CodePipeline Governance

Ensure all AWS CodePipelines have mandatory actions being run in the Orchestration Pipeline.

Description

This solution is initiated through a pipeline action and parses the CodePipeline CloudFormation template to ensure all governance rules are met before the CloudFormation stack is updated. This allows the security or governance teams to mandate that certain stages and/or actions run in a particular order. More importantly, it allows developers to update their own CI/CD pipeline.

Folder Structure

| Folder/File | Description |
|---|---|
| cloudformation/sam-bootstrap.yaml | AWS CloudFormation template that creates the AWS resources required for the solution to work properly. It creates an IAM Role, a KMS Key/Alias and an S3 Bucket. All of these resources are required for an AWS Serverless Application Model (SAM) deployment to succeed. |
| cloudformation/function.yaml | SAM template that deploys the AWS Lambda function along with all dependent infrastructure. |
| src | Source code for the AWS Lambda functions. |
| test | Test code for the AWS Lambda functions. |
| scripts | Directory holding the scripts that are run from a CodeBuild BuildSpec file. |
| scripts/main.sh | Orchestration script that runs all the other linting/scanning scripts before building/deploying the SAM function(s). |
| scripts/pylint.sh | Shell script that runs the pylint command against all Python files. |
| scripts/pyscan.sh | Runs Bandit (Python library) against all Python code within the repository to identify security vulnerabilities. |
| scripts/sam.sh | Runs a number of SAM commands to package / build / deploy the SAM function to a specified account. |
| scripts/test.sh | Shell script that runs the tox command to build a virtual environment and the pytest command to run any unit tests found in the repository. |
| pytest.ini | Configuration file for pytest. ini files are the configuration files of the tox project and can also hold pytest configuration if they have a [pytest] section. |
| test_requirements.txt | Pip requirements file for the test environment. |
| tox.ini | Configuration file for tox. tox is a command-line driven automated testing tool for Python, based on the use of virtualenv. |

Pre-requisite Steps:

Solution Architecture

There are 2 ways of deploying the CodePipeline Governance solution.

Separate Accounts AWS Resource Diagram (Option 1)

The first deployment method uses AWS Organizations and a centralized Shared Services account to manage the CodePipeline Governance Lambda function. This method allows other AWS accounts within the organization to call the Lambda function using a specific IAM role. This eases management of the CodePipeline Governance Lambda function and enables CodePipelines in multiple AWS accounts to invoke it.

Single Account AWS Resource Diagram (Option 2)

The second deployment method installs the CodePipeline Governance Lambda function in the same account as your deployment of AWS CodePipeline. This method is typically chosen when a centralized Shared Services account or AWS Organizations isn't used.

How to deploy Option 1 (Function and CodePipeline exist in separate accounts)

Deploy to Shared Services Account

Deploy to AWS CodePipeline Account

Deploy/Run CodePipeline Example

How to deploy Option 2 (Function and CodePipeline exist in the same account)

Deploy to AWS Account

Deploy/Run CodePipeline Example

What the Pipeline should look like

Deploy New / Update CodePipeline Governance Rules

End Result - Rule Example (located in DynamoDB):

What can NOT be added to a Governance Rule

How the ScanCodePipeline function is used in CodePipeline

Example code from CodePipeline.yaml:

```yaml
...
    - Name: BuildAndPackage
      Actions:
        - Name: Scan-CodePipeline
          ActionTypeId:
            Category: Invoke
            Owner: AWS
            Provider: Lambda
            Version: "1"
          Configuration:
            FunctionName: ScanCodePipeline
            UserParameters: !Sub |
              {
                "cfn_template": "iac/cloudformation/codepipeline-example.yaml"
              }
          InputArtifacts:
            - Name: Source
          OutputArtifacts: []
          RunOrder: 1
...
```
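The check the Lambda action performs on the template it is handed, as an added illustration written for this page rather than the project's own src code. It assumes the CloudFormation template has already been loaded into a dict, and the rule fields (RuleName, Stage, Action, ActionTypeId, MustPrecedeStage) are a hypothetical schema, since the page only shows the DynamoDB rule as an image.

```python
# Constructed rule set. The real solution keeps its rules in DynamoDB and this page does
# not show that schema, so every field name below is an assumption for illustration.
GOVERNANCE_RULES = [{
    "RuleName": "ScanPipelineBeforeDeploy",
    "Stage": "BuildAndPackage",
    "Action": "Scan-CodePipeline",
    "ActionTypeId": {"Category": "Invoke", "Owner": "AWS", "Provider": "Lambda"},
    "MustPrecedeStage": "Deploy",  # the scanning stage has to come before this stage
}]

def check_rule(pipeline, rule):
    """Return the violations of one rule against one pipeline's Properties (empty == ok)."""
    stages = pipeline.get("Stages", [])
    names = [s.get("Name") for s in stages]
    tag = rule["RuleName"]
    if rule["Stage"] not in names:
        return [f"{tag}: mandatory stage '{rule['Stage']}' is missing"]
    stage = stages[names.index(rule["Stage"])]
    matches = [a for a in stage.get("Actions", []) if a.get("Name") == rule["Action"]]
    if not matches:
        return [f"{tag}: mandatory action '{rule['Action']}' missing from '{rule['Stage']}'"]
    found = []
    type_id = matches[0].get("ActionTypeId", {})
    for key, expected in rule["ActionTypeId"].items():  # same name, other target still fails
        if type_id.get(key) != expected:
            found.append(f"{tag}: ActionTypeId.{key} is {type_id.get(key)!r}, expected {expected!r}")
    later = rule.get("MustPrecedeStage")
    if later in names and names.index(later) < names.index(rule["Stage"]):
        found.append(f"{tag}: stage '{rule['Stage']}' must run before '{later}'")
    return found

def scan_template(template, rules=GOVERNANCE_RULES):
    """Apply every rule to every AWS::CodePipeline::Pipeline resource in a loaded template."""
    pipelines = [r.get("Properties", {}) for r in template.get("Resources", {}).values()
                 if r.get("Type") == "AWS::CodePipeline::Pipeline"]
    if not pipelines:
        return ["no AWS::CodePipeline::Pipeline resource found in template"]
    return [v for p in pipelines for r in rules for v in check_rule(p, r)]

# Constructed action mirroring the page's YAML snippet (as loaded into a dict).
SCAN_ACTION = {"Name": "Scan-CodePipeline", "RunOrder": 1, "ActionTypeId": {
    "Category": "Invoke", "Owner": "AWS", "Provider": "Lambda", "Version": "1"}}

def sample_template(build_actions, stage_order=("Source", "BuildAndPackage", "Deploy")):
    """Build a minimal constructed template; build_actions go into the BuildAndPackage stage."""
    actions = {"Source": [{"Name": "Source"}], "BuildAndPackage": build_actions,
               "Deploy": [{"Name": "DeployStack"}]}
    stages = [{"Name": n, "Actions": actions[n]} for n in stage_order]
    return {"Resources": {"Pipeline": {"Type": "AWS::CodePipeline::Pipeline",
                                       "Properties": {"Stages": stages}}}}
```

A non-empty result from scan_template is what the pipeline action would surface as a failure, so a developer cannot remove or reorder the scan stage in their own pipeline template without the update being rejected.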

Failure Definitions

CodePipeline action output of CloudFormation deployment failure

CodePipeline action output of CloudFormation deployment failure with output being over 500 characters

CodePipeline action output of CloudFormation validation failure

CodePipeline action output of CloudFormation Security Scan

License

This project is licensed under the Apache-2.0 License.