Usage
A CodeSeeder Seedkit is a set of AWS service resources scoped to a specific project that enables bundling of local projects, files, and libraries and remote execution in AWS CodeBuild. Deploying the Seedkit will configure the AWS CodeBuild Project with an IAM Role and an attached IAM Managed Policy. The Policy is scoped for least privilege: it grants the CodeBuild Project access to only the AWS resources deployed with the Seedkit. To enable the CodeBuild Project to manage additional resources, the user must either attach additional IAM Managed Policies to the Seedkit’s IAM Role, or create a new IAM Role with the required permissions and attach the Seedkit’s IAM Managed Policy to it.
Usage consists of:
Installing the AWS CodeSeeder library
Deploying a named CodeSeeder Seedkit for a project
Configuring IAM permissions by either:
- Attaching additional IAM Managed Policies to the Seedkit Role. This can be automated during Seedkit deployment or done manually by the User
- Creating a new IAM Role and attaching the Seedkit Managed Policy to it. This must be done manually by the User
Decorating project functions for configuration and remote execution
Deploying
A Seedkit can be deployed using the codeseeder CLI or within the project using the aws_codeseeder.commands module. Optionally, additional IAM Managed Policies can be attached to the Seedkit’s IAM Role during deployment.
Basic CLI Deployment
codeseeder deploy seedkit my-example-deployment
CLI Deployment attaching Managed Policies
codeseeder deploy seedkit my-example-deployment \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--policy-arn arn:aws:iam::00000000000:policy/YourManagedPolicy
Basic Module Deployment
from aws_codeseeder import commands
commands.deploy_seedkit(seedkit_name="my-example-deployment")
Module Deployment attaching Managed Policies
from aws_codeseeder import commands
# Policies listed here are attached to the Seedkit's IAM Role during deployment
commands.deploy_seedkit(seedkit_name="my-example-deployment", managed_policy_arns=[
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
    "arn:aws:iam::00000000000:policy/YourManagedPolicy"
])
Configuring IAM Permissions
If IAM Managed Policies are not attached to the Seedkit’s IAM Role during deployment or if another IAM Role is to be used for the CodeBuild Project then manual configuration will be required. Users can use the Console, AWS CLI, or AWS SDKs to attach additional Managed Policies to the Seedkit’s Role. The same tools can be used to create an IAM Role.
If manually attaching additional Managed Policies to the Seedkit’s IAM Role, the Role can be identified by its naming convention: codeseeder-[SEEDKIT_NAME]-[REGION]-codebuild. For example codeseeder-my-example-deployment-us-west-2-codebuild.
If creating a new IAM Role, the Role will need a Trust Relationship with AWS CodeBuild and the Seedkit’s Managed Policy should be attached to grant access to Seedkit resources. The Seedkit Managed Policy can be identified by its naming convention: codeseeder-[SEEDKIT_NAME]-[REGION]-resources. For example codeseeder-my-example-deployment-us-west-2-resources. An example Trust Relationship Policy doc:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
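The manual path described above (new Role, CodeBuild trust, Seedkit Managed Policy attached), as an added example that is not part of the CodeSeeder project or its documentation. The helper names, the role_name argument and the policy ARN layout (default path "/", partition "aws") are assumptions; create_role and attach_role_policy are the boto3 IAM client calls.

```python
import json

# Trust policy from the page: only the CodeBuild service may assume the role.
CODEBUILD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def seedkit_names(seedkit_name, region):
    """Return (role_name, policy_name) per the page's naming convention."""
    base = f"codeseeder-{seedkit_name}-{region}"
    return f"{base}-codebuild", f"{base}-resources"


def trust_is_codebuild_only(doc):
    """True only if every statement lets CodeBuild, and nothing else, assume the role."""
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # IAM also accepts a single statement object
        stmts = [stmts]
    return bool(stmts) and all(
        s.get("Effect") == "Allow"
        and s.get("Action") == "sts:AssumeRole"
        and s.get("Principal") == {"Service": "codebuild.amazonaws.com"}
        for s in stmts
    )


def create_custom_role(iam, account_id, seedkit_name, region, role_name,
                       trust=CODEBUILD_TRUST):
    """Create role_name and attach the Seedkit Managed Policy to it.

    iam: a boto3 IAM client, or any object offering the same two methods.
    Assumption: the policy uses the default path "/" in the "aws" partition.
    """
    if not trust_is_codebuild_only(trust):
        raise ValueError("trust policy is wider than codebuild.amazonaws.com")
    _, policy_name = seedkit_names(seedkit_name, region)
    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return policy_arn
```

Passing boto3.client("iam") as iam performs the real calls. trust_is_codebuild_only can also be run on the AssumeRolePolicyDocument that get_role returns, to audit a role that was created by hand.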
Decorating Project Code
Two function decorators are provided: codeseeder.configure and codeseeder.remote_function. The codeseeder.configure decorator identifies a function that globally configures remote executions. The codeseeder.remote_function decorator identifies functions that will be intercepted, wrapped, and executed remotely in AWS CodeBuild. See the example/ project for advanced usage.
Configuration
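import os

from aws_codeseeder import codeseeder

# CLI_ROOT is not defined in the original snippet; assumed here to be this file's directory
CLI_ROOT = os.path.dirname(os.path.abspath(__file__))

@codeseeder.configure("my-example-deployment")
def configure(configuration: codeseeder.CodeSeederConfig) -> None:
    # Python packages and local modules to install in the CodeBuild environment
    configuration.python_modules = ["boto3~=1.19.0"]
    configuration.local_modules = {
        "my-example": os.path.realpath(os.path.join(CLI_ROOT, "../")),
    }
    configuration.requirements_files = {"my-example": os.path.realpath(os.path.join(CLI_ROOT, "../requirements.txt"))}
    # Extra shell commands run during the install phase
    configuration.install_commands = ["npm install -g aws-cdk@1.100.0"]
    # Local directories and files bundled with the project
    configuration.dirs = {"images": os.path.realpath(os.path.join(CLI_ROOT, "../images"))}
    configuration.files = {"README.md": os.path.realpath(os.path.join(CLI_ROOT, "../README.md"))}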
Remote Function Execution
from aws_codeseeder import codeseeder

@codeseeder.remote_function("my-example-deployment")
def remote_hello(name: str) -> None:
    # This code will be executed in AWS CodeBuild
    print(f"Hello {name}")