# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
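version: 0.2

# AWS CodeBuild buildspec: static analysis, Pulumi policy-gated preview,
# deployment, and CloudWatch metric publishing.
#
# Required build-environment variables (set on the CodeBuild project):
#   REPO_NAME, DEPLOY_ACCOUNT_NAME - combined into the Pulumi stack name
#   PULUMI_STATE_BUCKET_NAME       - S3 bucket used as the Pulumi state backend
# Optional:
#   PULUMI_VERSION                 - pins the Pulumi CLI release installed in the
#                                    install phase; unset installs the latest
#
# Later commands rely on 'cd' and 'export' persisting across the commands of
# this buildspec (the same shell is used throughout).
env:
  shell: bash

phases:
  install:
    commands:
      # Install the Pulumi CLI. The installer is downloaded to a file first so a
      # failed download fails the build instead of feeding an empty script to
      # 'sh', and so a checksum/signature check can be inserted before it runs.
      # Setting PULUMI_VERSION pins the release for reproducible builds.
      - curl -fsSL https://get.pulumi.com/ -o /tmp/pulumi-install.sh
      - sh /tmp/pulumi-install.sh ${PULUMI_VERSION:+--version $PULUMI_VERSION}
      - export PATH=$PATH:$HOME/.pulumi/bin
      - PULUMI_STACK_NAME=${REPO_NAME}-resources-${DEPLOY_ACCOUNT_NAME}
      # Install static analysis tools.
      # NOTE(review): this runs before the CodeArtifact login and is unpinned,
      # so it pulls whatever the public index serves at build time; pin versions
      # (bandit==X.Y, safety==X.Y) for reproducible, reviewable tooling.
      - pip3 install bandit safety
  pre_build:
    commands:
      # Commit author metadata, fetched once and exported for later steps.
      # Anyone who can push sets these values; treat them as untrusted if they
      # end up in resource tags or in further shell commands.
      - COMMIT_JSON="$(aws codecommit get-commit --commit-id "$CODEBUILD_RESOLVED_SOURCE_VERSION" --repository-name "$REPO_NAME")"
      - export AUTHOR="$(echo "$COMMIT_JSON" | jq -r '.commit.author.name')"
      - export EMAIL="$(echo "$COMMIT_JSON" | jq -r '.commit.author.email')"
      # Replace repository name, domain and domain owner with your own settings
      # from AWS CodeArtifact Domain and Repository. This login is what routes
      # the later 'pip3 install' steps through CodeArtifact instead of the
      # public index, so it must succeed before those steps run.
      - aws codeartifact login --tool pip --repository custompolicypack --domain acme --domain-owner 123456789012
  build:
    commands:
      #
      # Static Analysis
      #
      # NOTE: When setting up an AWS CodeBuild project, make sure that
      # sample-code/sample-resources/ is passed in as the Source Directory to
      # AWS CodeBuild. This can be verified by echoing the value of the
      # environment variable 'CODEBUILD_SRC_DIR'.
      #
      - cd "$CODEBUILD_SRC_DIR/resources"
      # Bandit: findings go to a JUnit report surfaced under 'reports' below.
      # --exit-zero means findings never fail the build; remove it, or add a
      # severity gate, if findings should block deployment.
      - mkdir -p target/bandit
      - bandit -r ./ -f xml -o target/bandit/output.xml --verbose --exit-zero
      #
      # Prepare 'Package-downloadable' CrossGuard Policies
      #
      - cd "$CODEBUILD_SRC_DIR/checks/custom-policy-crossguard"
      - python3 -m venv ./venv
      - source ./venv/bin/activate
      - pip3 install --upgrade pip setuptools wheel
      - pip3 install -r requirements.txt
      # Setup awsguard
      # NOTE(review): 'npm install' resolves versions at build time; if a
      # package-lock.json is committed, 'npm ci' installs exactly what is locked.
      - cd "$CODEBUILD_SRC_DIR/checks/awsguard"
      - npm install
      #
      # Prepare project environment
      #
      - cd "$CODEBUILD_SRC_DIR/resources"
      - python3 -m venv ./venv
      - source ./venv/bin/activate
      - pip3 install -r requirements.txt
      # Safety: scan the dependency versions actually installed into this venv.
      # A bare 'safety check' inspects the interpreter Safety itself runs under
      # (the build image's system Python), not this project's packages, so the
      # venv's resolved set is fed in explicitly via stdin.
      - pip3 freeze | safety check --stdin
      # S3 backend: Pulumi state can hold stack secrets and resource details, so
      # the bucket should be encrypted and writable only by this build's role.
      - pulumi login "s3://$PULUMI_STATE_BUCKET_NAME"
      #
      # Pulumi Preview with AWSGuard and CrossGuard Policies
      #
      # Each preview's exit status is captured on the same command line so that
      # a policy violation does not abort the build here: both results are
      # reported first, then the deployment decision is made below.
      - AWSGUARD_PACK="$CODEBUILD_SRC_DIR/checks/awsguard"
      - CROSSGUARD_PACK="$CODEBUILD_SRC_DIR/checks/custom-policy-crossguard"
      - echo "Running AwsGuard"
      - awspol_result="$(pulumi preview --policy-pack "$AWSGUARD_PACK" --stack "$PULUMI_STACK_NAME")"; awspol_exitcode=$?
      - echo "$awspol_result"
      - echo "Running CrossGuard"
      - cstpol_result="$(pulumi preview --policy-pack "$CROSSGUARD_PACK" --stack "$PULUMI_STACK_NAME")"; cstpol_exitcode=$?
      - echo "$cstpol_result"
      # crossguard_output.txt is parsed by parser.py in post_build.
      - echo "$cstpol_result" > crossguard_output.txt
      #
      # Pulumi Deployment
      #
      # Deploy only when both policy previews passed. The same policy packs are
      # passed to 'pulumi up' so the policies are enforced on the actual
      # deployment, not only on the preview. A policy failure exits 1, which
      # fails the build; post_build still runs and publishes the metrics.
      - |
        if [[ "$awspol_exitcode" -eq 0 && "$cstpol_exitcode" -eq 0 ]]; then
          pulumi up --stack "$PULUMI_STACK_NAME" \
            --policy-pack "$AWSGUARD_PACK" \
            --policy-pack "$CROSSGUARD_PACK" \
            --yes && exit 0
        else
          echo "Policy failures found" && exit 1
        fi
  post_build:
    commands:
      #
      # Publish Pulumi metrics to CloudWatch
      #
      - cd "$CODEBUILD_SRC_DIR/resources"
      # Parse the CrossGuard CLI output captured in the build phase and write
      # CloudWatch metric data objects recording policy violations to
      # metrics.json, which is then passed to 'put-metric-data'.
      - python3 parser.py crossguard_output.txt
      - aws cloudwatch put-metric-data --namespace "Pulumi Policy Metrics" --metric-data file://metrics.json

reports:
  # JUnit report from the bandit run; visible in the AWS CodeBuild console.
  bandit_reports:
    files:
      - output.xml
    base-directory: resources/target/bandit
    file-format: JUNITXML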