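# AWS CodeBuild buildspec. Per the command comments below it: installs AWS CLI v2,
# publishes the `stable` tag (region-specific, then Dockerhub and Public ECR when
# AWS_REGION is us-west-2), and verifies the published images from a separate
# verification account using credentials obtained through an assumed role.
version: 0.2
phases:
  install:
    runtime-versions:
      # Quoted so the runtime version is read as a string, not a float
      # (an unquoted 3.10 would parse as 3.1).
      python: "3.7"
  pre_build:
    commands:
      - echo Sync latest image from Amazon ECR Public Gallery
      # Remove the pip-installed CLI before installing AWS CLI v2 from the official zip.
      - pip3 uninstall awscli -y
      # NOTE(review): the installer is fetched over HTTPS but its contents are not
      # verified; AWS publishes a detached PGP signature next to the zip
      # (awscliv2.zip.sig) that could be checked before unzip.
      - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
      - unzip awscliv2.zip
      - ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/bin --update
      - which aws
      - aws --version
  build:
    commands:
      # Enforce STS regional endpoints
      - export AWS_STS_REGIONAL_ENDPOINTS=regional
      - './scripts/publish.sh cicd-publish ${AWS_REGION} stable'
      # Publish stable tag to Dockerhub when AWS_REGION is us-west-2
      - './scripts/publish.sh cicd-publish public-dockerhub-stable ${AWS_REGION}'
      # Assume role to publish, get the credentials, and set them as environment variables.
      # The exit status of a block scalar command is that of its last statement, so a
      # failed assume-role inside the `if` would otherwise go unnoticed and the publish
      # step would silently run with the build's own role; `|| exit 1` fails the build.
      - |
        if [ "${PUBLISH_ROLE_ARN_PUBLIC_ECR}" != "" ]; then
          CREDS=$(aws sts assume-role --role-arn "${PUBLISH_ROLE_ARN_PUBLIC_ECR}" --role-session-name publicECR) || exit 1
          export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .Credentials.AccessKeyId)
          export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .Credentials.SecretAccessKey)
          export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .Credentials.SessionToken)
        fi
      # Publish stable tag to Public ECR when AWS_REGION is us-west-2
      - './scripts/publish.sh cicd-publish public-ecr-stable ${AWS_REGION}'
      # Nullify the temporary credentials for the assumed role to publish.
      # The variables are emptied rather than unset, as in the original; presumably the
      # CLI then falls back to the build role's credentials — confirm for the CLI
      # version installed in pre_build.
      - |
        if [ "${PUBLISH_ROLE_ARN_PUBLIC_ECR}" != "" ]; then
          export AWS_ACCESS_KEY_ID=
          export AWS_SECRET_ACCESS_KEY=
          export AWS_SESSION_TOKEN=
        fi
      # Assume role to verify, get the credentials, and set them as environment variables.
      # Verification should be done using the credentials from a different account. It ensures that
      # the images we published are public and accessible from any account.
      # This is a single command, so a failed assume-role fails the build directly.
      - CREDS=$(aws sts assume-role --role-arn "${VERIFY_ROLE_ARN}" --role-session-name "${AWS_REGION}" --region "${AWS_REGION}")
      - export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .Credentials.AccessKeyId)
      - export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .Credentials.SecretAccessKey)
      - export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .Credentials.SessionToken)
      # Verify from the verification account
      - './scripts/publish.sh cicd-verify ${AWS_REGION} stable'
      - './scripts/publish.sh cicd-verify-ssm ${AWS_REGION} stable'
      # Nullify the temporary credentials for the assumed role to verify
      - export AWS_ACCESS_KEY_ID=
      - export AWS_SECRET_ACCESS_KEY=
      - export AWS_SESSION_TOKEN=
      # Verify the publishing on Public ECR and Dockerhub when AWS_REGION is us-west-2
      - './scripts/publish.sh cicd-verify stable ${AWS_REGION}'
artifacts:
  files:
    - '**/*'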