forked from aws/aws-for-fluent-bit
-
Notifications
You must be signed in to change notification settings - Fork 0
/
buildspec_publish_ecr.yml
61 lines (55 loc) · 3.12 KB
/
buildspec_publish_ecr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
version: 0.2
phases:
install:
runtime-versions:
golang: 1.13
python: 3.x
pre_build:
commands:
- echo Publish the image to ECR
build:
commands:
# Enforce STS regional endpoints
- export AWS_STS_REGIONAL_ENDPOINTS=regional
# Pull the image that we built and pushed in the `Build` stage
- aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"amd64"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"arm64"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"amd64-debug"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"arm64-debug"
# Image with Init Process
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-amd64"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-arm64"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-amd64-debug"
- docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-arm64-debug"
# List the docker images
- docker images
# Assume role to publish, get the credentials, and set them as environment variables
- |
if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
CREDS=`aws sts assume-role --role-arn ${PUBLISH_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
fi
# Push the image to ECR
- './scripts/publish.sh cicd-publish ${REGION_TO_PUSH}'
# Nullify the temporary credentials for the assumed role to publish
- |
if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_SESSION_TOKEN=
fi
# Assume role to verify, get the credentials, and set them as environment variables.
# Verification should be done using the credentials from a different account. It ensures that
# the images we published are public and accessible from any account.
- CREDS=`aws sts assume-role --role-arn ${VERIFY_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
- export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
- export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
- export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
# Verify from the verification account
- './scripts/publish.sh cicd-verify ${REGION_TO_PUSH}'
artifacts:
files:
- '**/*'