0 parents
commit 62bfca0
Showing
12 changed files
with
192 additions
and
0 deletions.
@@ -0,0 +1,4 @@ | ||
*.swp | ||
*.tfstate* | ||
*.terraform | ||
*.terraform.lock.hcl |
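Review bot: `*.terraform.lock.hcl` on the last line excludes the provider dependency lock file from the repository, so the aws provider version and its checksums are re-resolved on every `terraform init` and nothing records what was actually installed. HashiCorp recommends committing `.terraform.lock.hcl` so provider hashes are reviewed in diffs like any other dependency; drop that pattern and keep `*.terraform`, which already covers the `.terraform/` provider cache directory. The `*.tfstate*` entry is correct and should stay, since state can contain secrets.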
@@ -0,0 +1,11 @@ | ||
sync: | ||
echo "Uploading policystream image" | ||
docker pull cloudcustodian/policystream:latest | ||
docker tag cloudcustodian/policystream:latest $$(terraform output -raw policystream_image_url):latest | ||
aws ecr get-login-password | docker login --username AWS --password-stdin $$(terraform output -raw policystream_image_url) | ||
docker push $$(terraform output -raw policystream_image_url):latest | ||
echo "Uploading c7n image" | ||
docker pull cloudcustodian/c7n:$$(terraform output -raw c7n_image_tag) | ||
docker tag cloudcustodian/c7n:$$(terraform output -raw c7n_image_tag) $$(terraform output -raw c7n_image_url):$$(terraform output -raw c7n_image_tag) | ||
aws ecr get-login-password | docker login --username AWS --password-stdin $$(terraform output -raw c7n_image_url) | ||
docker push $$(terraform output -raw c7n_image_url):$$(terraform output -raw c7n_image_tag) |
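Review bot: Both images are pulled from Docker Hub by mutable tag (`cloudcustodian/policystream:latest` on the first pull line and `cloudcustodian/c7n:$$(terraform output -raw c7n_image_tag)`, whose variable defaults to `latest` elsewhere in this commit), retagged and pushed into ECR, so the image that becomes the CodeBuild environment is whatever the upstream tag points to at sync time and cannot be reproduced later. Pinning by digest, e.g. `docker pull cloudcustodian/policystream@sha256:<digest>` with the digest kept in a variable alongside the tag, makes the input reviewable; at minimum have the target print `docker inspect --format '{{index .RepoDigests 0}}'` for each image so the synced digest is recorded in the build log. Also, `docker login` is handed the repository URL from `terraform output` rather than the registry host; this appears to work with current Docker clients but the documented argument is the registry hostname, so consider stripping the repository path.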
@@ -0,0 +1,15 @@ | ||
version: 0.2 | ||
|
||
phases: | ||
pre_build: | ||
commands: | ||
- export C7N_IMAGE = $C7N_IMAGE_URL:$C7N_IMAGE_TAG | ||
- c7n-policystream diff $POLICY_DIR --source $CODEBUILD_SOURCE_VERSION --target $POLICYSTREAM_BASE -o /policy.yaml | ||
# pull the c7n image and run it | ||
- aws ecr get-login-password | docker login --username AWS --password-stdin $C7N_IMAGE | ||
- docker pull $C7N_IMAGE | ||
- docker run $C7N_IMAGE | ||
build: | ||
commands: [] | ||
post_build: | ||
commands: [] |
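Review bot: `export C7N_IMAGE = $C7N_IMAGE_URL:$C7N_IMAGE_TAG` in pre_build has spaces around `=`, so the shell tries to export a variable literally named `=` and fails with "not a valid identifier", which aborts the phase before the diff or the docker commands run; it should read `- export C7N_IMAGE=$C7N_IMAGE_URL:$C7N_IMAGE_TAG`. Even with that fixed, the `c7n-policystream diff` output written to `/policy.yaml` is never handed to the container: `docker run $C7N_IMAGE` mounts nothing and passes no arguments, so the c7n image runs its default entrypoint against nothing — presumably a bind mount such as `-v /policy.yaml:/policy.yaml` plus the intended `custodian` arguments is missing. Separately, `$CODEBUILD_SOURCE_VERSION` for a GitHub pull-request webhook build has the form `pr/<number>`, which may not be a git ref that `c7n-policystream diff --source` can resolve; verify against a real PR build.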
@@ -0,0 +1,66 @@ | ||
resource "aws_codebuild_project" "policy_ci" { | ||
name = "c7n-policy-ci" | ||
description = "Cloud Custodian poilcy testing" | ||
build_timeout = "480" | ||
service_role = aws_iam_role.codebuild_executor.arn | ||
|
||
artifacts { | ||
type = "NO_ARTIFACTS" | ||
} | ||
|
||
environment { | ||
compute_type = "BUILD_GENERAL1_SMALL" | ||
image = "${aws_ecr_repository.policystream.repository_url}:latest" | ||
type = "LINUX_CONTAINER" | ||
image_pull_credentials_type = "CODEBUILD" | ||
privileged_mode = true | ||
|
||
environment_variable { | ||
name = "POLICYSTREAM_BASE" | ||
value = var.base_branch | ||
} | ||
|
||
environment_variable { | ||
name = "C7N_IMAGE_URL" | ||
value = aws_ecr_repository.c7n.repository_url | ||
} | ||
|
||
environment_variable { | ||
name = "C7N_IMAGE_TAG" | ||
value = var.c7n_image_tag | ||
} | ||
|
||
environment_variable { | ||
name = "POLICY_DIR" | ||
value = var.policy_dir | ||
} | ||
} | ||
|
||
logs_config { | ||
cloudwatch_logs { | ||
status = "ENABLED" | ||
} | ||
} | ||
|
||
source { | ||
type = "GITHUB" | ||
location = var.repository_url | ||
git_clone_depth = 2 | ||
buildspec = "deploy/buildspec.yaml" | ||
} | ||
} | ||
|
||
resource "aws_codebuild_webhook" "policy_ci" { | ||
project_name = aws_codebuild_project.policy_ci.name | ||
build_type = "BUILD" | ||
filter_group { | ||
filter { | ||
type = "EVENT" | ||
pattern = "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED" | ||
} | ||
filter { | ||
type = "BASE_REF" | ||
pattern = "^refs/heads/${var.base_branch}$" | ||
} | ||
} | ||
} |
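Review bot: The webhook in `aws_codebuild_webhook.policy_ci` fires on PULL_REQUEST_CREATED/UPDATED/REOPENED with only a BASE_REF filter, and `buildspec = "deploy/buildspec.yaml"` is read from the pull request's own checkout, so anyone who can open a PR against the repository can run arbitrary commands in a `privileged_mode = true` container under `aws_iam_role.codebuild_executor`; if the GitHub repository is public (the tfvars in this commit point at a github.com URL) that includes fork PRs. Add an actor restriction, e.g. `filter { type = "ACTOR_ACCOUNT_ID" pattern = "<trusted-github-user-ids>" }` inside the same `filter_group`, or move the buildspec inline into the project so PR authors cannot replace it, and keep the attached role policy minimal. The environment image is also referenced as `:latest` from a mutable ECR repository, so the CI toolchain can change underneath the project without a Terraform diff; referencing it by a versioned tag or digest is preferable. Minor: `description` misspells "policy" as "poilcy".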
@@ -0,0 +1,17 @@ | ||
resource "aws_ecr_repository" "policystream" { | ||
name = "policystream" | ||
image_tag_mutability = "MUTABLE" | ||
|
||
image_scanning_configuration { | ||
scan_on_push = true | ||
} | ||
} | ||
|
||
resource "aws_ecr_repository" "c7n" { | ||
name = "c7n" | ||
image_tag_mutability = "MUTABLE" | ||
|
||
image_scanning_configuration { | ||
scan_on_push = true | ||
} | ||
} |
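Review bot: Both repositories are `image_tag_mutability = "MUTABLE"` and the CodeBuild project in this commit consumes `policystream:latest` as its environment image, so a later push can silently change what runs the CI, and `scan_on_push = true` only reports findings — nothing gates on them. Prefer `image_tag_mutability = "IMMUTABLE"` with versioned tags (the Makefile's retag-as-`latest` sync would then need a versioned tag) or reference the image by digest in `aws_codebuild_project`. Separately, with `image_pull_credentials_type = "CODEBUILD"` the CodeBuild service principal pulls the environment image under its own identity, which AWS documents as requiring an `aws_ecr_repository_policy` on `policystream` granting `codebuild.amazonaws.com` `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability`; none is defined here, so the build is likely to fail at image pull.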
@@ -0,0 +1,25 @@ | ||
resource "aws_iam_role" "codebuild_executor" { | ||
name = "C7NPolicyCIRole" | ||
|
||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": [ | ||
"codebuild.amazonaws.com" | ||
] | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "codebuild_executor" { | ||
role = aws_iam_role.codebuild_executor.name | ||
policy_arn = var.ci_policy_arn | ||
} |
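Review bot: The trust policy lets `codebuild.amazonaws.com` assume `C7NPolicyCIRole` with no `aws:SourceAccount` / `aws:SourceArn` condition, which is the cross-service confused-deputy exposure AWS documents for CodeBuild; scope it to this account and to the `c7n-policy-ci` project, using the `data.aws_caller_identity.current` and `data.aws_region.current` sources that this commit already declares. The role also carries only `var.ci_policy_arn` (ReadOnlyAccess by default), which has no `logs:CreateLogGroup`, `logs:CreateLogStream` or `logs:PutLogEvents`, so the project's enabled `cloudwatch_logs` has nowhere to write and the build will likely report a permissions error — a small inline `aws_iam_role_policy` for the project's log group is needed. The rewritten trust policy below hard-codes the project name rather than referencing `aws_codebuild_project.policy_ci.arn` to avoid a dependency cycle, since the project already references this role.
```hcl
resource "aws_iam_role" "codebuild_executor" {
  name = "C7NPolicyCIRole"

  # Only CodeBuild, and only for this account's c7n-policy-ci project, may assume the role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codebuild.amazonaws.com" }
      Action    = "sts:AssumeRole"
      Condition = {
        StringEquals = {
          "aws:SourceAccount" = data.aws_caller_identity.current.account_id
        }
        ArnLike = {
          "aws:SourceArn" = "arn:aws:codebuild:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:project/c7n-policy-ci"
        }
      }
    }]
  })
}
# … unchanged: aws_iam_role_policy_attachment.codebuild_executor …
```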
@@ -0,0 +1,11 @@ | ||
output "c7n_image_url" { | ||
value = aws_ecr_repository.c7n.repository_url | ||
} | ||
|
||
output "policystream_image_url" { | ||
value = aws_ecr_repository.policystream.repository_url | ||
} | ||
|
||
output "c7n_image_tag" { | ||
value = var.c7n_image_tag | ||
} |
@@ -0,0 +1,8 @@ | ||
provider "aws" { | ||
default_tags { | ||
tags =var.tags | ||
} | ||
} | ||
|
||
data "aws_region" "current" {} | ||
data "aws_caller_identity" "current" {} |
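Review bot: There is no `terraform { required_providers { ... } }` block anywhere in this commit, and `.terraform.lock.hcl` is gitignored, so the aws provider version floats on every `terraform init` with nothing pinning or checksumming it. Add a `terraform` block with `required_providers { aws = { source = "hashicorp/aws", version = "~> <pinned major.minor>" } }` and a `required_version` constraint, and commit the lock file. Style nit: `tags =var.tags` should be `tags = var.tags`.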
@@ -0,0 +1,2 @@ | ||
repository_url = "https://github.com/thisisshi/gitops-policy-rollout.git" | ||
base_branch = "main" |
@@ -0,0 +1,33 @@ | ||
variable "repository_url" { | ||
type = string | ||
description = "Policy Repository URL" | ||
} | ||
|
||
variable "ci_policy_arn" { | ||
type = string | ||
description = "CI Role Policy ARN, defaults to ReadOnlyAccess" | ||
default = "arn:aws:iam::aws:policy/ReadOnlyAccess" | ||
} | ||
|
||
variable "base_branch" { | ||
type = string | ||
description = "Base Branch" | ||
} | ||
|
||
variable "c7n_image_tag" { | ||
type = string | ||
description = "C7N Image Tag" | ||
default = "latest" | ||
} | ||
|
||
variable tags { | ||
type = map(string) | ||
description = "Tags" | ||
default = {} | ||
} | ||
|
||
variable policy_dir { | ||
type = string | ||
description = "Policies Directory (relative path from repo root)" | ||
default = "policies" | ||
} |
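Review bot: `ci_policy_arn` defaults to the managed `arn:aws:iam::aws:policy/ReadOnlyAccess`, which is far broader than a policy linter needs — it includes data-plane reads such as `s3:GetObject` across the whole account — and in this commit the role is exercised by pull-request-triggered builds. A safer default is a purpose-built policy covering ECR pull on the two repositories, CloudWatch Logs for the project, and only the `Describe*`/`List*` calls the policies under test require; if ReadOnlyAccess stays, the `description` should state that it is a deliberately broad choice. `c7n_image_tag` defaulting to `"latest"` likewise makes the c7n version under test unreproducible; default to a pinned release or say in the description that callers are expected to override it.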