Usage

A CodeSeeder Seedkit is a set of AWS service resources scoped to a specific project that enables bundling of local projects, files, and libraries and remote execution in AWS CodeBuild. Deploying the Seedkit will configure the AWS CodeBuild Project with an IAM Role and an attached IAM Managed Policy. The Policy is least privilege scoped to grant the CodeBuild Project access to only the AWS resources deployed with the Seedkit. To enable the CodeBuild Project to manage additional resources the user must either attach additional IAM Managed Polices to the Seedkit’s IAM Role, or create a new IAM Role with required permissions and attach the Seedkit’s IAM Managed Policy to it.

Usage consists of:

  1. Installing the AWS CodeSeeder library

  2. Deploying a named CodeSeeder Seedkit for a project

  3. Configuring IAM permissions by either: - Attaching additional IAM Managed Policies to the Seedkit Role. This can be automated during Seedkit deployment or done manually by the User - Creating a new IAM Role and attaching the Seedkit Managed Policy to it. This must be done manually by the User

  4. Decorating project functions for configuration and remote execution

Installation

AWS CodeSeeder can be installed from PyPi

pip install aws-codeseeder

Deploying

A Seedkit can be deployed using the codeseedeer CLI or within the project using the aws_codeseeder.commands module. Optionally, additional IAM Managed Policies can be attached to the Seedkit’s IAM Role during deployment.

Basic CLI Deployment

codeseeder deploy seedkit my-example-deployment

CLI Deployment attaching Managed Policies

codeseeder deploy seedkit my-example-deployment \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--policy-arn arn:aws:iam::00000000000:policy/YourManagedPolicy

Basic Module Deployment

from aws_codeseeder import commands

commands.deploy_seedkit(seedkit_name="my-example-deployment")

Module Deployment attaching Manage Policies

from aws_codeseeder import commands

commands.deploy_seedkit(seedkit_name=name, managed_policy_arns=[
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::00000000000:policy/YourManagedPolicy"
])

Configuring IAM Permissions

If IAM Managed Policies are not attached to the Seedkit’s IAM Role during deployment or if another IAM Role is to be used for the CodeBuild Project then manual configuration will be required. Users can use the Console, AWS CLI, or AWS SDKs to attach additional Managed Policies to the Seedkit’s Role. The same tools can be used to create an IAM Role.

If manually attaching additional Managed Polices to the Seedkit’s IAM Role, the Role can be identified by its naming convention: codeseeder-[SEEDKIT_NAME]-[REGION]-codebuild. For example codeseeder-my-example-deployment-us-west-2-codebuild.

If Creating a new IAM Role, the Role will need a Trust Relationship with AWS CodeBuild and the Seedkit’s Managed Policy should be attached to grant access to Seedkit resources. The Seedkit Managed Policy can be identified by its naming convention: codeseeder-[SEEDKIT_NAME]-[REGION]-resources. For example codeseeder-my-example-deployment-us-west-2-resources. An example Trust Retlationship Policy doc:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Decorating Project Code

Two function decorators are provided: codeseeder.configure and codeseeder.remote_function. The codeseeder.configure decorator identifies a function that globally configures remote executions. The codeseeder.remote_function identifies functions that will be intercepted, wrapped, and executed remotely in AWS CodeBuild. See the example/ project for advanced usage.

Configuration

from aws_codeseeder import codeseeder

@codeseeder.configure("my-example-deployment")
def configure(configuration: codeseeder.CodeSeederConfig) -> None:
    configuration.python_modules = ["boto3~=1.19.0"]
    configuration.local_modules = {
        "my-example": os.path.realpath(os.path.join(CLI_ROOT, "../")),
    }
    configuration.requirements_files = {"my-example": os.path.realpath(os.path.join(CLI_ROOT, "../requirements.txt"))}
    configuration.install_commands = ["npm install -g aws-cdk@1.100.0"]
    configuration.dirs = {"images": os.path.realpath(os.path.join(CLI_ROOT, "../images"))}
    configuration.files = {"README.md": os.path.realpath(os.path.join(CLI_ROOT, "../README.md"))}

Remote Function Execution

from aws_codeseeder import codeseeder

@codeseeder.remote_function("my-example-deployment")
def remote_hello(name: str) -> None:
    # This code will be executed in AWS CodeBuild
    print(f"Hello {name}")