是否可以在同一管道中进行跨账户和同一账户部署?
Is it possible to do a cross account and same account deployment in the same pipeline?
我正在 AWS 中进行从我的部署账户到暂存账户的跨账户部署,我有 2 个单独的管道用于 API 和前端应用程序。
在 API 的代码管道中,我正在创建一些我想在前端代码管道的构建阶段重复使用的资源。现在我需要通过 运行 单个管道
实现以下步骤
- 部署 API 从部署帐户到暂存帐户的云形成堆栈 - 已成功完成。
- 在部署帐户本身中部署一个云形成堆栈 - 不成功,这可能吗?如果可能怎么办?
提前致谢
CodePipeline 由阶段(逻辑)和操作(Source/Build/Deploy 等)组成。
每个动作都可以在本地账户或跨账户中运行。这种魔法是如何发生的?
每个动作都有一个角色Arn 属性。这是 CodePipeline "assumes" 在执行该操作时的作用。如果 'roleArn' 属性 中指定的角色在本地帐户中(或 属性 为空),则操作 运行s 在本地帐户中。如果 'roleArn' 属性 中指定的角色是跨账户,则操作将 运行 在另一个账户中。
运行以下命令检查:
$ aws codepipeline get-pipeline --name <name> --region us-east-1
结果类似于(见倒数第二行):
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "CloudFormation",
"version": "1"
},
"runOrder": 1,
"configuration": {
"ActionMode": "CREATE_UPDATE",
"Capabilities": "CAPABILITY_IAM,CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND",
"RoleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
"StackName": "Cx-Account",
"TemplatePath": "SourceArtifact::template.json"
},
"outputArtifacts": [],
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"roleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
"region": "us-east-1"
}
Deploy One cloud formation stack in deploy account itself - Not succesful, Is it possible? If it is possible how to do it?
现在您拥有了 运行在您想要的任何帐户中执行操作的密钥。正常创建操作并且不在操作本身上指定 roleArn,CodePipeline 将在部署帐户本身(管道所在的位置)中执行 cloudformation 操作。
我有一些用例,我需要在 AWS 代码构建中执行操作,从我的管理账户(我 运行 我的管道所在的账户)到我要部署到的目标账户。例如,这在需要将 Angler 应用程序部署到 S3 时很有用。这是我的解决方案,希望对您有所帮助:)
BuildAngulerProjectAndUploadToS3:
Type: AWS::CodeBuild::Project
Properties:
Name: !Sub '${UniqueId}-build-anguler-project-upload-to-s3'
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
Type: LINUX_CONTAINER
ServiceRole: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/pipeline_role_arn/mgmt:1}}'
EncryptionKey: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/artefact_encryption_key/arn:1}}'
Source:
Type: CODEPIPELINE
BuildSpec: !Sub |2 # Only use ${...} for substituted variables, not environment variables, to avoid issues with !Sub
version: 0.2
env:
parameter-store:
artifactory_username: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/username"
artifactory_password: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/api"
phases:
pre_build:
commands:
# Assume the cross account role in the Target Account
# CrossAccountDeploymentRoleArn is passed in as an environment variable
- output=$(aws sts assume-role
--role-arn $CrossAccountDeploymentRoleArn
--role-session-name "x-account-code-build"
--query 'Credentials.[SecretAccessKey,AccessKeyId,SessionToken]'
--output text)
- export AWS_ACCESS_KEY_ID=$(echo $output | cut -f2 -d ' ')
- export AWS_SECRET_ACCESS_KEY=$(echo $output | cut -f1 -d ' ')
- export AWS_SESSION_TOKEN=$(echo $output | cut -f3 -d ' ')
install:
runtime-versions:
nodejs: 10
commands:
- echo Installing source NPM dependencies...
- cd $CODEBUILD_SRC_DIR/client/app
- echo Setting up artifactory...
- printf _auth="$artifactory_password\nregistry=https://{ARTIFACTORY_ADDRESS}\nemail=$artifactory_username\nalways-auth=true" > .npmrc
- cat .npmrc
- npm i -g @angular/cli
build:
commands:
- npm install
- ng build --prod
- echo uploading artifacts to S3
- aws s3 sync dist/app s3://${UniqueId}-app-bucket-$Account_ID
我正在 AWS 中进行从我的部署账户到暂存账户的跨账户部署,我有 2 个单独的管道用于 API 和前端应用程序。
在 API 的代码管道中,我正在创建一些我想在前端代码管道的构建阶段重复使用的资源。现在我需要通过 运行 单个管道
实现以下步骤- 部署 API 从部署帐户到暂存帐户的云形成堆栈 - 已成功完成。
- 在部署帐户本身中部署一个云形成堆栈 - 不成功,这可能吗?如果可能怎么办?
