Codecommit deprecation

README.md

@@ -13,7 +13,7 @@ It also emphasizes on how to monitor and manage the entire lifecycle of a Java a
 
 The diagram shows the following workflow:
 
-1. Developer will update the Java application code in the base branch of the AWS CodeCommit repository, creating a Pull Reqeust (PR).
+1. Developer will update the Java application code in the base branch of the GitHub repository, creating a Pull Reqeust (PR).
 
 2. Amazon CodeGuru Reviewer automatically reviews the code as soon as a PR is submitted and does a analysis of java code as per the best practices and gives recommendations to users.
 
@@ -50,7 +50,7 @@ The diagram shows the following workflow:
 │   └── buildspec_secscan.yaml
 ├── cf_templates
 │   ├── build_deployment.yaml
-│   ├── codecommit_ecr.yaml
+│   ├── ecr.yaml
 │   └── kube_aws_auth_configmap_patch.sh
 ├── code
 │   └── app
@@ -99,7 +99,7 @@ buildspec
 ```bash
 cf_templates
 ├── build_deployment.yaml (Pipeline Stack Setup)
-├── codecommit_ecr.yaml (Codecommit and ECR Setup)
+├── ecr.yaml (ECR Setup)
 └── kube_aws_auth_configmap_patch.sh (Providing access to Pipeline to deploy helm charts to EKS cluster)
 ```
 
@@ -149,55 +149,49 @@ securityhub
 
 **Setup Procedure:**
 
-1) **Upload code zip to S3 Bucket**:  
-   (Ensure git and python 3.x are installed in your local workstation)
-- Clone the repository to your local workstation<br/>
+1) **Code repository preparation**:
+- Create new repository in GitHub.
+- Clone this repository to your local workstation<br/>
 
      `git clone <GitHub-Url>`
 
-- Navigate to the repository and execute the commands in order as indicated below. This will create compressed version of the entire code with .zip extension(**cicdstack.zip**) and will validate the zip file too:<br/>
-**Note:**  you may need to use python3 for the following command(s).
+- Navigate to the work directory and execute the commands in order as indicated below. This will bring content of the work directory to your new GitHub repository<br/>
 
      ```bash
     cd <cloned-repository>
-    python -m zipfile -c cicdstack.zip *
-    python -m zipfile -t cicdstack.zip
+    git remote rename origin upstream
+    git remote add origin <new GitHub-Url>
+    git push -u origin main
    ```
-   We have cicdstack.zip file ready and this will be used in next step.<br/>
-
-- Sign in to the AWS Management Console, open the Amazon S3 console, and then create an S3 bucket.
-   Create a folder in the S3 bucket. We recommend naming this folder **code**.
-   Upload **cicdstack.zip** created in earlier step to the code folder in the S3 bucket.  
+  **Note:** Alternatively follow [Duplicating a repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/duplicating-a-repository).
 
-
-2) **CodeCommitECR Creation**:  
-   Ensure you have previously created AWS CodeCommit and Amazon ECR and that you have retrieved the necessary parameter values. If not, you can run the CloudFormation template **cf_templates/codecommit_ecr.yaml** via AWS Console. Ensure the code in zip format is uploaded as per step 1.
+2) **ECR Creation**:  
+   Ensure you have previously created Amazon ECR and that you have retrieved the necessary parameter values. If not, you can run the CloudFormation template **cf_templates/ecr.yaml** via AWS Console.
    Give the parameter and their values:
 
    | Parameter | Description |
    |--|--|
-   |CodeCommitRepositoryBranchName  |Branch-name  where  the  code  resides.  Put  it  as  main  for  default  |
-   | CodeCommitRepositoryName | Preferred  Name  of  AWS  CodeCommit  repo  to  be  created |
-   |CodeCommitRepositoryS3Bucket|S3  BucketName  where  the  code  zipfile  resides|
-   | CodeCommitRepositoryS3BucketObjKey | code/cicdstack.zip |
    | ECRRepositoryName | Preferred  Name  of  ECR  repo  to  be  created |
 
 3) **Setup Java CICD Pipeline**:
 
