diff --git a/README.md b/README.md
index 3d56f5f..fa7a65a 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ It also emphasizes on how to monitor and manage the entire lifecycle of a Java a
The diagram shows the following workflow:
-1. Developer will update the Java application code in the base branch of the AWS CodeCommit repository, creating a Pull Reqeust (PR).
+1. Developer will update the Java application code in the base branch of the GitHub repository, creating a Pull Reqeust (PR).
2. Amazon CodeGuru Reviewer automatically reviews the code as soon as a PR is submitted and does a analysis of java code as per the best practices and gives recommendations to users.
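Review bot: the rewritten step 1 line still carries the typo "Reqeust"; since the line is touched anyway, change it to "Request" (and the next context line's "does a analysis of java code" to "does an analysis of Java code").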
@@ -50,7 +50,7 @@ The diagram shows the following workflow:
│ └── buildspec_secscan.yaml
├── cf_templates
│ ├── build_deployment.yaml
-│ ├── codecommit_ecr.yaml
+│ ├── ecr.yaml
│ └── kube_aws_auth_configmap_patch.sh
├── code
│ └── app
@@ -99,7 +99,7 @@ buildspec
```bash
cf_templates
├── build_deployment.yaml (Pipeline Stack Setup)
-├── codecommit_ecr.yaml (Codecommit and ECR Setup)
+├── ecr.yaml (ECR Setup)
└── kube_aws_auth_configmap_patch.sh (Providing access to Pipeline to deploy helm charts to EKS cluster)
```
@@ -149,55 +149,49 @@ securityhub
**Setup Procedure:**
-1) **Upload code zip to S3 Bucket**:
- (Ensure git and python 3.x are installed in your local workstation)
-- Clone the repository to your local workstation
+1) **Code repository preparation**:
+- Create new repository in GitHub.
+- Clone this repository to your local workstation
`git clone `
-- Navigate to the repository and execute the commands in order as indicated below. This will create compressed version of the entire code with .zip extension(**cicdstack.zip**) and will validate the zip file too:
-**Note:** you may need to use python3 for the following command(s).
+- Navigate to the work directory and execute the commands in order as indicated below. This will bring content of the work directory to your new GitHub repository
```bash
cd
- python -m zipfile -c cicdstack.zip *
- python -m zipfile -t cicdstack.zip
+ git remote rename origin upstream
+ git remote add origin
+ git push -u origin main
```
- We have cicdstack.zip file ready and this will be used in next step.
-
-- Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket.
- Create a folder in the S3 bucket. We recommend naming this folder **code**.
- Upload **cicdstack.zip** created in earlier step to the code folder in the S3 bucket.
+ **Note:** Alternatively follow [Duplicating a repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository).
-
-2) **CodeCommitECR Creation**:
- Ensure you have previously created AWS CodeCommit and Amazon ECR and that you have retrieved the necessary parameter values. If not, you can run the CloudFormation template **cf_templates/codecommit_ecr.yaml** via AWS Console. Ensure the code in zip format is uploaded as per step 1.
+2) **ECR Creation**:
+ Ensure you have previously created Amazon ECR and that you have retrieved the necessary parameter values. If not, you can run the CloudFormation template **cf_templates/ecr.yaml** via AWS Console.
Give the parameter and their values:
| Parameter | Description |
|--|--|
- |CodeCommitRepositoryBranchName |Branch-name where the code resides. Put it as main for default |
- | CodeCommitRepositoryName | Preferred Name of AWS CodeCommit repo to be created |
- |CodeCommitRepositoryS3Bucket|S3 BucketName where the code zipfile resides|
- | CodeCommitRepositoryS3BucketObjKey | code/cicdstack.zip |
| ECRRepositoryName | Preferred Name of ECR repo to be created |
3) **Setup Java CICD Pipeline**:
Run the cloudformation template **cf_templates/build_deployment.yaml** and give the parameter accordingly as mentioned below. Ensure you have the required parameter values ready with you.
- **Note:** To retrieve your **EksWorkerNodeRoleARN**, browse to the EC2 AWS Console and select one of your EKS Worker Node. Navigate to **Security** tab panel and click on **IAM Role** - follow that link to the Role Summary which will have display the Node IAM role and IAM role ARN.
-
- | Parameter | Description |
- |--|--|
- | CodeBranchName |Branch name of AWS CodeCommit repo, where your code resides |
- | EKSClusterName |Name of your EKS Cluster (not EKSCluster ID) |
- | EKSCodeBuildAppName|in this case name of app helm chart (**aws-proserve-java-greeting**)|
- | EKSWorkerNodeRoleARN | ARN of EKS Worker nodes IAM role |
- | EKSWorkerNodeRoleName | Name of the IAM role assigned to EKS worker nodes |
- |EcrDockerRepository|Name of Amazon ECR repo where the docker images of your code will be stored|
- |EmailRecipient | Email Address where build notifications needs to be sent |
- | EnvType | environment, e.g: dev (since we have values.dev.yaml in helm_charts folder) |
- |SourceRepoName | Name of AWS CodeCommit repo, where your code resides |
+ **Note:** To retrieve your **EksWorkerNodeRoleARN**, browse to the EC2 AWS Console and select one of your EKS Worker Node. Navigate to **Security** tab panel and click on **IAM Role** - follow that link to the Role Summary which will have display the Node IAM role and IAM role ARN.
+ **Note:** To create new connection to GitHub repository created in the step 1) follow [Create a connection to GitHub](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html).
+
+ | Parameter | Description |
+ |-----------------------|------------------------------------------------------------------------------------------------------------|
+ | SourceRepoConnection | ARN of connection to GitHub account where your code resides |
+ | SourceRepoName | GitHub repo name where your code resides. You must maintain the correct case for the SourceRepoName value. |
+ | CodeBranchName | Branch name of GitHub repo, where your code resides |
+ | EKSClusterName | Name of your EKS Cluster (not EKSCluster ID) |
+ | EKSCodeBuildAppName | in this case name of app helm chart (**aws-proserve-java-greeting**) |
+ | EKSWorkerNodeRoleARN | ARN of EKS Worker nodes IAM role |
+ | EKSWorkerNodeRoleName | Name of the IAM role assigned to EKS worker nodes |
+ | EcrDockerRepository | Name of Amazon ECR repo where the docker images of your code will be stored |
+ | EmailRecipient | Email Address where build notifications needs to be sent |
+ | EnvType | environment, e.g: dev (since we have values.dev.yaml in helm_charts folder) |
+
The creation of the Java CICD Pipeline will automatically trigger the CodePipeline too.
Once the cloudformation template **cf_templates/build_deployment.yaml** executes successfully, go to Outputs tab of Java CICD CF Stack in AWS console and get the value of **EksCodeBuildkubeRoleARN** (this ARN needs to be added to configmap aws_auth of EKS cluster).
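Review bot: the SourceRepoName row in the step 3 table says only "GitHub repo name", but the template feeds this value into `FullRepositoryId`, and its own parameter description gives the required form as `some-user/My-Repo`; state the `owner/repo` form in the table so users do not enter the bare repository name. The re-added EksWorkerNodeRoleARN note also keeps the grammar error "which will have display the Node IAM role" (read: "which displays").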
@@ -210,6 +204,11 @@ securityhub
As of today, there is no support for cloudformation for this integration, hence this process has to be done manually.
Navigate to AWS Security Hub in AWS Console and further navigate to Integrations. Search for Aqua Security and select **Aqua Security: Aqua Security** Integration and click on **Accept findings**
+ **Note: This is an important step !**
+ By failing to carry out this step a very hard to interpret AccessDeniedException occurs during execution of the pipeline even if theCodeBuildServiceRole has full administrative permissions.
+ ```bash
+ An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:sts:::assumed-role// is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:us-east-1::product/aquasecurity/aquasecurity
+ ```
5) **Patching aws_auth confmap with EksCodeBuildkubeRoleARN received from step3**:
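Review bot: the added note is missing a space in "theCodeBuildServiceRole" and has a stray space before the exclamation mark in "important step !". In the quoted AccessDeniedException the account id and role name fields are blanked out (`arn:aws:sts:::assumed-role//`); mark them as elided, e.g. `<account-id>` and `<role-name>`, so readers do not take the empty fields as part of the real message.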
diff --git a/Tools.md b/Tools.md
index f167215..ad3f787 100644
--- a/Tools.md
+++ b/Tools.md
@@ -8,13 +8,13 @@
* [Amazon EventBridge](https://aws.amazon.com/eventbridge/) - Amazon EventBridge Event Bus is a serverless event bus that helps you receive, filter, transform, route, and deliver events.
* [Developer Tools on AWS](https://aws.amazon.com/products/developer-tools/)
* [AWS CodeBuild](https://aws.amazon.com/codebuild/) - AWS CodeBuild is a fully managed build service in the cloud.
- * [AWS CodeCommit](https://aws.amazon.com/codecommit/) – AWS CodeCommit is a version control service hosted that you can use to privately store and manage assets.
* [AWS CodePipeline](https://aws.amazon.com/codepipeline/) - AWS CodePipeline is a continuous delivery service you can use to model, visualize, and automate the steps required to release your software.
* [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/) - Amazon EKS is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
* [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/) - Amazon ECR is an AWS managed container image registry service that is secure, scalable, and reliable.
* [Amazon CodeGuru](https://aws.amazon.com/codeguru/) - Amazon CodeGuru is a developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code.
* [AWS Security Hub](https://aws.amazon.com/security-hub/) - AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
-* [Amazon S3 – Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) - S3 is storage for the internet.
+* [Amazon S3 – Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) - S3 is storage for the internet.
+* [GitHub](https://github.com/) - GitHub is a version control service that you can use to privately store and manage assets.
* [Aqua Security Trivy](https://github.com/aquasecurity/trivy) – Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, in addition to configuration issues.
* [Apache Maven](https://maven.apache.org/) – Apache Maven is a software project management and comprehension tool.
* [Helm](https://helm.sh/) - Helm helps you manage Kubernetes applications.
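Review bot: the Amazon S3 removed and re-added lines are visually identical, so this is a whitespace or non-breaking-space change; either drop it from the diff or say that is the intent. The new GitHub entry reuses the removed CodeCommit description word for word ("version control service that you can use to privately store and manage assets"); a description that fits GitHub, such as a hosted Git service for public and private repositories, reads better.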
diff --git a/buildspec/buildspec_deploy.yml b/buildspec/buildspec_deploy.yml
index ffddfdb..da5908a 100644
--- a/buildspec/buildspec_deploy.yml
+++ b/buildspec/buildspec_deploy.yml
@@ -16,15 +16,15 @@ phases:
pre_build: # Check helm version and Add kubeconfig to access to EKS cluster and check readiness of the cluster
commands:
- - "helm version"
- - "mkdir ~/.kube/"
- - "aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN"
- - "chmod 0600 ~/.kube/config"
- - "aws sts get-caller-identity"
+ - helm version
+ - mkdir ~/.kube/
+ - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN
+ - chmod 0600 ~/.kube/config
+ - aws sts get-caller-identity
build: # Deploy app via Helm
commands:
- - "helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION"
+ - helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION
post_build: # Display the endpoint of the application
commands:
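Review bot: `mkdir ~/.kube/` fails and aborts the pre_build phase if the directory already exists in the build image; use `mkdir -p ~/.kube/`. Dropping the double quotes is safe for these commands because none contains `: ` or ` #`, which would otherwise change how YAML parses a plain scalar, but any command added later with such sequences will need quoting again.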
diff --git a/buildspec/buildspec_secscan.yaml b/buildspec/buildspec_secscan.yaml
index bda4e84..bbbfdeb 100644
--- a/buildspec/buildspec_secscan.yaml
+++ b/buildspec/buildspec_secscan.yaml
@@ -10,7 +10,6 @@ phases:
- apt-get install -y wget apt-transport-https gnupg lsb-release curl
- curl -OL https://github.com/aws/aws-codeguru-cli/releases/download/0.2.3/aws-codeguru-cli.zip
- unzip aws-codeguru-cli.zip
- - export PATH=$PATH:./aws-codeguru-cli/bin
- curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
- helm repo add stable https://charts.helm.sh/stable && helm repo update
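Review bot: the `export PATH=$PATH:./aws-codeguru-cli/bin` line is removed while the download and unzip of aws-codeguru-cli.zip stay; if later phases invoke `aws-codeguru-cli` by bare name they will now fail with command not found, and if they no longer use it at all the download and unzip are dead steps and should go too. Either way, the diff should show how the CLI is invoked after this change.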
diff --git a/cf_templates/build_deployment.yaml b/cf_templates/build_deployment.yaml
index 05a9496..e79d01f 100644
--- a/cf_templates/build_deployment.yaml
+++ b/cf_templates/build_deployment.yaml
@@ -4,9 +4,16 @@ AWSTemplateFormatVersion: 2010-09-09
Description: CFN Template to deploy CodePipeline to build Docker Image of java application and push to ECR and deploy to EKS following DevSecOps Practices
Parameters:
+ SourceRepoConnection:
+ Type: String
+ Description: >
+ ARN of connection to GitHub account where the code resides. Connection can be created via CLI or Console in Pending state but then needs to
+ be activated in Console (https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html).
SourceRepoName:
Type: String
- Description: AWS CodeCommit RepoName where code resides
+ Description: >
+ GitHub RepoName where code resides. You must maintain the correct case for the SourceRepoName value.
+ For example, if your user name is some-user and repo name is My-Repo, the recommended value of SourceRepoName is some-user/My-Repo.
CodeBranchName:
Type: String
Default: main
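Review bot: SourceRepoConnection has no AllowedPattern, so a pasted repository URL or a connection name is accepted at stack creation and only fails later at pipeline execution; add a pattern for a connection ARN, e.g. `AllowedPattern: '^arn:aws[a-z-]*:(codeconnections|codestar-connections):[a-z0-9-]+:[0-9]{12}:connection/[a-f0-9-]+$'` with a ConstraintDescription pointing at the connections documentation the Description already links.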
@@ -45,13 +52,6 @@ Resources:
Name: MySecurityHub
Purpose: Security
- SourceRepositoryAssociation:
- Type: AWS::CodeGuruReviewer::RepositoryAssociation
- Properties:
- Name: !Ref SourceRepoName
- Type: CodeCommit
- BucketName: !Ref CodeGuruReviewerBucket
-
MyProfilingGroup:
Type: AWS::CodeGuruProfiler::ProfilingGroup
Properties:
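Review bot: SourceRepositoryAssociation is deleted with no replacement, yet the README workflow still says CodeGuru Reviewer reviews every PR automatically, and the build role later in this diff keeps `codeguru-reviewer:AssociateRepository` on Resource `*`. Either add a step to the README stating that the GitHub repository must be associated with CodeGuru Reviewer outside this template, or drop the AssociateRepository grant if nothing in the pipeline performs the association.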
@@ -341,6 +341,8 @@ Resources:
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketVersioning
+ - s3:DeleteObject
+ - s3:DeleteObjectVersion
Effect: Allow
Resource:
- !Sub arn:${AWS::Partition}:s3:::${CodeGuruReviewerBucket}
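Review bot: `s3:DeleteObject` and `s3:DeleteObjectVersion` are added to the CodeGuruReviewerBucket statement without saying which step needs to delete objects; least privilege asks for the reason in a comment and for the object-level actions to be scoped to `${CodeGuruReviewerBucket}/*` rather than the bucket ARN alone. If the delete is only needed for cleanup of uploaded review artifacts, say so, and consider whether DeleteObjectVersion is required at all when the bucket is not versioned.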
@@ -408,16 +410,11 @@ Resources:
PolicyDocument:
Version: 2012-10-17
Statement:
- - Resource: !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${SourceRepoName}
+ - Resource: !Ref SourceRepoConnection
Effect: Allow
Action:
- - codecommit:GetBranch
- - codecommit:GetCommit
- - codecommit:ListRepositories
- - codecommit:GetRepository
- - codecommit:UploadArchive
- - codecommit:GetUploadArchiveStatus
- - codecommit:CancelUploadArchive
+ - codeconnections:UseConnection
+ - codestar-connections:UseConnection
- Resource:
- !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${CodeBuildImageProject}
- !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${CodeDeployImageProject}
@@ -428,14 +425,6 @@ Resources:
- codebuild:BatchGetBuilds
- codebuild:BatchGetBuildBatches
- codebuild:StartBuildBatch
- - Resource: !GetAtt SourceRepositoryAssociation.AssociationArn
- Effect: Allow
- Action:
- - codeguru-reviewer:List*
- - codeguru-reviewer:Describe*
- - codeguru-reviewer:Get*
- - codeguru:Get*
- - codeguru-reviewer:CreateCodeReview
- Resource: !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${EcrDockerRepository}
Effect: Allow
Action:
@@ -516,7 +505,8 @@ Resources:
- cloudwatch:DescribeAlarmsForMetric
- iam:GenerateCredentialReport
- iam:GetCredentialReport
- - Resource: !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::product/aquasecurity/aquasecurity
+ - Sid: MakeSureToManuallyEnableIntegrationForAquasecurityInSecurityHubConsoleOtherwiseThisWontWork
+ Resource: !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::product/aquasecurity/aquasecurity
Effect: Allow
Action:
- securityhub:BatchImportFindings
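Review bot: using the Sid as the warning text works (it is a valid Sid value), but a YAML `#` comment above the statement with the README link for the Aqua Security integration step is where the next maintainer will look; keep the Sid short and put the explanation in a comment.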
@@ -530,17 +520,17 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- - Resource: !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${SourceRepoName}
+ - Resource: !Ref SourceRepoConnection
Effect: Allow
Action:
- - codecommit:GitPull
- - codecommit:TagResource
+ - codeconnections:UseConnection
+ - codestar-connections:UseConnection
+ - codeconnections:GetConnectionToken
- Resource: "*"
Effect: Allow
Action:
- codeguru-reviewer:AssociateRepository
- Resource:
- - !GetAtt SourceRepositoryAssociation.AssociationArn
- !Sub arn:${AWS::Partition}:codeguru-reviewer:${AWS::Region}:${AWS::AccountId}:*
Effect: Allow
Action:
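Review bot: the build role gets UseConnection under both the `codeconnections` and `codestar-connections` prefixes but GetConnectionToken only under `codeconnections`; confirm which prefix the CODEBUILD_CLONE_REF clone actually calls and either grant `codestar-connections:GetConnectionToken` as well or drop the unused pair, so the two statements are consistent and no unneeded action remains.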
@@ -618,8 +608,6 @@ Resources:
Artifacts:
Type: CODEPIPELINE
Source:
- Location:
- Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
Type: CODEPIPELINE
BuildSpec: "buildspec/buildspec_secscan.yaml"
TimeoutInMinutes: 30
@@ -649,8 +637,6 @@ Resources:
Artifacts:
Type: CODEPIPELINE
Source:
- Location:
- Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
Type: CODEPIPELINE
BuildSpec: "buildspec/buildspec.yml"
TimeoutInMinutes: 30
@@ -680,8 +666,6 @@ Resources:
Artifacts:
Type: CODEPIPELINE
Source:
- Location:
- Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
Type: CODEPIPELINE
BuildSpec: "buildspec/buildspec_deploy.yml"
TimeoutInMinutes: 30
@@ -729,12 +713,12 @@ Resources:
Category: Source
Owner: AWS
Version: 1
- Provider: CodeCommit
+ Provider: CodeStarSourceConnection
Configuration:
+ ConnectionArn: !Ref SourceRepoConnection
+ FullRepositoryId: !Ref SourceRepoName
BranchName: !Ref CodeBranchName
OutputArtifactFormat: CODEBUILD_CLONE_REF
- RepositoryName:
- Ref: SourceRepoName
OutputArtifacts:
- Name: SourceCodeApp
RunOrder: 1
diff --git a/cf_templates/codecommit_ecr.yaml b/cf_templates/ecr.yaml
similarity index 53%
rename from cf_templates/codecommit_ecr.yaml
rename to cf_templates/ecr.yaml
index 77c89b9..1f4c959 100644
--- a/cf_templates/codecommit_ecr.yaml
+++ b/cf_templates/ecr.yaml
@@ -1,40 +1,16 @@
Description: >
- CloudFormation template for creating AWS CodeCommit repository and ECR repository to store cicd java eks code
+ CloudFormation template for creating ECR repository to store cicd java eks docker images
Parameters:
- CodeCommitRepositoryName:
- Type: String
- Description: Name of AWS CodeCommit repo to be created
- CodeCommitRepositoryBranchName:
- Type: String
- Default: main
- Description: Default Branch
- CodeCommitRepositoryS3Bucket:
- Type: String
- Description: Name of S3 Bucket where zip file of initial code will be stored
- CodeCommitRepositoryS3BucketObjKey:
- Type: String
- Description: S3 ObjectKey, example-if intial code zip file is stored inside S3 bucket in this location code/cicdstack.zip, then this will be value
ECRRepositoryName:
Type: String
Description: Name of ECR repo to be created
Resources:
- MyRepo:
- Type: AWS::CodeCommit::Repository
- Properties:
- RepositoryName: !Ref CodeCommitRepositoryName
- RepositoryDescription: This is a repository for my project with code from CodeCommitRepositoryS3Bucket.
- Code:
- BranchName: !Ref CodeCommitRepositoryBranchName
- S3:
- Bucket: !Ref CodeCommitRepositoryS3Bucket
- Key: !Ref CodeCommitRepositoryS3BucketObjKey
-
DockerRepo:
Type: AWS::ECR::Repository
Properties:
- ImageTagMutability: IMMUTABLE
+ ImageTagMutability: MUTABLE
ImageScanningConfiguration:
ScanOnPush: true
EncryptionConfiguration:
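Review bot: switching ImageTagMutability from IMMUTABLE to MUTABLE weakens the registry: a tag can now be silently re-pointed at a different image, which undermines the scan-on-push and Security Hub findings that are tied to what was scanned. The deploy step tags images with `$CODEBUILD_RESOLVED_SOURCE_VERSION` (the commit SHA), which is unique per build, so IMMUTABLE should work; if the change was made because re-running a build for the same commit fails the push, handle that in the buildspec (skip the push when the tag exists) rather than relaxing the repository setting, or at least document the reason in the template.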
@@ -74,13 +50,5 @@ Resources:
RepositoryName: !Ref ECRRepositoryName
Outputs:
- CodeCommitRepoUrl:
- Value:
- Fn::Join:
- - ""
- - - "https://console.aws.amazon.com/codecommit/repositories/home?region="
- - Ref: AWS::Region
- - "#/view/"
- - Ref: MyRepo
ECRUrl:
Value: !Sub https://console.aws.amazon.com/ecr/repositories/private/${AWS::AccountId}/${DockerRepo}?region=${AWS::Region}
diff --git a/code/app/Dockerfile b/code/app/Dockerfile
index a319cf6..09632c5 100644
--- a/code/app/Dockerfile
+++ b/code/app/Dockerfile
@@ -4,14 +4,14 @@ ARG AWS_REGION
ENV CG_PF_GNAME=$AWS_CODEGURU_PROFILER_GROUP_NAME
ENV AWS_REGION=$AWS_REGION
#https://docs.aws.amazon.com/codeguru/latest/profiler-ug/enabling-the-agent-with-command-line.html
-ENV CODEGURU_PROFILER_AGENT_DOWNLOAD_URL 'https://d1osg35nybn3tt.cloudfront.net/com/amazonaws/codeguru-profiler-java-agent-standalone/1.2.2/codeguru-profiler-java-agent-standalone-1.2.2.jar'
+ENV CODEGURU_PROFILER_AGENT_DOWNLOAD_URL='https://d1osg35nybn3tt.cloudfront.net/com/amazonaws/codeguru-profiler-java-agent-standalone/1.2.3/codeguru-profiler-java-agent-standalone-1.2.3.jar'
RUN mkdir -p /opt/target
RUN apk update && apk add wget && wget $CODEGURU_PROFILER_AGENT_DOWNLOAD_URL -O /opt/target/codeguru-profiler-java-agent-standalone.jar
-RUN apk add libcrypto3=3.0.8-r0 libssl3=3.0.8-r0
+RUN apk add --upgrade libcrypto3 libssl3
EXPOSE 8080 5005
COPY target/aws-proserve-java-greeting.war /opt/target/
WORKDIR /opt/target
USER nobody
-ENV _JAVA_OPTIONS '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005'
+ENV _JAVA_OPTIONS='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005'
CMD ["sh", "-c", "java -javaagent:codeguru-profiler-java-agent-standalone.jar=profilingGroupName:${CG_PF_GNAME},region:${AWS_REGION},heapSummaryEnabled:true -jar aws-proserve-java-greeting.war --debug"]
HEALTHCHECK CMD curl --fail http://localhost:8080/hello || exit 1
\ No newline at end of file
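Review bot: the rewritten `_JAVA_OPTIONS` line still starts a JDWP debug agent listening on port 5005 (`server=y,suspend=n`), and that port is exposed; a remote debugger on a deployed container allows arbitrary code execution, so this belongs behind a build argument that defaults to off, not in the image the pipeline ships. Replacing the pinned `libcrypto3=3.0.8-r0 libssl3=3.0.8-r0` with `apk add --upgrade libcrypto3 libssl3` also makes the image non-reproducible; pin to the current release and let the Trivy scan drive version bumps, or state in a comment that floating to the latest patch is intended. The `KEY=value` form for ENV is the right change.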