aws codepipeline创建跨账户的cicd

参考资料

• Building a Cross-account CI/CD Pipeline

• Create a pipeline in CodePipeline that uses resources from another AWS account

通常来说，我们会将代码和pipeline配置不同的账户中，在codepipeline的source阶段指定为另一个账号的codecommit仓库。但codepipeline通常由三个阶段组成，本次模拟极端情况，将三个阶段分别放置在两个账号进行测试。

本次测试的逻辑图示图下

先决条件

a账户

• pipeline的s3桶（授权b账号访问）

• 用户管理kms（授权pipeline，codebuild和codedeploy）

  {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
          "AWS": [
              "arn:aws-cn:iam:::role/AWSCodePipelineServiceRole",
              "arn:aws-cn:iam:::root"
          ]
      },
      "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
      ],
      "Resource": "*"
  }
  

• 创建管道（使用用户管理kms）

• piprline服务角色，允许codepipeline角色的assume行为

b账号

• 创建codecommit存储库
• 创建codebuild项目，codepipeline会直接覆盖build的source，codebuild角色允许使用kms权限
• 创建codedeploy应用，部署组（如ec2实例），codedeploy角色允许使用kms权限
• 创建crossaccount角色允许a账户assume
• 创建ec2角色允许访问a账号s3桶，获取revision

在b账号配置项目

创建codecommit仓库，这里创建一个简单的javaweb项目，包括完整buildspec.yml和appspec.yml

$ tree -L 2
├── appspec.yml
├── buildspec.yml
├── scripts
│   ├── install_dependencies.sh
│   ├── start_server.sh
│   └── stop_server.sh
├── src
│   └── main
└── pom.xml

创建codebuild项目，一直下一步即可，构建平台需要选择aws/codebuild/amazonlinux2-x86_64-standard:3.0

创建codedeploy项目，简单部署到ec2实例即可

创建cross角色，信任策略如下，允许a账号assume

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::037047667284:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

在a账号创建pipeline

source，build和deploy阶段先写a账号下的

配置a账号下对应的pipeline存储桶策略

{
      "Sid": "allowputobject",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws-cn:iam::442337510176:root"
      },
      "Action": [
          "s3:Get*",
          "s3:Put*"
      ],
      "Resource": "arn:aws-cn:s3:::codepipeline-cn-north-1-482183469511/*"
  },
  {
      "Sid": "allowlistbuckets",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws-cn:iam::442337510176:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws-cn:s3:::codepipeline-cn-north-1-482183469511"
  }

通过awscli获取pipeline完整配置

pipeline:
  artifactStore:
    encryptionKey:
      id: arn:aws-cn:kms:cn-north-1:-A>:key/19841203-6504-4918-b5d8-d7ff47195135 # 指定用户管理kms
      type: KMS
    location: codepipeline-cn-north-1-xxxxxxxxx
    type: S3
  name: test-crossaccount
  roleArn: arn:aws-cn:iam::-A>:role/AWSCodePipelineServiceRole # pipeline角色
  stages:
  - actions:
    - actionTypeId:
        category: Source
        owner: AWS
        provider: CodeCommit
        version: '1'
      configuration:
        BranchName: master
        OutputArtifactFormat: CODE_ZIP
        PollForSourceChanges: 'false'
        RepositoryName: zhaojiew-test
      inputArtifacts: []
      name: Source
      namespace: SourceVariables
      outputArtifacts:
      - name: SourceArtifact
      region: cn-north-1
      roleArn: arn:aws-cn:iam::-B>:role/zhaojiew-cross #添加soruce阶段需要assume的角色
      runOrder: 1
    name: Source
  - actions:
    - actionTypeId:
        category: Build
        owner: AWS
        provider: CodeBuild
        version: '1'
      configuration:
        ProjectName: zhaojiew-test
      inputArtifacts:
      - name: SourceArtifact
      name: Build
      namespace: BuildVariables
      outputArtifacts:
      - name: BuildArtifact
      region: cn-north-1
      roleArn: arn:aws-cn:iam::-B>:role/zhaojiew-cross #添加build阶段需要assume的角色
      runOrder: 1
    name: Build
  - actions:
    - actionTypeId:
        category: Deploy
        owner: AWS
        provider: CodeDeploy
        version: '1'
      configuration:
        ApplicationName: zhaojiew-test
        DeploymentGroupName: ec2-instance
      inputArtifacts:
      - name: BuildArtifact
      name: Deploy
      namespace: DeployVariables
      outputArtifacts: []
      region: cn-north-1
      roleArn: arn:aws-cn:iam::-B>:role/zhaojiew-cross #添加deploy阶段需要assume的角色
      runOrder: 1
    name: Deploy
  version: 1

更新pipeline

aws codepipeline update-pipeline --cli-input-yaml file://pipeline.yaml

之后手动触发pipeline进行构建即可

最后总结

最终的运行逻辑仍旧是这张图的内容，跨账号的pipeline配置只需要注意几个要点即可

涉及到的关键点总结

• codepipeline默认使用pipeline角色进行各项操作
• 无法在控制台对codepipeline进行跨账号配置，必须要通过api调用（如awscli）对codepipeline进行配置
• codepipeline将所有中间步骤存储到固定的s3桶中（pipeline所在的账号），强制使用默认kms加密，但是跨账号必须使用用户托管kms密钥加密解密
• source阶段pipeline角色assume到crossrole上获取codecommit，并将artifact回写到s3桶
• build阶段pipeline角色assume到crossrole触发build项目，build阶段由codebuild角色执行build操作，并由crossrole将build的结果回写到s3桶
• deploy阶段pipeline角色assume到crossrole触发deploy项目，build阶段由codedeploy角色执行deploy操作
• 3个阶段的具体项目信息无法在codepipeline中直接看到，需要登录到b账号中查看

本次测试的完成能够对piepleine的权限和阶段之间的关系了解更加深入