# This is a combination of 5 commits.
policies - add s3 policy (#1) new policies (#2) remove s3 filters (#3) filter s3 (#4) docs - update docs (#5)
Showing 16 changed files with 146 additions and 188 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,3 +2,7 @@ | |
*.tfstate* | ||
*.terraform | ||
*.terraform.lock.hcl | ||
output/* | ||
*.auto.tfvars | ||
*.DS_Store | ||
accounts.yaml |
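Review bot: `accounts.yaml` and `*.auto.tfvars` are now ignored, but `settings.tfvars`, which the README tells the operator to create with `cp settings.tfvars.example settings.tfvars` and which carries the `github_token` value declared in `main.tf`, does not match `*.auto.tfvars`, so the token file can still be committed. Suggest replacing `*.auto.tfvars` with `*.tfvars` plus a `!*.tfvars.example` exception so the secret-bearing file is excluded while the example stays tracked.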
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
# Safe Policy Rollouts with GitOps | ||
KubeCon 2021 - Governance as Code Day with Cloud Custodian hosted by Stacklet | ||
|
||
![Example](example.png) | ||
|
||
## Installation | ||
|
||
Before starting, create a Github personal access token and keep it handy while you | ||
create the rest of the resources. | ||
|
||
Then, create a c7n-org `accounts.yaml` file. This file will determine what accounts and | ||
regions your policies will run against. For more details on how to create an `accounts.yaml` | ||
file, click [here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens.html). | ||
|
||
Example `accounts.yaml`: | ||
|
||
```yaml | ||
accounts: | ||
- name: "Sandbox" | ||
account_id: "123456789012" | ||
role: "arn:aws:iam::123456789012:role/C7NPolicyCIRole" | ||
regions: | ||
- "us-east-1" | ||
- "us-west-2" | ||
- name: "Sandbox2" | ||
account_id: "98765432101" | ||
role: "arn:aws:iam::98765432101:role/C7NPolicyCIRole" | ||
regions: | ||
- "us-east-1" | ||
- "us-west-2" | ||
``` | ||
To install, reference the projects/ci directory. There you will see an example `main.tf` | ||
that you can use to create your own c7n ci CodeBuild Job. | ||
|
||
```bash | ||
cd projects/ci | ||
terraform init | ||
cp settings.tfvars.example settings.tfvars | ||
# Edit the settings.tfvars file, all vars can be found in deploy/vars.tf | ||
terraform apply -var-file=settings.tfvars | ||
``` | ||
|
||
Once this has completed, navigate to the CodeBuild console in AWS and set up the OAuth | ||
connection between AWS and Github. This is necessary to enable Webhooks to trigger CodeBuild | ||
jobs when Pull Requests are created/updated. | ||
|
||
To set up OAuth: | ||
|
||
1. Navigate to the CodeBuild console | ||
2. Click on your Project | ||
3. Click Edit | ||
4. Click Source | ||
5. Click Connect to GitHub | ||
6. Follow the Steps on the pop-up window | ||
7. Click Update Source | ||
|
||
This project uses [c7n-policystream](https://cloudcustodian.io/docs/tools/c7n-policystream.html) | ||
to detect changes between your commit and the base branch, as defined by `base_branch`. The | ||
CodeBuild job then runs the changed policies as well as the original ones from `base_branch` | ||
and compares the results of the two. You can also specify thresholds for the job to fail on, | ||
with values for both total number of resources (e.g. if the delta is 5 resources for a given | ||
policy, fail) or for a percentage (e.g. if the delta in percentage is greater than 50% fail). |
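Review bot: the "click here" link for creating `accounts.yaml` points at the AWS CodeBuild access-token page (`docs.aws.amazon.com/codebuild/latest/userguide/access-tokens.html`) rather than the c7n-org documentation; it looks like the link intended for the personal-access-token sentence two paragraphs up, so swap in the c7n-org docs here and move this one to the token step. The `Sandbox2` example uses `98765432101` (11 digits) for both `account_id` and the role ARN; AWS account IDs are 12 digits, so pad it (for example `098765432101`) so readers do not copy a malformed value. The closing paragraph describes resource-count and percentage failure thresholds but not where they are configured; naming the variables that set them would make that section actionable.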
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
version: 0.2 | ||
|
||
env: | ||
secrets-manager: | ||
GITHUB_TOKEN: C7NCIGithubToken | ||
|
||
phases: | ||
pre_build: | ||
commands: | ||
# copy over the files to /tmp as we will be doing a checkout to a different branch | ||
- aws s3 cp s3://$SCRIPT_BUCKET/scripts/resolve_base.py /tmp/resolve_base.py | ||
- aws s3 cp s3://$SCRIPT_BUCKET/scripts/parse_output.py /tmp/parse_output.py | ||
- aws s3 cp s3://$SCRIPT_BUCKET/scripts/requirements.txt /tmp/requirements.txt | ||
- aws s3 cp s3://$SCRIPT_BUCKET/accounts.yaml /tmp/accounts.yaml | ||
# install requirements | ||
- pip install c7n-policystream==$POLICYSTREAM_VERSION c7n-org==$C7N_ORG_VERSION c7n==$C7N_VERSION | ||
- pip install -r /tmp/requirements.txt | ||
build: | ||
commands: | ||
# run against changed policies | ||
- c7n-policystream diff -r $POLICY_DIR --target $CODEBUILD_RESOLVED_SOURCE_VERSION --source $POLICYSTREAM_BASE -o /tmp/policystream.yaml | ||
- cat /tmp/policystream.yaml | ||
- c7n-org run -u /tmp/policystream.yaml -c /tmp/accounts.yaml -s $OUTPUT_DIR/new -v --dryrun | ||
# now run against the original policies | ||
- git checkout $POLICYSTREAM_BASE | ||
- python3 /tmp/resolve_base.py | ||
- cat /tmp/policystream-original.yaml | ||
- c7n-org run -u /tmp/policystream-original.yaml -c /tmp/accounts.yaml -s $OUTPUT_DIR/original -v --dryrun | ||
post_build: | ||
commands: | ||
# Now parse the outputs | ||
- python3 /tmp/parse_output.py |
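Review bot: the `pre_build` phase fetches `resolve_base.py`, `parse_output.py` and `requirements.txt` from `s3://$SCRIPT_BUCKET` and then executes them in `build` and `post_build`, so anyone with write access to that bucket can run arbitrary code under the build role, which in turn assumes `C7NPolicyCIRole` in every account listed in `accounts.yaml`. Consider pinning the scripts to a specific object version or verifying a checksum before running them, and pinning `requirements.txt` with hashes; the c7n packages are pinned through `$C7N_VERSION`, `$C7N_ORG_VERSION` and `$POLICYSTREAM_VERSION`, but the script dependencies are not. Minor: if the source clone is shallow, `git checkout $POLICYSTREAM_BASE` will fail before `resolve_base.py` runs, so a `git fetch` of the base ref beforehand would make the step robust.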
Nine files were deleted in this commit (contents not rendered).
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
policies: | ||
- name: all-iam-role | ||
resource: aws.iam-role | ||
conditions: | ||
- region: us-east-1 | ||
- name: all-lambda | ||
resource: aws.lambda | ||
- name: all-s3 | ||
resource: aws.s3 | ||
conditions: | ||
- region: us-east-1 | ||
filters: | ||
- type: value | ||
key: Name | ||
value: 532725030595-us-east-1-sambox-sceptre-artifacts | ||
- name: all-iam-policy | ||
resource: aws.iam-policy | ||
conditions: | ||
- region: us-east-1 |
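Review bot: `all-s3` hard-codes a single bucket name, `532725030595-us-east-1-sambox-sceptre-artifacts`, which embeds a 12-digit account ID that matches neither example account in the README's `accounts.yaml`; in a demo repository that exposes the account and makes the policy useless for anyone else. Either match a name pattern with the value filter's `op: glob` or `op: regex`, or drop the filter, which the commit message (#3 "remove s3 filters", #4 "filter s3") suggests was already debated. The `region: us-east-1` condition on the two global IAM resources correctly avoids double-counting across the two regions in `accounts.yaml`; `all-lambda` is regional, so running it in both regions is right.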
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
variable "github_token" { | ||
type = string | ||
} | ||
|
||
module "c7n_ci" { | ||
source = "github.com/thisisshi/terraform-aws-c7n-ci" | ||
|
||
# github token | ||
github_token = var.github_token | ||
# repository url | ||
repository_url = "https://github.com/thisisshi/safe-policy-rollout-gitops.git" | ||
# location of buildspec.yaml, defaults to buildspec.yaml | ||
buildspec = "buildspec.yaml" | ||
# branch to compare pr results to | ||
base_branch = "main" | ||
# repo name | ||
github_repo = "thisisshi/safe-policy-rollout-gitops" | ||
# absolute path of the accounts.yaml file you created | ||
accounts_yaml = "/Users/sonny/dev/thisisshi/gitops-policy-rollout/accounts.yaml" | ||
# tags to apply to resource | ||
tags = { | ||
Owner = "sonny@stacklet.io" | ||
Env = "dev" | ||
} | ||
|
||
} |
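Review bot: `source = "github.com/thisisshi/terraform-aws-c7n-ci"` carries no `?ref=` pin, so every `terraform init` pulls whatever the default branch holds and a change there silently becomes the definition of the CI job that holds the GitHub token and the cross-account roles; pin a tag or commit. `accounts_yaml` is set to `/Users/sonny/dev/thisisshi/gitops-policy-rollout/accounts.yaml`, a workstation path (and a different repository name than `repository_url`), which will not resolve for anyone else; take it from a variable or use a path relative to `path.root`. Also mark `variable "github_token"` with `sensitive = true` so the value is redacted from plan and apply output.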
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
[flake8] | ||
max-line-length = 100 |