Skip to content

Commit

Permalink
feat(codebuild): add functionality to allow using private registry an…
Browse files Browse the repository at this point in the history 
…d cross-account ECR repository as build image.

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerHub()

Fixes aws#2175
  • Loading branch information
@Kaixiang-AWS @skinny85
Kaixiang-AWS authored and skinny85 committed Jul 5, 2019
1 parent 6a79180 commit c85f204
Show file tree
Hide file tree
Showing 8 changed files with 423 additions and 133 deletions.
7 changes: 5 additions & 2 deletions packages/@aws-cdk/aws-codebuild/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,7 @@ of the constants such as `WindowsBuildImage.WIN_SERVER_CORE_2016_BASE` or
Alternatively, you can specify a custom image using one of the static methods on
`XxxBuildImage`:

* Use `.fromDockerHub(image)` to reference an image publicly available in Docker
Hub.
* Use `.fromDockerRegistry(image[, secretsManagerCredential])` to reference an image in any public or private Docker registry.
* Use `.fromEcrRepository(repo[, tag])` to reference an image available in an
ECR repository.
* Use `.fromAsset(directory)` to use an image created from a
Expand All @@ -201,6 +200,10 @@ The following example shows how to define an image from an ECR repository:

[ECR example](./test/integ.ecr.lit.ts)

The following example shows how to define an image from a private docker registry:

[Docker Registry example](./test/integ.docker-registry.lit.ts)

## Events

CodeBuild projects can be used either as a source for events or be triggered
Expand Down
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-codebuild/allowed-breaking-changes-0.37.0.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
removed:@aws-cdk/aws-codebuild.LinuxBuildImage.fromDockerHub
removed:@aws-cdk/aws-codebuild.WindowsBuildImage.fromDockerHub
237 changes: 166 additions & 71 deletions packages/@aws-cdk/aws-codebuild/lib/project.ts
View file

Large diffs are not rendered by default.

4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-codebuild/package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@
"@aws-cdk/aws-kms": "^0.37.0",
"@aws-cdk/aws-s3": "^0.37.0",
"@aws-cdk/aws-s3-assets": "^0.37.0",
"@aws-cdk/aws-secretsmanager": "^0.37.0",
"@aws-cdk/core": "^0.37.0"
},
"homepage": "https://github.com/awslabs/aws-cdk",
Expand All @@ -105,6 +106,7 @@
"@aws-cdk/aws-kms": "^0.37.0",
"@aws-cdk/aws-s3": "^0.37.0",
"@aws-cdk/aws-s3-assets": "^0.37.0",
"@aws-cdk/aws-secretsmanager": "^0.37.0",
"@aws-cdk/core": "^0.37.0"
},
"engines": {
Expand All @@ -118,4 +120,4 @@
]
},
"stability": "stable"
}
}
69 changes: 41 additions & 28 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-asset.lit.expected.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,33 +39,6 @@
]
}
]
},
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
],
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"codebuild.",
{
"Ref": "AWS::URLSuffix"
}
]
]
}
},
"Sid": "CodeBuild"
}
],
"Version": "2012-10-17"
}
},
"DependsOn": [
Expand Down Expand Up @@ -262,6 +235,45 @@
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":ecr:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":repository/",
{
"Fn::GetAtt": [
"MyImageAdoptRepository6CA902F6",
"RepositoryName"
]
}
]
]
}
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogGroup",
Expand Down Expand Up @@ -439,6 +451,7 @@
]
]
},
"ImagePullCredentialsType": "SERVICE_ROLE",
"PrivilegedMode": false,
"Type": "LINUX_CONTAINER"
},
Expand All @@ -455,4 +468,4 @@
}
}
}
}
}
148 changes: 148 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{
"Resources": {
"MyProjectRole9BBE5233": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::Join": [
"",
[
"codebuild.",
{
"Ref": "AWS::URLSuffix"
}
]
]
}
}
}
],
"Version": "2012-10-17"
}
}
},
"MyProjectRoleDefaultPolicyB19B7C29": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "MyProject39F7B0AE"
}
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":log-group:/aws/codebuild/",
{
"Ref": "MyProject39F7B0AE"
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "MyProjectRoleDefaultPolicyB19B7C29",
"Roles": [
{
"Ref": "MyProjectRole9BBE5233"
}
]
}
},
"MyProject39F7B0AE": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Artifacts": {
"Type": "NO_ARTIFACTS"
},
"Environment": {
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "my-registry/my-repo",
"ImagePullCredentialsType": "SERVICE_ROLE",
"PrivilegedMode": false,
"RegistryCredential": {
"Credential": {
"Fn::Join": [
"",
[
"arn:aws:secretsmanager:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":secret:my-secrets-123456"
]
]
},
"CredentialProvider": "SECRETS_MANAGER"
},
"Type": "LINUX_CONTAINER"
},
"ServiceRole": {
"Fn::GetAtt": [
"MyProjectRole9BBE5233",
"Arn"
]
},
"Source": {
"BuildSpec": "{\n \"version\": \"0.2\",\n \"phases\": {\n \"build\": {\n \"commands\": [\n \"ls\"\n ]\n }\n }\n}",
"Type": "NO_SOURCE"
}
}
}
}
}
36 changes: 36 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
import secretsmanager = require('@aws-cdk/aws-secretsmanager');
import cdk = require('@aws-cdk/core');
import codebuild = require('../lib');

class TestStack extends cdk.Stack {
constructor(scope: cdk.App, id: string) {
super(scope, id);

const secrets = secretsmanager.Secret.fromSecretArn(this, "MySecrets",
`arn:aws:secretsmanager:${this.region}:${this.account}:secret:my-secrets-123456`);

new codebuild.Project(this, 'MyProject', {
buildSpec: codebuild.BuildSpec.fromObject({
version: "0.2",
phases: {
build: {
commands: [ 'ls' ]
}
}
}),
/// !show
environment: {
buildImage: codebuild.LinuxBuildImage.fromDockerRegistry('my-registry/my-repo', {
secretsManagerCredential: secrets,
}),
},
/// !hide
});
}
}

const app = new cdk.App();

new TestStack(app, 'test-codebuild-docker-asset');

app.synth();
Loading

0 comments on commit c85f204

Please sign in to comment.