diff --git a/buildspec.yml b/buildspec.yml
new file mode 100644
index 00000000000..8c86a4169a4
--- /dev/null
+++ b/buildspec.yml
@@ -0,0 +1,21 @@
+version: 0.2
+phases:
+ install:
+ runtime-versions:
+ golang: 1.12
+ pre_build:
+ commands:
+ - echo Building the AWS for Fluent Bit image
+ build:
+ commands:
+ # Command to build your project
+ - make release
+
+ # List the docker images
+ - docker images
+
+ # Push the image to ECR in the same account and same region the pipeline is hosted.
+ - ecs-cli push amazon/aws-for-fluent-bit-test:latest
+artifacts:
+ files:
+ - '**/*'
diff --git a/buildspec_integ.yml b/buildspec_integ.yml
new file mode 100644
index 00000000000..67b0c3f66e8
--- /dev/null
+++ b/buildspec_integ.yml
@@ -0,0 +1,28 @@
+version: 0.2
+phases:
+ install:
+ runtime-versions:
+ golang: 1.12
+ pre_build:
+ commands:
+ - echo Running the integration test
+ build:
+ commands:
+ # Get the default credentials and set as environment variables
+ - 'CREDS=`curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`'
+ - 'export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .AccessKeyId`'
+ - 'export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .SecretAccessKey`'
+ - 'export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Token`'
+
+ # Pull the image that we built and pushed in the `Build` stage
+ - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'
+ - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+ # List the images to do a double check
+ - 'docker images'
+
+ # Command to run the integration test
+ - 'make integ'
+artifacts:
+ files:
+ - '**/*'
diff --git a/buildspec_publish_dockerhub.yml b/buildspec_publish_dockerhub.yml
new file mode 100644
index 00000000000..d9e9124ccf1
--- /dev/null
+++ b/buildspec_publish_dockerhub.yml
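Review bot: The image handed to the later stages is addressed only by the mutable tag on the `ecs-cli push amazon/aws-for-fluent-bit-test:latest` line, so buildspec_integ.yml, buildspec_publish_dockerhub.yml and buildspec_publish_ecr.yml pull whatever `:latest` is at the moment they run, not necessarily the image this execution built; two overlapping pipeline executions can swap images between build, test and publish. Tagging the built image with an immutable tag as well (for example the commit id CodeBuild exposes as `CODEBUILD_RESOLVED_SOURCE_VERSION`), pushing both, and pulling that tag or its digest in the other stages ties the published image to the tested one. The artifact glob `'**/*'` also uploads the whole workspace; if only the tag or digest needs to flow between stages, a single artifact file is smaller and easier to audit.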
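Review bot: The manual credential fetch (`CREDS=\`curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\``) runs curl without `-sSf` and jq without `-e`, so a failed or non-JSON response is not an error: `jq -r` prints `null`, three literal `null` values are exported as AWS credentials, and the build fails later with a misleading auth error from whatever `make integ` does. `curl -sSf` and `jq -er` make the fetch fail at the point of failure. The AWS CLI and SDKs already resolve and refresh credentials from `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` on their own, so exporting a static snapshot is only needed if something under `make integ` cannot read the container endpoint; a one-line comment naming that consumer would explain why this block exists.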
@@ -0,0 +1,25 @@
+version: 0.2
+phases:
+ install:
+ runtime-versions:
+ golang: 1.12
+ pre_build:
+ commands:
+ - echo Publish the image to DockerHub
+ build:
+ commands:
+ # Pull the image that we built and pushed in the `Build` stage
+ - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'
+ - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+ # List the docker images
+ - docker images
+
+ # Push the image to dockerhub
+ - 'DRY_RUN="false" ./scripts/publish.sh cicd-publish dockerhub'
+
+ # Pull the image from dockerhub and verify
+ - './scripts/publish.sh cicd-verify dockerhub'
+artifacts:
+ files:
+ - '**/*'
diff --git a/buildspec_publish_ecr.yml b/buildspec_publish_ecr.yml
new file mode 100644
index 00000000000..225c21bfee5
--- /dev/null
+++ b/buildspec_publish_ecr.yml
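Review bot: The `docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/...` line relies on `AWS_ACCOUNT` and `AWS_REGION` being set in the CodeBuild environment, and nothing in the buildspec checks them, so an unset or misspelled variable yields a source name like `.dkr.ecr..amazonaws.com/...` and the run fails with a less direct "no such image" style error rather than naming the missing variable. A fail-fast guard as the first build command, `- ': "${AWS_ACCOUNT:?AWS_ACCOUNT is not set}" "${AWS_REGION:?AWS_REGION is not set}"'`, gives a clear diagnosis. The same applies to the identical line in buildspec_integ.yml and buildspec_publish_ecr.yml, and to `REGION_TO_PUSH` in the latter.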
@@ -0,0 +1,48 @@
+version: 0.2
+phases:
+ install:
+ runtime-versions:
+ golang: 1.12
+ pre_build:
+ commands:
+ - echo Publish the image to ECR
+ build:
+ commands:
+ # Pull the image that we built and pushed in the `Build` stage
+ - 'ecs-cli pull amazon/aws-for-fluent-bit-test:latest'
+ - 'docker tag ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:latest amazon/aws-for-fluent-bit:latest'
+
+ # List the docker images
+ - docker images
+
+ # Assume role to publish, get the credentials, and set them as environment variables
+ - |
+ if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
+ CREDS=`aws sts assume-role --role-arn ${PUBLISH_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
+ export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
+ export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
+ export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
+ fi
+
+ # Push the image to ECR
+ - './scripts/publish.sh cicd-publish ${REGION_TO_PUSH}'
+
+ # Nullify the temporary credentials for the assumed role to publish
+ - |
+ if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
+ export AWS_ACCESS_KEY_ID=
+ export AWS_SECRET_ACCESS_KEY=
+ export AWS_SESSION_TOKEN=
+ fi
+
+ # Assume role to verify, get the credentials, and set them as environment variables
+ - CREDS=`aws sts assume-role --role-arn ${VERIFY_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
+ - export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
+ - export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
+ - export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
+
+ # Verify from the verification account
+ - './scripts/publish.sh cicd-verify ${REGION_TO_PUSH}'
+artifacts:
+ files:
+ - '**/*'
diff --git a/scripts/publish.sh b/scripts/publish.sh
index 95e87b583d2..e7d4fdb0b27 100755
--- a/scripts/publish.sh
+++ b/scripts/publish.sh
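Review bot: The publish-role credentials are dropped with `export AWS_ACCESS_KEY_ID=` (empty string) rather than `unset AWS_ACCESS_KEY_ID`, so the later `aws sts assume-role --role-arn ${VERIFY_ROLE_ARN}` appears to work only because the CLI treats an empty key variable as absent and falls back to the container credentials; that is an implicit dependency on SDK behaviour and is worth either replacing with `unset` or stating in the "Nullify" comment. Inside the first `- |` block only the block's final status reaches CodeBuild, so a failed `assume-role` is not fatal on its own and, with `jq -r` and no `-e`, three `null` values get exported instead; `set -e` as the block's first line plus `jq -er` makes the failure immediate, as in buildspec_integ.yml. Both STS calls use `--role-session-name ${REGION_TO_PUSH}`, so the CloudTrail record of the publishing session identifies only a region, not the pipeline run; a session name carrying a build identifier makes the publish event attributable, and the verify role being assumed unconditionally while the publish role is guarded on `PUBLISH_ROLE_ARN` deserves a comment explaining the asymmetry.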
@@ -17,6 +17,8 @@ set -xeuo pipefail scripts=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) cd "${scripts}" +IMAGE_SHA_MATCHED="FALSE" + classic_regions=" us-east-1 eu-west-1 @@ -152,6 +154,50 @@ verify_ecr() { account_id=${2} pull_ecr ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:latest ${region} pull_ecr ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION} ${region} + + # Get the image SHA's + sha1=$(docker inspect --format='{{index .RepoDigests 0}}' ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:latest) + sha2=$(docker inspect --format='{{index .RepoDigests 0}}' ${account_id}.dkr.ecr.${region}.amazonaws.com/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION}) + + verify_sha $sha1 $sha2 +} + +verify_dockerhub() { + # Get the image SHA's + sha1=$(docker pull amazon/aws-for-fluent-bit:latest | grep sha256: | cut -f 3 -d :) + sha2=$(docker pull amazon/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION} | grep sha256: | cut -f 3 -d :) + + verify_sha $sha1 $sha2 +} + +verify_sha() { + sha1=${1} + sha2=${2} + + match_two_sha $sha1 $sha2 + + if [ "$IMAGE_SHA_MATCHED" = "TRUE" ]; then + echo '[Publish Verification] Successfull' + IMAGE_SHA_MATCHED="FALSE" + else + echo '[Publish Verification] Failed' + exit 1 + fi +} + +match_two_sha() { + sha1=${1} + sha2=${2} + + # Get the last 64 chars of the SHA string + last64_1=$(echo $sha1 | egrep -o '.{1,64}$') + last64_2=$(echo $sha2 | egrep -o '.{1,64}$') + + if [ "$last64_1" = "$last64_2" ]; then + IMAGE_SHA_MATCHED="TRUE" + else + IMAGE_SHA_MATCHED="FALSE" + fi } AWS_FOR_FLUENT_BIT_VERSION=$(cat ../AWS_FOR_FLUENT_BIT_VERSION) 
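Review bot: `verify_ecr` and `verify_dockerhub` only check that `:latest` and `:${AWS_FOR_FLUENT_BIT_VERSION}` resolve to the same digest as each other, not that either equals the image the pipeline built and tested, so a publish that pushed the wrong image under both tags still passes verification; comparing against the digest of the source image that `cicd-publish` pushes (the local `amazon/aws-for-fluent-bit:latest`) would close that gap, assuming the manifest digest survives the push unchanged, which is worth confirming. Style-wise the result is passed back through the global `IMAGE_SHA_MATCHED` declared in the `@@ -17,6 +17,8 @@` hunk, and `sha1`/`sha2` are unscoped so `verify_sha` overwrites its caller's variables; a function exit status and `local` variables make the control flow explicit, as sketched below. `'[Publish Verification] Successfull'` also carries a typo that will appear in every build log. `verify_ecr` begins outside the hunk.
```shell
verify_sha() {
    local sha1=${1}
    local sha2=${2}

    if match_two_sha "$sha1" "$sha2"; then
        echo '[Publish Verification] Successful'
    else
        echo '[Publish Verification] Failed'
        exit 1
    fi
}

match_two_sha() {
    # Compare only the 64 hex digits; the registry/repo prefix differs per target
    local last64_1 last64_2
    last64_1=$(echo "${1}" | egrep -o '.{1,64}$')
    last64_2=$(echo "${2}" | egrep -o '.{1,64}$')

    [ "$last64_1" = "$last64_2" ]
}
```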
@@ -313,3 +359,34 @@ if [ "${1}" = "rollback-ssm" ]; then
 rollback_ssm ${bahrain_region}
 fi
 fi
+
+# Publish using CI/CD pipeline
+# Following scripts will be called only from the CI/CD pipeline
+if [ "${1}" = "cicd-publish" ]; then
+ if [ "${2}" = "dockerhub" ]; then
+ publish_to_docker_hub amazon/aws-for-fluent-bit:latest amazon/aws-for-fluent-bit:${AWS_FOR_FLUENT_BIT_VERSION}
+ elif [ "${2}" = "aws-us-gov" ]; then
+ for region in ${gov_regions}; do
+ gov_cloud_sync ${region} ${gov_regions_account_id}
+ done
+ elif [ "${2}" = "${hongkong_region}" ]; then
+ publish_ecr ${hongkong_region} ${hongkong_account_id}
+ elif [ "${2}" = "${bahrain_region}" ]; then
+ publish_ecr ${bahrain_region} ${bahrain_account_id}
+ else
+ publish_ecr "${2}" ${classic_regions_account_id}
+ fi
+fi
+
+# Verify using CI/CD pipeline
+if [ "${1}" = "cicd-verify" ]; then
+ if [ "${2}" = "dockerhub" ]; then
+ verify_dockerhub
+ elif [ "${2}" = "${hongkong_region}" ]; then
+ verify_ecr ${hongkong_region} ${hongkong_account_id}
+ elif [ "${2}" = "${bahrain_region}" ]; then
+ verify_ecr ${bahrain_region} ${bahrain_account_id}
+ else
+ verify_ecr "${2}" ${classic_regions_account_id}
+ fi
+fi
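Review bot: In the `cicd-publish` dispatch any second argument that is not `dockerhub`, `aws-us-gov`, `${hongkong_region}` or `${bahrain_region}` falls into the `else` branch and is pushed to `${2}.dkr.ecr...` under the classic account id, so a mistyped or newly introduced region name is published without review instead of being rejected; checking membership in `${classic_regions}` before calling `publish_ecr` keeps the set of publish targets explicit (sketch below; the same guard fits the `cicd-verify` `else`). `cicd-verify` also has no `aws-us-gov` branch while `cicd-publish` does, so pushes made through `gov_cloud_sync` appear to go unverified; if that is intentional a comment saying why would help. Both blocks are new top-level statements appended after the existing `rollback-ssm` dispatch, whose start is outside the hunk.
```shell
    else
        # Only push to a region from the known classic list; anything else is a typo or a target that needs review first
        case " $(echo ${classic_regions}) " in
            *" ${2} "*) publish_ecr "${2}" ${classic_regions_account_id} ;;
            *) echo "Unknown publish target: ${2}" >&2; exit 1 ;;
        esac
    fi
```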