
AWS CodePipeline cross-account deployment to ECS

Summary:

A CodePipeline in account A deploys the application to ECS Fargate in account B.

If any of the resources below do not exist, create them manually; the default settings are fine.

Account A resources:

1. CodePipeline project

2. KMS key

3. S3 bucket (temporary, shared via the KMS key)

Account B resources:

1. ECS Fargate

Steps:

1. Create the cross-account role in account B

XXXXXXXX is account A's numeric account ID

codepipeline-1234567890 is account A's artifact bucket

"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625" is the ARN of account A's KMS key

Create the cross-account role (CrossAccount_Role) in account B:

crossAccout_role.tf

resource "aws_iam_role" "crossrole" {
  name = "CrossAccount_Role"

  # Trust policy: only principals in account A may assume this role.
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::{{A賬号的數字ID}}:root"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  })

  inline_policy {
    name = "cross_role_inline_policy"

    policy = jsonencode({
      "Version": "2012-10-17",
      "Statement": [
        {
          # What CodePipeline needs in account B to update the ECS service.
          # iam:PassRole on "*" is broad; narrow it to the task and execution
          # roles the service actually uses where you can.
          "Action": [
            "ecr:*",
            "ecs:*",
            "iam:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          # Read the build artifact from account A's artifact bucket.
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::codepipeline-1234567890/*",
            "arn:aws:s3:::codepipeline-1234567890"
          ]
        },
        {
          # Decrypt the artifact, which is encrypted with account A's KMS key.
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:us-east-1:{{A賬号的數字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625"
          ]
        }
      ]
    })
  }
}

terraform apply

2. Grant CrossAccount_Role access to account A's S3 bucket:

Amazon S3 / Buckets / codepipeline-1234567890

Open the Permissions tab, paste the following policy into Bucket policy and save:

{
    "Version": "2012-10-17",
    "Id": "SSEAndSSLPolicy",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::{{B賬号的數字ID}}:root"
                ]
            },
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::codepipeline-1234567890",
                "arn:aws:s3:::codepipeline-1234567890/*"
            ]
        }
    ]
}

3. Add cross-account permissions to account A's KMS key:

Open KMS and go to the page for the key in question (create one if there is none). Under Key policy, in the Other AWS accounts section, click Add other AWS accounts, enter account B's numeric ID and save:

  • arn:aws:iam::{{B賬号的數字ID}}:root

4. Export the CodePipeline definition:

aws codepipeline get-pipeline --name ecs-pipeline > pipeline.json
vim pipeline.json

{
    "name": "Deploy",
    "actions": [
        {
            "name": "Deploy",
            "actionTypeId": {
                "category": "Deploy",
                "owner": "AWS",
                "provider": "ECS",
                "version": "1"
            },
            "runOrder": 3,
            "roleArn": "arn:aws:iam::{{B賬号的資料ID}}:role/CrossAccount_Role",
            "configuration": {
                "ClusterName": "fargate-cluster",
                "DeploymentTimeout": "30",
                "FileName": "imagedefinitions.json",
                "ServiceName": "webservice"
            },
            "outputArtifacts": [],
            "inputArtifacts": [
                {
                    "name": "BuildArtifact"
                }
            ],
            "region": "us-east-1",
            "namespace": "DeployVariables"
        }
    ]
}

The main change is adding the role the action runs under:
"roleArn": "arn:aws:iam::{{B賬号的資料ID}}:role/CrossAccount_Role"

5. Update the CodePipeline

aws codepipeline update-pipeline --cli-input-json file://pipeline.json
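As an added example (not from the original post), a small Python script that performs the edit of steps 4 and 5 for you: it drops the read-only "metadata" block that get-pipeline returns and update-pipeline rejects, sets roleArn on the ECS Deploy action only, and refuses an ARN that still contains an unreplaced {{...}} placeholder. The sample pipeline and its account IDs are constructed, and the file name prepare_pipeline.py is an assumption.

```python
import json
import re
import sys

# Shape of the IAM role ARN CodePipeline must assume in account B; a leftover
# "{{...}}" placeholder or a non-12-digit account id fails this check.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample of `aws codepipeline get-pipeline` output (made-up account ids).
# get-pipeline returns a read-only "metadata" block that update-pipeline rejects.
SAMPLE_GET_PIPELINE = {
    "pipeline": {
        "name": "ecs-pipeline",
        "roleArn": "arn:aws:iam::111111111111:role/service-role/pipeline-role",
        "artifactStore": {"type": "S3", "location": "codepipeline-1234567890"},
        "stages": [
            {"name": "Deploy", "actions": [{"name": "Deploy", "actionTypeId": {
                "category": "Deploy", "owner": "AWS", "provider": "ECS", "version": "1"},
                "configuration": {"ClusterName": "fargate-cluster", "ServiceName": "webservice",
                                  "FileName": "imagedefinitions.json"}}]},
        ],
        "version": 3,
    },
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:ecs-pipeline"},
}


def cross_account_deploy_input(get_pipeline_output, deploy_role_arn):
    """Return the body for `update-pipeline --cli-input-json`: "metadata" dropped and
    every ECS Deploy action pinned to deploy_role_arn (the pipeline's own service
    role is left untouched). ValueError on a bad ARN or no ECS Deploy action."""
    if not ROLE_ARN_RE.match(deploy_role_arn):
        raise ValueError(f"not a valid IAM role ARN: {deploy_role_arn!r}")
    pipeline = json.loads(json.dumps(get_pipeline_output["pipeline"]))  # deep copy
    patched = 0
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            type_id = action.get("actionTypeId", {})
            if type_id.get("category") == "Deploy" and type_id.get("provider") == "ECS":
                action["roleArn"] = deploy_role_arn
                patched += 1
    if patched == 0:
        raise ValueError("pipeline has no ECS Deploy action to run cross-account")
    return {"pipeline": pipeline}


if __name__ == "__main__":
    # Usage: aws codepipeline get-pipeline --name ecs-pipeline | python3 prepare_pipeline.py arn:aws:iam::<B account id>:role/CrossAccount_Role > pipeline.json
    json.dump(cross_account_deploy_input(json.load(sys.stdin), sys.argv[1]), sys.stdout, indent=4)
```

The resulting pipeline.json is the file step 5 passes to update-pipeline.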

The cross-account pipeline deployment is now complete; run the pipeline to test it.

Note: the ECS task execution role needs permission to read from the KMS key as well as its execution permissions.
