getting rds pwd arn from build job env var
Kevin Tinn committed Oct 5, 2021
1 parent fa50e44 commit 3b73324
Showing 4 changed files with 21 additions and 11 deletions.
10 changes: 8 additions & 2 deletions README.md
Expand Up @@ -40,8 +40,14 @@ export GITHUB_REPO=YOUR_GITHUB_BRANCH

*Note:* To deploy application without pipeline locally, change `cdk.json` line 2 from `"app": "npx ts-node --prefer-ts-exts cdk/bin/pipeline.ts",` to `"app": "npx ts-node --prefer-ts-exts cdk/bin/api.ts",`

Deploy pipeline manually one time: `cdk deploy`



`aws iam attach-role-policy --role-name $PIPELINE_ROLE --policy-arn $POLICY_ARN`
`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2`
`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2`
Deploy pipeline manually one time: `cdk deploy`
Cacnel execution of pipeline
Set Env Var `` in CodeBuild step
In source account, add ability to assume cdk roles created by bootstrap command to policy used for cross account access
In source account, add policy to role used to build and deploy that was created when the pipeline was deployed
Create ssm param `rds-password-secret-arn` for arn to secret manager entry with db pwd secret (In account 1)
2 changes: 1 addition & 1 deletion cdk/bin/api.ts
Expand Up @@ -15,7 +15,7 @@ const vpcStack = new VpcStack(app, "VPCStack");
const rdsStack = new RDSStack(app, "RDSStack", {
vpc: vpcStack.vpc,
securityGroup: vpcStack.ingressSecurityGroup,
rdsPwdSecretArnSsmParameterName: rdsPasswordArnSsmParamName
rdsPwdSecretArn: process.env.RDS_PWD_ARN || ""
});

// Serverless Lambda/API Gateway Graphql API
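Review bot: The new `rdsPwdSecretArn: process.env.RDS_PWD_ARN || ""` line turns a missing environment variable into an empty ARN that is only rejected later, inside RDSStack's `Secret.fromSecretAttributes`, with an error that does not name the variable. Fail fast at the entry point instead: `const rdsPwdSecretArn = process.env.RDS_PWD_ARN;` followed by `if (!rdsPwdSecretArn) throw new Error("RDS_PWD_ARN must be set to the Secrets Manager ARN of the RDS password secret");`, then pass `rdsPwdSecretArn` to the stack. The ARN is not itself sensitive, but a wrong or stale ARN is exactly what points the database at the wrong credential, so the value deserves a visible check rather than a silent default. The script around this `new RDSStack(...)` call continues outside the hunk.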
14 changes: 9 additions & 5 deletions cdk/lib/cdk-pipeline-stack.ts
Expand Up @@ -7,7 +7,7 @@ import { RDSStack } from "./rds-stack";

// Define deployable unit of our app in a stage; consider putting this in seperate file
interface AppStageProps extends StageProps {
rdsPasswordSecretArnSsmParamName: string;
rdsPasswordSecretArn: string;
}

class AppStage extends Stage {
Expand All @@ -22,7 +22,7 @@ class AppStage extends Stage {
this.rdsStack = new RDSStack(this, "RDSStack", {
vpc: vpcStack.vpc,
securityGroup: vpcStack.ingressSecurityGroup,
rdsPwdSecretArnSsmParameterName: props?.rdsPasswordSecretArnSsmParamName || ""
rdsPwdSecretArn: props?.rdsPasswordSecretArn || ""
});

this.apiStack = new GraphqlApiStack(this, "APIStack", {
Expand Down Expand Up @@ -51,8 +51,10 @@ export class CdkPipelineStack extends Stack {
const githubOrg = process.env.GITHUB_ORG || "kevasync";
const githubRepo = process.env.GITHUB_REPO || "awsmug-serverless-graphql-api";
const githubBranch = process.env.GITHUB_REPO || "master";
const crossAccountId = process.env.SECONDARY_ACCOUNT_ID || "";
const rdsPasswordArn = process.env.RDS_PWD_ARN || "";
// const crossAccountRole = process.env.CROSS_ACCOUNT_PIPELINE_ROLE || "OrganizationAccountAccessRole";
const crossAccountId = process.env.SECONDARY_ACCOUNT_ID;


const pipeline = new CodePipeline(this, "Pipeline", {
crossAccountKeys: true,
Expand Down Expand Up @@ -83,16 +85,18 @@ export class CdkPipelineStack extends Stack {
// resources: [`arn:aws:iam::${crossAccountRole}:role/${crossAccountRole}`]
// }));



const devStage = new AppStage(this, "dev", {
env: { account: Aws.ACCOUNT_ID, region: Aws.REGION },
rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn"
rdsPasswordSecretArn: rdsPasswordArn
});
const devWave = pipeline.addWave("devWave");
devWave.addStage(devStage);

const prdStage = new AppStage(this, "prd", {
env: { account: crossAccountId, region: "us-west-2" },
rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn"
rdsPasswordSecretArn: rdsPasswordArn
});
const prdWave = pipeline.addWave("prdWave");
prdWave.addStage(prdStage);
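Review bot: The same `rdsPasswordArn` is passed to both the `dev` stage (`Aws.ACCOUNT_ID`) and the `prd` stage deployed into `crossAccountId`, while the README in this commit says the secret is created in account 1; a Secrets Manager secret in the pipeline account cannot be resolved by a stack in the secondary account unless the secret's resource policy (and the KMS key policy, if it uses a customer-managed key) grants the principal CloudFormation deploys with in that account, so the prd deployment is likely to fail or needs a per-stage ARN such as `process.env.RDS_PWD_ARN_PRD`. Because synth now runs in CodeBuild, `RDS_PWD_ARN` must also be set in that build environment, otherwise the `|| ""` fallback silently synthesizes an empty ARN; replace it with `const rdsPasswordArn = process.env.RDS_PWD_ARN;` and `if (!rdsPasswordArn) throw new Error("RDS_PWD_ARN is required");`. Not introduced here but visible in the hunk, `githubBranch` reads `GITHUB_REPO` rather than `GITHUB_BRANCH`, so the branch can never be overridden. The `CdkPipelineStack` constructor begins before this hunk.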
6 changes: 3 additions & 3 deletions cdk/lib/rds-stack.ts
Expand Up @@ -14,7 +14,7 @@ import { SecurityGroup, SubnetType, Vpc } from "@aws-cdk/aws-ec2";
export interface RDSStackProps extends StackProps {
vpc: Vpc;
securityGroup: SecurityGroup;
rdsPwdSecretArnSsmParameterName: string;
rdsPwdSecretArn: string;
}

export class RDSStack extends Stack {
Expand All @@ -31,9 +31,9 @@ export class RDSStack extends Stack {
constructor(scope: Construct, id: string, props: RDSStackProps) {
super(scope, id, props);

const secretArn = StringParameter.valueForStringParameter(this, props.rdsPwdSecretArnSsmParameterName);

this.rdsPassword = Secret.fromSecretAttributes(this, "rdsPassword", {
secretArn: secretArn
secretArn: props.rdsPwdSecretArn
});

this.postgresRDSInstance = new DatabaseInstance(
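Review bot: `props.rdsPwdSecretArn` is handed straight to `Secret.fromSecretAttributes`, and both callers in this commit default it to `""`, so a missing value surfaces as a generic secret-attributes error instead of a clearly misconfigured stack. Add a guard at the top of the constructor, `if (!props.rdsPwdSecretArn) throw new Error("RDSStack: rdsPwdSecretArn must be a Secrets Manager secret ARN");`, and document the new prop with `/** Full ARN of the Secrets Manager secret holding the RDS master password; the deploying account must be able to read it. */`. With the SSM lookup removed, the `StringParameter` import above this hunk may now be unused and should be checked. The constructor body continues past the hunk.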