feat(codebuild): Add support for triggering and monitoring AWS CodeBu…

[Kaixiang-AWS]

…ild builds

Add functionalities to start a build in AWS CodeBuild and monitor the build status. AWS CodeBuild is different from the existing build services (Jenkins, Travis) therefore cannot use the existing architecture. It's more like Google Cloud Build which implements its own authentication strategy.

For CodeBuild account in igor, it uses AWS access key id and secret to authenticate. I don't know if there's way to talk to clouddriver to fetch aws cloud provider credentials. If yes, I can update my implementation later to fetch credentials from clouddriver.

Related Issue: spinnaker/spinnaker#5292

[clareliguori]

Ideally you don't use static credentials, you use a role so that you don't have to store static creds in your hal config. With clouddriver, the 'aws' provider account is configured with a role to assume, and the environment where clouddriver runs is configured with credentials that the SDK default creds provider can pick up to assume that role (like instance creds, ECS creds, env variable creds, etc) using the STSAssumeRoleSessionCredentialsProvider.

So my hal config looks something like this:

      accounts:
      - name: my-aws-devel-acct
        requiredGroupMembership: []
        providerVersion: V1
        accountId: '111111111111'
        regions:
        - name: eu-central-1
        assumeRole: role/SpinnakerManaged

And then clouddriver just uses the role session provider:
https://github.com/spinnaker/clouddriver/tree/master/clouddriver-aws/src/main/groovy/com/netflix/spinnaker/clouddriver/aws/security

[Kaixiang-AWS]

The ideal scenario would be specifying aws account name in codebuild account configuration and then all codebuild operations use the credentials from that aws account associated. However, I couldn't find a way to let igor talk to clouddriver to fetch the credentials. Another way is re-implementing the assume role logic in igor. That will introduce duplicate code in two packages. I can do that if that's really necessary.

[clareliguori]

Yeah agree that would be ideal, but I do think you will need to duplicate the logic unfortunately, though it can probably be simpler in Igor than the way it's implemented in clouddriver

[clareliguori]

When this is a stage in a pipeline, is it common to get any other attributes like the commit ID that needs to be built? I'm surprised not to see sourceVersion as an input

[Kaixiang-AWS]

I will add more advanced use case such as source version and environment variables in later commits. This commit is more focusing on successfully trigger a build from Spinnaker and monitor build status.

[clareliguori]

Would this include ThrottlingException? Should API rate throttling be a build job error or a runtime exception?

[Kaixiang-AWS]

ThrottlingException does not inherit from AWSCodeBuildException so it will be a RuntimeException

[clareliguori]

I'm not sure what the implications of picking build job error vs runtime exception are for how Spinnaker behaves when these are returned; I'm not super familiar with Igor. Why should ThrottlingException be runtime error but AccountLimitExceededException be a build error?

[Kaixiang-AWS]

BuildJobError is returned as 400 while RuntimeException will become an InternalError and return 500. I think throttling exception should probably return 400 instead of 500. I will categorize it as BuildJobError as well.

[clareliguori]

You could also look at the exception error type:
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/AmazonServiceException.ErrorType.html

[clareliguori]

Ideally this is account ID + role, instead of static credentials that have to be rotated