Build & CI - Containerized Environments #633
Additional tools are required to run the AMI building stage and are common enough to merit being installed by default - eg: aws cli.
This uses the commands provided in the build environment instead of performing the on-demand installation for building within.
Create a common builder container
Projects producing images will utilize this tool to push images to ECR repositories as part of their build.
This uses the SSM pointers defined and provisioned in another stack that provides a pre-established parameter with the Container Image and its Tag to use.
Related to: #630
Reviewers please note: these changes are incompatible with current PR checks and will fail until switched over to this setup.
Add CodeBuild Infra containers supporting resources
This polyfill implementation of `logger` handles scenarios where the environment isn't fully initialized or where the logger stub isn't able to be run. Falling back to `printf` eliminates logged errors from these places and in their place prints the expected messages.
ci: polyfill logger in edge cases for #541
This adds a CI-specific harness for creating AMIs from built disk images. To accomplish the task at hand, the script "create-ami-image" manages the use of build artifacts and kicks off the amiize process according to its build environment. "ensure-key-pair" validates and/or creates an EC2 key pair for its use during automated builds. This key may be rotated (by way of deletion) as needed with additional straightforward & well-scoped permissions needed for the build task to manage its own key pair (aside from the overlapping EC2 permissions needed for amiizing):

- ssm:PutParameter
- ssm:GetParameter
- ec2:ImportKey
- ec2:DescribeKeyPairs
- kms:Encrypt
- kms:Decrypt

The KMS documentation page regarding SSM Parameter Store has much more outlined on restricting the usage of SSM's AWS-managed CMK to the SSM Parameters involved as well.

Signed-off-by: Jacob Vallejo <[email protected]>
ci: add AMI building harness and supporting tools
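As an added illustration of scoping the build role's permissions listed in the commit above (this is example policy text, not part of this PR's changes), an IAM policy that limits the SSM and KMS actions to the single key-pair parameter and to the SSM-managed key used through Parameter Store. `<REGION>`, `<ACCOUNT_ID>`, `<PARAMETER_NAME>` and `<SSM_MANAGED_KEY_ID>` are placeholders to fill in; the IAM action name for importing a key pair is `ec2:ImportKeyPair`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyPairParameterOnly",
      "Effect": "Allow",
      "Action": ["ssm:GetParameter", "ssm:PutParameter"],
      "Resource": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/<PARAMETER_NAME>"
    },
    {
      "Sid": "SsmManagedKeyForThatParameterOnly",
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<SSM_MANAGED_KEY_ID>",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "ssm.<REGION>.amazonaws.com",
          "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/<PARAMETER_NAME>"
        }
      }
    },
    {
      "Sid": "KeyPairManagement",
      "Effect": "Allow",
      "Action": ["ec2:ImportKeyPair", "ec2:DescribeKeyPairs"],
      "Resource": "*"
    }
  ]
}
```

The `kms:ViaService` and `kms:EncryptionContext:PARAMETER_ARN` conditions mean the build role can only drive the SSM key through Parameter Store, and only for that one SecureString parameter; `ec2:DescribeKeyPairs` does not support resource-level restriction, so that statement stays on `*`.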
🥇
I may be missing it somewhere, but I don't see the CodeBuild buildspec for the Thar "build" step - does this still live in CodeCommit?
Tidy buildspecs to use container environment
@zmrow yeah, in fact that step was alternating between using a sideband buildspec (from codecommit as a second source) and using the in-repo
Description of changes:
This branch holds, in total, the entire set of changes that need to be made together once related & dependent changes are themselves reviewed and finalized. The PR cannot be merged before changes are reviewed and staged, as several scripts, buildspecs, and CloudFormation stacks have dependencies tied up until we can flip over.
Related/contained PRs:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.