodeCommitName
        BuildSpec: buildspec.yaml
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        Image: aws/codebuild/standard:4.0
        ComputeType: BUILD_GENERAL1_SMALL
        # required for docker build inside the build container
        PrivilegedMode: true
        EnvironmentVariables:
          - Name: awsRegion
            Value: !Ref ParameterRegion
            Type: PLAINTEXT
          - Name: awsAccount
            Value: !Ref ParameterAccountId
            Type: PLAINTEXT
          - Name: imageName
            Value: !Ref ParameterImageName
            Type: PLAINTEXT
          - Name: imageVersion
            Value: latest
            Type: PLAINTEXT
      ServiceRole: !GetAtt codebuildProjectRole.Arn
      LogsConfig:
        CloudWatchLogs:
          Status: DISABLED
        S3Logs:
          Status: ENABLED
          Location: !GetAtt s3LogsBucket.Arn
          EncryptionDisabled: false
```
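The source location is built with a slightly odd !Join ("https:/" joined with "/" to the host), and the codecommit:GitPull grant in the role is a separate !Join; it is easy for the two to drift apart when the template is edited. The following added example, not code from the original post, evaluates the template's Ref, Fn::Join and Fn::GetAtt expressions offline with the parameter defaults and checks that the clone URL and the ARN name the same region and repository. The three expressions are the post's Source.Location, CodeCommit ARN and S3 log prefix transcribed into CloudFormation's JSON form (constructed input); ATTRS is a stub for attribute values CloudFormation would only know after creation (assumption), and the resolver covers only the three intrinsics the post uses.

```python
"""Resolve the template's intrinsic functions offline and check that the
project's source URL and the role's codecommit:GitPull grant agree.

Added example, not code from the original post. SOURCE_LOCATION,
GITPULL_RESOURCE and LOG_OBJECTS are constructed transcriptions of the
template; ATTRS stands in for values CloudFormation fills in after
creation (assumption); only Ref, Fn::Join and Fn::GetAtt are supported.
"""
from __future__ import annotations
import re

PARAMS = {"ParameterAccountId": "123456789012", "ParameterRegion": "us-east-1",
          "ParameterCodeCommitName": "my", "ParameterImageName": "my-image"}
ATTRS = {("s3LogsBucket", "Arn"): "arn:aws:s3:::my-codebuild-logs-my-image"}


def resolve(node, params: dict = PARAMS, attrs: dict = ATTRS) -> str:
    """Evaluate Ref / Fn::Join / Fn::GetAtt the way CloudFormation would."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Join":
            separator, parts = arg
            return separator.join(resolve(p, params, attrs) for p in parts)
        if fn == "Fn::GetAtt":
            return attrs[tuple(arg)]
    raise ValueError(f"unsupported node: {node!r}")


# Source.Location: "https:/" becomes "https://" once joined with "/".
SOURCE_LOCATION = {"Fn::Join": ["/", [
    "https:/",
    {"Fn::Join": [".", ["git-codecommit", {"Ref": "ParameterRegion"}, "amazonaws.com"]]},
    "v1/repos",
    {"Ref": "ParameterCodeCommitName"},
]]}
# Resource of the codecommit:GitPull statement in the role.
GITPULL_RESOURCE = {"Fn::Join": [":", [
    "arn:aws:codecommit", {"Ref": "ParameterRegion"},
    {"Ref": "ParameterAccountId"}, {"Ref": "ParameterCodeCommitName"},
]]}
# Resource of the s3:PutObject statement (bucket ARN plus "/*").
LOG_OBJECTS = {"Fn::Join": ["/", [{"Fn::GetAtt": ["s3LogsBucket", "Arn"]}, "*"]]}

CLONE_URL = re.compile(
    r"^https://git-codecommit\.([a-z0-9-]+)\.amazonaws\.com/v1/repos/([^/]+)$")
CODECOMMIT_ARN = re.compile(r"^arn:aws:codecommit:([a-z0-9-]+):(\d{12}):([^:]+)$")


def grant_covers_source(source_location, gitpull_resource,
                        params: dict = PARAMS) -> bool:
    """True only if the GitPull ARN names the clone URL's region and repository."""
    url = CLONE_URL.match(resolve(source_location, params))
    arn = CODECOMMIT_ARN.match(resolve(gitpull_resource, params))
    if url is None or arn is None:
        return False
    return url.group(1) == arn.group(1) and url.group(2) == arn.group(3)


if __name__ == "__main__":
    print(resolve(SOURCE_LOCATION))
    print(resolve(GITPULL_RESOURCE))
    print(resolve(LOG_OBJECTS))
    print("grant covers source:",
          grant_covers_source(SOURCE_LOCATION, GITPULL_RESOURCE))
```

Running it with the stack's defaults yields https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my for the source and arn:aws:codecommit:us-east-1:123456789012:my for the grant, so the check passes; replacing either region or repository name in only one of the two expressions makes it fail, which is the drift the check is meant to catch before the stack is deployed.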
In the next post, I will provide an example buildspec.yaml and an example of how to build the image and push it to the ECR.