From ff8bf3336eb9331a0f6417f1ebaa41e3d2ce97c6 Mon Sep 17 00:00:00 2001 
From: Simon Kok Date: Wed, 17 Apr 2024 15:34:14 +0200 Subject: [PATCH] Improve sample templates and documentation This commit includes several improvements and updates to the ADF sample templates and documentation: - Update README files with additional details, prerequisites, and deployment instructions for various samples. - Upgrade the sample-fargate-node-app to use a public container registry (public.ecr.aws) instead. - Refactor the sample-ec2-with-codedeploy sample to use AWS Launch Templates, the newer and recommended approach, instead of Launch Configurations. - Update sample-ec2-with-codedeploy scripts to install newer versions of Amazon Linux 2023, Java, and other dependencies. Also fixed the scripts to be compatible with the recommended IMDSv2 authenticated APIs. - Miscellaneous improvements and bug fixes across various sample templates. These changes aim to improve the overall quality, maintainability, and usability of the ADF sample templates, while also providing better documentation and aligning with the latest AWS best practices. 
--- samples/sample-cdk-app/README.md | 2 +- samples/sample-cdk-bootstrap/README.md | 23 +++++++ samples/sample-cdk-bootstrap/buildspec.yml | 22 +++++++ .../sample-cdk-bootstrap/params/global.yml | 62 +++++++++++++++++++ .../sample-ec2-java-app-codedeploy/pom.xml | 6 +- samples/sample-ec2-with-codedeploy/README.md | 4 -- .../params/global.yml | 3 +- .../scripts/install-codedeploy.sh | 37 +++-------- .../scripts/install-deps.sh | 23 ++++--- .../sample-ec2-with-codedeploy/template.yml | 62 ++++++++++--------- samples/sample-ecs-cluster/README.md | 5 ++ samples/sample-ecs-cluster/template.yml | 4 +- samples/sample-fargate-node-app/Dockerfile | 2 +- samples/sample-fargate-node-app/README.md | 15 ++++- .../sample-fargate-node-app/build/docker.sh | 21 ++++--- .../params/global_eu-west-1.json | 5 ++ samples/sample-iam/README.md | 9 +++ samples/sample-iam/params/global.yml | 4 ++ samples/sample-iam/template.yml | 22 ++++++- samples/sample-serverless-app/buildspec.yml | 2 +- .../params/global.yml | 2 +- .../adf-build/shared/resolver_upload.py | 2 +- 22 files changed, 242 insertions(+), 95 deletions(-) create mode 100644 samples/sample-cdk-bootstrap/README.md create mode 100644 samples/sample-cdk-bootstrap/buildspec.yml create mode 100644 samples/sample-cdk-bootstrap/params/global.yml create mode 100644 samples/sample-fargate-node-app/params/global_eu-west-1.json diff --git a/samples/sample-cdk-app/README.md b/samples/sample-cdk-app/README.md index 52a498201..1ca20c8db 100644 --- a/samples/sample-cdk-app/README.md +++ b/samples/sample-cdk-app/README.md @@ -1,6 +1,6 @@ # Sample CDK Application to showcase ADF Pipelines -This pipeline is expecting *(in the example case)* a AWS CodeCommit repository +This pipeline is expecting *(in the example case)* an AWS CodeCommit repository on the account `111111111111` in your main deployment region named *sample-cdk-application*. 
diff --git a/samples/sample-cdk-bootstrap/README.md b/samples/sample-cdk-bootstrap/README.md new file mode 100644 index 000000000..a38f2c2bc --- /dev/null +++ b/samples/sample-cdk-bootstrap/README.md @@ -0,0 +1,23 @@ +# Sample CDK Bootstrap pipeline + +This pipeline is expecting *(in the example case)* an AWS CodeCommit repository +on the account `111111111111` in your main deployment region named +*sample-cdk-bootstrap*. + +## Deployment Map example + +```yaml + - name: sample-cdk-bootstrap + default_providers: + source: + provider: codecommit + properties: + account_id: 111111111111 + build: + provider: codebuild + properties: + image: "STANDARD_7_0" + targets: + - /banking/testing + - /banking/production +``` diff --git a/samples/sample-cdk-bootstrap/buildspec.yml b/samples/sample-cdk-bootstrap/buildspec.yml new file mode 100644 index 000000000..7c7560f00 --- /dev/null +++ b/samples/sample-cdk-bootstrap/buildspec.yml @@ -0,0 +1,22 @@ +# Copyright Amazon.com Inc. or its affiliates. +# SPDX-License-Identifier: Apache-2.0 + +version: 0.2 + +phases: + install: + runtime-versions: + python: 3.12 + nodejs: 20 + commands: + - aws s3 cp s3://$S3_BUCKET_NAME/adf-build/ adf-build/ --recursive --quiet + - pip install -r adf-build/requirements.txt -q + - python adf-build/generate_params.py + + build: + commands: + - npm install aws-cdk -g + - cdk bootstrap --show-template > template.yml + +artifacts: + files: '**/*' diff --git a/samples/sample-cdk-bootstrap/params/global.yml b/samples/sample-cdk-bootstrap/params/global.yml new file mode 100644 index 000000000..bb77230ef --- /dev/null +++ b/samples/sample-cdk-bootstrap/params/global.yml 
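Review bot: `npm install aws-cdk -g` in the build phase installs whatever aws-cdk version npm resolves at build time, so the `cdk bootstrap --show-template` output written to template.yml changes silently between pipeline runs, and a broken or compromised CDK release lands straight in the bootstrap stack of every target account. Pin it, e.g. `npm install -g aws-cdk@<pinned-version>` (placeholder), and bump it deliberately. The same consideration applies to `pip install -r adf-build/requirements.txt`, but only insofar as that requirements file pins its entries, which this hunk does not show.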
@@ -0,0 +1,62 @@ +# Copyright Amazon.com Inc. or its affiliates. +# SPDX-License-Identifier: Apache-2.0 +# +# Parameters of the CDK Bootstrap stack: +# TrustedAccounts: +# Description: List of AWS accounts that are trusted to publish assets and deploy stacks to this environment +# Default: "" +# Type: CommaDelimitedList +# TrustedAccountsForLookup: +# Description: List of AWS accounts that are trusted to look up values in this environment +# Default: "" +# Type: CommaDelimitedList +# CloudFormationExecutionPolicies: +# Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation deployment role +# Default: "" +# Type: CommaDelimitedList +# FileAssetsBucketName: +# Description: The name of the S3 bucket used for file assets +# Default: "" +# Type: String +# FileAssetsBucketKmsKeyId: +# Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed S3 key, or the ID/ARN of an existing key. +# Default: "" +# Type: String +# ContainerAssetsRepositoryName: +# Description: A user-provided custom name to use for the container assets ECR repository +# Default: "" +# Type: String +# Qualifier: +# Description: An identifier to distinguish multiple bootstrap stacks in the same environment +# Default: hnb659fds +# Type: String +# AllowedPattern: "[A-Za-z0-9_-]{1,10}" +# ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters +# PublicAccessBlockConfiguration: +# Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration +# Default: "true" +# Type: String +# AllowedValues: +# - "true" +# - "false" +# InputPermissionsBoundary: +# Description: Whether or not to use either the CDK supplied or custom permissions boundary +# Default: "" +# Type: String +# UseExamplePermissionsBoundary: +# Default: "false" +# AllowedValues: +# - "true" +# - "false" +# Type: String +# BootstrapVariant: +# Type: String +# Default: "AWS CDK: Default Resources" + +Parameters: + TrustedAccounts: 
'resolve:/adf/deployment_account_id' + TrustedAccountsForLookup: 'resolve:/adf/deployment_account_id' + +Tags: + Repository: sample-codebuild-vpc-repo + App: Sample CodeBuild VPC application diff --git a/samples/sample-ec2-java-app-codedeploy/pom.xml b/samples/sample-ec2-java-app-codedeploy/pom.xml index 750b24e40..25fe8c9fd 100644 --- a/samples/sample-ec2-java-app-codedeploy/pom.xml +++ b/samples/sample-ec2-java-app-codedeploy/pom.xml @@ -1,11 +1,11 @@ - - - 4.0.0 + + + org.springframework gs-spring-boot 0.1.0 diff --git a/samples/sample-ec2-with-codedeploy/README.md b/samples/sample-ec2-with-codedeploy/README.md index 8baec3154..89c37cfd0 100644 --- a/samples/sample-ec2-with-codedeploy/README.md +++ b/samples/sample-ec2-with-codedeploy/README.md @@ -5,10 +5,6 @@ is aimed at showcasing how to deploy a basic Spring Boot application with [AWS CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html) via ADF. -This stack assumes an Amazon EC2 -[Key Pair](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) -has been created in the target accounts. - This stack is a generic stack for applications that run on Amazon EC2. This stack could be extended and used as a base for all line of business type applications that run Amazon EC2. diff --git a/samples/sample-ec2-with-codedeploy/params/global.yml b/samples/sample-ec2-with-codedeploy/params/global.yml index bf195181f..1d6873964 100644 --- a/samples/sample-ec2-with-codedeploy/params/global.yml +++ b/samples/sample-ec2-with-codedeploy/params/global.yml 
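Review bot: The `Tags` block at the end of the new file names `Repository: sample-codebuild-vpc-repo` and `App: Sample CodeBuild VPC application`, which looks copied from a different sample; this file parameterises the CDK bootstrap stack of `sample-cdk-bootstrap`, so the tags should name that, e.g. `Repository: sample-cdk-bootstrap` / `App: Sample CDK Bootstrap stack`. A one-line comment above `TrustedAccounts` would also help: both it and `TrustedAccountsForLookup` resolve to the deployment account, which grants that account asset-publish, deploy and lookup rights in every target environment — intended for ADF, but a reader should not have to infer it from the parameter dump above.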
@@ -6,8 +6,7 @@ Parameters: ApplicationName: "sample" InstanceMaxSize: "3" InstanceMinSize: "1" - ImageId: "resolve:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" + ImageId: "resolve:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64" InstanceType: "t3.micro" CodeDeployAgentInstallScript: "upload:path:scripts/install-codedeploy.sh" JavaInstallScript: "upload:path:scripts/install-deps.sh" - KeyPair: "some_key_pair" diff --git a/samples/sample-ec2-with-codedeploy/scripts/install-codedeploy.sh b/samples/sample-ec2-with-codedeploy/scripts/install-codedeploy.sh index 3523b17db..640d8f748 100755 --- a/samples/sample-ec2-with-codedeploy/scripts/install-codedeploy.sh +++ b/samples/sample-ec2-with-codedeploy/scripts/install-codedeploy.sh @@ -7,10 +7,11 @@ set -xe ## Code Deploy Agent Bootstrap Script ## -exec > >(tee /var/log/user-data.log | logger -t user-data -s 2> /dev/console) 2>&1 +exec > >(sudo tee /var/log/user-data.log | logger -t user-data -s 2> /dev/console) 2>&1 AUTOUPDATE=false function installdep() { + echo "Installing dependencies..." if [ ${PLAT} = "ubuntu" ]; then apt-get -y update # Satisfying even Ubuntu older versions. @@ -19,6 +20,7 @@ function installdep() { yum -y update yum install -y aws-cli ruby jq fi + echo "Done installing dependencies." } function platformize() { 
@@ -36,39 +38,15 @@ function platformize() { } function execute() { - if [ ${PLAT} = "ubuntu" ]; then - cd /tmp/ - wget https://aws-codedeploy-${REGION}.s3.${REGION}.amazonaws.com/latest/install - chmod +x ./install - - if ./install auto; then - echo "Installation completed" - if ! ${AUTOUPDATE}; then - echo "Disabling Auto Update" - sed -i '/@reboot/d' /etc/cron.d/codedeploy-agent-update - chattr +i /etc/cron.d/codedeploy-agent-update - rm -f /tmp/install - fi - exit 0 - else - echo "Installation script failed, please investigate" - rm -f /tmp/install - exit 1 - fi - - elif [ ${PLAT} = "amz" ]; then + if [[ "${PLAT}" = "ubuntu" ]] || [[ "${PLAT}" = "amz" ]]; then + echo "Downloading CodeDeploy Agent..." cd /tmp/ wget https://aws-codedeploy-${REGION}.s3.${REGION}.amazonaws.com/latest/install chmod +x ./install + echo "Installing CodeDeploy Agent..." if ./install auto; then echo "Installation completed" - if ! ${AUTOUPDATE}; then - echo "Disabling auto update" - sed -i '/@reboot/d' /etc/cron.d/codedeploy-agent-update - chattr +i /etc/cron.d/codedeploy-agent-update - rm -f /tmp/install - fi exit 0 else echo "Installation script failed, please investigate" @@ -83,5 +61,6 @@ function execute() { platformize installdep -REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r ".region") +export TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") +export REGION=$(curl -H "X-aws-ec2-metadata-token: ${TOKEN}" -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r ".region") execute diff --git a/samples/sample-ec2-with-codedeploy/scripts/install-deps.sh b/samples/sample-ec2-with-codedeploy/scripts/install-deps.sh index 08d8d0e3c..f2b425ab0 100755 --- a/samples/sample-ec2-with-codedeploy/scripts/install-deps.sh +++ b/samples/sample-ec2-with-codedeploy/scripts/install-deps.sh 
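Review bot: After this hunk removes both `if ! ${AUTOUPDATE}` blocks from execute(), nothing in the script reads `AUTOUPDATE` any more, yet `AUTOUPDATE=false` still sits near the top (visible as context in the first hunk) and suggests auto-update is being disabled when it no longer is. Either drop the variable or restore the disable step for the merged amz/ubuntu path; if the intent is to let the agent auto-update, say so where the variable was, `# CodeDeploy agent auto-update is left enabled`, so the next reader does not reinstate the old logic. execute() ends outside this hunk.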
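Review bot: `export TOKEN=$(curl -X PUT ...)` defeats the script's `set -e`: the exit status of an `export VAR=$(cmd)` line is export's, not curl's, so a failed IMDS call leaves `TOKEN` empty, the next line then queries the identity document with an empty token header, `REGION` ends up empty, and execute() fails later on a malformed download URL with a far less obvious error. Assign first and export separately, and make curl fail loudly: `TOKEN=$(curl -sSf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")` followed by `export TOKEN`, and the same shape for REGION. Note that under `set -x` the token value is echoed into /var/log/user-data.log and the console logger set up by the `exec` line; the token is short-lived and instance-local, but a 21600 s TTL is far more than the two requests need, so a small value such as 60 limits what a leaked log reveals.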
@@ -1,8 +1,10 @@ -#!/bin/bash +#!/usr/bin/env bash # Copyright Amazon.com Inc. or its affiliates. # SPDX-License-Identifier: Apache-2.0 +set -xe + # install apache httpd sudo yum install httpd -y @@ -10,15 +12,12 @@ sudo yum install httpd -y curl -s "https://get.sdkman.io" | bash source "$HOME/.sdkman/bin/sdkman-init.sh" -# install Java 8 -sudo yum install java-1.8.0 -y -# remove Java 1.7 -sudo yum remove java-1.7.0-openjdk -y +# install Java +sudo yum install -y java-17-amazon-corretto-headless # install Maven -sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo -sudo sed -i s/\$releasever/7/g /etc/yum.repos.d/epel-apache-maven.repo -sudo yum install -y apache-maven +yum -y update +sudo yum install -y maven # sdk version java -version @@ -30,7 +29,7 @@ sdk install springboot # create a springboot user to run the app as a service sudo useradd springboot # springboot login shell disabled -sudo chsh -s /sbin/nologin springboot +sudo usermod --shell /sbin/nologin springboot # forward port 80 to 8080 echo " @@ -42,8 +41,8 @@ echo " " | sudo tee -a /etc/httpd/conf/httpd.conf > /dev/null # start the httpd service now and stop it until userdata -sudo service httpd start -sudo service httpd stop +sudo systemctl start httpd +sudo systemctl stop httpd # ensure httpd stays on -sudo chkconfig httpd on +sudo systemctl enable httpd diff --git a/samples/sample-ec2-with-codedeploy/template.yml b/samples/sample-ec2-with-codedeploy/template.yml index ab1dddd04..dacc06e07 100644 --- a/samples/sample-ec2-with-codedeploy/template.yml +++ b/samples/sample-ec2-with-codedeploy/template.yml @@ -52,10 +52,6 @@ Parameters: ConstraintDescription: "Must be one of the values from the list." Description: "Instance type for the EC2 instances." - KeyPair: - Description: "Amazon EC2 Key Pair" - Type: "AWS::EC2::KeyPair::KeyName" - Resources: AutoScalingGroup: Type: "AWS::AutoScaling::AutoScalingGroup" 
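Review bot: The new `set -xe` does not cover the pipelines this script depends on: `curl -s "https://get.sdkman.io" | bash` below and the `echo ... | sudo tee -a /etc/httpd/conf/httpd.conf` further down report only the last command's status, so a failed download runs `bash` on empty input and the script carries on as if SDKMAN were installed. Use `set -xeo pipefail` so a broken pipeline stage aborts the install. The `curl | bash` line itself is unchanged by this commit, but it executes unverified remote content as the provisioning user; pinning a release and checking a known digest before running it is the usual mitigation.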
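Review bot: The added `yum -y update` is the only package command in this file that runs without `sudo`, so when the script is executed by a non-root user, as the surrounding `sudo yum install` lines assume, it fails and the new `set -e` aborts before Maven is installed. It is also a full system upgrade that the Maven install does not need and that makes the provisioned state vary by day; `sudo yum install -y maven` alone is sufficient, or keep `sudo yum -y update` as a deliberate, commented step.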
@@ -71,7 +67,9 @@ Resources:
 AvailabilityZones: !GetAZs ""
 MinSize: !Ref "InstanceMinSize"
 MaxSize: !Ref "InstanceMaxSize"
- LaunchConfigurationName: !Ref "LaunchConfiguration"
+ LaunchTemplate:
+ LaunchTemplateId: !GetAtt LaunchTemplate.LaunchTemplateId
+ Version: !GetAtt LaunchTemplate.LatestVersionNumber
 MetricsCollection:
 - Granularity: "1Minute"
 TerminationPolicies:
@@ -108,32 +106,40 @@ Resources: AutoScalingGroups: - !Ref "AutoScalingGroup" - LaunchConfiguration: - Type: "AWS::AutoScaling::LaunchConfiguration" + LaunchTemplate: + Type: "AWS::EC2::LaunchTemplate" Properties: - AssociatePublicIpAddress: false - IamInstanceProfile: !ImportValue "GlobalInstanceProfileArn" - ImageId: !Ref "ImageId" - InstanceType: !Ref "InstanceType" - KeyName: !Ref "KeyPair" - SecurityGroups: - - !Ref "PrivateSecurityGroup" - UserData: - "Fn::Base64": !Sub | - #!/bin/bash - BUCKET_NAME=$(echo ${CodeDeployAgentInstallScript} | sed 's/^.*adf-global-base/adf-global-base/' |sed 's/\/.*//') - KEY=$(echo ${CodeDeployAgentInstallScript} | sed 's/^.*adf-upload/adf-upload/') - aws s3api get-object --bucket $BUCKET_NAME --key $KEY /tmp/code_deploy_install.sh + LaunchTemplateName: !Sub ${AWS::StackName}-launch-template + LaunchTemplateData: + IamInstanceProfile: + Arn: !ImportValue IamInstanceProfile + ImageId: !Ref "ImageId" + InstanceType: !Ref "InstanceType" + MetadataOptions: + HttpEndpoint: enabled + HttpPutResponseHopLimit: 2 + HttpTokens: required + NetworkInterfaces: + - AssociatePublicIpAddress: false + DeviceIndex: 0 + Groups: + - !Ref "PrivateSecurityGroup" + UserData: + "Fn::Base64": !Sub | + #!/bin/bash + BUCKET_NAME=$(echo "${CodeDeployAgentInstallScript}" | sed 's/^.*adf-global-base/adf-global-base/' | sed 's/\/.*//') + KEY=$(echo "${CodeDeployAgentInstallScript}" | sed 's/^.*adf-upload/adf-upload/') + aws s3api get-object --bucket "${!BUCKET_NAME}" --key "${!KEY}" /tmp/code_deploy_install.sh - BUCKET_NAME=$(echo ${JavaInstallScript} | sed 's/^.*adf-global-base/adf-global-base/' |sed 's/\/.*//') - KEY=$(echo ${JavaInstallScript} | sed 's/^.*adf-upload/adf-upload/') - aws s3api get-object --bucket $BUCKET_NAME --key $KEY /tmp/java_install.sh + BUCKET_NAME=$(echo "${JavaInstallScript}" | sed 's/^.*adf-global-base/adf-global-base/' |sed 's/\/.*//') + KEY=$(echo "${JavaInstallScript}" | sed 's/^.*adf-upload/adf-upload/') + aws s3api get-object 
--bucket "${!BUCKET_NAME}" --key "${!KEY}" /tmp/java_install.sh - chmod +x /tmp/java_install.sh - chmod +x /tmp/code_deploy_install.sh - /tmp/code_deploy_install.sh - /tmp/java_install.sh - /opt/aws/bin/cfn-signal -e 0 --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region} + chmod +x /tmp/java_install.sh + chmod +x /tmp/code_deploy_install.sh + /tmp/code_deploy_install.sh + /tmp/java_install.sh + /opt/aws/bin/cfn-signal -e 0 --stack "${AWS::StackName}" --resource AutoScalingGroup --region "${AWS::Region}" PrivateSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/samples/sample-ecs-cluster/README.md b/samples/sample-ecs-cluster/README.md index d7d6c809a..7e0344a09 100644 --- a/samples/sample-ecs-cluster/README.md +++ b/samples/sample-ecs-cluster/README.md @@ -1,5 +1,10 @@ # Sample ECS Cluster to showcase ADF Pipelines +## Prerequisites + +Please make sure you deploy the `sample-vpc` example before you deploy +this sample. The VPC should be deployed to the same target accounts and region. + ## Deployment Map example ```yaml diff --git a/samples/sample-ecs-cluster/template.yml b/samples/sample-ecs-cluster/template.yml index c9d1a0d7c..ac2ceed18 100644 --- a/samples/sample-ecs-cluster/template.yml +++ b/samples/sample-ecs-cluster/template.yml @@ -170,11 +170,11 @@ Outputs: Export: Name: 'ClusterName' - LoadBalancerExternalUrl: + ECSLoadBalancerExternalUrl: Description: The url of the external load balancer Value: !Sub http://${PublicLoadBalancer.DNSName} Export: - Name: 'LoadBalancerExternalUrl' + Name: 'ECSLoadBalancerExternalUrl' ECSRole: Description: The ARN of the ECS role diff --git a/samples/sample-fargate-node-app/Dockerfile b/samples/sample-fargate-node-app/Dockerfile index 09e956fc4..59cddd091 100644 --- a/samples/sample-fargate-node-app/Dockerfile +++ b/samples/sample-fargate-node-app/Dockerfile 
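Review bot: The rewritten UserData still ends with `/opt/aws/bin/cfn-signal -e 0 ...`, so the AutoScalingGroup is reported healthy even when /tmp/code_deploy_install.sh or /tmp/java_install.sh fails, and neither script's exit status is checked here; signal the real outcome instead, `/tmp/code_deploy_install.sh && /tmp/java_install.sh` followed by `/opt/aws/bin/cfn-signal -e $? --stack "${AWS::StackName}" --resource AutoScalingGroup --region "${AWS::Region}"`. `IamInstanceProfile: Arn: !ImportValue IamInstanceProfile` replaces the previous `GlobalInstanceProfileArn` import, and the sample-iam hunks in this commit do not show an export by that name, so please confirm the exporting stack was updated too, otherwise the launch template fails at deploy time. `HttpTokens: required` is a good addition; `HttpPutResponseHopLimit: 2` is only needed when something behind a container network namespace on the instance needs IMDS, which these scripts do not appear to, so 1 would be the tighter default.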
@@ -1,7 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. # SPDX-License-Identifier: Apache-2.0 -FROM node:current-alpine +FROM public.ecr.aws/docker/library/node:current-alpine WORKDIR /app COPY . . RUN npm install diff --git a/samples/sample-fargate-node-app/README.md b/samples/sample-fargate-node-app/README.md index 63e39396a..18f3b5197 100644 --- a/samples/sample-fargate-node-app/README.md +++ b/samples/sample-fargate-node-app/README.md @@ -1,9 +1,20 @@ # Sample NodeJS Web Application running on AWS Fargate +## Prerequisites + +Please make sure you deploy the `sample-ecr-repository` and +`sample-ecs-cluster` examples before you deploy this sample. +The ECS cluster should be deployed to the same target accounts and region. + +If you want to change the region to another region, please make sure to rename +the `params/global_eu-west-1.json` file to use the new region name. +For example: `params/global_us-east-1.json`. +Also update the regions list in the deployment map for this example. + ## Deployment Map example ```yaml - - name: sample-node-app + - name: sample-fargate-node-app default_providers: source: provider: codecommit @@ -17,6 +28,8 @@ # ^ Required for Docker in Docker to work as expected (since # CodeBuild will run our docker commands to create and push our # image). + regions: + - eu-west-1 targets: # Example Targets: These accounts/regions have had the sample-vpc deployed - 222222222222 diff --git a/samples/sample-fargate-node-app/build/docker.sh b/samples/sample-fargate-node-app/build/docker.sh index 01a3dc7f0..235b517fa 100755 --- a/samples/sample-fargate-node-app/build/docker.sh +++ b/samples/sample-fargate-node-app/build/docker.sh 
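Review bot: `FROM public.ecr.aws/docker/library/node:current-alpine` moves the pull off Docker Hub but keeps a floating tag: `current-alpine` follows whatever the newest Node release is, so the image this sample builds changes major versions without any change in the repository. Pin at least the major line, e.g. `FROM public.ecr.aws/docker/library/node:20-alpine`, or a digest (`@sha256:<digest-placeholder>`) if reproducible builds matter more than automatic patching.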
@@ -5,14 +5,21 @@ set -e -$(aws ecr get-login --region $AWS_REGION --no-include-email) -REPOSITORY_URI=$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$ADF_PROJECT_NAME +aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com +REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ADF_PROJECT_NAME}" IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7) -docker build -t $REPOSITORY_URI:latest . -docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG -docker push $REPOSITORY_URI:latest -docker push $REPOSITORY_URI:$IMAGE_TAG +docker build -t "${REPOSITORY_URI}:latest" . +docker tag "${REPOSITORY_URI}:latest" "${REPOSITORY_URI}:${IMAGE_TAG}" +docker push "${REPOSITORY_URI}:latest" +docker push "${REPOSITORY_URI}:${IMAGE_TAG}" tmp=$(mktemp) -jq --arg REPOSITORY_URI "$REPOSITORY_URI" --arg IMAGE_TAG "$IMAGE_TAG" '.Parameters.Image = $REPOSITORY_URI+":"+$IMAGE_TAG' params/global.json > "$tmp" && mv "$tmp" params/global.json +jq \ + --arg REPOSITORY_URI "$REPOSITORY_URI" \ + --arg IMAGE_TAG "$IMAGE_TAG" \ + '.Parameters.Image = $REPOSITORY_URI+":"+$IMAGE_TAG' \ + "params/global_${AWS_REGION}.json" \ + > "$tmp" + +mv "$tmp" "params/global_${AWS_REGION}.json" diff --git a/samples/sample-fargate-node-app/params/global_eu-west-1.json b/samples/sample-fargate-node-app/params/global_eu-west-1.json new file mode 100644 index 000000000..b2f0829cf --- /dev/null +++ b/samples/sample-fargate-node-app/params/global_eu-west-1.json @@ -0,0 +1,5 @@ +{ + "Parameters": { + "Image": "" + } +} diff --git a/samples/sample-iam/README.md b/samples/sample-iam/README.md index 2e996879c..569fa54ab 100644 --- a/samples/sample-iam/README.md +++ b/samples/sample-iam/README.md 
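Review bot: The new login line `aws ecr get-login-password ... | docker login --username AWS --password-stdin ...` is a pipeline, and the `set -e` shown in the hunk's context label only sees `docker login`'s status, so a failed `get-login-password` (expired credentials, wrong region) is not what aborts the build; add `set -eo pipefail` at the top of the script, or check the status explicitly. The same line leaves `${ACCOUNT_ID}` and `${AWS_REGION}` unquoted while every other new line in the hunk quotes its expansions, and the unchanged `IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)` is an unquoted expansion through another pipeline; `IMAGE_TAG="${CODEBUILD_RESOLVED_SOURCE_VERSION:0:7}"` avoids both.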
@@ -3,6 +3,15 @@ This pipeline is expecting *(in the example case)* a AWS CodeCommit repository on the account `111111111111` in your main deployment region named *sample-iam*. +This sample is configured to deploy to the `eu-west-1` region. +If you would like to deploy it to another region, please update the +parameters in the `params/global.yml` file. Replacing the `eu-west-1` part +with the region you like to deploy to. + +As all resources in this stack are globally accessible, this sample should only +be deployed to a single region per account. It is recommended to leave it +configured to the default deployment region of your ADF installation. + ## Deployment Map example ```yaml diff --git a/samples/sample-iam/params/global.yml b/samples/sample-iam/params/global.yml index d162de483..6ca3fa335 100644 --- a/samples/sample-iam/params/global.yml +++ b/samples/sample-iam/params/global.yml @@ -1,6 +1,10 @@ # Copyright Amazon.com Inc. or its affiliates. # SPDX-License-Identifier: Apache-2.0 +Parameters: + DeploymentAssetS3BucketName: "resolve:/adf/cross_region/s3_regional_bucket/eu-west-1" + DeploymentAssetKMSKeyArn: "resolve:/adf/cross_region/kms_arn/eu-west-1" + Tags: TagKey: "my_tag" MyKey: "new_value" diff --git a/samples/sample-iam/template.yml b/samples/sample-iam/template.yml index aa4ea8a94..b31e63aaf 100644 --- a/samples/sample-iam/template.yml +++ b/samples/sample-iam/template.yml @@ -6,6 +6,15 @@ Description: ADF CloudFormation Sample Template (IAM) Metadata: License: Apache-2.0 +Parameters: + DeploymentAssetS3BucketName: + Type: "String" + Description: "The S3 Bucket name where deployment assets will be located" + + DeploymentAssetKMSKeyArn: + Type: "String" + Description: "The KMS Key Arn with which deployment assets will encrypted" + Resources: DevelopersIAMGroup: Type: AWS::IAM::Group 
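Review bot: The `DeploymentAssetKMSKeyArn` description reads "The KMS Key Arn with which deployment assets will encrypted" and is missing a word; `Description: "The KMS Key ARN with which deployment assets will be encrypted"`. Since these two parameters now gate what the instance role may read (see the policy change further down this file), the description or README should also say they must match the ADF regional bucket and key of the region the stack is deployed to, as `params/global.yml` hard-codes `eu-west-1` for both.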
@@ -38,7 +47,7 @@ Resources: Action: - "sts:AssumeRole" ManagedPolicyArns: - - !Ref "DefaultInstanceManagedPolicy" + - !Ref DefaultInstanceManagedPolicy RoleName: "global-instance-role" DefaultInstanceManagedPolicy: @@ -61,11 +70,20 @@ Resources: - "elasticloadbalancing:DescribeTargetGroups" - "elasticloadbalancing:DescribeTargetHealth" - "elasticloadbalancing:RegisterTargets" + Resource: + - "*" + - Effect: "Allow" + Action: - "kms:Decrypt" + Resource: + - !Ref DeploymentAssetKMSKeyArn + - Effect: "Allow" + Action: - "s3:GetObject" - "s3:GetObjectVersion" Resource: - - "*" + - !Sub "arn:${AWS::Partition}:s3:::${DeploymentAssetS3BucketName}/adf-upload/*" + - !Sub "arn:${AWS::Partition}:s3:::${DeploymentAssetS3BucketName}/adf-pipeline-*" CodeDeployServiceRole: Type: "AWS::IAM::Role" diff --git a/samples/sample-serverless-app/buildspec.yml b/samples/sample-serverless-app/buildspec.yml index 5d80bc131..48c5253ef 100644 --- a/samples/sample-serverless-app/buildspec.yml +++ b/samples/sample-serverless-app/buildspec.yml @@ -15,6 +15,6 @@ phases: artifacts: files: - - 'template.yml' + - 'template*.yml' - 'params/*.json' - 'params/*.yml' diff --git a/samples/sample-service-catalog-product/params/global.yml b/samples/sample-service-catalog-product/params/global.yml index 3eea1324a..86f21ea29 100644 --- a/samples/sample-service-catalog-product/params/global.yml +++ b/samples/sample-service-catalog-product/params/global.yml @@ -2,4 +2,4 @@ # SPDX-License-Identifier: Apache-2.0 Parameters: - ProductXTemplateURL: "upload:eu-central-1:productX/template.yml" + ProductXTemplateURL: "upload:path:productX/template.yml" diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/resolver_upload.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/resolver_upload.py index 65eebee51..114c57754 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/resolver_upload.py 
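Review bot: Scoping `kms:Decrypt` to `!Ref DeploymentAssetKMSKeyArn` and `s3:GetObject` to the two prefixes is the right direction; one further tightening worth considering is a `Condition` on the KMS statement, `StringEquals: { "kms:ViaService": !Sub "s3.${AWS::Region}.amazonaws.com" }`, so the instance role can only use the key through S3 rather than calling `kms:Decrypt` directly on any ciphertext produced under it. The `adf-pipeline-*` resource matches an object-key prefix inside the bucket, not a bucket-name pattern, which is presumably what is intended; a short comment above the S3 statement naming the two upload locations would make that explicit.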
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/resolver_upload.py
@@ -58,7 +58,7 @@ def resolve(self, lookup_str: str, random_filename: str) -> str:
 for item in S3.supported_path_styles()
 ):
 raise ValueError(
- 'When uploading to S3 you need to specify a path style'
+ 'When uploading to S3 you need to specify a path style '
 'to use for the returned value to be used. '
 f'Supported path styles include: {S3.supported_path_styles()}'
 ) from None
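Review bot: The fix is correct but the failure mode stays: this `ValueError` message is still built from three adjacent string literals that Python joins implicitly, which is exactly how the missing space crept in, and the next edit to the message can reintroduce it. Consider making the join explicit, `'When uploading to S3 you need to specify a path style ' +` on each fragment, or collapse the message into one literal, or enable the linter check for implicit string concatenation so it is flagged automatically. The enclosing `resolve` method starts above this hunk.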