t # This is a combination of 5 commits.

policies - add s3 policy (#1)

new policies (#2)

remove s3 filters (#3)

filter s3 (#4)

docs - update docs (#5)

.gitignore

@@ -2,3 +2,7 @@
 *.tfstate*
 *.terraform
 *.terraform.lock.hcl
+output/*
+*.auto.tfvars
+*.DS_Store
+accounts.yaml

README.md

@@ -0,0 +1,63 @@
+# Safe Policy Rollouts with GitOps
+KubeCon 2021 - Governance as Code Day with Cloud Custodian hosted by Stacklet
+
+![Example](example.png)
+
+## Installation
+
+Before starting, create a Github personal access token and keep it handy while you
+create the rest of the resources.
+
+Then, create a c7n-org `accounts.yaml` file. This file will determine what accounts and
+regions your policies will run against. For more details on how to create an `accounts.yaml`
+file, click [here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens.html).
+
+Example `accounts.yaml`:
+
+```yaml
+accounts:
+  - name: "Sandbox"
+    account_id: "123456789012"
+    role: "arn:aws:iam::123456789012:role/C7NPolicyCIRole"
+    regions:
+      - "us-east-1"
+      - "us-west-2"
+  - name: "Sandbox2"
+    account_id: "98765432101"
+    role: "arn:aws:iam::98765432101:role/C7NPolicyCIRole"
+    regions:
+      - "us-east-1"
+      - "us-west-2"
+```
+
+To install, reference the projects/ci directory. There you will see an example `main.tf`
+that you can use to create your own c7n ci CodeBuild Job.
+
+```bash
+cd projects/ci
+terraform init
+cp settings.tfvars.example settings.tfvars
+# Edit the settings.tfvars file, all vars can be found in deploy/vars.tf
+terraform apply -var-file=settings.tfvars
+```
+
+Once this has completed, navigate to the CodeBuild console in AWS and set up the OAuth
+connection between AWS and Github. This is necessary to enable Webhooks to trigger CodeBuild
+jobs when Pull Requests are created/updated.
+
+To set up OAuth:
+
+1. Navigate to the CodeBuild console
+2. Click on your Project
+3. Click Edit
+4. Click Source
+5. Click Connect to GitHub
+6. Follow the Steps on the pop-up window
+7. Click Update Source
+
+This project uses [c7n-policystream](https://cloudcustodian.io/docs/tools/c7n-policystream.html)
+to detect changes between your commit and the base branch, as defined by `base_branch`. The
+CodeBuild job then runs the changed policies as well as the original ones from `base_branch`
+and compares the results of the two. You can also specify thresholds for the job to fail on,
+with values for both total number of resources (e.g. if the delta is 5 resources for a given
+policy, fail) or for a percentage (e.g. if the delta in percentage is greater than 50% fail).

buildspec.yaml

@@ -0,0 +1,32 @@
+version: 0.2
+
+env:
+  secrets-manager:
+    GITHUB_TOKEN: C7NCIGithubToken
+
+phases:
+  pre_build:
+    commands:
+      # copy over the files to /tmp as we will be doing a checkout to a different branch
+      - aws s3 cp s3://$SCRIPT_BUCKET/scripts/resolve_base.py /tmp/resolve_base.py
+      - aws s3 cp s3://$SCRIPT_BUCKET/scripts/parse_output.py /tmp/parse_output.py
+      - aws s3 cp s3://$SCRIPT_BUCKET/scripts/requirements.txt /tmp/requirements.txt
+      - aws s3 cp s3://$SCRIPT_BUCKET/accounts.yaml /tmp/accounts.yaml
+      # install requirements
+      - pip install c7n-policystream==$POLICYSTREAM_VERSION c7n-org==$C7N_ORG_VERSION c7n==$C7N_VERSION
+      - pip install -r /tmp/requirements.txt
+  build:
+    commands:
+      # run against changed policies
+      - c7n-policystream diff -r $POLICY_DIR --target $CODEBUILD_RESOLVED_SOURCE_VERSION --source $POLICYSTREAM_BASE -o /tmp/policystream.yaml
+      - cat /tmp/policystream.yaml
+      - c7n-org run -u /tmp/policystream.yaml -c /tmp/accounts.yaml -s $OUTPUT_DIR/new -v --dryrun
+      # now run against the original policies
+      - git checkout $POLICYSTREAM_BASE
+      - python3 /tmp/resolve_base.py
+      - cat /tmp/policystream-original.yaml
+      - c7n-org run -u /tmp/policystream-original.yaml -c /tmp/accounts.yaml -s $OUTPUT_DIR/original -v --dryrun
+  post_build:
+    commands:
+      # Now parse the outputs
+      - python3 /tmp/parse_output.py

policies/policy.yaml

@@ -0,0 +1,19 @@
+policies:
+  - name: all-iam-role
+    resource: aws.iam-role
+    conditions:
+      - region: us-east-1
+  - name: all-lambda
+    resource: aws.lambda
+  - name: all-s3
+    resource: aws.s3
+    conditions:
+      - region: us-east-1
+    filters:
+      - type: value
+        key: Name
+        value: 532725030595-us-east-1-sambox-sceptre-artifacts
+  - name: all-iam-policy
+    resource: aws.iam-policy
+    conditions:
+      - region: us-east-1

projects/ci/main.tf

@@ -0,0 +1,26 @@
+variable "github_token" {
+  type = string
+}
+
+module "c7n_ci" {
+  source = "github.com/thisisshi/terraform-aws-c7n-ci"
+
+  # github token
+  github_token   = var.github_token
+  # repository url
+  repository_url = "https://github.com/thisisshi/safe-policy-rollout-gitops.git"
+  # location of buildspec.yaml, defaults to buildspec.yaml
+  buildspec      = "buildspec.yaml"
+  # branch to compare pr results to
+  base_branch    = "main"
+  # repo name
+  github_repo    = "thisisshi/safe-policy-rollout-gitops"
+  # absolute path of the accounts.yaml file you created
+  accounts_yaml  = "/Users/sonny/dev/thisisshi/gitops-policy-rollout/accounts.yaml"
+  # tags to apply to resource
+  tags = {
+    Owner = "sonny@stacklet.io"
+    Env   = "dev"
+  }
+
+}

setup.cfg

@@ -0,0 +1,2 @@
+[flake8]
+max-line-length = 100