Is it possible to do cross-account and same-account deployments in the same pipeline?

Time: 2020-03-26 18:40:13

Tags: amazon-web-services amazon-cloudformation aws-codepipeline

I am working on an AWS cross-account deployment from my deployment account to a staging account, and I have 2 separate pipelines, one for the API and one for the frontend application.

In the API's CodePipeline I create some resources that I want to reuse in the build stage of the frontend CodePipeline. Now I need to achieve the following steps by running a single pipeline

  1. Deploy the API CloudFormation stack from the deployment account to the staging account - done successfully.
  2. Deploy a CloudFormation stack in the deployment account itself - not successful; is it possible? If it is possible, how do I do it?

Thanks in advance

2 answers:

Answer 0: (score: 0)

CodePipeline consists of stages (logical) and actions (Source/Build/Deploy, etc.).

Each action can run either in the local account or in a cross account. How does this magic happen?

Every action has a roleArn property. This is the role CodePipeline "assumes" when executing that action. If the role specified in the 'roleArn' property is in the local account (or the property is null), the action runs in the local account. If the role specified in the 'roleArn' property is cross-account, the action runs in the other account.

Run the following command to check:

$ aws codepipeline get-pipeline --name <name> --region us-east-1 

The result will look like this (see the second line):

            "name": "Deploy",
            "actions": [
                {
                    "name": "Deploy",
                    "actionTypeId": {
                        "category": "Deploy",
                        "owner": "AWS",
                        "provider": "CloudFormation",
                        "version": "1"
                    },
                    "runOrder": 1,
                    "configuration": {
                        "ActionMode": "CREATE_UPDATE",
                        "Capabilities": "CAPABILITY_IAM,CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND",
                        "RoleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
                        "StackName": "Cx-Account",
                        "TemplatePath": "SourceArtifact::template.json"
                    },
                    "outputArtifacts": [],
                    "inputArtifacts": [
                        {
                            "name": "SourceArtifact"
                        }
                    ],
                    "roleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
                    "region": "us-east-1"
                }

Deploy a CloudFormation stack in the deployment account itself - not successful; is it possible? If it is possible, how do I do it?

Now you have the key to running the action in whichever account you want. Create the action as usual without specifying a roleArn on the action itself, and CodePipeline will execute the CloudFormation action in the deployment account itself (where the pipeline lives).
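As an added check (example code, not from either answer), the rule above can be applied offline to `get-pipeline` output: for each action, compare the account in its roleArn with the account of the pipeline's own service role, and also note when the CloudFormation service role in configuration.RoleArn sits in a different account from the one the action runs in. The pipeline document embedded below is constructed; its account ids and role names are placeholders.

```python
"""Classify CodePipeline actions as local or cross-account (added example, not from the answers).
Rule from the answer above: no roleArn, or a roleArn in the pipeline's own account, means the
action runs locally; a roleArn in another account means the action runs in that account."""
import json
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):role/")

# Constructed sample shaped like `aws codepipeline get-pipeline` output:
# one cross-account CloudFormation deploy and one local one in the same stage.
SAMPLE_PIPELINE = json.loads("""
{"pipeline": {"name": "frontend", "roleArn": "arn:aws:iam::111111111111:role/PipelineRole",
 "stages": [{"name": "Deploy", "actions": [
  {"name": "DeployApiStaging",
   "actionTypeId": {"category": "Deploy", "owner": "AWS", "provider": "CloudFormation", "version": "1"},
   "configuration": {"ActionMode": "CREATE_UPDATE", "StackName": "Cx-Account",
                     "RoleArn": "arn:aws:iam::222222222222:role/CfnDeployRole"},
   "roleArn": "arn:aws:iam::222222222222:role/CrossAccount_Role"},
  {"name": "DeployFrontendLocal",
   "actionTypeId": {"category": "Deploy", "owner": "AWS", "provider": "CloudFormation", "version": "1"},
   "configuration": {"ActionMode": "CREATE_UPDATE", "StackName": "Frontend"}}
 ]}]}}
""")


def account_of(arn):
    """12-digit account id of an IAM role ARN, or None when the ARN is missing or malformed."""
    m = ARN_ACCOUNT.match(arn or "")
    return m.group(1) if m else None


def classify_actions(pipeline_doc):
    """Return (stage, action, target_account, kind) for every action in the pipeline."""
    pipeline = pipeline_doc["pipeline"]
    local = account_of(pipeline["roleArn"])  # account the pipeline itself lives in
    rows = []
    for stage in pipeline["stages"]:
        for action in stage["actions"]:
            target = account_of(action.get("roleArn")) or local
            kind = "local" if target == local else "cross-account"
            # configuration.RoleArn is the role CloudFormation itself assumes; flag it when it
            # does not live in the account where the action runs, since that is worth a look.
            cfn_account = account_of(action.get("configuration", {}).get("RoleArn"))
            if cfn_account and cfn_account != target:
                kind += " (configuration.RoleArn is in another account)"
            rows.append((stage["name"], action["name"], target, kind))
    return rows
```

Feed it the JSON written by `aws codepipeline get-pipeline --name <name>` instead of SAMPLE_PIPELINE to audit a real pipeline.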

Answer 1: (score: 0)

I had several use cases where I needed to perform actions in AWS CodeBuild from my management account (the account I run the pipeline in) against the target account I deploy to. This is useful, for example, when an Angular application needs to be deployed to S3. Here is my solution, hope it helps :)

BuildAngulerProjectAndUploadToS3:
  Type: AWS::CodeBuild::Project
  Properties:
    Name: !Sub '${UniqueId}-build-anguler-project-upload-to-s3'
    Artifacts:
      Type: CODEPIPELINE
    Environment:
      ComputeType: BUILD_GENERAL1_SMALL
      Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
      Type: LINUX_CONTAINER
    ServiceRole: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/pipeline_role_arn/mgmt:1}}'
    EncryptionKey: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/artefact_encryption_key/arn:1}}'
    Source:
      Type: CODEPIPELINE
      BuildSpec: !Sub |2 # Only use ${...} for substituted variables, not environment variables, to avoid issues with !Sub
        version: 0.2
        env:
          parameter-store:
            artifactory_username: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/username"
            artifactory_password: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/api"
        phases:
          pre_build:
            commands:
              # Assume the cross account role in the Target Account
              # CrossAccountDeploymentRoleArn is passed in as an environment variable
              - output=$(aws sts assume-role
                --role-arn $CrossAccountDeploymentRoleArn
                --role-session-name "x-account-code-build"
                --query 'Credentials.[SecretAccessKey,AccessKeyId,SessionToken]'
                --output text)
              # --output text is tab-separated; the unquoted $output turns the tabs into single spaces for cut
              - export AWS_ACCESS_KEY_ID=$(echo $output | cut -f2 -d ' ')
              - export AWS_SECRET_ACCESS_KEY=$(echo $output | cut -f1 -d ' ')
              - export AWS_SESSION_TOKEN=$(echo $output | cut -f3 -d ' ')
          install:
            runtime-versions:
              nodejs: 10
            commands:
              - echo Installing source NPM dependencies...
              - cd $CODEBUILD_SRC_DIR/client/app
              - echo Setting up artifactory...
              - printf _auth="$artifactory_password\nregistry=https://{ARTIFACTORY_ADDRESS}\nemail=$artifactory_username\nalways-auth=true" > .npmrc
              # Writes the .npmrc, including the Artifactory credential, into the build log
              - cat .npmrc
              - npm i -g @angular/cli
          build:
            commands:
              - npm install
              - ng build --prod
              - echo uploading artifacts to S3
              - aws s3 sync dist/app s3://${UniqueId}-app-bucket-$Account_ID