A pipeline that leverage the aws codesuite to deploy templates in multiple accounts.
whitelist-pipeline
|--> deploy
| |----> deploy_templates.sh <-- Used for deploying the templates
|--> pipeline
| |----> pipeline-deploy.sh <-- Used to deploy the pipeline.yaml file
| |----> pipeline.yaml <-- cfn source for pipeline pipeline
|--> templates
| |----> multi-account.yaml <-- The templates that the deploy_templates.sh leverages
|--> validation
| |----> validate_template.sh < -- just some basic validation script for codebuild stage
|--> buildspec.yml <-- Leveraged by codebuild to launch pipeline
|--> README.md <-- the instructions
Download the project source code via git
git clone https://github.com/getsec/aws-multi-account-pipeline
cd whitelist-source
Push the code to an aws codecommit repo of your choice
git push <your repo>
Edit any of the parameters in the pipline/pipeline.yaml file, ensure you have the correct repo (the one you created)
Once you made your changes, run the deploy/deploy_template.sh script.
bash deploy/deploy_templates.sh
Ensure the pipeline deploys succesfully and now any time you make changes to the template/multi-account.yaml file, and push them to master, the pipeline will automatically push these changes after validation.
- Create a new branch and push your changes
git checkout -b 'my-changes'
(make some changes)
- Make a change - lets say you want to add a new IAM Polcy
# Replace <SERVICE_NAME> with your service, for naming sake.
Resources:
<SERVICE_NAME>WhitelistPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Sub <SERVICE_NAME>-${AWS::StackName}
Roles:
- !Ref RoleNameParam
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "s3:GetObject"
- "s3:DeleteObject"
Resource:
- !Sub arn:aws:s3:*:${AWS::AccountId}:*/*
- !Sub arn:aws:s3:*:${AWS::AccountId}:*
- Save your code and validate your changes locally.
## We will ignore the warning checks, because code pipeline doesnt like non-zero returns
cfn-lint --ignore-checks W2 --template templates/whitelist-policies.yaml
.
.
.
<There should be no response>
- Push your changes upstream
git add <filename>
git commit -m 'my comments'
git push
- At this point you can merge this branch with the master branch and the pipeline will deploy
My pipeline isn't automatically starting after pushing code?
- Ensure you merged the code from your source branch to the master branch.
- Ensure code pipeline is still looking at the master branch
My changes were accepted, however validation failed?
- This could have been fixed if we ran cfn-lint before we commited, it would tell us what the issue is right away. Usage
My changes were accepted, validated, approved, but they fail on the final code build step.
- There are a few posible answers for this every one requires you to inspect the build logs
- Analyze the logs and take a look at the errors
- Based on the error take the appropriate action, or google the error.
- Worst comes to worse, if you cant deploy the template in a certain account do to an error, but it works locally, just connect to that account and remove that template, then redeploy the pipeline.
- Analyze the logs and take a look at the errors
This pipeline runs on codebuild, with only a shell script that assumes roles into each account through this file
deploy/deploy_template.sh
When you run the pipeline you should be able to see all the logs in CodeBuild and troubleshoot from there.
If you are still having issues, please reach out to either