    Run the cloudformation template **cf_templates/build_deployment.yaml** and give the parameter accordingly as mentioned below. Ensure you have the required parameter values ready with you.  
-   **Note:**  To retrieve your **EksWorkerNodeRoleARN**, browse to the EC2 AWS Console and select one of your EKS Worker Node.  Navigate to **Security** tab panel and  click on **IAM Role** - follow that link to the Role Summary which will have display the Node IAM role and IAM role ARN.
-
-   | Parameter | Description |
-   |--|--|
-   | CodeBranchName |Branch  name  of  AWS  CodeCommit  repo,  where  your  code  resides  |
-   | EKSClusterName |Name  of  your  EKS  Cluster (not EKSCluster  ID)  |
-   | EKSCodeBuildAppName|in  this  case  name  of  app  helm  chart (**aws-proserve-java-greeting**)|
-   | EKSWorkerNodeRoleARN | ARN  of  EKS  Worker  nodes  IAM  role |
-   | EKSWorkerNodeRoleName | Name  of  the  IAM  role  assigned  to  EKS  worker  nodes |
-   |EcrDockerRepository|Name  of  Amazon  ECR  repo  where  the  docker  images  of  your  code  will  be  stored|
-   |EmailRecipient  | Email  Address  where  build  notifications  needs  to  be  sent |
-   | EnvType | environment,  e.g:  dev (since we  have  values.dev.yaml  in  helm_charts  folder) |
-   |SourceRepoName  | Name  of  AWS  CodeCommit  repo,  where  your  code  resides |
+   **Note:** To retrieve your **EksWorkerNodeRoleARN**, browse to the EC2 AWS Console and select one of your EKS Worker Node.  Navigate to **Security** tab panel and  click on **IAM Role** - follow that link to the Role Summary which will have display the Node IAM role and IAM role ARN.<br/>
+   **Note:** To create new connection to GitHub repository created in the step 1) follow [Create a connection to GitHub](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html).
+
+   | Parameter             | Description                                                                                                |
+   |-----------------------|------------------------------------------------------------------------------------------------------------|
+   | SourceRepoConnection  | ARN of connection to GitHub account where your code resides                                                |
+   | SourceRepoName        | GitHub repo name where your code resides. You must maintain the correct case for the SourceRepoName value. |
+   | CodeBranchName        | Branch  name  of  GitHub  repo,  where  your  code  resides                                                |
+   | EKSClusterName        | Name  of  your  EKS  Cluster (not EKSCluster  ID)                                                          |
+   | EKSCodeBuildAppName   | in  this  case  name  of  app  helm  chart (**aws-proserve-java-greeting**)                                |
+   | EKSWorkerNodeRoleARN  | ARN  of  EKS  Worker  nodes  IAM  role                                                                     |
+   | EKSWorkerNodeRoleName | Name  of  the  IAM  role  assigned  to  EKS  worker  nodes                                                 |
+   | EcrDockerRepository   | Name  of  Amazon  ECR  repo  where  the  docker  images  of  your  code  will  be  stored                  |
+   | EmailRecipient        | Email  Address  where  build  notifications  needs  to  be  sent                                           |
+   | EnvType               | environment,  e.g:  dev (since we  have  values.dev.yaml  in  helm_charts  folder)                         |
+
 
    The creation of the Java CICD Pipeline will automatically trigger the CodePipeline too.  
    Once the cloudformation template **cf_templates/build_deployment.yaml** executes successfully, go to Outputs tab of Java CICD CF Stack in AWS console and get the value of **EksCodeBuildkubeRoleARN** (this ARN needs to be added to configmap aws_auth of EKS cluster).   
@@ -210,6 +204,11 @@ securityhub
    As of today, there is no support for cloudformation for this integration, hence this process has to be done manually. 
    Navigate to AWS Security Hub in AWS Console and further navigate to Integrations. Search for Aqua Security and select **Aqua Security: Aqua Security** Integration and click on **Accept findings**
 
+   **Note: This is an important step !**<br/>
+   By failing to carry out this step a very hard to interpret AccessDeniedException occurs during execution of the pipeline even if theCodeBuildServiceRole has full administrative permissions.
+     ```bash
+    An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:sts::<account>:assumed-role/<CodeBuildServiceRole>/<SessionId> is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:us-east-1::product/aquasecurity/aquasecurity
+   ```
 
 5) **Patching aws_auth confmap with EksCodeBuildkubeRoleARN received from step3**:
 

