Cross-account CodePipeline

I am trying to create a pipeline in one AWS account (AccountB) while my CodeCommit repository is in another AWS account (AccountA). I followed exactly the approach described in these links:

https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html https://cloudfornoobs.com/aws-codepipeline-with-cross-account-codecommit-repo/

However, after executing the pipeline, my build always fails. My pipeline.json is as follows:

PS: I only want to use CodeCommit and CodeBuild; I am not using CodeDeploy.

{
    "pipeline": {
        "name": "newpipeline",
        "roleArn": "arn:aws:iam::AccountB:role/AccountBRole",
        "artifactStore": {
            "type": "S3",
            "location": "BucketForArtifactsFromAccountB",
            "encryptionKey": {
                "id": "AccountB_KMS",
                "type": "KMS"
            }
        },
        "stages": [
            {
                "name": "Source",
                "actions": [
                    {
                        "name": "Source1",
                        "actionTypeId": {
                            "category": "Source",
                            "owner": "AWS",
                            "provider": "CodeCommit",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "BranchName": "dev",
                            "PollForSourceChanges": "false",
                            "RepositoryName": "backend"
                        },
                        "outputArtifacts": [
                            {
                                "name": "Source1"
                            }
                        ],
                        "inputArtifacts": [],
                        "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
                    }
                ]
            },
            {
                "name": "Build",
                "actions": [
                    {
                        "name": "Build",
                        "actionTypeId": {
                            "category": "Build",
                            "owner": "AWS",
                            "provider": "CodeBuild",
                            "version": "1"
                        },
                        "runOrder": 1,
                        "configuration": {
                            "EnvironmentVariables": "[{\"name\":\"STAGE_NAME\",\"value\":\"dev\",\"type\":\"PLAINTEXT\"}]",
                            "PrimarySource": "Source1",
                            "ProjectName": "backend"
                        },
                        "outputArtifacts": [
                            {
                                "name": "BuildArtifact"
                            }
                        ],
                        "roleArn": "arn:aws:iam::AccountA:role/AccountARole"
                    }
                ]
            }
        ],
        "version": 19
    }
}

When CodeCommit lives in a different account, the default CloudWatch Event that starts the pipeline does not work across accounts. The glue is provided by the CloudWatch Events event bus feature, which can send messages from Account A to Account B.

Steps

In Account A, create a CloudWatch Events rule that forwards events to Account B's default event bus (where the pipeline exists).

CloudWatch > Rules > Create new > Service name: CodeCommit, event type: CodeCommit Repository State Change

The event pattern looks like this (the resource is Account A's CodeCommit repository ARN):

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}

Select a target that points to "Event bus in another AWS account".

Targets > Select target > Event bus in another AWS account > enter the account ID (the ID of the pipeline account, Account B)

Select or create a new role that has permission to send events to the other account. I attached the CloudWatchEventsFullAccess role to it.

In Account B (where CodePipeline exists):

Allow the default event bus to receive events from Account A:

CloudWatch > Event buses > Permissions > Add permission > AWS account > enter Account A's ID

Create a new rule that will trigger the pipeline once the event is received:

CloudWatch > Rules > Create new > Service name: CodeCommit, event type: CodeCommit Repository State Change, and enter Account A's ARN.

The event pattern is the same as before (the resource is Account A's CodeCommit repository ARN):

{
  "source": [
    "aws.codecommit"
  ],
  "detail-type": [
    "CodeCommit Repository State Change"
  ],
  "resources": [
    "arn:aws:codecommit:us-east-1:AccountAid:RepoName"
  ]
}

Create a target using the pipeline ARN. You can use an existing role or a new role; this role only needs permission to start the pipeline.

With this, the CloudWatch Events setup is complete. Test a commit and verify that the pipeline is triggered.
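As an added example (not code from the question or the answer above), the following Python builds the rule pattern and the bus permission the answer describes, then checks a constructed CodeCommit event against the pattern so you can see which pushes would start the pipeline. The account IDs 111111111111 and 222222222222 are placeholders, and the optional branch filter goes beyond what the answer configures.

```python
def event_pattern(region, account_a, repo, branch=None):
    """Rule pattern from the answer, scoped to Account A's repo. branch is an added
    refinement (not on the page): also require the updated ref to be that branch."""
    pattern = {
        "source": ["aws.codecommit"],
        "detail-type": ["CodeCommit Repository State Change"],
        "resources": [f"arn:aws:codecommit:{region}:{account_a}:{repo}"],
    }
    if branch:
        pattern["detail"] = {"referenceType": ["branch"], "referenceName": [branch]}
    return pattern

def bus_policy(region, account_a, account_b):
    """Resource policy equivalent to 'Event buses > Permissions > Add permission
    > AWS account' on Account B's default bus: only Account A may put events."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": f"AllowAccount{account_a}", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_a}:root"},
        "Action": "events:PutEvents",
        "Resource": f"arn:aws:events:{region}:{account_b}:event-bus/default"}]}

def matches(pattern, event):
    """EventBridge-style matching for the shapes above: each pattern key must exist;
    list leaves match if the event value (or any element of it) is listed; dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif not any(v in allowed for v in (value if isinstance(value, list) else [value])):
            return False
    return True

# Constructed sample event, shaped like a CodeCommit Repository State Change
# for a push to branch dev of repo backend in Account A (111111111111 here).
SAMPLE_EVENT = {
    "version": "0", "source": "aws.codecommit", "account": "111111111111",
    "region": "us-east-1", "detail-type": "CodeCommit Repository State Change",
    "resources": ["arn:aws:codecommit:us-east-1:111111111111:backend"],
    "detail": {"event": "referenceUpdated", "repositoryName": "backend",
               "referenceType": "branch", "referenceName": "dev"},
}

if __name__ == "__main__":
    rule = event_pattern("us-east-1", "111111111111", "backend", branch="dev")
    print("starts pipeline:", matches(rule, SAMPLE_EVENT))
```

Scoping the rule to one repository ARN and the bus policy to one account ID (rather than a wildcard principal) keeps other accounts and repositories from starting the pipeline.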