提前致谢
CodePipeline 由阶段(逻辑)和操作(Source/Build/Deploy 等)组成。
每个动作都可以在本地账户或跨账户中运行。这种魔法是如何发生的?
每个动作都有一个角色Arn 属性。这是 CodePipeline "assumes" 在执行该操作时的作用。如果 'roleArn' 属性 中指定的角色在本地帐户中(或 属性 为空),则操作 运行s 在本地帐户中。如果 'roleArn' 属性 中指定的角色是跨账户,则操作将 运行 在另一个账户中。
运行以下命令检查:
$ aws codepipeline get-pipeline --name <name> --region us-east-1
结果类似于(见倒数第二行):
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "CloudFormation",
"version": "1"
},
"runOrder": 1,
"configuration": {
"ActionMode": "CREATE_UPDATE",
"Capabilities": "CAPABILITY_IAM,CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND",
"RoleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
"StackName": "Cx-Account",
"TemplatePath": "SourceArtifact::template.json"
},
"outputArtifacts": [],
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"roleArn": "arn:aws:iam::0123456789012:role/CrossAccount_Role",
"region": "us-east-1"
}
Deploy One cloud formation stack in deploy account itself - Not succesful, Is it possible? If it is possible how to do it?
现在您拥有了 运行在您想要的任何帐户中执行操作的密钥。正常创建操作并且不在操作本身上指定 roleArn,CodePipeline 将在部署帐户本身(管道所在的位置)中执行 cloudformation 操作。
我有一些用例,我需要在 AWS 代码构建中执行操作,从我的管理账户(我 运行 我的管道所在的账户)到我要部署到的目标账户。例如,这在需要将 Angler 应用程序部署到 S3 时很有用。这是我的解决方案,希望对您有所帮助:)
BuildAngulerProjectAndUploadToS3:
Type: AWS::CodeBuild::Project
Properties:
Name: !Sub '${UniqueId}-build-anguler-project-upload-to-s3'
Artifacts:
Type: CODEPIPELINE
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
Type: LINUX_CONTAINER
ServiceRole: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/pipeline_role_arn/mgmt:1}}'
EncryptionKey: !Sub '{{resolve:ssm:/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/artefact_encryption_key/arn:1}}'
Source:
Type: CODEPIPELINE
BuildSpec: !Sub |2 # Only use ${...} for substituted variables, not environment variables, to avoid issues with !Sub
version: 0.2
env:
parameter-store:
artifactory_username: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/username"
artifactory_password: "/${SSMNamespace}/${PipelineSSMConfigId}/pipeline/python-pip/api"
phases:
pre_build:
commands:
# Assume the cross account role in the Target Account
# CrossAccountDeploymentRoleArn is passed in as an environment variable
- output=$(aws sts assume-role
--role-arn $CrossAccountDeploymentRoleArn
--role-session-name "x-account-code-build"
--query 'Credentials.[SecretAccessKey,AccessKeyId,SessionToken]'
--output text)
- export AWS_ACCESS_KEY_ID=$(echo $output | cut -f2 -d ' ')
- export AWS_SECRET_ACCESS_KEY=$(echo $output | cut -f1 -d ' ')
- export AWS_SESSION_TOKEN=$(echo $output | cut -f3 -d ' ')
install:
runtime-versions:
nodejs: 10
commands:
- echo Installing source NPM dependencies...
- cd $CODEBUILD_SRC_DIR/client/app
- echo Setting up artifactory...
- printf _auth="$artifactory_password\nregistry=https://{ARTIFACTORY_ADDRESS}\nemail=$artifactory_username\nalways-auth=true" > .npmrc
- cat .npmrc
- npm i -g @angular/cli
build:
commands:
- npm install
- ng build --prod
- echo uploading artifacts to S3
- aws s3 sync dist/app s3://${UniqueId}-app-bucket-$Account_ID