Tools.md

@@ -8,13 +8,13 @@
 * [Amazon EventBridge](https://aws.amazon.com/eventbridge/) - Amazon EventBridge Event Bus is a serverless event bus that helps you receive, filter, transform, route, and deliver events.
 * [Developer Tools on AWS](https://aws.amazon.com/products/developer-tools/)
   * [AWS CodeBuild](https://aws.amazon.com/codebuild/) - AWS CodeBuild is a fully managed build service in the cloud.
-  * [AWS CodeCommit](https://aws.amazon.com/codecommit/) – AWS CodeCommit is a version control service hosted that you can use to privately store and manage assets.
   * [AWS CodePipeline](https://aws.amazon.com/codepipeline/) - AWS CodePipeline is a continuous delivery service you can use to model, visualize, and automate the steps required to release your software.
 * [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/) - Amazon EKS is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.
 * [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/) - Amazon ECR is an AWS managed container image registry service that is secure, scalable, and reliable. 
 * [Amazon CodeGuru](https://aws.amazon.com/codeguru/) - Amazon CodeGuru is a developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code.
 * [AWS Security Hub](https://aws.amazon.com/security-hub/) - AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
-* [Amazon S3 – Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) - S3 is storage for the internet. 
+* [Amazon S3 – Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) - S3 is storage for the internet.
+* [GitHub](https://github.com/) - GitHub is a version control service that you can use to privately store and manage assets.
 * [Aqua Security Trivy](https://github.com/aquasecurity/trivy) – Trivy is a simple and comprehensive scanner for vulnerabilities in container images, file systems, and Git repositories, in addition to configuration issues. 
 * [Apache Maven](https://maven.apache.org/) – Apache Maven is a software project management and comprehension tool. 
 * [Helm](https://helm.sh/) - Helm helps you manage Kubernetes applications. 

buildspec/buildspec_deploy.yml

@@ -16,15 +16,15 @@ phases:
 
   pre_build: # Check helm version and Add kubeconfig to access to EKS cluster and check readiness of the cluster
     commands:
-      - "helm version"
-      - "mkdir ~/.kube/"
-      - "aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN"
-      - "chmod 0600 ~/.kube/config"
-      - "aws sts get-caller-identity"
+      - helm version
+      - mkdir ~/.kube/
+      - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN
+      - chmod 0600 ~/.kube/config
+      - aws sts get-caller-identity
 
   build: # Deploy app via Helm
     commands:
-      - "helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION"
+      - helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION
 
   post_build: # Display the endpoint of the application
     commands:

buildspec/buildspec_secscan.yaml

@@ -10,7 +10,6 @@ phases:
        - apt-get install -y wget apt-transport-https gnupg lsb-release curl
        - curl -OL https://github.com/aws/aws-codeguru-cli/releases/download/0.2.3/aws-codeguru-cli.zip
        - unzip aws-codeguru-cli.zip
-       - export PATH=$PATH:./aws-codeguru-cli/bin
        - curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
        - helm repo add stable https://charts.helm.sh/stable && helm repo update
 

cf_templates/build_deployment.yaml

@@ -4,9 +4,16 @@ AWSTemplateFormatVersion: 2010-09-09
 Description: CFN Template to deploy CodePipeline to build Docker Image of java application and push to ECR and deploy to EKS following DevSecOps Practices
 
 Parameters:
+  SourceRepoConnection:
+    Type: String
+    Description: >
+      ARN of connection to GitHub account where the code resides. Connection can be created via CLI or Console in Pending state but then needs to
+      be activated in Console (https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html).
   SourceRepoName:
     Type: String
-    Description: AWS CodeCommit RepoName where code resides
+    Description: >
+      GitHub RepoName where code resides. You must maintain the correct case for the SourceRepoName value. 
+      For example, if your user name is some-user and repo name is My-Repo, the recommended value of SourceRepoName is some-user/My-Repo.
   CodeBranchName:
     Type: String
     Default: main
@@ -45,13 +52,6 @@ Resources:
         Name: MySecurityHub
         Purpose: Security
 
