diff --git a/.markdownlint.json b/.markdownlint.json
index b8f0977bd..51f582372 100644
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -2,11 +2,11 @@
 "emphasis-style": {
 "style": "consistent"
 },
- "no-duplicate-header": {
- "allow_different_nesting": true
+ "no-duplicate-heading": {
+ "siblings_only": true
 },
 "heading-style": {
- "style": "consistent"
+ "style": "atx"
 },
 "ul-style": {
 "style": "dash"
@@ -28,7 +28,9 @@
 "ol-prefix": {
 "style": "one_or_ordered"
 },
- "no-inline-html": true,
+ "no-inline-html": {
+ "allowed_elements": []
+ },
 "no-emphasis-as-heading": {
 "punctuation": ".,;:!。,;:"
 },
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000..76bab46d2
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,786 @@ +# Changelog + +ADF releases follow the [Semantic Versioning +specification](https://semver.org/spec/v2.0.0.html). + +## Unreleased + +### Breaking changes + +#### New installer + +The dependencies that are bundled by the move to the AWS Cloud Development Kit +(CDK) v2 increased the deployment size of ADF. +Unfortunately it increased the deployment size beyond the limit that is +supported by the Serverless Application Repository (SAR). + +Hence a new installation mechanism is required. + +Please read the [installation +instructions](https://github.com/awslabs/aws-deployment-framework/blob/master/docs/installation-guide.md) +carefully. + +In case you are upgrading an existing installation of ADF, please consider +following the [upgrade steps as defined in the admin +guide](https://github.com/awslabs/aws-deployment-framework/blob/master/docs/admin-guide.md#updating-between-versions). + +#### CDK v2 + +ADF v4.0 is built on the AWS Cloud Development Kit (CDK) v2. Which is an +upgrade to CDK v1 that ADF relied on before. + +For most end-users, this change would not have an impact. +If, however, you made customizations to ADF it might require you to upgrade +these customizations to CDK v2 as well. + +#### CodeBuild default image + +As written in the [CodeBuild provider +docs](./docs/providers-guide.md#properties-3), it is a best-practice to define +the exact CodeBuild container image you would like to use for each pipeline. + +However, in case you rely on the default, in prior ADF releases it would +default to `UBUNTU_14_04_PYTHON_3_7_1`. This container image is no longer +supported. With ADF v4.0, the new default is `STANDARD_7_0`. +Also referred to as: `aws/codebuild/standard:7.0`. + +#### ADF Parameters in AWS Systems Manager Parameter Store + +Some of the parameters stored by ADF in AWS Systems Manager Parameter Store +were located at the root of the Parameter Store. 
This made it hard to maintain +and restrict access to the limited set of ADF specific parameters. + +With ADF v4.0, the parameters used by ADF are located under the `/adf/` prefix. +For example, `/adf/deployment_account_id`. + +If an application or customization to ADF relies on one of these parameters +they will need to be updated to include this prefix. Unless the application +code relies on ADF's ParameterStore class, in that case it will automatically +prefix the `/adf/` to all parameters read or written. + +With the changes in the IAM policies, ADF's access is restricted to the `/adf/` +prefix. This, unfortunately implies that old parameters are not deleted when +you update your installation of ADF. There is no cost associated to these +parameters, so you can leave them as is. +Feel free to delete the old parameters. + +The parameters that are managed by ADF that got their path changed are: + +For the __management account__, in the __AWS Organizations region__ +(`us-east-1`, or `us-gov-west-1`): + +| Old Parameter Path | New Parameter Path | +|------------------------------|-------------------------------------| +| `/adf_log_level` | `/adf/adf_log_level` | +| `/adf_version` | `/adf/adf_version` | +| `/bucket_name` | `/adf/bucket_name` | +| `/confit` | `/adf/config` | +| `/cross_account_access_role` | `/adf/cross_account_access_role` | +| `/deployment_account_id` | `/adf/deployment_account_id` | +| `/deployment_account_region` | `/adf/deployment_account_region` | +| `/kms_arn` | `/adf/kms_arn` | +| `/notification_channel` | `/adf/notification_channel` | +| `/organization_id` | `/adf/organization_id` | +| `/protected` | `/adf/protected` | +| `/scp` | `/adf/scp` | +| `/shared_modules_bucket` | `/adf/shared_modules_bucket` | +| `/tagging-policy` | `/adf/tagging_policy` | +| `/target_regions` | `/adf/target_regions` | + +For the __management account__, in __other ADF regions__: + +| Old Parameter Path | New Parameter Path | 
+|------------------------------|-------------------------------------| +| `/adf_version` | `/adf/adf_version` | +| `/bucket_name` | `/adf/bucket_name` | +| `/cross_account_access_role` | `/adf/cross_account_access_role` | +| `/deployment_account_id` | `/adf/deployment_account_id` | +| `/kms_arn` | `/adf/kms_arn` | + +For the __deployment account__, in __the deployment region__: + +| Old Parameter Path | New Parameter Path | +|------------------------------|-------------------------------------| +| `/adf_log_level` | `/adf/adf_log_level` | +| `/adf_version` | `/adf/adf_version` | +| `/auto_create_repositories` | `/adf/scm/auto_create_repositories` | +| `/cross_account_access_role` | `/adf/cross_account_access_role` | +| `/default_scm_branch` | `/adf/scm//default_scm_branch` | +| `/deployment_account_bucket` | `/adf/deployment_account_bucket` | +| `/master_account_id` | `/adf/management_account_id` | +| `/notification_endpoint` | `/adf/notification_endpoint` | +| `/notification_type` | `/adf/notification_type` | +| `/organization_id` | `/adf/organization_id` | + +For the __deployment account__, in __other ADF regions__: + +| Old Parameter Path | New Parameter Path | +|------------------------------|-------------------------------------| +| `/adf_log_level` | `/adf/adf_log_level` | +| `/adf_version` | `/adf/adf_version` | +| `/cross_account_access_role` | `/adf/cross_account_access_role` | +| `/deployment_account_bucket` | `/adf/deployment_account_bucket` | +| `/master_account_id` | `/adf/management_account_id` | +| `/notification_endpoint` | `/adf/notification_endpoint` | +| `/notification_type` | `/adf/notification_type` | +| `/organization_id` | `/adf/organization_id` | + +For a __target account__, in __each ADF region__: + +| Old Parameter Path | New Parameter Path | +|------------------------------|-------------------------------------| +| `/bucket_name` | `/adf/bucket_name` | +| `/deployment_account_id` | `/adf/deployment_account_id` | +| `/kms_arn` | 
`/adf/kms_arn` | + +#### AWS CodeStar Connections OAuth Token support dropped + +ADF v4.0 discontinued the support for the OAuth Token stored in +SSM Parameter Store. As this method is not advised to be used by CodePipeline, +and might leave the OAuth Token accessible to other users of the deployment +account. As this is not a security best practice, ADF v4.0 no longer supports +it. + +To upgrade, please read the [Administrator Guide on Using AWS CodeConnections +for Bitbucket, GitHub, or +GitLab](./docs/admin-guide.md#using-aws-codeconnections-for-bitbucket-github-github-enterprise-or-gitlab). + +#### AWS CodeStar Connections changed to AWS CodeConnections + +The AWS CodeStar Connection service [changed its name to AWS +CodeConnections](https://docs.aws.amazon.com/dtconsole/latest/userguide/rename.html). + +If you configured a CodeStar Connection before, you can continue to use that. +You do not need to update the CodeStar policy as defined in the +`aws-deployment-framework-bootstrap/adf-bootstrap/deployment/global-iam.yml` +stack. + +However, please update the pipeline definitions in your deployment map files. +The changes you need to make are renaming the source +provider from `codestar` to `codeconnections`. +Also update the `codestar_connection_path` source property to +`codeconnections_param_path`. + +Both of these changes can be seen in the following example: + +```yaml +pipelines: + - name: sample-vpc + default_providers: + source: + # provider: codestar + provider: codeconnections + properties: + # codestar_connection_path: /adf/my_connection_arn_param + codeconnections_param_path: /adf/my_connection_arn_param +``` + +If you are upgrading from the GitHub OAuth token or otherwise require a new +source code connection, please proceed with the AWS CodeConnections +configuration as defined in the +[Admin Guide - Using AWS CodeConnections for Bitbucket, GitHub, or +GitLab](./docs/admin-guide.md#using-aws-codeconnections-for-bitbucket-github-or-gitlab). 
+ +--- + +## v3.2.0 + +__Please note__: this update refactored the account creation and pipeline +generation to use Step Functions. Thereby, the process to track how the update +progresses and how you could validate its operation changed. +Please read [the docs on updating +ADF](https://github.com/awslabs/aws-deployment-framework/blob/3ae94baf6908a6f25177ea21cd2f2e0d3a5b808b/docs/admin-guide.md). + +We are thankful to the community that helped enhance ADF. +With this release, we decided to list the contributions per author (listed in +alphabetical order) within each section. Highlighting the great contributions +and enhancements that were made by them. + +### Features + +apogorielov: + +- Add ability to override the default branch for all source code providers #370. + +benbridts: + +- Allow top-level keys starting with `x-` or `x_` in deployment maps to add + support for YAML anchors #347. + +dsudduth: + +- Fix AWS partition reference, adding support for AWS Gov Cloud #381, + closes #332. + +ivan-aws: + +- Add ability to use CodeStar sources in deployment map #312. +- Add support to configure object ACL with S3 put object calls #412. + +pozeus: + +- Add support for CodeBuild to pull from docker hub #349, requested in #196. + +srabidoux: + +- Add support for account-specific SCP deployments #395. + +stemons: + +- Add support for Terraform deployments #397, closes #259, implements #114. + +StewartW: + +- Add ChatBot support for notifications, lifting the limit on pipelines that + notify through Slack #367, closes 257, closes 297. +- Add support for pipeline triggers #392, closes #372. +- Add ability to define CodeCommit artifact format #389, closes #387. +- Add deployment waves for targets, removing the manual effort to spread 50 + accounts per stage #358, closes #290, implements #128, closes #296, + closes #250, closes #427. +- Add support to exclude specific account ids from a target group #358, + closes #145. 
+ +sbkok: + +- Add ability to disable trigger on changes for S3/CC/GH source providers #357: + - Allows starting the pipeline only upon a `completion_trigger` event, + closes #308. + - Allows you to disable reacting to the Github webhook, closes #337. +- Add support to change the default branch on ADF bootstrap and pipelines + repositories #508. +- Add support for CodeBuild to run inside a VPC #517. +- Refactor `generate_params.py` helper, adding support for per parameter/tag + resolution from specific to least specific params file #559, closes #452, + closes #294. +- Add support for CodeStar CodeBuild clone ref, allowing to work on git commits + in CodeBuild in pipelines #563. +- Allow CloudFormation parameter file name configuration per target #565. + +### Fixes + +benbridts: + +- Remove unacceptable characters from CloudFormation Stack names #346. + +dependabot: + +- Bump ejs from 2.6.1 to 3.1.7 in Fargate node sample application #480. +- Bump express from 4.16.4 to 4.17.3 in Fargate node sample application #555. + +javydekoning: + +- Fix resource reference in Step Function state machine policy #461, + closes #460. +- Fix string should be array reference in Event Bridge Rule #456, closes #455. +- Bump Jinja2 and Boto3 versions to 3.1.1 and 1.21.31 respectively #457, + closes #454. +- Ensure account alias is configured or fail #465, closes #242. +- Fix account file processing and add debug logging #459, closes #458. + +mhdaehnert: + +- Separate artifact storage bucket for CodePipeline and CodeBuild to improve + parallel execution #271, closes #270. + +Nr18: + +- Fix S3 object ownership controls #448, closes #447. +- Fix param overrides functionality to support using the same source #446, + closes #445. + +rickardl: + +- Support paginator for parameters and empty descriptions in moved to root + lambda #273, fixes #272. + +tylergohl: + +- Add retry for InvalidTemplateError and GenericAccountConfigureError #384, + closes #383. 
+ +StewartW: + +- Fix deployment account Step Function time outs #401, closes #400. +- Fix incorrect step name in step function #406. +- Update get account region function to use opted-in regions to #423, + closes #420. +- Reduce adf-codepipeline-role policy size when ADF deploys to many regions + #475, closes #474. + +sbkok: + +- Add missing requirements file for shared python helpers, fixes use of + `retrieve_organization_accounts.py` helper #352. +- Fix duplicate notification endpoint setup in pipeline generation #362. +- Fix specifying the tag on CodeBuild repository image to use #377, + closes #374. +- Fix permission to set Support Subscription upon account creation #402, + closes #379. +- Fix duplicated steps in Account Bootstrap Step Function #414. +- Fix global-iam example comment explaining where it is deployed #421. +- Fix use of correct region for AWS Organizations API depending on the + partition it runs in #485. +- Fix correct use of build/deploy parameters for CodeBuild provider #489, + closes #488. +- Fix account processing to be part of our SAR distribution #487. +- Fix Makefile use of find command on macOS #497, closes #473. +- Fix update process to only flag helpers as executable #499. +- Fix correct use of partitions #502. +- Fix use of NodeJS 14 with Standard 5.0 CodeBuild containers #500, + closes #385. +- Fix MarkupSafe to v2.0.1 as v2.1 breaks compatibility with Jinja2<3.0.0 #498, + closes #467, closes #441. +- Fix use of separate container image per target #501, closes #382. +- Fix wrapt version dependency #504. +- Fix syncing deployment map files to S3 when needed #506. +- Fix missing permission on cross-account org read-only role #509. +- Fix permission to update termination protection on pipeline stacks #511. +- Fix ADF state machines #514, closes #513. +- Fix updating account alias when needed #515. +- Fix tenacity version dependency #520. +- Fix Step Function input file syncing to upload only when content changed + #530, part of #518. 
+- Fix pipeline generation policies #533. +- Fix repository creation permission in pipeline management #536. +- Fix stale pipeline deletion #535. +- Fix account creation wait for bootstrap to complete #537, closes #518. +- Fix initial commit implementation #534. +- Fix account bootstrap on organization unit move #539. +- Fix IAM Tag permissions #545. +- Fix initial commit on new/fresh install #544. +- Fix ADF Config storage, needs to be stored before used the first time #548. +- Fix pipeline regeneration upon account move #550, closes #549. +- Fix syncing to S3 in the root of the bucket #558. +- Fix CodePipeline source account id lookup to support missing account id for + providers like CodeStar #561. +- Fix CreateRolePolicy permissions on global.yml bootstrap stacks #564. +- Fix clean-up of stale deployment map files in the pipeline bucket #562. +- Fix CodePipeline references to a specific config per stage over a default + provider config #565. +- Fix executable flags of helper scripts #573. +- Fix CloudFormation permissions to update the pipeline notification SNS topic + subscriptions #572. +- Fix permissions to enable CodeBuild as a deployment provider #571. +- Fix typos in pipeline management logical id #567. +- Fix generate_params.py pipeline regions lookup #584. +- Fix bootstrapping in non-protected OUs only #590. + +### Improvements + +benbridts: + +- Clean up of protected organization unit error message #353. +- Improvements to the Serverless Application Repository template #343, + closes #342. + +javydekoning: + +- Add CloudFormation linting using cfn-lint #466, closes #464. +- Replace Travis with GitHub Actions #481. +- Add YAML linting using yamllint #470, closes #463. +- Fix yamllint findings #482. +- Upgrade to CDK v1.168, pylint v2.13 and others #486. +- Add MegaLint to organize execution of all linters configured #492, part of + #491. +- Fix linting issues in RDK sample #495. +- Fix editor config linting #516, part of #491. 
+- Improve docs, add markdown linting, and change master account to management + account in docs #521, part of #491. +- Improve code and docs by adding CSpell checks to enforce correct spelling + #574. +- Improve CSpell linter output #578. + +Nr18: + +- Encrypt SNS topic using ADF's CMK KMS Key #429, closes #422. +- Define CodeCommit description in deployment maps #469, closes #468. + +ntwobike: + +- Add RDK sample to deploy custom Config rules #451. + +skycolangelom: + +- Fix retry logic for DescribeRegions while creating new accounts #238, + rebased and improved in #348. +- Fix deleting default VPC when it is non-empty #238, rebased + improved in + #348. + +StewartW: + +- Add pipeline type parameters to enable support for other pipelines in the + future #285, closes #185. +- Add Bootstrap Repository Pipeline high-level overview documentation from a + tech perspective #393, closes #211. +- Refactor Account management to use a Step Function #394. +- Reduce number of IAM API calls during cross-account access setup process + #408. +- Refactor Pipeline management to use a Step Function, added tech diagrams + #424, closes #211. +- Add in role paths for new account management roles #523. +- Fix MegaLint style error #531. +- Add deployment map source to SSM Params to identify out-of-date pipelines + #525. +- Add retry logic on pipeline generation RunCDK stage when CodeBuild is + throttled #580. + +sbkok: + +- Upgrade urlize from v2.11.2 to v2.11.3 #341. +- Lock down buckets created by ADF, block public access #350. +- Improve ADF version references in the main template #351. +- Upgrade dependencies (CDK to v1.105, Pylint to v2.8.2, SAM CLI to v1.23.0, + and others) #364. +- Upgrade dependencies (CDK to v1.114, Pylint to v2.9.3, SAM CLI to v1.26.0, + and others) #376, closes #388. +- Improved error message with accounts yaml read failures #403, closes #213. +- Enable setting the log level when deploying from the SAR + adding a + troubleshoot ADF guide #409. 
+- Update docs to state the default branch used as the source #418. +- Change example email domains and account ids #416. +- Update to CDK v1.137, pylint v2.12, and others to latest available #417. +- Upgrade to Python 3.9 #415. +- Add editorconfig to repository #483. +- Refactor line lengths and code style #490. +- Update CDK, use of NodeJS 16 where possible, and CodeBuild Standard 5.0 + images #496, closes #291. +- Only invoke pipeline deletion when needed #510. +- Add reference to Step Function Pipeline Management state machine from + pipelines CodeBuild execution #512. +- Add retry logic to Step Function Lambda invocations and improved log messages + #513, closes #371. +- Make consistent use of Id in pipeline management implementation #532. +- Add account creation in-progress retry logic, fixes + SubscriptionRequiredException #540, closes #519, fixes #366. +- Add retries to account bootstrap process #543, closes #366. +- Update to CDK v1.181.1 and others #553. +- Improve readability of pipeline generation executions in the newly introduced + pipeline generation state machine #557. +- Improve parameter validation on install/update of ADF, improving + install/update experience #554. +- Update to CDK v1.182.0 #560. +- Improve adf-pipelines CodeBuild permissions to start state machines + and optimized CodeBuild machine type #569. +- Add CodeBuild VPC permissions to default permissions to easy provisioning + pipelines inside VPCs #570. +- Improve policy names in adf-bootstrap example global-iam.yml files to be + unique #568. +- Improve code readability of CodeBuild class through refactoring #566. +- Update ADF update process and troubleshooting documentation #576. +- Improve CloudFormation error reporting in the + aws-deployment-framework-bootstrap pipeline #582. +- Reduce number of cross-account access IAM API calls #581. +- Add exponential back-off retries on Enable Cross-Account Access state + machine #581. 
+- Refactor and tighten roles used by Enable Cross-Account Access state + machine #581. +- Do not retry pipeline generation if an account is not found or the deployment + map is invalid #583. +- Refactor pipeline management pipeline input generation and execution #584. + +Many thanks to our community for driving this release. And special thanks to +apogorielov, benbridts, dsudduth, ivan-aws, javydekoning, mhdaehnert, Nr18, +ntwobike, pozeus, rickardl, skycolangelom, srabidoux, stemons, StewartW, +and tylergohl for contributing new features and improvements to ADF! + +--- + +## v3.1.2 + +### Fixes + +- Fix use of the `resolve:` intrinsic function on the first parameter + in the parameter files, #336. + +--- + +## v3.1.1 + +### Fixes + +- Fixes `timeout` and `environment_variables` to be used when defined in the + default CodeBuild Deployment provider properties #307, closes #306. +- Fixes intrinsic functions for account_region param files #333, closes #147. +- Fixes use of deployment from source directly when build stage is disabled + #334, closes #236 and closes #318. + +--- + +## v3.1.0 + +### Features + +- Adds Enterprise Support to account creation process #233, closes #232: + - ADF will raise a ticket to add the account to an existing AWS support + subscription when an account is created. As a prerequisite, your + organization management account must already have enterprise support + activated. +- Adds nested deployment map support #266 and #328, closes #265: + - This enables usage of sub directories within the deployment_maps folder. + +### Fixes + +- Fixes specific role usage to be used in Build and Deploy only #295. +- Corrects removing pipelines anchor in docs #279. +- Fixes CI builds due to isort version mismatch #284. +- Fixes error handling of generate_params intrinsic upload function #277, + closes #276. +- Fixes spec_inline attribute of CodeBuild in docs #289. +- Fixes provider spec_inline support of CodeBuild in #293. 
+- Fixes supported list of intrinsic upload path styles, enables usage of s3-url + and s3-key-only #275, closes #299. +- Fixes create deployment account concurrency failure #287, closes #280. +- Fixes approval stage usage, by limiting specific role usage to Build and + Deploy steps #295. +- Fixes yarnpkg GPG #313, closes #325. +- Removes dependency on botocore.vendored.requests #326, closes #324. + +### Improvements + +- Improves docs on providers and their properties #274. +- Separates pipeline cleanup from input generation script #288. +- Upgrades Python from v3.7 to v3.8 #313. +- Upgrades CodeBuild image from "aws/codebuild/standard:2.0" to + "aws/codebuild/standard:5.0" #313, closes #267, closes #300. +- Upgrades CDK from v1.32 to v1.88 #313, closes #292. + +Many thanks to our community for driving this release. And special thanks to +@StewartW for contributing new features to ADF! + +--- + +## v3.0.6 + +### Fixes + +- Account Alias’ are no longer automatically created as the accounts full name. +- Adding in additional wait time for account creation process (Temporary Fix) + +### Improvements + +- CDK Version 1.25 -> 1.32 +- Adding ability to tag pipelines (example included in docs) +- Adding in CloudFormation:* in global-iam-example.yml for target accounts. + +--- + +## v3.0.5 + +### Fixes + +- Fix CodeBuild use specific image in target stage #253. +- Fix import references of export to output key #248. +- Fix CodeBuild assume role to generate parameters #247. + +### Improvements + +- Adds s3-key-only style #249. + +--- + +## v3.0.4 + +### Fixes + +- Fix CloudFormation deployment role generation. +- Fix overwrite of deployment/global-iam.yml #227. +- Fix IAM for retrieve organization accounts helper #229. +- Fix IAM for package transform helper to function #228. +- Version lock missing CDK dependencies #225. + +### Improvements + +- Add S3-URI and S3-URL as upload path styles #224. 
+- Allow adf-automation-role policy to grant + cloudformation:UpdateTerminationProtection #222. + +--- + +## v3.0.3 + +### Fixes + +- Fix CodeCommit usage in pipelines. +- Fix CodeBuild usage in pipelines with correct default values. + +--- + +## v3.0.2 [YANKED] + +This release was yanked, as deploying it caused various issues with the default +CodeBuild and CodeCommit pipeline resources. These issues are fixed in v3.0.3. + +--- + +## v3.0.1 + +### Fixes + +- Fixed SCP and Tagging Policy files to use relative paths #212. + +--- + +## v3.0.0 + +This release is specifically focused two main topics: *Security* and +*Account provisioning*. + +### Security + +In this release we are limiting default IAM policies to ensure pipeline phases +such as custom deployments or build phases cannot be used to elevate ones own +permissions. To ensure strict separation of concerns and enforce high standards +around IAM we have created two new IAM Role that lives on each AWS Account +within the organization. These role are created in the global.yml +*(base stack)* of each account and are used for the following purposes: + +**adf-automation-role:** + +> When creating pipelines in ADF there are certain things that are required to +> be setup on multiple different accounts. For example, the source account +> requires a repository on it, and also a CloudWatch event. Previously the +> CodeBuild role would assume the adf-cloudformation-deployment-role in the +> target account and create the required CloudFormation stack. This pattern +> allowed the adf-codebuild-role to much power and thus we have removed this +> link. + +This new role (`adf-automation-role`) is assumed by CodeBuild in the +`aws-deployment-framework-pipelines` pipeline exclusively and cannot be +assumed by the standard *(other)* deployment pipelines. 
+ +**adf-readonly-automation-role:** + +> When CodeBuild runs as part of a standard deployment pipeline +> *(anything other than `aws-deployment-framework-pipelines`)* it uses the +> role: `adf-codebuild-role` by default. +> The `adf-codebuild-role` has access to assume this new role +> (`adf-readonly-automation-role`) on each account within the organization. +> It assumes this role when running certain intrinsic functions +> such as import or resolve which allow values to be retrieved from other +> AWS Accounts within the organization. Previously, CodeBuild would assume the +> adf-cloudformation-deployment-role to retrieve these values which can have +> many actions allowed making it inappropriate to assume. + +This change effectively lowers the amount of permissions the default +`adf-codebuild-role` has. Prior to this release, using CodeBuild as a deployment +stage would also default to the `adf-codebuild-role` which would allow the +deployment stage more accesses than intended. From this release onward, +CodeBuild stages will default to the `adf-codebuild-role`. However, since this +role has very limited access, it will most likely require the user to define a +custom role in order to assume and deploy resources into other accounts. + +For example, if you wanted to deploy some resources with Terraform, or run +"cdk deploy" you would need to provide an IAM role that has been created which +has the required permissions to do so. For more information on how to create +such as role, see the commented out `adf-custom-deploy-role` in the +`example-global-iam.yml`. + +### Account Provisioning + +Until this release ADF has not had a streamlined automated way to create and +move AWS accounts into organizational units. With 3.0.0 we are introducing an +account provisioner concept that handles the creation and OU location of AWS +Accounts in a declarative format. 
As part of the bootstrap repository we have +created a new root folder titled adf-accounts, this folder contains definition +files *(yaml)* that describe AWS accounts along with an assortment of +properties. The bootstrap pipeline automation component (in CodeBuild) will +parse the files and create or move the accounts into their defined state. +This allows for end to end creation, bootstrapping and pipeline generation of +an AWS account *(all from code!)*. For more information on this process and a +breakdown of the file properties and syntax itself see the admin guide +*(also see `readme.md` in the `adf-accounts` folder)*. + +### Inter OU Moving of AWS Accounts + +Moving accounts between two OU's will now trigger the previous base stack to be +removed and the new base stack aligned with that Organizational Unit to be +applied. + +### Tagging Policies + +With this release, ADF enables streamlined automation and management of Tagging +Policies via AWS Organizations. Tagging Policies can now be applied to OU's in +the same manner as Service Control Policies could be in prior versions. +Using a tagging-policy.json file in a specific folder of the bootstrap +repository that matches to your organization structure enables the tagging +policy for the specific OU. Read more about how tagging policies work +[here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) +and see the example-tagging-policy.json in the bootstrap repo for a simple +reference. 
+ +### Separation of adf-cloudformation-deployment-role IAM Policy + +Moving forward we have decided to move the adf-cloudformation-deployment-role +policy out of the global.yml and into a new file called `global-iam.yml`, +this change hopes to simplify and create a separation between the global.yml +which contains resources related to ADF in general as opposed to the new file +(global-iam.yml) which relates to what can and cannot be deployed into the +account that applies that specific base stack. The new global-iam.yml file is +searched for recursively in the same fashion other global.yml or regional.yml +files. + +### Other changes + +- Resolved #196 - Support for custom CodeBuild images *(You can now use custom + build images in your build or deploy actions with CodeBuild. See user-guide + for more information and examples.)* +- Resolved #198 - Parameter Store is no longer used for the state of the + pipeline definition, this has been moved to S3. +- Resolved #191 - Simple check to determine region is correct when deploying + from SAR. +- Resolved #189 - Enable flag for build stage bug fixed, now works as intended. +- Resolved #180 - error handling has been fixed to correct this. +- Resolved #178 - ADF Account provisioning is here! +- Resolved #177 - Upgrades will not touch the global-iam.yml file which holds + the cloudformation-deployment-role-policy. +- Resolved #188 - Removed hard-coded branch name from source account CloudWatch + event. +- Resolved #148 - Base stack *(iam and bootstrap)* are removed and re-added + based on inter OU account moves. +- cdk version bumped to 1.2.0 +- removed hard coding of master branch on PR event action on source accounts. + +### Upgrading from 2.x to 3.x + +With the change to 3.0 we have decided to move the bootstrap content +(`templates/scps`) in the bootstrap repository into its own folder +(`adf-bootstrap`). 
Since the bootstrap folder path is changing from the root of +the repository into the `adf-bootstrap` folder, you will need to move your +existing folder structure (`.yml/scp` files) into the new format. When +deploying ADF 3.x from the SAR a Pull Request will get made against the +bootstrap repository as per normal upgrade process. The 3.0 PR will move the +ADF specific content including the deployment folder into the new structure, +if you have significantly altered the `global/regional.yml` for the deployment +account be sure to adjust this as intended prior to merging it to the main +branch. + +If you require to make alterations to the structure of the folders/templates +simply pull the 3.0 branch down and add in your existing folder/OU structure +as desired with the `adf-bootstrap` folder as the new root and push back into +the branch. + +With the 3.0 change there is also an `example-global-iam.yml` file that is +included in the root of the `adf-bootstrap` folder. This file should be renamed +to `global-iam.yml` and distributed into the folders/OUs that you intend to +have CloudFormation deploy resources into. This is required in order to define +what actions the role on the target accounts will have access to when deploying +CloudFormation resources via CodePipeline. + +Steps to perform for the upgrade process: + +- Deploy ADF. +- Once deployed, navigate to CodeCommit, pull down the branch for 3.0. + In your editor, update your folder organizational structure *(if you have + one)* into the `adf-bootstrap` folder. *(this folder is the new "root" for + bootstrapping)*. Ensure you are getting the new content from the deployment + folder. +- Ensure you are bringing in the new content from the global.yml file in 3.0 + release, the two roles and their associated policies (`adf-automation-role`, + `adf-readonly-automation-role`). 
+- Rename the `example-global-iam.yml` to `global-iam.yml` and ensure its policy + suits your needs and that it is in the correct folder structure that suits + your organization security requirements. *(this file now holds the policy for + what CFN can do on target accounts)* +- Push the updated content back to the branch and merge if all looks to be + correct. diff --git a/docs/admin-guide.md b/docs/admin-guide.md index be88a8f58..5cb9acfa0 100644 --- a/docs/admin-guide.md +++ b/docs/admin-guide.md @@ -20,9 +20,9 @@ - [Bootstrapping Recommendations](#bootstrapping-recommendations) - [Pipelines](#pipelines) - [Pipeline Parameters](#pipeline-parameters) - - [Using CodeStar Connections for Bitbucket, GitHub, or GitHub - Enterprise](#using-codestar-connections-for-bitbucket-github-or-github-enterprise) - - [Using GitHub with an OAuth token](#using-github-with-an-oauth-token) + - [Using AWS CodeConnections for Bitbucket, GitHub, or + GitLab](#using-aws-codeconnections-for-bitbucket-github-or-gitlab) + - [AWS CodeStar Connection](#aws-codestar-connection) - [Chaining Pipelines](#chaining-pipelines) - [Service Control Policies](#service-control-policies) - [Tagging Policies](#tagging-policies) @@ -282,7 +282,8 @@ SCPs or CloudFormation templates that ADF will apply. The Deployment Account is the gatekeeper for all deployments throughout an Organization. Once the baselines have been applied to your accounts via the bootstrapping process, the Deployment account connects the dots by taking -source code and resources from a repository _(e.g. GitHub, CodeCommit or S3)_ +source code and resources from a repository _(e.g. CodeCommit, S3, or external +via AWS CodeConnections or an AWS CodeStar Connection)_ and into the numerous target accounts and regions as defined in the deployment map files via AWS CodePipeline. 
@@ -557,15 +558,15 @@ pipelines: Here is an example of passing in a parameter to a pipeline to override the default branch that is used to trigger the pipeline from, this time using -a CodeStar Connection to Bitbucket, GitHub, or GitHub Enterprise as a source -_(No need for `source_account_id`)_. +an AWS CodeConnections link to Bitbucket, GitHub, or GitLab as a +source _(No need for `source_account_id`)_. ```yaml pipelines: - name: vpc # The GitHub repo would have this name default_providers: source: - provider: codestar + provider: codeconnections properties: branch: dev/feature # Optional, name property will be used if repository is not specified @@ -580,7 +581,7 @@ pipelines: # It is recommended to add a Tag like CreatedBy with the user that # created it. So it is clear this parameter is not managed by ADF # itself. - codestar_connection_path: /adf/my_codestar_connection_param + code_connection_path: /adf/my_aws_codeconnections_param targets: - /security # Shorthand example ``` 
@@ -629,50 +630,63 @@ globally unique we need some way to define which bucket we want to deploy our `output.zip` into at a stage level. The way we accomplish this is we can pass in `properties` in the form of `key/value` into the stage itself. -#### Using CodeStar Connections for Bitbucket, GitHub, or GitHub Enterprise +#### Using AWS CodeConnections for Bitbucket, GitHub, or GitLab -**Please note:** This is the preferred method to setup GitHub as your source -provider. +**Please note:** This is the preferred method to setup external sources. +If you have configured an AWS CodeStar Connection before and wonder how-to +set it up again, please read the [AWS CodeStar Connection +steps](#aws-codestar-connection). -**Prerequisite:** To enable CodeStar Connections to be used the following step -is required: +**Prerequisite:** To enable AWS CodeConnections to be used the following steps +are required: -- Rename file `example-global-iam.yml` to `global-iam.yml` in the following - path `aws-deployment-framework-bootstrap/adf-bootstrap/deployment/` and - ensure the CloudFormation resources `CodeStarConnectionPolicy` is no longer - commented out. - **Please note:** the use of `deployment` at the end) +- Navigate to the `aws-deployment-framework-bootstrap` repository, specifically + the `/adf-bootstrap/deployment/` folder (notice the `deployment` OU folder at + the end). +- There should be a `global-iam.yml` file in that folder. If not, please rename + or copy the `example-global-iam.yml` file to `global-iam.yml` to proceed. +- Inside the `global-iam.yml` file ensure the CloudFormation resources + named `CodeConnectionsPolicy` is no longer commented out. -**Important note**: `CodeStarConnectionPolicy` IAM policy is a sample. +**Important note**: `CodeConnectionsPolicy` IAM policy is a sample. Please make sure you update this policy and scope it properly for the use cases you want to support. 
-In order for a pipeline to be connected to Bitbucket, GitHub, or GitHub -Enterprise you will need to setup an CodeStar Connection first. +In order for a pipeline to be connected to Bitbucket, GitHub, or GitLab +you will need to setup AWS CodeConnections first. Please follow the [steps as described in the AWS Developer Tools documentation](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html) -on how-to setup a new Connection with your code repository. +on how-to setup a new connection with your code repository. Once the connection is created you can store the Connection ARN into the Deployment Account with AWS Systems Manager Parameter Store. +Before you proceed, please check the Connection ARN of the connection you +configured. Depending on the method and creation time of the connection it +might have created a CodeStar Connection instead. If it did, the ARN will +include the `codestar` keyword. If so, please proceed with the steps described +in the [AWS CodeStar Connection](#aws-codestar-connection) first before you +continue. + Please use the `/adf/` prefix for this parameter. For example: `/adf/my_source_connection_param` As ADF has read access to parameters that start with `/adf/`. -Once the values are stored, you can create the Repository in GitHub as per -normal. Once its created you no further steps are required on GitHub's side, -just update your [deployment map](user-guide.md#deployment-map) to use the new -source type and push to the deployment account. Here is an example of a -deployment map with a single pipeline from GitHub, in this case the repository -on GitHub must be named 'vpc'. +Once the values are stored, you can create the Repository in your external +source provider (Bitbucket, GitHub, or GitLab) as per normal. 
+Once the repository is ready, no further steps are required on the external +source provider's side, just update your +[deployment map](user-guide.md#deployment-map) to use the new source type and +push to the deployment account. Here is an example of a +deployment map with a single pipeline from an external source provider, in this +case the external repository must be named 'vpc'. ```yaml pipelines: - name: vpc default_providers: source: - provider: github + provider: codeconnections properties: # Optional, name property will be used if repository is not specified repository: example-vpc 
@@ -688,56 +702,57 @@ pipelines: # itself. # # Example content of the parameter, plain ARN as a simple string: - # arn:aws:codestar-connections:eu-west-1:111111111111:connection/11111111-2222-3333-4444-555555555555 - codestar_connection_path: /adf/my_github_connection_arn_param + # arn:aws:codeconnections:eu-west-1:111111111111:connection/11111111-2222-3333-4444-555555555555 + codeconnections_param_path: /adf/my_github_connection_arn_param targets: - /security ``` -#### Using GitHub With An OAuth Token - -**Important note:** Before you continue. It is important to understand that -this method is not advised to be used by CodePipeline. Instead, please follow -the instructions to setup a CodeStar connection to pull the code from GitHub. -Please read the [Using CodeStar Connections for Bitbucket, GitHub, or GitHub -Enterprise section](#using-codestar-connections-for-bitbucket-github-or-github-enterprise). - -In order for a pipeline to be connected to GitHub you will need to create a -Personal Access Token in GitHub that allows its connection to AWS CodePipeline. -You can read more about creating a Token -[here](https://docs.aws.amazon.com/codepipeline/latest/userguide/GitHub-rotate-personal-token-CLI.html). -Once the token has been created you can store that in AWS Secrets Manager on -the Deployment Account. The Webhook Secret is a value you define and store in -AWS Secrets Manager with a path of `/adf/my_teams_token`. By Default, ADF only -has read access to Secrets with a path that starts with `/adf/`. - -Once the values are stored, you can create the Repository in GitHub as per -normal. Once its created you do not need to do anything else on GitHub's side -just update your [deployment map](user-guide.md#deployment-map) to use the new -source type and push to the deployment account. Here is an example of a -deployment map with a single pipeline from GitHub, in this case the repository -on GitHub must be named 'vpc'. 
- -```yaml -pipelines: - - name: vpc - default_providers: - source: - provider: github - properties: - # Optional, name property will be used if repository is not specified - repository: example-vpc - owner: bundyfx - # The path in AWS Secrets Manager that holds the GitHub Oauth token, - # ADF only has access to /adf/ prefix in Secrets Manager - oauth_token_path: /adf/github_token - # The field (key) name of the json object stored in AWS Secrets - # Manager that holds the Oauth token. - # e.g. {"token": "123"} - json_field: token - targets: - - /security -``` +#### AWS CodeStar Connection + +**Please note:** Only proceed with the steps in this document if you have an +existing AWS CodeStar Connection you like to maintain. With the [announcement +of the AWS CodeStar Connection to AWS CodeConnections name +change](https://aws.amazon.com/about-aws/whats-new/2024/03/aws-codeconnections-formerly-codestar-connections/) +the preferred method to link GitHub, GitLab, Bitbucket, and other sources is +AWS CodeConnections. You do not need to replace the AWS CodeStar Connection +with an AWS CodeConnections resource if you have one already. According to the +service documentation it will continue to be supported via the new AWS +CodeConnections API without requiring further changes in ADF's config or the +deployment maps. + +If you are about to setup a new connection to an external source code provider, +please consider following the [AWS CodeConnections +steps](#using-aws-codeconnections-for-bitbucket-github-or-gitlab) +instead. + +**Prerequisite:** To enable an AWS CodeStar Connection to be used the following +steps are required: + +- Navigate to the `aws-deployment-framework-bootstrap` repository, specifically + the `/adf-bootstrap/deployment/` folder (notice the `deployment` OU folder at + the end). +- There should be a `global-iam.yml` file in that folder. If not, please rename + or copy the `example-global-iam.yml` file to `global-iam.yml` to proceed. 
+- Inside the `global-iam.yml` file ensure the CloudFormation resources + named `CodeConnectionsPolicy` is no longer commented out. +- Also make sure the CodeStar actions are no longer commented out. + +**Important note**: `CodeConnectionsPolicy` IAM policy is a sample. +Please make sure you update this policy and scope it properly for the use cases +you want to support. We recommend that you leave this policy name as +`CodeConnectionsPolicy`, even though you are setting up a +`CodeStar Connection`. This will make it easier to detect required updates if +these would-be introduced by future ADF versions. + +The remaining steps are the same as configuring an AWS CodeConnections +setup. So please follow the next steps as documented in the +[Using AWS CodeConnections for Bitbucket, GitHub, or GitLab +section](#using-aws-codeconnections-for-bitbucket-github-or-gitlab). + +**Please note: While the AWS CodeConnections source provider name is +`codeconnections`, if the configured connection ARN refers to an AWS CodeStar +Connection it will set that up instead. #### Chaining Pipelines diff --git a/docs/providers-guide.md b/docs/providers-guide.md index e7f45f0de..5f4fd6707 100644 --- a/docs/providers-guide.md +++ b/docs/providers-guide.md @@ -1,8 +1,5 @@ # Providers Guide - - - Provider types and their properties can be defined as default config for a pipeline. But also at the stage level of a pipeline to structure the source, build, test, approval, deploy or invoke actions. 
@@ -20,39 +17,37 @@ Providers and Actions. - [Source](#source) - [CodeCommit](#codecommit) - [Properties](#properties) - - [GitHub](#github) - - [Properties](#properties-1) - [S3](#s3) + - [Properties](#properties-1) + - [CodeConnections](#codeconnections) - [Properties](#properties-2) - - [CodeStar](#codestar) - - [Properties](#properties-3) - [Build](#build) - [CodeBuild](#codebuild) - - [Properties](#properties-4) + - [Properties](#properties-3) - [Jenkins](#jenkins) - - [Properties](#properties-5) + - [Properties](#properties-4) - [Deploy](#deploy) - [Approval](#approval) - - [Properties](#properties-6) + - [Properties](#properties-5) - [CodeBuild](#codebuild-1) - - [Properties](#properties-7) + - [Properties](#properties-6) - [CodeDeploy](#codedeploy) - - [Properties](#properties-8) + - [Properties](#properties-7) - [CloudFormation](#cloudformation) - - [Properties](#properties-9) + - [Properties](#properties-8) - [Lambda](#lambda) - - [Properties](#properties-10) + - [Properties](#properties-9) - [Service Catalog](#service-catalog) - - [Properties](#properties-11) + - [Properties](#properties-10) - [S3](#s3-1) - - [Properties](#properties-12) + - [Properties](#properties-11) ## Source ```yaml default_providers: source: - provider: codecommit|github|s3|codestar + provider: codecommit|s3|codeconnections properties: # All provider specific properties go here. ``` 
@@ -113,44 +108,6 @@ Provider type: `codecommit`. - NB: The `CODEBUILD_CLONE_REF` value can only be used by CodeBuild downstream actions. -### GitHub - -Use GitHub as a source to trigger your pipeline. -The repository can also be hosted in another account. - -Provider type: `github`. - -#### Properties - -- *repository* - *(String)* defaults to name of the pipeline. - - The GitHub repository name. For example, for the ADF repository it would be - `aws-deployment-framework`. -- *branch* - *(String)* default to configured [adfconfig.yml: - config/scm/default-scm-branch](./admin-guide.md#adfconfig). - - The Branch on the GitHub repository to use to trigger this specific - pipeline. -- *owner* - *(String)* **(required)** - - The name of the GitHub user or organization who owns the GitHub repository. - For example, for the ADF repository that would be: `awslabs`. -- *oauth_token_path* - *(String)* **(required)** - - The OAuth token path in AWS Secrets Manager on the Deployment Account that - holds the GitHub OAuth token used to create the web hook as part of the - pipeline. Read the CodePipeline documentation for more [information on - configuring GitHub - OAuth](https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-GitHub.html#action-reference-GitHub-auth). -- *json_field* - *(String)* **(required)** - - The name of the JSON key in the object that is stored in AWS Secrets Manager - that holds the OAuth Token. -- *trigger_on_changes* - *(Boolean)* default: `True`. - - Whether CodePipeline should release a change and trigger the pipeline. When - set to False, you either need to trigger the pipeline manually, through a - schedule, or through the completion of another pipeline. - - This **disables the triggering** of changes when **set to False**. - - It will not deploy the web hook that GitHub would otherwise use to trigger - the pipeline on changes. 
- - **By default**, it will trigger deploy the web hook and trigger on changes - using web hook call executed by GitHub. - ### S3 S3 can be used as the source for a pipeline too. **Please note:** you can use 
@@ -180,43 +137,52 @@ Provider type: `s3`. CodePipeline. Monitoring the S3 object so it can trigger a release when an update took place. -### CodeStar +### CodeConnections -Use CodeStar as a source to trigger your pipeline. The source action retrieves +Use CodeConnections as a source to trigger your pipeline. The source action retrieves code changes when a pipeline is manually executed or when a webhook event is -sent from the source provider. CodeStar Connections currently supports the +sent from the source provider. AWS CodeConnections supports various external +source providers: following third-party repositories: -- Bitbucket -- GitHub and GitHub Enterprise Cloud +- Bitbucket Cloud +- GitHub +- GitHub Enterprise Cloud - GitHub Enterprise Server +- GitLab.com +- GitLab self-managed -The AWS CodeStar connection needs to already exist and be in the "Available" -Status. To use the AWS CodeStar Connection with ADF, its arn needs to be stored +You can find an updated list of the +[external source providers AWS CodeConnections supports +here](https://docs.aws.amazon.com/dtconsole/latest/userguide/welcome-connections.html#welcome-connections-supported-providers) + +The AWS CodeConnections needs to exist and be in the "Available" Status. +To use the AWS CodeConnections with ADF, its ARN needs to be stored in AWS Systems Manager Parameter Store in the deployment account's main region (see details below). Read the CodePipeline documentation for more -[information on how to setup the connection](https://docs.aws.amazon.com/dtconsole/latest/userguide/getting-started-connections.html). +[information on how-to setup the connection](https://docs.aws.amazon.com/dtconsole/latest/userguide/getting-started-connections.html). -Provider type: `codestar`. +Provider type: `codeconnections`. #### Properties - *repository* - *(String)* defaults to name of the pipeline. - - The CodeStar repository name. For example, for the ADF repository it would + - The repository name. 
For example, for the ADF repository it would be `aws-deployment-framework`. - *branch* - *(String)* default to configured [adfconfig.yml: config/scm/default-scm-branch](./admin-guide.md#adfconfig). - - The Branch on the third-party repository to use to trigger this specific - pipeline. + - The Branch on the repository to use to trigger this specific pipeline. - *owner* - *(String)* **(required)** - The name of the third-party user or organization who owns the third-party repository. For example, for the ADF repository that would be: `awslabs`. -- *codestar_connection_path* - *(String)* **(required)** - - The CodeStar Connection ARN token path in AWS Systems Manager Parameter - Store in the deployment account in the main region that holds the CodeStar - Connection ARN that will be used to download the source code and create the - web hook as part of the pipeline. Read the CodeStar Connections +- *codeconnections_param_path* - *(String)* **(required)** + - The CodeConnections ARN path in AWS Systems Manager (SSM) Parameter Store + in the deployment account in the main region that holds the CodeConnections + resource ARN that will be used to download the source code and create the + web hook as part of the pipeline. Read the CodeConnections documentation for more [information](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections.html). + - If you are relying on an existing CodeStar connection, the SSM Parameter + should contain the AWS CodeStar Connection ARN instead. - *output_artifact_format* - *(String)* default: `CODE_ZIP` - The output artifact format. Values can be either `CODEBUILD_CLONE_REF` or `CODE_ZIP`. If unspecified, the default is `CODE_ZIP`. 
@@ -255,6 +221,9 @@ Provider type: `codebuild`. #### Properties - *image* *(String|Object)* - default: `STANDARD_7_0`. + - It is recommended to specify the container image your pipeline requires. + Relying on the default value might impact the pipeline in future updates + of ADF if the default were to change. - The Image that the AWS CodeBuild will use. Images can be found [here](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-codebuild.LinuxBuildImage.html). - Image can also take an object that contains a reference to a public docker diff --git a/docs/samples-guide.md b/docs/samples-guide.md index bc5e0d39b..a1572b98a 100644 --- a/docs/samples-guide.md +++ b/docs/samples-guide.md @@ -27,7 +27,7 @@ In this guide, we will deploy a foundational VPC with associated resources along with a ECR Repository to hold our shared container images. Once the VPC is in place, we can deploy a ECS Cluster that will run our sample NodeJS application. -ADF supports multiple source types *(Github, CodeCommit, S3, CodeStar)* for +ADF supports multiple source types *(CodeCommit, S3, and CodeConnections)* for pipelines, in this example we will use AWS CodeCommit as the source for our pipelines. diff --git a/docs/user-guide.md b/docs/user-guide.md index d2e7da23d..fe11f003f 100644 --- a/docs/user-guide.md +++ b/docs/user-guide.md 
@@ -89,18 +89,28 @@ pipelines: - name: vpc default_providers: source: - provider: github + provider: codeconnections properties: # Optional, name property will be used if repository is not specified repository: my-github-vpc # Who owns this Github Repository - owner: bundyfx - # The path in AWS Secrets Manager that holds the GitHub Oauth token, - # ADF only has access to /adf/ prefix in Secrets Manager - oauth_token_path: /adf/github_token - # The field (key) name of the json object stored in AWS Secrets - # Manager that holds the Oauth token - json_field: token + owner: awslabs + # The path in Amazon Systems Manager Parameter Store that holds the + # Connections Arn. + # Please note, by default ADF only has access to read /adf/ + # parameters. You need to create this parameter manually + # in the deployment region in the deployment account once. + # + # It is recommended to add a Tag like CreatedBy with the user that + # created it. So it is clear this parameter is not managed by ADF + # itself. + # + # Example content of the parameter, plain ARN as a simple string: + # arn:aws:codeconnections:eu-west-1:111111111111:connection/11111111-2222-3333-4444-555555555555 + # + # Or in the case of a CodeStar Connection: + # arn:aws:codestar-connections:eu-west-1:111111111111:connection/11111111-2222-3333-4444-555555555555 + codeconnections_param_path: /adf/my_github_connection_arn_param params: notification_endpoint: joes_team@example.com targets: @@ -384,12 +394,11 @@ pipelines: - name: my-web-app-pipeline default_providers: source: - provider: github + provider: codeconnections properties: repository: my-web-app owner: cool_coder - oauth_token_path: /adf/github_token - json_field: token + codeconnections_param_path: /adf/my_github_connection_arn_param targets: - path: /banking/testing name: web-app-testing diff --git a/linters/custom-adf-dict.txt b/linters/custom-adf-dict.txt index 47c467aa4..3399e5425 100644 --- a/linters/custom-adf-dict.txt 
+++ b/linters/custom-adf-dict.txt @@ -2,8 +2,10 @@ !whitelist adf adfconfig +apogorielov awscli backoff +benbridts binfmt bitnami boto @@ -25,27 +27,37 @@ deregistration devsecops drawio dserver +dsudduth ecrc epel fargate hadolint iname infinidash +javydekoning +mhdaehnert msvs mymodule mypackage norecursedirs +ntwobike ouid oxsecurity pipelinenoti +pozeus pygtk pylintrc rcfile releasever rexec +rickardl runas sarif +sbkok +scps sdkman +skycolangelom +srabidoux stefanzweifel stubber tfapply @@ -58,6 +70,8 @@ tfrun tfstate tfvars toxinidir +tylergohl unconfigured +urlize vpcid zstd diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml index b9cde40be..39e114eac 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/example-global-iam.yml 
@@ -53,37 +53,39 @@ Resources: - adf-cloudformation-deployment-role ## -# Begin of CodeStar Connection permissions +# Begin of CodeConnections permissions ## -# CodeStarConnectionPolicy: +# CodeConnectionsPolicy: # # This policy defines an example how to grant CodePipeline and CodeBuild -# # access to retrieve code using the CodeStar Connection provider to -# # Bitbucket, GitHub, or GitHub Enterprise -# # NOTE: Make sure you specify the correct CodeStar connections that exist +# # access to retrieve code using the CodeConnections provider to +# # Bitbucket, GitHub, GitHub Enterprise, or GitLab. +# # NOTE: Make sure you specify the correct CodeConnections that exist # # and are active in the deployment account. # # You can check these by navigating to the following URL in your # # deployment region. For example, for eu-west-1: # # https://eu-west-1.console.aws.amazon.com/codesuite/settings/connections # Type: AWS::IAM::Policy # Properties: -# PolicyName: "adf-code-connection-access-policy" +# PolicyName: "adf-codeconnections-access-policy" # PolicyDocument: # Version: "2012-10-17" # Statement: -# - Effect: Allow +# - Sid: AllowAWSCodeConnections +# Effect: Allow # Action: -# - "codestar-connections:UseConnection" +# - "codeconnections:UseConnection" # Resource: -# - !Sub "arn:aws:codestar-connections:${AWS::Region}:${AWS::AccountId}:connection/put-your-connection-id-here" +# - !Sub "arn:aws:codeconnections:${AWS::Region}:${AWS::AccountId}:connection/put-your-connection-id-here" # Condition: # # See https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use -# StringEquals: -# "codestar-connections:ProviderPermissionsRequired": +# StringEqualsIfExists: +# "codeconnections:ProviderPermissionsRequired": # - read_only # # - read_write -# ForAllValues:StringEquals: -# "codestar-connections:ProviderAction": +# ForAllValues:StringEqualsIfExists: +# "codeconnections:ProviderAction": # # - CreatePullRequestDiffComment +# - 
GenerateReferenceLink # - GetBranch # - GetPullRequest # - GetUploadArchiveToS3Status 
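Review bot: The `StringEqualsIfExists` and `ForAllValues:StringEqualsIfExists` operators replace the plain `StringEquals` / `ForAllValues:StringEquals` of the previous sample, and nothing in the file says why; the `...IfExists` form evaluates to true when the condition key is absent from the request, so the `ProviderPermissionsRequired` and `ProviderAction` restrictions only bind calls that actually carry those keys. Since this is the template users copy into `global-iam.yml`, a comment beside the operator would help them judge the trade-off, e.g. `# # IfExists: the restriction only applies when the request carries this key; use the plain StringEquals form if every UseConnection call is expected to include it.` The same operators appear in the commented-out CodeStar statement in the next hunk and would benefit from the same note.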
@@ -97,13 +99,50 @@ Resources: # - ListPullRequestCommits # - ListRepositories # - StartUploadArchiveToS3 -# # StringLike: -# # "codestar-connections:FullRepositoryId": +# # Optional condition to harden it further: +# # StringLikeIfExists: +# # "codeconnections:FullRepositoryId": # # - "your-owner/prefix-repos-allowed-*" +# +# # Only uncomment the following lines if you need to access source +# # repositories via an AWS CodeStar Connection: +# # - Sid: AllowAWSCodeStarConnection +# # Effect: Allow +# # Action: +# # - "codestar-connections:UseConnection" +# # Resource: +# # - !Sub "arn:aws:codestar-connections:${AWS::Region}:${AWS::AccountId}:connection/put-your-connection-id-here" +# # Condition: +# # # See https://docs.aws.amazon.com/dtconsole/latest/userguide/security-iam.html#permissions-reference-connections-use +# # StringEqualsIfExists: +# # "codestar-connections:ProviderPermissionsRequired": +# # - read_only +# # # - read_write +# # ForAllValues:StringEqualsIfExists: +# # "codestar-connections:ProviderAction": +# # # - CreatePullRequestDiffComment +# # - GenerateReferenceLink +# # - GetBranch +# # - GetPullRequest +# # - GetUploadArchiveToS3Status +# # - GitPull +# # # - GitPush +# # - ListBranchCommits +# # - ListBranches +# # - ListCommitFiles +# # - ListOwners +# # - ListPullRequestComments +# # - ListPullRequestCommits +# # - ListRepositories +# # - StartUploadArchiveToS3 +# # # Optional condition to harden it further: +# # # StringLikeIfExists: +# # # "codestar-connections:FullRepositoryId": +# # # - "your-owner/prefix-repos-allowed-*" # Roles: -# # CodePipeline needs access if CodeStar Connections are used as the -# # pipeline source provider to access Bitbucket, GitHub, or -# # GitHub Enterprise repositories. +# # CodePipeline needs access if CodeConnections are used as the +# # pipeline source provider to access Bitbucket, GitHub, +# # GitHub Enterprise or GitLab repositories. 
# - adf-codepipeline-role # # # The CodeBuild role only needs access when the source provider diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml index 56bd7df2a..9aa2fd522 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/global.yml @@ -321,15 +321,6 @@ Resources: - "sts:AssumeRole" Resource: - "*" - - Effect: Allow - Condition: - StringEquals: - aws:PrincipalOrgID: !Ref OrganizationId - Action: - - "secretsmanager:Get*" - Resource: - # Only allow CodeBuild access to secrets that start with /adf/* - - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/*" - Effect: Allow Action: - "ssm:GetParameter" @@ -912,14 +903,14 @@ Resources: - ec2.amazonaws.com - ecs-tasks.amazonaws.com - Effect: Allow - Sid: "AllowCodeStarConnections" + Sid: "AllowCodeConnections" Action: - - "codestar-connections:GetConnection" - - "codestar-connections:GetHost" - - "codestar-connections:ListConnections" - - "codestar-connections:ListHosts" - - "codestar-connections:PassConnection" - - "codestar-connections:UseConnection" + - "codeconnections:GetConnection" + - "codeconnections:GetHost" + - "codeconnections:ListConnections" + - "codeconnections:ListHosts" + - "codeconnections:PassConnection" + - "codeconnections:UseConnection" Resource: "*" Roles: - !Ref CodePipelineRole diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml index 2dfde29df..03e1dc34e 100644 
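Review bot: The `AllowCodeConnections` statement in `global.yml` now lists only `codeconnections:*` actions and drops all six `codestar-connections:*` actions, whereas `pipeline_management.yml` in this same change keeps an `AllowCodeStarConnections` statement next to the new one, and the admin guide added here says existing AWS CodeStar Connections keep working without ADF config changes. If a connection whose ARN still carries the `codestar-connections` prefix is authorised against the `codestar-connections:` action namespace, the CodePipeline role would lose `UseConnection`/`PassConnection` on it after the upgrade; keeping the previous action list in a second statement with `Sid: "AllowCodeStarConnections"` would match the approach taken in `pipeline_management.yml`. Both statements would still be on `Resource: "*"`, which is pre-existing; the role this policy is attached to is defined outside the hunk.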
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml @@ -53,12 +53,11 @@ pipelines: # If we omit build and deploy type we get a default of CodeBuild as the build provider. # and CloudFormation as the deploy provider. source: - provider: github + provider: codeconnections properties: repository: example-vpc-adf # Optional, above name property will be used if this is not specified - owner: bundyfx - oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager - json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token + owner: awslabs + codeconnections_param_path: /adf/codeconnections_org_wide # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager deploy: provider: cloudformation properties: @@ -72,11 +71,11 @@ pipelines: - name: sample-ecs-app default_providers: source: - provider: codestar + provider: codeconnections properties: repository: my-ecs-app # Optional, the name of the pipeline will be used if this is not specified owner: github-enterprise-team-org - codestar_connection_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeStar Connection ARN + codeconnections_param_path: /adf/path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeConnections ARN params: notification_endpoint: team@example.com targets: 
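Review bot: The inline comment on the new `codeconnections_param_path` line of the first pipeline (`# The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager`) was carried over from the removed `oauth_token_path` line and no longer describes the value, and this example map is the file users copy from. The second pipeline in the next hunk already has the right wording, so the comment should read `# The path in AWS Systems Manager Parameter Store that holds the AWS CodeConnections ARN, ADF only has read access to the /adf/ prefix`.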
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/pipeline_management/generate_pipeline_inputs.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/pipeline_management/generate_pipeline_inputs.py index 17407af0c..7f25c79b1 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/pipeline_management/generate_pipeline_inputs.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/pipeline_management/generate_pipeline_inputs.py @@ -78,16 +78,16 @@ def fetch_required_ssm_params(pipeline_input, regions): output["default_scm_codecommit_account_id"] = parameter_store.fetch_parameter( "scm/default_scm_codecommit_account_id", ) - codestar_connection_path = ( + codeconnections_param_path = ( pipeline_input .get("default_providers", {}) .get("source") .get("properties", {}) - .get("codestar_connection_path") + .get("codeconnections_param_path") ) - if codestar_connection_path: - output["codestar_connection_arn"] = ( - parameter_store.fetch_parameter(codestar_connection_path) + if codeconnections_param_path: + output["codeconnections_arn"] = ( + parameter_store.fetch_parameter(codeconnections_param_path) ) return output @@ -174,10 +174,10 @@ def generate_pipeline_inputs( data["pipeline_input"], data["pipeline_input"]["regions"], ) - if "codestar_connection_arn" in data["ssm_params"]: + if "codeconnections_arn" in data["ssm_params"]: data["pipeline_input"]["default_providers"]["source"]["properties"][ - "codestar_connection_arn" - ] = data["ssm_params"]["codestar_connection_arn"] + "codeconnections_arn" + ] = data["ssm_params"]["codeconnections_arn"] data["pipeline_input"]["default_scm_branch"] = ( data["ssm_params"] .get("default_scm_branch") 
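Review bot: In `fetch_required_ssm_params`, the lookup chain that now reads `codeconnections_param_path` still calls `.get("source")` without a default between two `.get(..., {})` calls, so a pipeline whose `default_providers` has no `source` entry raises `AttributeError` on `None` here instead of simply leaving `codeconnections_arn` unset; `.get("source", {})` would make it consistent with the neighbouring lookups. Whether every caller guarantees a `source` entry cannot be seen from this hunk, and the rest of the function lies outside it.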
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml index 86769c7fd..9e5f1efd0 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/pipeline_management.yml @@ -882,7 +882,16 @@ Resources: Resource: - "*" - Effect: Allow - Sid: "AllowCodeStarConnection" + Sid: "AllowCodeConnections" + Action: + - "codeconnections:PassConnection" + Resource: + - !Sub arn:${AWS::Partition}:codeconnections:${AWS::Region}:${AWS::AccountId}:connection/* + Condition: + StringEquals: + 'codeconnections:PassedToService': 'codepipeline.amazonaws.com' + - Effect: Allow + Sid: "AllowCodeStarConnections" Action: - "codestar-connections:PassConnection" Resource: @@ -930,11 +939,6 @@ Resources: - "iam:TagPolicy" - "iam:TagRole" Resource: "*" - - Effect: Allow - Action: - - "secretsmanager:GetSecretValue" - Resource: - - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/adf/github_token-*" DeploymentMapProcessingFunction: Type: 'AWS::Serverless::Function' diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codestar.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codeconnections.py similarity index 87% rename from src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codestar.py rename to src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codeconnections.py index f7bbc1cab..ab2ac4ddb 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codestar.py 
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codeconnections.py @@ -1,7 +1,7 @@ # Copyright Amazon.com Inc. or its affiliates. # SPDX-License-Identifier: MIT-0 -"""Construct related to CodeStarConnection CodePipeline Input +"""Construct related to CodeConnections CodePipeline Input """ import os @@ -18,11 +18,11 @@ ADF_DEFAULT_BUILD_TIMEOUT = 20 -class CodeStar(Construct): +class CodeConnections(Construct): def __init__(self, scope: Construct, id: str, map_params: dict, **kwargs): #pylint: disable=W0622 super().__init__(scope, id, **kwargs) self.source = _codepipeline.CfnPipeline.StageDeclarationProperty( - name="Source-CodeStar", + name="Source-CodeConnections", actions=[ Action( name="source", diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codepipeline.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codepipeline.py index 5b345bca2..aa2c53cbc 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codepipeline.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/adf_codepipeline.py @@ -11,7 +11,6 @@ aws_codepipeline as _codepipeline, aws_events as _eventbridge, aws_events_targets as _eventbridge_targets, - SecretValue, Fn, ) from constructs import Construct 
@@ -223,17 +222,17 @@ def _generate_configuration(self): default_source_props .get('repository', self.map_params['name']) ) - if not default_source_props.get('codestar_connection_arn'): + if not default_source_props.get('codeconnections_arn'): raise ValueError( - "The CodeStar Connection Arn could not be resolved for " + "The CodeConnections Arn could not be resolved for " f"the {self.map_params['name']} pipeline. Please check " - "whether the codestar_connection_path is setup correctly " + "whether the codeconnections_param_path is setup correctly " "and validate that the Parameter it points to is properly " "configured in SSM Parameter Store." ) props = { "ConnectionArn": default_source_props.get( - 'codestar_connection_arn', + 'codeconnections_arn', ), "FullRepositoryId": f"{owner}/{repo}", "BranchName": default_source_props.get( @@ -247,44 +246,6 @@ def _generate_configuration(self): if output_artifact_format: props["OutputArtifactFormat"] = output_artifact_format return props - if self.provider == "GitHub": - return { - "Owner": ( - self.map_params - .get('default_providers', {}) - .get('source') - .get('properties', {}) - .get('owner', '') - ), - "Repo": ( - self.map_params - .get('default_providers', {}) - .get('source', {}) - .get('properties', {}) - .get('repository', self.map_params['name']) - ), - "Branch": ( - self.map_params - .get('default_providers', {}) - .get('source', {}) - .get('properties', {}) - .get('branch', self.default_scm_branch) - ), - # pylint: disable=no-value-for-parameter - "OAuthToken": SecretValue.secrets_manager( - ( - self.map_params['default_providers']['source'] - .get('properties', {}) - .get('oauth_token_path') - ), - json_field=( - self.map_params['default_providers']['source'] - .get('properties', {}) - .get('json_field') - ), - ), - "PollForSourceChanges": False - } if self.provider == "Lambda": return { "FunctionName": ( 
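Review bot: The only validation on the resolved connection ARN in `_generate_configuration` is that it is non-empty; a Parameter Store value that exists but holds the wrong thing (a connection name, a parameter path, an ARN from another account) is passed straight into `ConnectionArn` and only fails at deploy time with a generic access error. A cheap shape check after the existing guard turns that into a synth-time message that names the parameter: `connection_arn = default_source_props['codeconnections_arn']` / `if ':connection/' not in connection_arn:` / `raise ValueError(f"The value at codeconnections_param_path for the {self.map_params['name']} pipeline is not a connection ARN: {connection_arn}")`. A comment above `props = {` saying these are the configuration keys of CodePipeline's `CodeStarSourceConnection` action, whose provider name did not change with the service rename, would stop someone from "fixing" the provider string that this file still compares against elsewhere. The enclosing `_generate_configuration` starts outside the hunk.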
@@ -539,8 +500,6 @@ def _generate_codepipeline_access_role(self): # pylint: disable=R0911 .get('account_id', '') ) - if self.provider == "GitHub": - return None if self.provider == "CodeStarSourceConnection": return None if self.provider == "CodeBuild": diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/adf_default_pipeline.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/adf_default_pipeline.py index e638c5c2b..e7e85fcc0 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/adf_default_pipeline.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/adf_default_pipeline.py @@ -11,8 +11,7 @@ from cdk_constructs import adf_codebuild from cdk_constructs import adf_jenkins from cdk_constructs import adf_codecommit -from cdk_constructs import adf_github -from cdk_constructs import adf_codestar +from cdk_constructs import adf_codeconnections from cdk_constructs import adf_s3 from cdk_constructs import adf_cloudformation from cdk_constructs import adf_notifications @@ -68,13 +67,6 @@ def generate_adf_default_pipeline(scope: Stack, stack_input): stages, ) - if "github" in _get_source_name(stack_input): - adf_github.GitHub.create_webhook_when_required( - scope, - pipeline.cfn, - stack_input["pipeline_input"], - ) - pipeline_triggers = ( stack_input["pipeline_input"] .get("triggers", {}) @@ -117,18 +109,12 @@ def _generate_source_stage_for_pipeline(scope, stack_input): "source", stack_input["pipeline_input"], ).source - if "codestar" in source_name: - return adf_codestar.CodeStar( + if "codeconnections" in source_name: + return adf_codeconnections.CodeConnections( scope, "source", stack_input['pipeline_input'], ).source - if "github" in source_name: - return adf_github.GitHub( - scope, - "source", - stack_input["pipeline_input"], - ).source if "s3" in source_name: return adf_s3.S3( scope, 
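Review bot: With the `github` branch removed, `_generate_source_stage_for_pipeline` no longer has a match for a deployment map that still names a `github` or `codestar` source, and what happens for an unmatched `source_name` is not visible because the function's tail lies outside the hunk. Schema validation in this commit rejects those providers, so this should only be reachable if the stage builder runs on an unvalidated map; if the function can fall through and return `None`, a final `raise ValueError(f"Unsupported source provider: {source_name}")` fails fast instead of synthesizing a pipeline without a source stage. The substring test `"codeconnections" in source_name` follows the style of the neighbouring branches, though it is looser than an equality check.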
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/schema_validation.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/schema_validation.py index 4682f0aab..99c9083dc 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/schema_validation.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/schema_validation.py @@ -73,34 +73,20 @@ Optional("properties"): CODECOMMIT_SOURCE_PROPS, } -# GitHub Source -GITHUB_SOURCE_PROPS = { +# CodeConnections Source +CODECONNECTIONS_SOURCE_PROPS = { Optional("repository"): str, Optional("branch"): str, "owner": str, - "oauth_token_path": str, - "json_field": str, - Optional("trigger_on_changes"): bool, -} -GITHUB_SOURCE = { - "provider": 'github', - "properties": GITHUB_SOURCE_PROPS -} - -# CodeStar Source -CODESTAR_SOURCE_PROPS = { - Optional("repository"): str, - Optional("branch"): str, - "owner": str, - "codestar_connection_path": str, + "codeconnections_param_path": str, Optional("output_artifact_format", default=None): ( SOURCE_OUTPUT_ARTIFACT_FORMAT ), } -CODESTAR_SOURCE = { - "provider": 'codestar', - "properties": CODESTAR_SOURCE_PROPS +CODECONNECTIONS_SOURCE = { + "provider": 'codeconnections', + "properties": CODECONNECTIONS_SOURCE_PROPS } # S3 Source @@ -268,9 +254,8 @@ # Core Schema PROVIDER_SOURCE_SCHEMAS = { 'codecommit': Schema(CODECOMMIT_SOURCE), - 'github': Schema(GITHUB_SOURCE), 's3': Schema(S3_SOURCE), - 'codestar': Schema(CODESTAR_SOURCE), + 'codeconnections': Schema(CODECONNECTIONS_SOURCE), } PROVIDER_BUILD_SCHEMAS = { 'codebuild': Schema(DEFAULT_CODEBUILD_BUILD), @@ -288,7 +273,7 @@ 'source': Or( And( { - 'provider': Or('github', 's3', 'codestar'), + 'provider': Or('s3', 'codeconnections'), 'properties': dict, }, # pylint: disable=W0108 
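Review bot: `codeconnections_param_path` is the only required key besides `owner`, yet `CODECONNECTIONS_SOURCE_PROPS` accepts any `str` including the empty string, which then fails later at the parameter lookup rather than at validation with a message pointing at the deployment map. `And` is already in scope in this module, so `"codeconnections_param_path": And(str, len),` rejects the empty value at the same place the rest of the map is checked. The remaining keys keep the `Optional`/`str` conventions of the neighbouring source schemas.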
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_deployment_map.yml index 60935a07b..3f9bd2c34 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_deployment_map.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_deployment_map.yml @@ -51,12 +51,11 @@ pipelines: # If we omit build and deploy type we get a default of CodeBuild as the build provider. # and CloudFormation as the deploy provider. source: - provider: github + provider: codeconnections properties: repository: example-vpc-adf # Optional, above name property will be used if this is not specified - owner: bundyfx - oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager - json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token + owner: awslabs + codeconnections_param_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeConnections ARN deploy: provider: cloudformation properties: @@ -70,11 +69,11 @@ pipelines: - name: sample-ecs-app default_providers: source: - provider: codestar + provider: codeconnections properties: repository: my-ecs-app # Optional, the name of the pipeline will be used if this is not specified owner: github-enterprise-team-org - codestar_connection_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeStar Connection ARN + codeconnections_param_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeConnections ARN params: notification_endpoint: team@example.com targets: 
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_deployment_map.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_deployment_map.py index 2aac0d2a9..387dfdbe1 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_deployment_map.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_deployment_map.py @@ -4,10 +4,8 @@ # pylint: skip-file import os -import boto3 -from errors import InvalidDeploymentMapError -from pytest import fixture, raises +from pytest import fixture from mock import Mock from ..pipeline import Pipeline from ..deployment_map import DeploymentMap @@ -82,7 +80,7 @@ def test_update_deployment_parameters_waves(cls): "default_providers": { "source": { "name": "codecommit", - "properties" : { + "properties": { "account_id": 111111111111, } } diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_schema_validation.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_schema_validation.py index 4b4aeef1a..f976a8eeb 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_schema_validation.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_schema_validation.py 
@@ -140,36 +140,53 @@ def test_codecommit_source_schema(self): ) -class GithubSchemaValidationHappyPaths(unittest.TestCase): - def test_github_source_props_schema_default(self): +class CodeConnectionsSchemaValidationHappyPaths(unittest.TestCase): + def test_codeconnections_source_props_schema_default(self): source_props = { "repository": "a_repo_name", "branch": "mainline", "owner": "a_repo_owner", - "oauth_token_path": "a_token_path", - "json_field": "a_json_field", - "trigger_on_changes": True, + "codeconnections_param_path": "the_ssm_param_connection_path", + "output_artifact_format": "CODE_ZIP", } self.assertDictEqual( - Schema(schema_validation.GITHUB_SOURCE_PROPS).validate(source_props), + Schema(schema_validation.CODECONNECTIONS_SOURCE_PROPS).validate(source_props), source_props, ) - def test_github_source_schema_default(self): + def test_codeconnections_source_schema_default(self): source_props = { "repository": "a_repo_name", "branch": "mainline", "owner": "a_repo_owner", - "oauth_token_path": "a_token_path", - "json_field": "a_json_field", - "trigger_on_changes": True, + "codeconnections_param_path": "the_ssm_param_connection_path", + "output_artifact_format": "CODE_ZIP", } - github_source = {"provider": "github", "properties": source_props} + codeconnections_source = {"provider": "codeconnections", "properties": source_props} self.assertDictEqual( - Schema(schema_validation.GITHUB_SOURCE).validate(github_source), - github_source, + Schema(schema_validation.CODECONNECTIONS_SOURCE).validate(codeconnections_source), + codeconnections_source, + ) + + def test_codeconnections_source_schema_required_only(self): + source_props = { + "owner": "a_repo_owner", + "codeconnections_param_path": "the_ssm_param_connection_path", + } + + codeconnections_source = {"provider": "codeconnections", "properties": source_props} + + self.assertDictEqual( + Schema(schema_validation.CODECONNECTIONS_SOURCE).validate(codeconnections_source), + { + "provider": "codeconnections", + 
"properties": { + **codeconnections_source["properties"], + "output_artifact_format": None, + } + }, )