narayan

Reputation: 1149

How to enforce standards and controls when using CDK Pipeline

CDK Pipelines is great, especially for cross-account deployments. It enables the developers to define and customize the CI/CD pipeline for their app to their heart's content.

But to remain SoC compliant, we need to make sure that necessary controls like the ones below are validated/enforced:

  1. A manual approval stage should be present before the stage that does the cross-account deployment to production
  2. Direct deployment to production bypassing dev/staging environment is not allowed
  3. Test cases (Unit tests/Integration tests) and InfoSec tests should pass before deployment

I know that the above things are straightforward to implement in CDK Pipelines, but I am not quite sure how to ensure that every CDK Pipeline always conforms to these standards.

I can think of the solutions below.

But how to enforce the above controls in an automated fashion? Developers can choose to bypass the above controls by simply not specifying them while defining the pipeline. And we do not want to rely on an Approver to check these things manually.

So in summary, the question is: when using CDK Pipelines, how to give developers maximum customizability and freedom in designing their CI/CD solution while ensuring that SoC restrictions and mandatory controls are validated and enforced in an automated fashion?

Upvotes: 2

Views: 902

Answers (2)

narayan

Reputation: 1149

After researching a lot, I concluded that implementing these checks via a custom AWS Config rule is the best approach.

Let's say we want to ensure that

A manual approval stage is always present in every pipeline that has a stage that deploys to prod.

We need to

  1. Enable AWS Config and configure it to record all changes to CodePipeline
  2. Create a custom AWS Config rule using an AWS Lambda function (say pipeline-compliance-checker)
    1. The lambda function gets triggered on every config change of any codepipeline and receives the latest config of the pipeline in question
    2. It parses the latest pipeline config and checks whether the pipeline has a manual approval stage before the stage that deploys to prod. If yes, it deems the pipeline as COMPLIANT else NON_COMPLIANT
  3. Create an AWS EventBridge rule to send a notification to an SNS topic (say pipeline-non-compliance) when any pipeline is marked as NON_COMPLIANT - (doc)
  4. Create another AWS Lambda function (say pipeline-compliance-enforcer) that is subscribed to that SNS topic. It stops the non-compliant pipeline in question (if it is in STARTED state) and then disables the incoming transition to the stage that deploys to prod. We can also delete the pipeline here if required.

I have tested the above setup and it fulfils the requirements.

I also learnt later that AWS speaks about the same solution to this problem in this talk - CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices

Upvotes: 0
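The checker Lambda from step 2 of the answer above, written out as an added example (not code from the answer or from AWS). It assumes prod stages are recognised by their name containing "prod", and that the recorded Config item for AWS::CodePipeline::Pipeline carries the pipeline definition in the stages/actions shape that GetPipeline returns; the sample pipeline is constructed and trimmed to the fields the rule inspects.

```python
import json

PROD_MARKER = "prod"  # assumption: stages deploying to prod are recognised by name; adapt to your convention

# Constructed sample (trimmed to the fields the rule inspects): Source -> Build -> Prod, no approval.
SAMPLE_PIPELINE = {"name": "example-pipeline", "stages": [
    {"name": "Source", "actions": [{"name": "Checkout", "actionTypeId": {"category": "Source", "provider": "CodeCommit"}}]},
    {"name": "Build", "actions": [{"name": "Synth", "actionTypeId": {"category": "Build", "provider": "CodeBuild"}}]},
    {"name": "Prod", "actions": [{"name": "Deploy", "actionTypeId": {"category": "Deploy", "provider": "CloudFormation"}}]},
]}


def is_manual_approval(action: dict) -> bool:
    """A CodePipeline manual approval action has category Approval and provider Manual."""
    type_id = action.get("actionTypeId", {})
    return type_id.get("category") == "Approval" and type_id.get("provider") == "Manual"


def evaluate_pipeline(pipeline: dict) -> str:
    """COMPLIANT if a manual approval action sits in some stage before the first prod stage."""
    stages = pipeline.get("stages", [])
    prod_indexes = [i for i, s in enumerate(stages) if PROD_MARKER in s.get("name", "").lower()]
    if not prod_indexes:
        return "COMPLIANT"  # the rule only applies to pipelines that deploy to prod
    # An approval placed in or after the prod stage does not gate it, so only earlier stages count.
    for stage in stages[:prod_indexes[0]]:
        if any(is_manual_approval(a) for a in stage.get("actions", [])):
            return "COMPLIANT"
    return "NON_COMPLIANT"


def build_evaluation(event: dict) -> dict:
    """Map a custom Config rule invocation to the Evaluation entry that PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance = "NOT_APPLICABLE"  # the pipeline is gone, nothing left to evaluate
    else:
        # Assumption: the recorded configuration holds the pipeline definition (stages/actions).
        compliance = evaluate_pipeline(item["configuration"])
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "OrderingTimestamp": item["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    import boto3  # imported here so the module also loads outside Lambda (e.g. for unit tests)
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

The enforcer Lambda from step 4 reacts to the NON_COMPLIANT evaluations this function reports; the check itself stays independent of who created the pipeline, so a CDK Pipeline that omits the approval step is flagged on its first recorded change.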

Suhaib

Reputation: 11

Open Policy Agent might be helpful to check infra against custom policies in the pipeline.

https://aws.amazon.com/blogs/opensource/realize-policy-as-code-with-aws-cloud-development-kit-through-open-policy-agent/

Upvotes: 1
