
terraform-aws-codecommit


Terraform module to provision an AWS CodeCommit repository as part of a CI/CD system, including an SNS topic and triggers. It also includes an IAM policy and group that restrict (branch-protect) the master branch.

It's 100% Open Source and licensed under the Apache 2.0 license.

Usage


Include this repository as a module in your existing Terraform code:

```hcl
module "codecommit" {
  source          = "JamesWoolfenden/codecommit/aws"
  version         = "v0.3.0"
  default_branch  = var.default_branch
  repository_name = var.repository_name
  developer_group = var.developer_group
}
```

Costs

```text
✔ Calculating monthly cost estimate

Project: .

 Name                                          Monthly Qty  Unit  Monthly Cost

 module.codecommit.aws_sns_topic.notification
 └─ Requests                                   Cost depends on usage: $0.50 per 1M requests

 PROJECT TOTAL                                                     $0.00
```

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.eventrule | resource |
| aws_cloudwatch_event_target.target | resource |
| aws_codecommit_approval_rule_template.example | resource |
| aws_codecommit_approval_rule_template_association.link | resource |
| aws_codecommit_repository.repo | resource |
| aws_iam_group_policy_attachment.restrict-attach | resource |
| aws_iam_policy.restrictmaster | resource |
| aws_sns_topic.notification | resource |
| aws_sns_topic_policy.default | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.restrictmaster | data source |
| aws_iam_policy_document.sns_topic_policy | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| approver_role | ARN of the approver role | string | n/a | yes |
| default_branch | The name of the default repository branch | string | `"main"` | no |
| developer_group | An existing IAM group to attach the policy permissions to | string | `""` | no |
| kms_master_key_id | The KMS key to use | string | n/a | yes |
| repository_name | The name of your Git repository | string | n/a | yes |
| template | n/a | map | `{"approvers": 2, "description": "This is an example approval rule template", "name": "MyExampleApprovalRuleTemplate"}` | no |

Outputs

| Name | Description |
|------|-------------|
| clone_url_https | n/a |
| clone_url_ssh | n/a |

Policy Requirement

The Terraform resource required is:

```hcl
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"

  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "codecommit:CreateRepository",
                "codecommit:DeleteRepository",
                "codecommit:GetRepository",
                "codecommit:ListBranches",
                "codecommit:ListTagsForResource",
                "codecommit:UpdateRepositoryDescription"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "events:DeleteRule",
                "events:DescribeRule",
                "events:ListTagsForResource",
                "events:ListTargetsByRule",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:AttachGroupPolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:DetachGroupPolicy",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListAttachedGroupPolicies",
                "iam:ListPolicyVersions"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetTopicAttributes",
                "sns:ListTagsForResource",
                "sns:SetTopicAttributes"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
  })
}
```

Instructions

This module creates a repo in which direct updates to the master branch are denied. It has been a common DevOps process pattern to use the mainline model, or trunk-based development (https://paulhammant.com/2013/04/05/what-is-trunk-based-development/); experience suggests, however, that the optimal pattern is short-lived, single-activity feature branches. YMMV.

To use this repository the expected behaviour is to branch when starting a new piece of work, for example:

```bash
git pull
git checkout -b feature/JGW-121-Remove-Project-Managers
```

Do your work and commit it, then push to your feature branch:

```bash
git push -u origin feature/JGW-121-Remove-Project-Managers
```

Then, when you're done, create a PR and request the merge.

Details

Creates a group called developer, to which the policy is attached. To use the repo you need to add your users to that group.
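The module's own `restrictmaster` policy document is not reproduced on this page. As an added example (not the module's code), the following shows one way to express the restriction described above using the `codecommit:References` condition key that AWS documents for limiting pushes to a branch. It assumes the module inputs `var.default_branch`, `var.repository_name` and `var.developer_group` from the Inputs table, and the `aws_codecommit_repository.repo` resource from the Resources table; the resource and statement names are illustrative.

```hcl
# Added example, not the module's own restrictmaster policy.
# Assumes var.default_branch, var.repository_name, var.developer_group and
# aws_codecommit_repository.repo exist in the calling configuration.

data "aws_iam_policy_document" "protect_default_branch" {
  statement {
    sid    = "DenyDirectWritesToDefaultBranch"
    effect = "Deny"

    # Direct writes to the protected ref. Pull-request merge actions are
    # deliberately left out so the approval rule template, not this policy,
    # decides how reviewed code lands on the branch.
    actions = [
      "codecommit:GitPush",
      "codecommit:DeleteBranch",
      "codecommit:PutFile",
      "codecommit:MergeBranchesByFastForward",
      "codecommit:MergeBranchesBySquash",
      "codecommit:MergeBranchesByThreeWay",
    ]

    resources = [aws_codecommit_repository.repo.arn]

    # Only match requests whose target ref is the default branch.
    condition {
      test     = "StringEqualsIfExists"
      variable = "codecommit:References"
      values   = ["refs/heads/${var.default_branch}"]
    }

    # Null == "false" means "the key is present". Without it,
    # StringEqualsIfExists alone would also deny API calls that carry
    # no reference at all.
    condition {
      test     = "Null"
      variable = "codecommit:References"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "protect_default_branch" {
  name_prefix = "protect-${var.repository_name}-"
  description = "Deny direct writes to the ${var.default_branch} branch"
  policy      = data.aws_iam_policy_document.protect_default_branch.json
}

# Attach to the existing developer group named in the module inputs.
resource "aws_iam_group_policy_attachment" "protect_default_branch" {
  group      = var.developer_group
  policy_arn = aws_iam_policy.protect_default_branch.arn
}
```

Because this is an explicit Deny it wins over any Allow the group already carries, so the same developers keep their ability to push feature branches and open pull requests; only writes whose ref resolves to the default branch are refused. A push rejected by this policy surfaces as an access-denied `GitPush` event in CloudTrail, which is a useful signal to alert on.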

Using Codecommit

To use CodeCommit you need to set some git config properties for the credential helper:

```bash
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
```

And for SSH look at: https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html

Use ssh-keygen to create a key pair called codecommit in your ~/.ssh folder, then read the public key and your IAM user name:

```bash
publickey=$(<~/.ssh/codecommit.pub)
user=$(aws iam get-user --query 'User.UserName' --output text)
```

On Windows:

```powershell
$publickey = Get-Content ~/.ssh/codecommit.pub
$user = aws iam get-user --query 'User.UserName' --output text
```

On both (the quotes keep the key body, which contains spaces, as a single argument):

```bash
aws iam upload-ssh-public-key --user-name "$user" --ssh-public-key-body "$publickey"
```

Get your SSH key id from the previous command's output:

```bash
SSHPublicKeyId=$(aws iam list-ssh-public-keys --user-name "$user" --query 'SSHPublicKeys[*].SSHPublicKeyId' --output text)
```

Or, on Windows:

```powershell
$SSHPublicKeyId = (aws iam list-ssh-public-keys --user-name $user --query 'SSHPublicKeys[*].SSHPublicKeyId') | ConvertFrom-Json
```

Update your SSH config file with:

```powershell
$gitconfigupdate = @"
Host git-codecommit.*.amazonaws.com
  User $SSHPublicKeyId
  IdentityFile ~/.ssh/codecommit
"@
Add-Content ~/.ssh/config $gitconfigupdate
```

On Linux:

```bash
# Append (>>) rather than overwrite so existing Host entries survive
cat << EOF >> ~/.ssh/config
Host git-codecommit.*.amazonaws.com
  User $SSHPublicKeyId
  IdentityFile ~/.ssh/codecommit
EOF

eval $(ssh-agent -s)
ssh-add ~/.ssh/codecommit
```

Test with:

```bash
ssh git-codecommit.us-east-2.amazonaws.com
```

Related Projects

Check out these related projects.

Help

Got a question?

File a GitHub issue.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Copyrights

Copyright © 2019-2023 James Woolfenden

License


See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
