Reputation: 7275
What field can I set in my IAC definition (i.e., codebuild.yaml and/or buildspec.yaml files) to get my AWS CodeBuild process to perform a full git clone?
I have a use case where the last updated dates of each file are employed during the build process, and these dates are not available with a shallow clone.
Upvotes: 2
Views: 4229
Reputation: 815
You can set the following in your buildspec.yml, which allows you to unshallow your clone.
env:
  git-credential-helper: yes
Upvotes: 0
Reputation: 901
To get CodeBuild to clone a CodeCommit repository in a different account (cross-account) within the buildspec.yml, you need the CodeBuild service role to have permission to assume a role in the CodeCommit account, you need that role in the CodeCommit account to have permissions to access the related CodeCommit repository, and you need to assume the role in the CodeCommit account within the buildspec.yml file before executing git clone.
In detail this looks like the following (please consider restricting the policies to the actual actions/resources required and don't use *. I just use the wildcards to keep the policies short in the example):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:*"
      ],
      "Resource": "*"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/role-in-code-build-account"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
CodeBuild account IAM role policy:
Attach the following policy to your CodeBuild service role in the CodeBuild account (grants permission to assume the role in the CodeCommit account)
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::YYYYYYYYYYYY:role/role-in-code-commit-account"
    }
  ],
  "Version": "2012-10-17"
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
CodeBuild account buildspec.yml:
The buildspec ensures that git-remote-codecommit is available, assumes the role in the CodeCommit account and then clones the repository.
version: 0.2
env:
  git-credential-helper: yes
phases:
  install:
    runtime-versions:
      python: 3.8
    commands:
      - pip install git-remote-codecommit
  pre_build:
    commands:
      - ASSUME_ROLE_ARN="arn:aws:iam::YYYYYYYYYYYY:role/role-in-code-commit-account"
      - SERVICE_ROLE=$(aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name <session-name>)
      - export SERVICE_ROLE
      # export the temporary credentials so git-remote-codecommit signs the clone with the assumed role
      - export AWS_ACCESS_KEY_ID=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "${SERVICE_ROLE}" | jq -r '.Credentials.SessionToken')
      # do not echo the key id or session token: anything printed here lands in the CloudWatch build log
      - git clone codecommit::<region>://<codecommit-repo-name>
      - ls -lrt
  post_build:
    commands:
      - echo "git clone completed successfully on `date`"
Upvotes: 1
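The answer above asks you to tighten the wildcard policies before using them. The following is an added example, not part of the answer or of any AWS tooling: a small stdlib-only checker that loads the posted policy documents (with the answer's XXXXXXXXXXXX / YYYYYYYYYYYY placeholders), flags every Allow statement that grants `*` or `service:*`, checks that the CodeCommit-side trust policy is pinned to one specific role ARN, and emits a least-privilege replacement scoped to a single repository ARN. The repository ARN is constructed for the example, and the assumption that a read-only clone through git-remote-codecommit needs only `codecommit:GitPull` should be confirmed in a test build.

```python
import json
from typing import Any, Dict, List, Tuple

# Policies as posted in the answer above; account ids are the answer's placeholders.
CODECOMMIT_ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["codecommit:*"], "Resource": "*"}],
}
CODECOMMIT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::XXXXXXXXXXXX:role/role-in-code-build-account"},
        "Action": "sts:AssumeRole",
    }],
}
CODEBUILD_ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::YYYYYYYYYYYY:role/role-in-code-commit-account",
    }],
}

# Constructed for this example: the one repository the build actually needs.
REPO_ARN = "arn:aws:codecommit:eu-west-1:YYYYYYYYYYYY:example-repo"
# Assumption (verify in a test build): a read-only clone via git-remote-codecommit
# needs only GitPull rather than the full codecommit:* action set.
CLONE_ACTIONS = ["codecommit:GitPull"]


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists for Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy: Dict[str, Any]) -> List[Tuple[int, str, str]]:
    """Return (statement index, field, value) for every Allow statement whose
    Action or Resource is '*' or 'service:*'."""
    findings: List[Tuple[int, str, str]] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            for v in _as_list(st.get(field, [])):
                if v == "*" or v.endswith(":*"):
                    findings.append((i, field, v))
    return findings


def trust_policy_is_pinned(trust: Dict[str, Any]) -> bool:
    """True when every sts:AssumeRole grant names specific IAM ARNs, so only the
    CodeBuild account's role (not an arbitrary principal) can assume this role."""
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            return False
        for arn in _as_list(principal.get("AWS", [])):
            if not arn.startswith("arn:aws:iam::") or "*" in arn:
                return False
    return True


def least_privilege_clone_policy(repo_arn: str) -> Dict[str, Any]:
    """Tightened replacement for the codecommit:* / Resource:* permissions policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": CLONE_ACTIONS, "Resource": repo_arn}],
    }


if __name__ == "__main__":
    for name, policy in [("CodeCommit role permissions", CODECOMMIT_ROLE_PERMISSIONS),
                         ("CodeBuild role permissions", CODEBUILD_ROLE_PERMISSIONS)]:
        for idx, field, value in find_wildcards(policy):
            print(f"{name}: statement {idx} grants wildcard {field}={value!r}")
    print("CodeCommit trust policy pinned to one role:", trust_policy_is_pinned(CODECOMMIT_ROLE_TRUST))
    print(json.dumps(least_privilege_clone_policy(REPO_ARN), indent=2))
```

Run it over your own policy JSON before attaching the roles: the CodeBuild-side AssumeRole policy from the answer already passes (it names one role ARN), while the CodeCommit-side permissions policy is reported for both its action and resource wildcards and should be replaced by the scoped document the script prints.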
Reputation: 188
I finally figured out how to do the full clone. I posted it in this link here. Check it out, I think it will give you what you are looking for: Setting credentials for https git clone in AWS CodeBuild
Upvotes: 0
Reputation: 188
If you are looking to leverage CodeCommit you can perform the clone by adding the remote clone function:
phases:
  install:
    commands:
      - pip install git-remote-codecommit
  pre_build:
    commands:
      - echo CLONE DIRECTORIES
      - git clone codecommit://[repo name] [target folder name]
You will need to make sure your IAM role has the proper permissions to access CodeCommit. If you're looking for GitHub cloning see this link:
https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials-github-gitclone.html
Upvotes: 0