Experiment with buildspec.yml file

cfpb · Nov 27, 2024 · 559c2cc · 559c2cc
1 parent 286d94c
commit 559c2cc
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 47 deletions.
diff --git a/.github/workflows/friendly-umbrella-deploy.yml b/.github/workflows/friendly-umbrella-deploy.yml
@@ -13,56 +13,9 @@ jobs:
         uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
-            , ${{ secrets.SECURITY_SCAN_SECRET }}
             , ${{ secrets.RDS_CREDS_SECRET }}
           parse-json-secrets: true
 
-      - name: Build Docker Image
-        run: |
-
-          # Build Friendly-Umbrella Image
-          docker build -t ${{ secrets.ECR_REPO }}:$GITHUB_SHA .
-
-      - name: Security Scan with Twistlock
-        run: |
-
-          curl -k -u "$TL_USER:$TL_PASSWORD" "$TL_CONSOLE_URL/api/v1/util/twistcli" --output twistcli
-          chmod +x twistcli
-
-          ./twistcli images scan --details -address "${TL_CONSOLE_URL}" -u  "${TL_USER}" -p "${TL_PASSWORD}" ${{ secrets.ECR_REPO }}:$GITHUB_SHA tee twistcli.log; EXITCODE=$?
-
-
-      - name: Push to ECR
-        run: |
-
-          # Login to ECR
-          aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username ${{ secrets.AWS_USERNAME }} --password-stdin ${{ secrets.ECR_REGISTRY }}
-
-          # Push to ECR
-          docker push ${{ secrets.ECR_REPO }}:$GITHUB_SHA
-
-      - name: Install K8s/Helm
-        run: |
-
-          # Install Helm
-          curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
-          chmod 700 get_helm.sh
-          ./get_helm.sh
-
-          # Install kubectl
-          curl -o ./kubectl https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl
-          curl -o ./kubectl.sha256 https://s3.us-west-2.amazonaws.com/amazon-eks/1.25.14/2023-10-17/bin/linux/amd64/kubectl.sha256
-          (diff  <(openssl sha256 kubectl | awk {'print $2'}) <(cat kubectl.sha256 | awk {'print $1'}) &&
-            echo 'kubectl checksum matches, enabling usage') || (echo 'kubectl checksum failed, exiting' && exit 1)
-          chmod +x kubectl
-          mkdir -p $HOME/bin && mv kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
-          echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc
-          source ~/.bashrc
-          kubectl version --client
-
-          # Update kubeconfig to point to EKS Cluster
-          aws eks update-kubeconfig --name $CLUSTER_NAME --region us-east-1
-
       - name: Install Helm Chart on EKS
         run: >
           helm upgrade --install friendly-umbrella ./helm

diff --git a/buildspec.yml b/buildspec.yml
@@ -0,0 +1,32 @@
+version: 0.2
+
+env:
+  variables:
+    SERVICE_NAME: friendly-umbrella
+    CONTACTS_SECRET: cfpb/team/cfgov/contact-info
+    IMAGE_SCANNER_SECRET: cfpb/team/cfgov/image-scanner-creds
+    SMTP_CREDS_SECRET: cfpb/team/cfgov/smtp-ses-creds
+  secrets-manager:
+    EMAIL_TO: "${CONTACTS_SECRET}:developers"
+    IMAGE_SCANNER_URL: "${IMAGE_SCANNER_SECRET}:url"
+    IMAGE_SCANNER_USERNAME: "${IMAGE_SCANNER_SECRET}:username"
+    IMAGE_SCANNER_PASSWORD: "${IMAGE_SCANNER_SECRET}:password"
+    SMTP_HOST: "${SMTP_CREDS_SECRET}:smtp_server"
+    SMTP_PORT: "${SMTP_CREDS_SECRET}:smtp_port"
+    SMTP_USERNAME: "${SMTP_CREDS_SECRET}:username"
+    SMTP_PASSWORD: "${SMTP_CREDS_SECRET}:password"
+
+phases:
+  install:
+    commands:
+      - codebuild-init && source ./env.sh
+  pre_build:
+    commands:
+      - export IMAGE_NAME="cfpb/${NAMESPACE}/${SERVICE_NAME}"
+      - export IMAGE_TAG=$GIT_REF
+      - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+  build:
+    commands:
+      - docker build -t $REGISTRY_IMAGE_NAME .
+      - scan-image $REGISTRY_IMAGE_NAME $EMAIL_TO
+      - docker push $REGISTRY_IMAGE_NAME