-  SourceRepositoryAssociation:
-    Type: AWS::CodeGuruReviewer::RepositoryAssociation
-    Properties:
-      Name: !Ref SourceRepoName
-      Type: CodeCommit
-      BucketName: !Ref CodeGuruReviewerBucket
-
   MyProfilingGroup:
     Type: AWS::CodeGuruProfiler::ProfilingGroup
     Properties:
@@ -341,6 +341,8 @@ Resources:
               - s3:GetObject
               - s3:GetObjectVersion
               - s3:GetBucketVersioning
+              - s3:DeleteObject
+              - s3:DeleteObjectVersion
             Effect: Allow
             Resource:
               - !Sub arn:${AWS::Partition}:s3:::${CodeGuruReviewerBucket}
@@ -408,16 +410,11 @@ Resources:
           PolicyDocument:
             Version: 2012-10-17
             Statement:
-              - Resource: !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${SourceRepoName}
+              - Resource: !Ref SourceRepoConnection
                 Effect: Allow
                 Action:
-                  - codecommit:GetBranch
-                  - codecommit:GetCommit
-                  - codecommit:ListRepositories
-                  - codecommit:GetRepository
-                  - codecommit:UploadArchive
-                  - codecommit:GetUploadArchiveStatus
-                  - codecommit:CancelUploadArchive
+                  - codeconnections:UseConnection
+                  - codestar-connections:UseConnection
               - Resource:
                   - !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${CodeBuildImageProject}
                   - !Sub arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${CodeDeployImageProject}
@@ -428,14 +425,6 @@ Resources:
                   - codebuild:BatchGetBuilds
                   - codebuild:BatchGetBuildBatches
                   - codebuild:StartBuildBatch
-              - Resource: !GetAtt SourceRepositoryAssociation.AssociationArn
-                Effect: Allow
-                Action:
-                  - codeguru-reviewer:List*
-                  - codeguru-reviewer:Describe*
-                  - codeguru-reviewer:Get*
-                  - codeguru:Get*
-                  - codeguru-reviewer:CreateCodeReview
               - Resource: !Sub arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${EcrDockerRepository}
                 Effect: Allow
                 Action:
@@ -516,7 +505,8 @@ Resources:
                   - cloudwatch:DescribeAlarmsForMetric
                   - iam:GenerateCredentialReport
                   - iam:GetCredentialReport
-              - Resource: !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::product/aquasecurity/aquasecurity
+              - Sid: MakeSureToManuallyEnableIntegrationForAquasecurityInSecurityHubConsoleOtherwiseThisWontWork
+                Resource: !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::product/aquasecurity/aquasecurity
                 Effect: Allow
                 Action:
                   - securityhub:BatchImportFindings
@@ -530,17 +520,17 @@ Resources:
                   - logs:CreateLogGroup
                   - logs:CreateLogStream
                   - logs:PutLogEvents
-              - Resource: !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${SourceRepoName}
+              - Resource: !Ref SourceRepoConnection
                 Effect: Allow
                 Action:
-                  - codecommit:GitPull
-                  - codecommit:TagResource
+                  - codeconnections:UseConnection
+                  - codestar-connections:UseConnection
+                  - codeconnections:GetConnectionToken
               - Resource: "*"
                 Effect: Allow
                 Action:
                   - codeguru-reviewer:AssociateRepository
               - Resource: 
-                  - !GetAtt SourceRepositoryAssociation.AssociationArn
                   - !Sub arn:${AWS::Partition}:codeguru-reviewer:${AWS::Region}:${AWS::AccountId}:*
                 Effect: Allow
                 Action:
@@ -618,8 +608,6 @@ Resources:
       Artifacts:
         Type: CODEPIPELINE
       Source:
-        Location:
-          Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
         Type: CODEPIPELINE
         BuildSpec: "buildspec/buildspec_secscan.yaml"
       TimeoutInMinutes: 30
@@ -649,8 +637,6 @@ Resources:
       Artifacts:
         Type: CODEPIPELINE
       Source:
-        Location:
-          Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
         Type: CODEPIPELINE
         BuildSpec: "buildspec/buildspec.yml"
       TimeoutInMinutes: 30
@@ -680,8 +666,6 @@ Resources:
       Artifacts:
         Type: CODEPIPELINE
       Source:
-        Location:
-          Fn::Sub: https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${SourceRepoName}
         Type: CODEPIPELINE
         BuildSpec: "buildspec/buildspec_deploy.yml"
       TimeoutInMinutes: 30
@@ -729,12 +713,12 @@ Resources:
                 Category: Source
                 Owner: AWS
                 Version: 1
-                Provider: CodeCommit
+                Provider: CodeStarSourceConnection
               Configuration:
+                ConnectionArn: !Ref SourceRepoConnection
+                FullRepositoryId: !Ref SourceRepoName
                 BranchName: !Ref CodeBranchName
                 OutputArtifactFormat: CODEBUILD_CLONE_REF
-                RepositoryName:
-                  Ref: SourceRepoName
               OutputArtifacts:
                 - Name: SourceCodeApp
               RunOrder: 1