AWS pipeline with cross-account CodeCommit repo as Source
I need to create a pipeline with CDK that will trigger a deploy in CloudFormation based on a branch in a CodeCommit repo. If the CodeCommit repo was in the same account as the pipeline, I would use something like:
const codecommitRepo = codecommit.Repository.fromRepositoryName(
this,
'AppRepository',
'REPO_NAME'
);
pipeline.addStage({
stageName: 'Source',
actions: [
new codepipeline_actions.CodeCommitSourceAction({
actionName: 'Source',
repository: codecommitRepo,
branch: 'BRANCH_NAME',
output: sourceArtifact,
}),
],
});
However, what if the CodeCommit repo is in a different account?
The architecture I'm trying to recreate is similar to the one shown in this article (image below), but with CDK and CloudFormation.
How can I create that?
If someone has the same problem, I managed to do it with CDK with this example. It's outdated but I applied the same logic. Probably some of the steps mentioned in this answer are not necesary because of recent changes. I found a more recent example here, but I haven't tried it yet.
Important: Make sure the resources in both accounts are in the same region.
Let's call ID_ACC_WITH_REPO to the AWS account ID with the CodeCommit repo and ID_ACC_WITH_PIPELINE to the account ID with the pipeline and where we want to deploy the architecture.
CDK code for the pipeline
ACC_WITH_REPO
- Create a stack in ID_ACC_WITH_REPO. The region must be especified because it's required for cross-account pipelines.
const repoAccStack = new cdk.Stack(app, 'RepoAccStack', {
env: {
account: ID_ACC_WITH_REPO,
region: REPO_REGION
}
});
- Create a cross-account role in ACC_WITH_REPO and attach full access policies for S3 (to store the artifacts), CodeCommit and KMS (encryption). The role will be used by the pipeline in ACC_WITH_PIPELINE and the CodeCommit source action in the source stage. I guess you can restrict them more to be extra secure.
// Create role
const crossAccRole = new iam.Role(repoAccStack, 'OtherAccRole', {
roleName: 'CrossAccountRole',
assumedBy: new iam.AccountPrincipal(pipelineAcc),
});
// Attach policies
const policy = new iam.PolicyStatement();
policy.addAllResources();
policy.addActions('s3:*', 'codecommit:*', 'kms:*');
crossAccRole.addToPolicy(policy);
- Import the repo.
const repo = codecommit.Repository.fromRepositoryArn(
repoAccStack,
'AppRepository',
`arn:aws:codecommit:${REPO_REGION}:${ID_ACC_WITH_REPO}:${REPO_NAME}`
);
ACC_WITH_PIPELINE
- Create a stack for the pipeline in ID_ACC_WITH_PIPELINE.
const pipelineAccStack = new cdk.Stack(app, 'PipelineAccStack', {
env: {
account: ID_ACC_WITH_PIPELINE,
region: REGION_WITH_PIPELINE
}
});
- Create the KMS key. The method
EncryptionKeyused in the example is deprecated, useKeyinstead.
const key = new kms.Key(pipelineAccStack, 'CrossAccountKmsKey');
Actually I got a kms.model.MalformedPolicyDocumentException error when trying to create the key, so I did it manually from the AWS Console and then imported it with kms.Key.fromKeyArn. I probably did something wrong with my account (I got a lot of errors before getting to this solution), but if you get the same error it's a workaround. Just make sure of assigning usage permissions to the pipeline role.
- Create the S3 bucket in ACC_WITH_PIPELINE with the KMS created before. A bucket name is required. The
HackyIdentityused in the example is not necessary, several methods used in the class implementation are now deprecated.
const artifactsBucket = new s3.Bucket(pipelineAccStack, "ArtifactsBucket", {
bucketName: BUCKET_NAME,
encryptionKey: key,
encryption: s3.BucketEncryption.KMS
});
artifactsBucket.grantReadWrite(new iam.ArnPrincipal(crossAccRole.roleArn));
- Create the pipeline and add the cross-account role created in step 5.
// Create pipeline
const pipeline = new codepipeline.Pipeline(pipelineAccStack, 'Pipeline', {
pipelineName: 'CrossAccountPipeline',
artifactBucket: artifactsBucket
});
// Add cross-account role
const policy = new iam.PolicyStatement();
policy.addResources(crossAccRole.roleArn)
policy.addActions('s3:*', 'codecommit:*', 'kms:*');
pipeline.addToRolePolicy(policy);
- Add the source stage to the pipeline with the CodeCommit repo imported in step 3.
// Create artifact for source code
const sourceArtifact = new codepipeline.Artifact();
// Create source stage with role
pipeline.addStage({
stageName: 'Source',
actions: [
new codepipeline_actions.CodeCommitSourceAction({
actionName: 'CodeCommit_Source',
repository: repo,
output: sourceArtifact,
branch: 'dev',
role: crossAccRole
})
]
});
- And finally add the build stage
// Create CodeBuild project
const buildProject = new codebuild.PipelineProject(this, 'Build', {
environment: { buildImage: codebuild.LinuxBuildImage.AMAZON_LINUX_2_2 }
});
// Create artifact for build
const buildArtifact = new codepipeline.Artifact();
// Add build stage
pipeline.addStage({
stageName: 'Build',
actions: [
new codepipeline_actions.CodeBuildAction({
actionName: 'Build',
project: buildProject,
input: sourceArtifact,
outputs: [buildArtifact],
}),
],
});
Deploy
When the CDK app contains more than one stack you can't just cdk deploy. This is explained in here. However if you try to cdk deploy '*' there's another error: Need to perform AWS calls for account ACCOUNT_ID, but the current credentials are for ACCOUNT_ID.
I managed to deploy the stacks with cdk deploy -e and switching accounts with aws configure.
There are three stacks, not two. An EventBusPolicy stack is automatically generated by CDK to create an event bus. The other two events are added (also automatically) by CDK in PipelineAccStack and RepoAccStack. Marcin's answer explain how cross-account events are configured. The EventBusPolicy stack should be created in ACC_WITH_PIPELINE. To get the exact name of the stack, use cdk list.
Taking all of this into account, in this example I would deploy with:
# with aws configure in ACC_WITH_PIPELINE
cdk deploy -e "PipelineAccStack"
cdk deploy -e "EventBusPolicy-$ID_ACC_WITH_REPO-$REGION-$ID_ACC_WITH_PIPELINE"
# switch aws configure to ACC_WITH_REPO
cdk deploy -e "RepoAccStack"
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally
- Downloading an entire S3 bucket?
- AWS ElastiCache SNS notifications Inactive
- How to set credentials in AWS SDK v3 JavaScript?
- Redis HINCRBY hash field -1 counter for decrementing only till 0 or non negative value
- Error creating mediaconvert job for HLS output with mp4, mp3 and SRT as input
- Firehose Stream Delivers to S3 in Uncompressed Format Despite Compression Enabled
- AWS S3 Bucket Policy - Only Allow Certain File Types In Folder
- couldn't get current server API group list: the server has asked for the client to provide credentials error: You must be logged in to the server
- AWS DotNet SDK Error: Unable to get IAM security credentials from EC2 Instance Metadata Service
- AWS passive failover pricing
- Is there any API available for AWS Pricing Calculator
- Append data to an S3 object
- How to handle UnprocessedItems using AWS JavaScript SDK (dynamoDB)?
- AWS SAM-defined ECS Fargate scheduled task won't start
- How to configure AWS Application Load Balancer to point to multiple ports on the same server