Ok so I have the exact build script to build my nodejs app. The idea is to set up a CI/CD pipeline that will build our app across different AWS accounts such as DEV, STAGING, and PROD.

I have a repo in Account A (Dev) that hosts a nodejs app. I want to be able to create a pipeline in Account B that checks out code from the repo in Account A. And finally, when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod).

My issue is not on how to build a nodejs app but rather how to allow codepipeline, in account B, to checkout the repo in account A and finally deploy the built app to staging and prod.

My ideas from reading around:

  1. Create IAM roles for the pipeline in Account A which allows to checkout codecommit repos
  2. Have the pipeline in account B assume the role from account A somehow

It's still not clear to me how to go about doing this; I'm just getting into aws

I will update this post if I come across a solution but maybe someone has a tutorial or could point me to a documentation or list the steps or an example here

pelican

2 Answers

From my understanding it is not possible to build a cross account pipeline using codepipeline. What you need to do is build your pipeline in your central account first.

The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.

As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. And these S3 buckets should be the sources of codepipelines in those accounts.

This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created to have bucket policies to only receive files from your central account.

This is, of course, not ideal but it's how I solved this issue beforehand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.

Good luck!

hynespm
  • Thank you for your response; it's really been a challenge to achieve this cross account stuff; I'm still working on it and hope to come up with a solution by end of this week and if I do I will post my steps on here but thank you! – pelican Apr 09 '18 at 18:19
  • Yeah, bear in mind though that if you create a deployment pipeline in any of the accounts (staging and prod, for example), you can create and repeat these easily. All you need to do is create one pipeline and then use the CLI to get a cloudformation template of the pipeline you want to repeat. aws codepipeline get-pipeline --name --output json this gives you the outline of your pipeline and it can then be repeated easily enough. – hynespm Apr 09 '18 at 18:30
  • Oh that's a neat trick, using the CLI to generate the cfn template for an existing pipeline. I'll look into that later. For now, my biggest challenge is building a pipeline in account A, which checks out a repo from Account B, and deploys the built nodejs app to Account C and D. I updated my question above to clarify. I know it's doable, just gotta figure it out. I'm gonna use this link: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html and I'll update this post if I figure it out so others can benefit bc I'm sure I'm not the only one with this issue – pelican Apr 09 '18 at 18:37

AWS provide a guide with source that does something close to what you are trying to do.

It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.

Stephen
  • I actually tried using this project and I'm not sure if I just need to spend more time tweaking things but I ran into a permissions nightmare. But I'll keep trying with this project and that doc link above and update this post with my exact process as I'm pretty sure I'm not the only one going through this process. Even if I get it to work by tweaking this project, I'd like to get to a place where I have an exact, clear recipe for achieving this kind of cross-account flow effortlessly – pelican Apr 10 '18 at 12:26
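
The two steps listed in the question (a role in Account A that can read the repo, assumed by the pipeline in Account B), sketched as IAM policy documents with a small check on the trust policy. This is an added example, not code from the post or from AWS; the account IDs, role name, repo name and region are constructed placeholders.

```python
import json

# Constructed placeholder values (assumptions, not taken from the post).
REPO_ACCOUNT = "111111111111"      # Account A: hosts the CodeCommit repo
PIPELINE_ACCOUNT = "222222222222"  # Account B: runs CodePipeline
PIPELINE_ROLE = f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/pipeline-service-role"  # hypothetical
REPO_ARN = f"arn:aws:codecommit:us-east-1:{REPO_ACCOUNT}:my-node-app"          # hypothetical


def trust_policy(principal_arn):
    """Trust policy for the role in Account A: who may call sts:AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]}


def source_permissions(repo_arn):
    """Permissions the assumed role needs to read one repo as a pipeline source."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                   "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus",
                   "codecommit:CancelUploadArchive"],
        "Resource": repo_arn}]}  # one repo, not "*"


def trust_findings(policy, allowed_account):
    """Flag Allow statements trusting '*' or an AWS principal outside allowed_account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            if arn == "*":
                findings.append("wildcard principal")
            elif arn != allowed_account and f":{allowed_account}:" not in arn:
                findings.append(f"principal outside account {allowed_account}: {arn}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(PIPELINE_ROLE), indent=2))
    print(json.dumps(source_permissions(REPO_ARN), indent=2))
    print(trust_findings(trust_policy("*"), PIPELINE_ACCOUNT))
```

The role in Account A also needs write access to the pipeline's artifact bucket and use of its KMS key, which this sketch leaves out.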