From 84b5b9c42ebaf8479599f34094a588b572e7849a Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Mon, 20 Jun 2022 10:33:34 -0700 Subject: [PATCH 1/6] Add missing input parameters --- .../templates/eks-cluster-prework.template.yaml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index db23bd6..550c28b 100644 --- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -7,6 +7,15 @@ Parameters: JobName: Type: String Default: 'job-example' + AvailabilityZones: + Description: List of Availability Zones to use for the subnets in the VPC. Three + Availability Zones are used for this deployment. + Type: List AvailabilityZones: + NumberOfAZs: + Type: String + AllowedValues: ["2", "3"] + Default: "2" + Description: Number of Availability Zones to use in the VPC. This must match the value entered for the AvailabilityZones parameter. PreworkScriptBucket: Type: String Default: 'aws-quickstart' @@ -24,7 +33,8 @@ Resources: QSS3KeyPrefix: quickstart-amazon-eks/ # Cluster properties ProvisionBastionHost: Enabled - AccessCIDR: !Ref AccessCIDR + RemoteAccessCIDR: !Ref AccessCIDR + NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 @@ -32,7 +42,7 @@ Resources: Type: Custom::GetOIDCProvider Properties: ServiceToken: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:eks-quickstart-ResourceReader" - AwsCliCommand: !Sub "eks describe-cluster --name ${ClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" + AwsCliCommand: !Sub "eks describe-cluster --name ${EKSStack.Outputs.EKSClusterName} --query 'cluster.identity.oidc.{issuer:issuer}'" IdField: 'issuer' PreworkStack: Type: AWS::CloudFormation::Stack 
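Review bot: The new NumberOfAZs parameter in the first hunk defaults to "2" while the AvailabilityZones description directly above it states that three Availability Zones are used for this deployment, so the two parameters contradict each other as shipped; either the description should read `Description: List of Availability Zones to use for the subnets in the VPC. The number of entries must match NumberOfAZs.` or the default should be `Default: "3"`. The AvailabilityZones `Type:` also renders here as `List AvailabilityZones:`, which looks like a typed list such as `List<AWS::EC2::AvailabilityZone::Name>` whose angle-bracketed part was lost; worth confirming the committed file still carries the full type so the console validates the selection. In the second hunk the `AccessCIDR` parameter that the renamed `RemoteAccessCIDR` property references is defined outside the hunk, so check it still exists in the Parameters block.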
From f0fd5fb5053a3317789d2ab840817ec48e659fc3 Mon Sep 17 00:00:00 2001 From: Andrew Gargan Date: Mon, 20 Jun 2022 10:37:28 -0700 Subject: [PATCH 2/6] Add AZ's --- .../templates/eks-cluster-prework.template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml index 550c28b..58571d2 100644 --- a/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml +++ b/blog-assets/eks-cluster-prework/templates/eks-cluster-prework.template.yaml @@ -34,7 +34,7 @@ Resources: # Cluster properties ProvisionBastionHost: Enabled RemoteAccessCIDR: !Ref AccessCIDR - + AvailabilityZones: !Join [ ',', !Ref 'AvailabilityZones' ] NodeInstanceType: t3.large NumberOfNodes: 1 MaxNumberOfNodes: 1 From 339a6321d5751757c9c3c05449e53c37653a4c46 Mon Sep 17 00:00:00 2001 From: Henry Bravo Date: Tue, 4 Apr 2023 11:39:30 +0200 Subject: [PATCH 3/6] adding artifacts for new blog post automate-ami-builds-aws-codepipeline --- .../linux-ami-codepipeline.yaml | 239 +++++++++++++++++ .../linux-ami-imagebuilder.yaml | 253 ++++++++++++++++++ .../stack-configuration.json | 12 + 3 files changed, 504 insertions(+) create mode 100644 blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml create mode 100644 blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml create mode 100644 blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml new file mode 100644 index 0000000..32c831f --- /dev/null +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml 
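Review bot: The joined AvailabilityZones list is now forwarded to the nested EKSStack, but the NumberOfAZs parameter introduced with it in the previous patch is not forwarded anywhere in the visible properties, so unless it is set outside this hunk the nested template would use its own default for the AZ count while receiving a user-chosen list. Assuming the nested Quick Start exposes a parameter of the same name, `NumberOfAZs: !Ref NumberOfAZs` next to the new AvailabilityZones line keeps the count and the list in step. The EKSStack resource definition continues outside the hunk.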
@@ -0,0 +1,239 @@ +--- +Description: | + AWS CloudFormation Template for Continuous Delivery: This template builds an AWS CodePipeline pipeline that implements a continuous delivery release process using an AWS CloudFormation stack that builds custom EC2 AMIs using EC2 ImageBuilder. Submit the CloudFormation template to CodeCommit and the pipeline will take the artifacts to automatically create the stack, run the pipeline, put an approval step, and clean up the stack. (qs-1tkj0sj93) +Parameters: + Email: + Default: my@email + Description: The email address where CodePipeline sends pipeline notifications + Type: String + S3BucketName: + Type: String + Default: test-ami-builder-blog-pipeline + Description: The S3 bucket for the temporary artifacts used in CodePipeline + CodeCommitRepositoryName: + Type: String + Default: test-ami-builder-blog-linux-pipeline + Description: name of the codecommit repository that must hold the files "linux-ami-imagebuilder.yaml" and "stack-configuration.json" + PipelineName: + Default: test-ami-builder-blog-linux-pipeline + Description: A name for pipeline + Type: String + TemplateFileName: + Default: linux-ami-imagebuilder.yaml + Description: The file name of the template + Type: String + StackName: + Default: test-amazon-linux2-arm64-ami + Description: A name for the stack which will also be the AMI name to be used in EC2 + Type: String + StackConfig: + Default: stack-configuration.json + Description: The configuration file name for the stack + Type: String +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: CodePipeline Settings + Parameters: + - PipelineName + - S3BucketName + - Email + - Label: + default: Stack Settings + Parameters: + - TemplateFileName + - StackName + - StackConfig +Resources: + S3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: + Fn::Join: + - '-' + - - !Ref 'S3BucketName' + - Fn::Select: + - 4 + - Fn::Split: + - '-' + - Fn::Select: + - 2 + - Fn::Split: + - / + - Ref: 
AWS::StackId + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + DeletionPolicy: Delete + CodeCommitRepo: + Type: AWS::CodeCommit::Repository + Properties: + RepositoryName: !Ref 'CodeCommitRepositoryName' + CodePipelineSNSTopic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: !Ref 'Email' + Protocol: email + Pipeline: + Type: AWS::CodePipeline::Pipeline + Properties: + ArtifactStore: + Location: !Ref 'S3Bucket' + Type: S3 + DisableInboundStageTransitions: [] + Name: !Ref 'PipelineName' + RoleArn: !GetAtt 'PipelineRole.Arn' + Stages: + - Name: Source + Actions: + - Name: Source + ActionTypeId: + Category: Source + Owner: AWS + Provider: CodeCommit + Version: '1' + Configuration: + BranchName: main + OutputArtifactFormat: CODE_ZIP + RepositoryName: !Ref 'CodeCommitRepositoryName' + RunOrder: 1 + OutputArtifacts: + - Name: TemplateSource + - Name: Build + Actions: + - Name: CreateStack + ActionTypeId: + Category: Deploy + Owner: AWS + Provider: CloudFormation + Version: '1' + InputArtifacts: + - Name: TemplateSource + Configuration: + ActionMode: REPLACE_ON_FAILURE + RoleArn: !GetAtt 'CFNRole.Arn' + StackName: !Ref 'StackName' + Capabilities: CAPABILITY_NAMED_IAM + TemplateConfiguration: !Sub 'TemplateSource::${StackConfig}' + TemplatePath: !Sub 'TemplateSource::${TemplateFileName}' + RunOrder: 1 + - Name: ApproveStack + ActionTypeId: + Category: Approval + Owner: AWS + Provider: Manual + Version: '1' + Configuration: + NotificationArn: !Ref 'CodePipelineSNSTopic' + CustomData: !Sub 'Perform checks on the AMI built and after approval the stack ${StackName} will be deleted' + RunOrder: 2 + - Name: DeleteStack + ActionTypeId: + Category: Deploy + Owner: AWS + Provider: CloudFormation + Version: '1' + Configuration: + ActionMode: DELETE_ONLY + RoleArn: !GetAtt 'CFNRole.Arn' + StackName: !Ref 'StackName' + RunOrder: 3 + CFNRole: + Type: AWS::IAM::Role + Properties: + 
AssumeRolePolicyDocument: + Statement: + - Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: + - cloudformation.amazonaws.com + Version: '2012-10-17' + Path: / + Policies: + - PolicyName: CloudFormationRole + PolicyDocument: + Version: '2012-10-17' + Statement: + - Action: + - ec2:* + Effect: Allow + Resource: '*' + - PolicyName: AdditionalPerms + PolicyDocument: + Version: '2012-10-17' + Statement: + - Action: + - iam:GetRole + - iam:CreateRole + - iam:DetachRolePolicy + - iam:AttachRolePolicy + - iam:DeleteRole + - iam:PassRole + - iam:GetPolicy + - iam:ListPolicyVersions + - iam:CreatePolicy + - iam:DeletePolicy + - iam:CreateInstanceProfile + - iam:DeleteInstanceProfile + - iam:AddRoleToInstanceProfile + - iam:RemoveRoleFromInstanceProfile + - imagebuilder:* + Effect: Allow + Resource: '*' + PipelineRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: codepipeline.amazonaws.com + Version: '2012-10-17' + Path: / + Policies: + - PolicyName: CodePipelineAccess + PolicyDocument: + Version: '2012-10-17' + Statement: + - Action: + - cloudformation:CreateStack + - cloudformation:DescribeStacks + - cloudformation:DeleteStack + - cloudformation:UpdateStack + - cloudformation:CreateChangeSet + - cloudformation:ExecuteChangeSet + - cloudformation:DeleteChangeSet + - cloudformation:DescribeChangeSet + - cloudformation:SetStackPolicy + - iam:PassRole + - sns:Publish + Effect: Allow + Resource: '*' + - PolicyName: codecommit + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - codecommit:Get* + - codecommit:UploadArchive + Resource: + - !GetAtt 'CodeCommitRepo.Arn' + - PolicyName: s3-artifacts + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:ListBucket + - s3:PutObject + Resource: + - !GetAtt 'S3Bucket.Arn' + - !Sub '${S3Bucket.Arn}/*' 
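Review bot: The S3Bucket resource at the top of Resources enables default encryption but sets no PublicAccessBlockConfiguration, so the pipeline artifact bucket (which holds the zipped repository contents, including stack-configuration.json with VPC, subnet and key-pair names) relies on account-level settings to stay private. Blocking public access explicitly in the template costs nothing and still holds when the stack lands in an account without the account-wide block; the change is shown below. The `Email` parameter default `my@email` will be accepted by CloudFormation and create an SNS subscription to a placeholder, so consider removing the default (or adding an `AllowedPattern`) so an unset value fails at stack creation rather than silently. The CFNRole and PipelineRole further down grant `ec2:*`, `imagebuilder:*`, broad role-management actions and `iam:PassRole` on `Resource: '*'`, which makes the deploy role admin-equivalent for compute in the account; that is narrowed in a later patch of this series, so I only flag it here.
```yaml
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      # … unchanged: BucketName join and BucketEncryption …
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```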
diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml new file mode 100644 index 0000000..23d9f1d --- /dev/null +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml 
@@ -0,0 +1,253 @@ +--- +AWSTemplateFormatVersion: '2010-09-09' +Description: | + This template builds an EC2 AMI based on Amazon Linux2 ARM64 and installs software to demonstrate an AWS CodePipeline driven AMI builing use-case using EC2 ImageBuilder. The automatically installed software includes the following packages: amazon-cloudwatch-agent-linux, aws-cli-version-2-linux, the stig-build-linux-high (https://docs.aws.amazon.com/imagebuilder/latest/userguide/toe-stig.html), and two custom components executing bash code. (qs-1tkj0sj93) +Parameters: + AWSRegion: + Type: String + Description: Define in which region you want to build and deploy the pipeline + VpcId: + Type: AWS::EC2::VPC::Id + Description: VpcId of your existing Virtual Private Cloud (VPC) to be used to build the AMI + ConstraintDescription: must be the VPC Id of an existing VPC + SubnetId: + Type: String + Description: SubnetId of an existing subnet in your VPC + ConstraintDescription: must be an existing subnet in the selected VPC + SSHKeyPairName: + Type: AWS::EC2::KeyPair::KeyName + Description: Name of an existing EC2 KeyPair to enable SSH access to the instances + ConstraintDescription: must be the name of an existing EC2 KeyPair + SSHLocation: + Type: String + Description: The IP address range that can be used to SSH to the EC2 instances + MinLength: '9' + MaxLength: '18' + AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. + Default: 0.0.0.0/0 + Version: + Type: String + Description: Version number for the ImageBuilder Component, that the service needs, but the components will be removed after pipeline completion. 
+ Default: 0.0.1 + Architecture: + Type: String + Description: Select between x86 and ARM instances + Default: arm64 + AllowedValues: + - x86 + - arm64 + InstanceType: + Type: String + Description: Instance Type for building the instances + Default: t4g.micro + AllowedValues: + - t2.micro + - t3.nano + - t3a.nano + - t3.large + - t3.2xlarge + - t4g.nano + - t4g.micro + - t4g.small + - t4g.medium + - t4g.large + - t4g.xlarge + - t4g.2xlarge + BaseImageId: + Type: String + Description: define the base AMI ID to build upon +Resources: + LinuxImage: + Type: AWS::ImageBuilder::Image + Properties: + ImageRecipeArn: !GetAtt 'LinuxImageRecipe.Arn' + InfrastructureConfigurationArn: !GetAtt 'InfrastructureConfiguration.Arn' + EnhancedImageMetadataEnabled: true + LinuxImageRecipe: + Type: AWS::ImageBuilder::ImageRecipe + Properties: + Name: !Sub + - ${AWS::StackName}-Image-${Uniqueval} + - Uniqueval: !Select + - 2 + - !Split + - / + - !Ref 'AWS::StackId' + Description: !Sub + - ${ShortName} Image (${Architecture}) version ${Version} + - ShortName: !Select + - 0 + - !Split + - '-' + - !Ref 'AWS::StackName' + Components: + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/amazon-cloudwatch-agent-linux/x.x.x' + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/aws-cli-version-2-linux/x.x.x' + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/stig-build-linux-high/x.x.x' + - ComponentArn: !GetAtt 'SetLocaleComponent.Arn' + - ComponentArn: !GetAtt 'YumUpdateComponent.Arn' + ParentImage: !Ref 'BaseImageId' + Version: !Sub '${Version}' + WorkingDirectory: /opt/aws/amibuilder/ + BlockDeviceMappings: + - DeviceName: /dev/sda1 + VirtualName: vol2 + Ebs: + DeleteOnTermination: true + VolumeSize: 20 + VolumeType: gp2 + InfrastructureConfiguration: + Type: AWS::ImageBuilder::InfrastructureConfiguration + Properties: + InstanceProfileName: !Ref 'InstanceProfile' + InstanceTypes: + - !Sub 
'${InstanceType}' + Name: !Sub + - ${AWS::StackName}-InfraConfig-${Uniqueval} + - Uniqueval: !Select + - 2 + - !Split + - / + - !Ref 'AWS::StackId' + KeyPair: !Ref 'SSHKeyPairName' + TerminateInstanceOnFailure: false + SecurityGroupIds: + - !GetAtt 'InstanceSecurityGroup.GroupId' + SubnetId: !Ref 'SubnetId' + SetLocaleComponent: + Type: AWS::ImageBuilder::Component + Properties: + ChangeDescription: !Sub + - Update ${ShortName} Image (${Architecture}) to version ${Version} + - ShortName: !Select + - 0 + - !Split + - '-' + - !Ref 'AWS::StackName' + Description: !Sub + - ${ShortName} Component configures the LC_CTYPE locale + - ShortName: !Select + - 0 + - !Split + - '-' + - !Ref 'AWS::StackName' + Name: !Sub + - ${AWS::StackName}-Component-Locale-${Uniqueval} + - Uniqueval: !Select + - 2 + - !Split + - / + - !Ref 'AWS::StackId' + Platform: Linux + Version: !Sub '${Version}' + Data: !Sub | + name: setlocale global + description: Current version - ${Version} + schemaVersion: 1.0 + phases: + - name: build + steps: + - name: Locale + action: ExecuteBash + onFailure: Continue + inputs: + commands: + - echo "LANG=en_US.utf-8" >> /etc/environment + - echo "LC_ALL=en_US.utf-8" >> /etc/environment + - localectl set-locale LANG=en_US.UTF-8 + - name: validate + steps: + - name: checkLocale + action: ExecuteBash + inputs: + commands: + - localectl status + YumUpdateComponent: + Type: AWS::ImageBuilder::Component + Properties: + ChangeDescription: !Sub + - Update ${ShortName} Image (${Architecture}) to version ${Version} + - ShortName: !Select + - 0 + - !Split + - '-' + - !Ref 'AWS::StackName' + Description: !Sub + - ${ShortName} Component performs a RPM package update + - ShortName: !Select + - 0 + - !Split + - '-' + - !Ref 'AWS::StackName' + Name: !Sub + - ${AWS::StackName}-Component-YumUpdate-${Uniqueval} + - Uniqueval: !Select + - 2 + - !Split + - / + - !Ref 'AWS::StackId' + Platform: Linux + Version: !Sub '${Version}' + Data: !Sub | + name: setlocale global + description: 
Current version - ${Version} + schemaVersion: 1.0 + phases: + - name: build + steps: + - name: Fail + onFailure: Continue + action: ExecuteBash + inputs: + commands: + - echo 1 + - name: Locale + action: ExecuteBash + onFailure: Continue + inputs: + commands: + - yum update -y + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref 'VpcId' + GroupName: !Sub + - ${AWS::StackName}-SG-${Uniqueval} + - Uniqueval: !Select + - 2 + - !Split + - / + - !Ref 'AWS::StackId' + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: !Ref 'SSHLocation' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Roles: + - !Ref 'EC2Role' + EC2Role: + Type: AWS::IAM::Role + Properties: + RoleName: !Sub '${AWS::StackName}' + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: !Sub 'ec2.${AWS::URLSuffix}' + ManagedPolicyArns: + - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' + - !Sub 'arn:${AWS::Partition}:iam::aws:policy/EC2InstanceProfileForImageBuilder' +Outputs: + ImageArn: + Description: Reference to EC2 Image Builder Output Arn + Value: !GetAtt 'LinuxImage.Arn' + ImageId: + Description: Reference to EC2 Image Builder Output ImageId + Value: !GetAtt 'LinuxImage.ImageId' diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json new file mode 100644 index 0000000..d1b71d7 --- /dev/null +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json 
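Review bot: The SSHLocation parameter defaults to `0.0.0.0/0` and feeds the port-22 ingress rule of InstanceSecurityGroup further down, so the build instance is reachable from any address unless the deployer overrides the value; the sample stack-configuration.json in this same commit passes `0.0.0.0/0` as well. Since EC2Role already attaches AmazonSSMManagedInstanceCore, Session Manager can replace interactive SSH entirely, so the safer shape is to drop the `Default: 0.0.0.0/0` line (forcing an explicit CIDR) or to remove the SSH ingress rule and the KeyPair altogether. `TerminateInstanceOnFailure: false` in InfrastructureConfiguration keeps a failed build instance running behind that security group until someone cleans it up; `TerminateInstanceOnFailure: true` is the safer default outside of active debugging. The `Fail` step in YumUpdateComponent (`echo 1` with `onFailure: Continue`) looks like leftover debugging and should be removed or given a comment explaining its purpose.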
@@ -0,0 +1,12 @@ +{ + "Parameters" : { + "AWSRegion" : "eu-west-1", + "VpcId" : "vpc-12345678", + "SubnetId" : "subnet-12345678", + "SSHKeyPairName" : "sshkeypairname", + "SSHLocation" : "0.0.0.0/0", + "Architecture" : "arm64", + "InstanceType" : "t4g.large", + "BaseImageId" : "ami-0331b64d8b89b4fef" + } +} From dbca9a9eeee62394dbbffdd6029b2701a34d2b46 Mon Sep 17 00:00:00 2001 From: Henry Bravo Date: Tue, 4 Apr 2023 15:30:17 +0200 Subject: [PATCH 4/6] updating base AMI image and stig level --- .../linux-ami-imagebuilder.yaml | 12 ++++++------ .../stack-configuration.json | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml index 23d9f1d..3d038f4 100644 --- a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml 
@@ -82,11 +82,11 @@ Resources: - '-' - !Ref 'AWS::StackName' Components: - - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/amazon-cloudwatch-agent-linux/x.x.x' - - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/aws-cli-version-2-linux/x.x.x' - - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/stig-build-linux-high/x.x.x' - - ComponentArn: !GetAtt 'SetLocaleComponent.Arn' - ComponentArn: !GetAtt 'YumUpdateComponent.Arn' + - ComponentArn: !GetAtt 'SetLocaleComponent.Arn' + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/aws-cli-version-2-linux/x.x.x' + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/amazon-cloudwatch-agent-linux/x.x.x' + - ComponentArn: !Sub 'arn:${AWS::Partition}:imagebuilder:${AWSRegion}:aws:component/stig-build-linux-low/x.x.x' ParentImage: !Ref 'BaseImageId' Version: !Sub '${Version}' WorkingDirectory: /opt/aws/amibuilder/ @@ -190,7 +190,7 @@ Resources: Platform: Linux Version: !Sub '${Version}' Data: !Sub | - name: setlocale global + name: rpm update description: Current version - ${Version} schemaVersion: 1.0 phases: @@ -207,7 +207,7 @@ Resources: onFailure: Continue inputs: commands: - - yum update -y + - dnf update -y InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json index d1b71d7..3e05829 100644 --- a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/stack-configuration.json @@ -7,6 +7,6 @@ "SSHLocation" : "0.0.0.0/0", "Architecture" : "arm64", "InstanceType" : "t4g.large", - "BaseImageId" : "ami-0331b64d8b89b4fef" + "BaseImageId" : "ami-08182e5c2a7db8405" } } 
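Review bot: The first hunk swaps stig-build-linux-high for stig-build-linux-low, but the template Description at the top of the file (outside this hunk) still names stig-build-linux-high, so the documented hardening level no longer matches what is built. Lowering the STIG category is a deliberate security trade-off and deserves to be stated: update the Description to name `stig-build-linux-low` and put a one-line comment above the component ARN giving the reason the lower category was chosen and when it should be raised again. The third hunk switches `yum update -y` to `dnf update -y` and the stack-configuration.json hunk changes the base AMI, which together suggest a newer Amazon Linux base; the Description still says Amazon Linux2, so confirm the base OS and update that sentence as well. Reordering the components so the STIG component runs last, after the package update, is sensible and worth a short comment so the order is not undone later.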
From a334b5e627a1013ab2a15536714868192324cabe Mon Sep 17 00:00:00 2001 From: Henry Bravo Date: Fri, 14 Apr 2023 10:17:35 +0200 Subject: [PATCH 5/6] updating iam policies and ssh securitygroups rules with more granular security --- .../linux-ami-codepipeline.yaml | 102 +++++++++++++++--- .../linux-ami-imagebuilder.yaml | 5 + 2 files changed, 93 insertions(+), 14 deletions(-) diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml index 32c831f..f957cfd 100644 --- a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml 
@@ -145,29 +145,63 @@ Resources: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: + Version: '2012-10-17' Statement: - - Action: - - sts:AssumeRole - Effect: Allow + - Effect: Allow Principal: Service: - cloudformation.amazonaws.com - Version: '2012-10-17' + Action: + - sts:AssumeRole Path: / Policies: - PolicyName: CloudFormationRole PolicyDocument: Version: '2012-10-17' - Statement: - - Action: - - ec2:* - Effect: Allow - Resource: '*' + Statement: + - Effect: Allow + Action: + - ec2:ImportKeyPair + - ec2:ImportVolume + - ec2:ImportImage + - ec2:RegisterImage + - ec2:CreateImage + - ec2:ExportImage + - ec2:DescribeImages + - ec2:DescribeVpcs + - ec2:DescribeVolumeAttribute + - ec2:DescribeInstances + - ec2:DescribeKeyPairs + - ec2:DescribeSecurityGroups + - ec2:DescribeSecurityGroupRules + - ec2:DescribeSecurityGroupReferences + - ec2:DescribeIamInstanceProfileAssociations + - ec2:GetResourcePolicy + - ec2:GetConsoleOutput + - ec2:ModifyInstanceAttribute + - ec2:ModifyVolumeAttribute + - ec2:ModifySecurityGroupRules + - ec2:ModifyVolume + - ec2:ReportInstanceStatus + - ec2:ReplaceIamInstanceProfileAssociation + - ec2:AssociateIamInstanceProfile + - ec2:DisassociateIamInstanceProfile + - ec2:DeleteSecurityGroup + - ec2:ModifySecurityGroupRules + - ec2:CreateSecurityGroup + - ec2:AuthorizeSecurityGroupIngress + - ec2:AuthorizeSecurityGroupEgress + - ec2:UpdateSecurityGroupRuleDescriptionsEgress + - ec2:RevokeSecurityGroupIngress + - ec2:RevokeSecurityGroupEgress + - ec2:UpdateSecurityGroupRuleDescriptionsIngress + Resource: "*" - PolicyName: AdditionalPerms PolicyDocument: Version: '2012-10-17' Statement: - - Action: + - Effect: Allow + Action: - iam:GetRole - iam:CreateRole - iam:DetachRolePolicy 
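Review bot: `ec2:ModifySecurityGroupRules` appears twice in the rewritten CloudFormationRole action list; drop the second occurrence. Several of the listed actions — `ec2:ImportKeyPair`, `ec2:ImportVolume`, `ec2:ImportImage`, `ec2:ExportImage` — have no counterpart in the image-builder template this role deploys, so unless something outside this series needs them they only widen the role and should be removed. The Describe* actions genuinely need `Resource: "*"`, but the mutating security-group, instance-attribute and volume actions could move to a second statement scoped to this account and region (for example `!Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:*'`, as the AdditionalPerms hunk below already does). The CFNRole definition continues in the next hunk.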
@@ -180,11 +214,48 @@ Resources: - iam:DeletePolicy - iam:CreateInstanceProfile - iam:DeleteInstanceProfile + - iam:GetInstanceProfile - iam:AddRoleToInstanceProfile - iam:RemoveRoleFromInstanceProfile - - imagebuilder:* - Effect: Allow - Resource: '*' + - imagebuilder:GetDistributionConfiguration + - imagebuilder:GetComponent + - imagebuilder:GetComponentPolicy + - imagebuilder:GetInfrastructureConfiguration + - imagebuilder:GetImage + - imagebuilder:GetImageRecipe + - imagebuilder:ListDistributionConfigurations + - imagebuilder:ListInfrastructureConfigurations + - imagebuilder:ListImagePipelines + - imagebuilder:ListComponents + - imagebuilder:ListImageRecipes + - imagebuilder:ListImages + - imagebuilder:ListComponentBuildVersions + - imagebuilder:ListTagsForResource + - imagebuilder:CreateDistributionConfiguration + - imagebuilder:CreateComponent + - imagebuilder:CreateImageRecipe + - imagebuilder:CreateImage + - imagebuilder:CreateInfrastructureConfiguration + - imagebuilder:DeleteDistributionConfiguration + - imagebuilder:DeleteComponent + - imagebuilder:DeleteImage + - imagebuilder:DeleteImageRecipe + - imagebuilder:DeleteInfrastructureConfiguration + - imagebuilder:UntagResource + - imagebuilder:ImportComponent + - imagebuilder:PutComponentPolicy + - imagebuilder:TagResource + - imagebuilder:UpdateDistributionConfiguration + Resource: + - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:*' + - !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*' + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/*' + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*' + - !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:component/*' + - !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::Partition}:component/*/*/*' + - !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:image/*' + - !Sub 
'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:image-recipe/*/*' + - !Sub 'arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::AccountId}:infrastructure-configuration/*' PipelineRole: Type: AWS::IAM::Role Properties: @@ -214,7 +285,10 @@ Resources: - iam:PassRole - sns:Publish Effect: Allow - Resource: '*' + Resource: + - !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*/*' + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:*' + - !Sub 'arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:*' - PolicyName: codecommit PolicyDocument: Version: '2012-10-17' diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml index 3d038f4..30af48f 100644 --- a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-imagebuilder.yaml @@ -225,6 +225,11 @@ Resources: FromPort: 22 ToPort: 22 CidrIp: !Ref 'SSHLocation' + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 0 + ToPort: 65535 + CidrIp: !Ref 'SSHLocation' InstanceProfile: Type: AWS::IAM::InstanceProfile Properties: From 6d1debecc2fc91778beb2dfa88915af1644557f7 Mon Sep 17 00:00:00 2001 From: Henry Bravo Date: Mon, 8 May 2023 15:39:09 +0200 Subject: [PATCH 6/6] adding missing AWSTemplateFormatVersion --- .../linux-ami-codepipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml index f957cfd..c930c40 100644 --- a/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml +++ b/blog-assets/automate-ami-builds-aws-codepipeline-D35708869/linux-ami-codepipeline.yaml 
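Review bot: The new Resource list for AdditionalPerms still ends in `role/*` and `instance-profile/*`, so `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` remain usable against every role in the account and the role keeps near-admin reach despite the tightened action list. The template this role deploys names its role `${AWS::StackName}`, which is the pipeline's StackName parameter, so `!Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackName}'` (and `instance-profile/${StackName}-*` for the generated profile name) would limit it to the resources the pipeline actually creates; confirm no other role name is produced. The entry `arn:${AWS::Partition}:imagebuilder:${AWS::Region}:${AWS::Partition}:component/*/*/*` puts the partition in the account position; the recipe in linux-ami-imagebuilder.yaml references AWS-managed components with the literal `aws` owner, so this looks like it was meant to be `...:${AWS::Region}:aws:component/*/*/*`. `arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:*` already covers the `instance/*` entry on the next line, so one of the two is redundant.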
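Review bot: The replaced Resource list for CodePipelineAccess grants `iam:PassRole` on `arn:${AWS::Partition}:iam::${AWS::AccountId}:*`, i.e. any role in the account, while the only role this pipeline needs to pass is CFNRole (referenced by `RoleArn: !GetAtt 'CFNRole.Arn'` in the CreateStack and DeleteStack actions). Because PassRole decides which permissions CloudFormation runs with, it is the action that most deserves an exact ARN; likewise `stack/*/*` can be `stack/${StackName}/*` and the SNS wildcard can be the topic itself. The rewritten statement block below splits the three services so each action is bound to the resource it actually touches. The PipelineRole definition continues outside the hunk.
```yaml
        - PolicyName: CodePipelineAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  # … unchanged: the cloudformation:* actions listed in the hunk …
                Resource: !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${StackName}/*'
              - Effect: Allow
                Action: iam:PassRole
                Resource: !GetAtt 'CFNRole.Arn'
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com
              - Effect: Allow
                Action: sns:Publish
                Resource: !Ref 'CodePipelineSNSTopic'
```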
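Review bot: The added SecurityGroupEgress rule in linux-ami-imagebuilder.yaml ties all outbound traffic of the build instance to `!Ref 'SSHLocation'`, which couples the SSH ingress allowlist to egress: with the default `0.0.0.0/0` it changes nothing, and with any restricted SSHLocation the instance can no longer reach the package repositories, the Image Builder and SSM endpoints, or S3 that the components depend on, so the build fails. If the intent is to restrict egress, use a dedicated parameter or VPC endpoints rather than the SSH CIDR; if not, remove the rule so the security group keeps its default allow-all egress. `FromPort: 0` / `ToPort: 65535` are not applied when `IpProtocol: -1`, so they only mislead a reader into thinking the rule is port-scoped. The InstanceSecurityGroup resource starts outside the hunk.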
@@ -1,4 +1,5 @@ --- +AWSTemplateFormatVersion: '2010-09-09' Description: | AWS CloudFormation Template for Continuous Delivery: This template builds an AWS CodePipeline pipeline that implements a continuous delivery release process using an AWS CloudFormation stack that builds custom EC2 AMIs using EC2 ImageBuilder. Submit the CloudFormation template to CodeCommit and the pipeline will take the artifacts to automatically create the stack, run the pipeline, put an approval step, and clean up the stack. (qs-1tkj0sj93) Parameters: