init repo

.gitignore

@@ -0,0 +1,4 @@
+*.swp
+*.tfstate*
+*.terraform
+*.terraform.lock.hcl

deploy/Makefile

@@ -0,0 +1,11 @@
+sync:
+	echo "Uploading policystream image"
+	docker pull cloudcustodian/policystream:latest
+	docker tag cloudcustodian/policystream:latest $$(terraform output -raw policystream_image_url):latest
+	aws ecr get-login-password | docker login --username AWS --password-stdin $$(terraform output -raw policystream_image_url)
+	docker push $$(terraform output -raw policystream_image_url):latest
+	echo "Uploading c7n image"
+	docker pull cloudcustodian/c7n:$$(terraform output -raw c7n_image_tag)
+	docker tag cloudcustodian/c7n:$$(terraform output -raw c7n_image_tag) $$(terraform output -raw c7n_image_url):$$(terraform output -raw c7n_image_tag)
+	aws ecr get-login-password | docker login --username AWS --password-stdin $$(terraform output -raw c7n_image_url)
+	docker push $$(terraform output -raw c7n_image_url):$$(terraform output -raw c7n_image_tag)

deploy/buildspec.yaml

@@ -0,0 +1,15 @@
+version: 0.2
+
+phases:
+  pre_build:
+    commands:
+      - export C7N_IMAGE = $C7N_IMAGE_URL:$C7N_IMAGE_TAG
+      - c7n-policystream diff $POLICY_DIR --source $CODEBUILD_SOURCE_VERSION --target $POLICYSTREAM_BASE -o /policy.yaml
+      # pull the c7n image and run it
+      - aws ecr get-login-password | docker login --username AWS --password-stdin $C7N_IMAGE
+      - docker pull $C7N_IMAGE
+      - docker run $C7N_IMAGE
+  build:
+    commands: []
+  post_build:
+    commands: []

deploy/codebuild.tf

@@ -0,0 +1,66 @@
+resource "aws_codebuild_project" "policy_ci" {
+  name          = "c7n-policy-ci"
+  description   = "Cloud Custodian poilcy testing"
+  build_timeout = "480"
+  service_role  = aws_iam_role.codebuild_executor.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "${aws_ecr_repository.policystream.repository_url}:latest"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+    privileged_mode             = true
+
+    environment_variable {
+      name  = "POLICYSTREAM_BASE"
+      value = var.base_branch
+    }
+
+    environment_variable {
+      name  = "C7N_IMAGE_URL"
+      value = aws_ecr_repository.c7n.repository_url
+    }
+
+    environment_variable {
+      name  = "C7N_IMAGE_TAG"
+      value = var.c7n_image_tag
+    }
+
+    environment_variable {
+      name  = "POLICY_DIR"
+      value = var.policy_dir
+    }
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      status = "ENABLED"
+    }
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = var.repository_url
+    git_clone_depth = 2
+    buildspec       = "deploy/buildspec.yaml"
+  }
+}
+
+resource "aws_codebuild_webhook" "policy_ci" {
+  project_name = aws_codebuild_project.policy_ci.name
+  build_type   = "BUILD"
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED"
+    }
+    filter {
+      type    = "BASE_REF"
+      pattern = "^refs/heads/${var.base_branch}$"
+    }
+  }
+}

deploy/ecr.tf

@@ -0,0 +1,17 @@
+resource "aws_ecr_repository" "policystream" {
+  name                 = "policystream"
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_repository" "c7n" {
+  name                 = "c7n"
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}

deploy/iam.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_role" "codebuild_executor" {
+  name = "C7NPolicyCIRole"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "codebuild.amazonaws.com"
+        ]
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "codebuild_executor" {
+  role       = aws_iam_role.codebuild_executor.name
+  policy_arn = var.ci_policy_arn
+}

deploy/output.tf

@@ -0,0 +1,11 @@
+output "c7n_image_url" {
+  value = aws_ecr_repository.c7n.repository_url
+}
+
+output "policystream_image_url" {
+  value = aws_ecr_repository.policystream.repository_url
+}
+
+output "c7n_image_tag" {
+  value = var.c7n_image_tag
+}

deploy/provider.tf

@@ -0,0 +1,8 @@
+provider "aws" {
+  default_tags {
+    tags =var.tags
+  }
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

deploy/settings.tfvars.example

@@ -0,0 +1,2 @@
+repository_url = "https://github.com/thisisshi/gitops-policy-rollout.git"
+base_branch = "main"

deploy/vars.tf

@@ -0,0 +1,33 @@
+variable "repository_url" {
+  type        = string
+  description = "Policy Repository URL"
+}
+
+variable "ci_policy_arn" {
+  type        = string
+  description = "CI Role Policy ARN, defaults to ReadOnlyAccess"
+  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+variable "base_branch" {
+  type        = string
+  description = "Base Branch"
+}
+
+variable "c7n_image_tag" {
+  type        = string
+  description = "C7N Image Tag"
+  default     = "latest"
+}
+
+variable tags {
+  type = map(string)
+  description  = "Tags"
+  default = {}
+}
+
+variable policy_dir {
+  type = string
+  description = "Policies Directory (relative path from repo root)"
+  default = "policies"
+}