diff --git a/README.md b/README.md index 4fa04a9..5d965df 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,14 @@ export GITHUB_REPO=YOUR_GITHUB_BRANCH *Note:* To deploy application without pipeline locally, change `cdk.json` line 2 from `"app": "npx ts-node --prefer-ts-exts cdk/bin/pipeline.ts",` to `"app": "npx ts-node --prefer-ts-exts cdk/bin/api.ts",` -Deploy pipeline manually one time: `cdk deploy` + `aws iam attach-role-policy --role-name $PIPELINE_ROLE --policy-arn $POLICY_ARN` -`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2` \ No newline at end of file +`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2` +Deploy pipeline manually one time: `cdk deploy` +Cacnel execution of pipeline +Set Env Var `` in CodeBuild step +In source account, add ability to assume cdk roles created by bootstrap command to policy used for cross account access +In source account, add policy to role used to build and deploy that was created when the pipeline was deployed +Create ssm param `rds-password-secret-arn` for arn to secret manager entry with db pwd secret (In account 1) \ No newline at end of file diff --git a/cdk/bin/api.ts b/cdk/bin/api.ts index 6c57f76..de59d1b 100644 --- a/cdk/bin/api.ts +++ b/cdk/bin/api.ts @@ -15,7 +15,7 @@ const vpcStack = new VpcStack(app, "VPCStack"); const rdsStack = new RDSStack(app, "RDSStack", { vpc: vpcStack.vpc, securityGroup: vpcStack.ingressSecurityGroup, - rdsPwdSecretArnSsmParameterName: rdsPasswordArnSsmParamName + rdsPwdSecretArn: process.env.RDS_PWD_ARN || "" }); // Serverless Lambda/API Gateway Graphql API diff --git a/cdk/lib/cdk-pipeline-stack.ts b/cdk/lib/cdk-pipeline-stack.ts index 48e913b..a2b117b 100644 --- a/cdk/lib/cdk-pipeline-stack.ts +++ b/cdk/lib/cdk-pipeline-stack.ts @@ -7,7 +7,7 @@ import { RDSStack } from "./rds-stack"; // Define deployable unit of our app in a stage; consider putting this in seperate file interface AppStageProps extends StageProps { - rdsPasswordSecretArnSsmParamName: string; + rdsPasswordSecretArn: string; } class AppStage extends Stage { @@ -22,7 +22,7 @@ class AppStage extends Stage { this.rdsStack = new RDSStack(this, "RDSStack", { vpc: vpcStack.vpc, securityGroup: vpcStack.ingressSecurityGroup, - rdsPwdSecretArnSsmParameterName: props?.rdsPasswordSecretArnSsmParamName || "" + rdsPwdSecretArn: props?.rdsPasswordSecretArn || "" }); this.apiStack = new GraphqlApiStack(this, "APIStack", { @@ -51,8 +51,10 @@ export class CdkPipelineStack extends Stack { const githubOrg = process.env.GITHUB_ORG || "kevasync"; const githubRepo = process.env.GITHUB_REPO || "awsmug-serverless-graphql-api"; const githubBranch = process.env.GITHUB_REPO || "master"; + const crossAccountId = process.env.SECONDARY_ACCOUNT_ID || ""; + const rdsPasswordArn = process.env.RDS_PWD_ARN || ""; // const crossAccountRole = process.env.CROSS_ACCOUNT_PIPELINE_ROLE || "OrganizationAccountAccessRole"; - const crossAccountId = process.env.SECONDARY_ACCOUNT_ID; + const pipeline = new CodePipeline(this, "Pipeline", { crossAccountKeys: true, @@ -83,16 +85,18 @@ export class CdkPipelineStack extends Stack { // resources: [`arn:aws:iam::${crossAccountRole}:role/${crossAccountRole}`] // })); + + const devStage = new AppStage(this, "dev", { env: { account: Aws.ACCOUNT_ID, region: Aws.REGION }, - rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn" + rdsPasswordSecretArn: rdsPasswordArn }); const devWave = pipeline.addWave("devWave"); devWave.addStage(devStage); const prdStage = new AppStage(this, "prd", { env: { account: crossAccountId, region: "us-west-2" }, - rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn" + rdsPasswordSecretArn: rdsPasswordArn }); const prdWave = pipeline.addWave("prdWave"); prdWave.addStage(prdStage); diff --git a/cdk/lib/rds-stack.ts b/cdk/lib/rds-stack.ts index cd25629..02ec6c2 100644 --- a/cdk/lib/rds-stack.ts +++ b/cdk/lib/rds-stack.ts @@ -14,7 +14,7 @@ import { SecurityGroup, SubnetType, Vpc } from "@aws-cdk/aws-ec2"; export interface RDSStackProps extends StackProps { vpc: Vpc; securityGroup: SecurityGroup; - rdsPwdSecretArnSsmParameterName: string; + rdsPwdSecretArn: string; } export class RDSStack extends Stack { @@ -31,9 +31,9 @@ export class RDSStack extends Stack { constructor(scope: Construct, id: string, props: RDSStackProps) { super(scope, id, props); - const secretArn = StringParameter.valueForStringParameter(this, props.rdsPwdSecretArnSsmParameterName); + this.rdsPassword = Secret.fromSecretAttributes(this, "rdsPassword", { - secretArn: secretArn + secretArn: props.rdsPwdSecretArn }); this.postgresRDSInstance = new DatabaseInstance(