From 2a629c23814beef9b9c0cd6d89801cad5a48fea0 Mon Sep 17 00:00:00 2001 
From: Simon Kok Date: Fri, 24 Dec 2021 22:41:33 +0100 Subject: [PATCH] Change example email domains and account ids **Why?** To ensure that email addresses or account ids are not exposed by accident, this is the first step to ensure that the same example email addresses and account ids are used, such that a mechanism can be introduced to prevent accidentally committing email addresses or account ids that are not supposed to be shared publicly. **What?** This step updates all the email addresses and account ids in the code and documentation. The instructions for our contributors received an update too. In case you want to specify an example email address, please make use of one of the following email addresses: * `jane@example.com` * `john@example.com` * `janes_team@example.com` * Or another `@example.com` * For tests that could potentially create accounts (if mocks failed to work), please use `test@amazon.com` instead. When you want to write documentation/tests and need an example account id, the following account ids may be used: * `111111111111` * `222222222222` * ... to ... 
* `999999999999` * or to show the length more easily: * `012345678910` * `012345671234` * `123456789012` --- CONTRIBUTING.md | 32 +++ docs/admin-guide.md | 66 ++--- docs/user-guide.md | 38 +-- .../template.yml | 10 +- .../account/tests/test_main.py | 14 +- .../tests/test_account_alias.py | 2 +- .../tests/test_account_creation.py | 14 +- .../tests/test_account_file_processing.py | 43 ++-- .../adf-accounts/readme.md | 6 +- .../example-deployment_map.yml | 78 +++--- .../tests/adf_codepipeline_test_constants.py | 3 +- ...est_adf_codebuild_determine_build_image.py | 2 +- .../tests/test_pipeline_creation.py | 4 +- .../adf-build/shared/helpers/sts.sh | 2 +- .../shared/python/tests/stubs/stub_event.py | 4 +- .../shared/python/tests/stubs/stub_kms.py | 2 +- .../adf-build/shared/python/tests/test_iam.py | 19 +- .../shared/python/tests/test_organizations.py | 2 +- .../adf-build/shared/schema_validation.py | 4 +- .../tests/stubs/stub_deployment_map.yml | 231 +----------------- .../shared/tests/stubs/stub_target.py | 12 +- .../shared/tests/test_deployment_map.py | 2 +- .../adf-build/shared/tests/test_pipeline.py | 2 +- .../adf-build/shared/tests/test_target.py | 4 +- .../adf-build/tests/stubs/stub_adfconfig.yml | 6 +- .../adf-build/tests/test_config.py | 6 +- .../adf-build/tests/test_main.py | 7 +- .../example-adfconfig.yml | 12 +- src/template.yml | 4 +- 29 files changed, 226 insertions(+), 405 deletions(-) mode change 100644 => 120000 src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 712870b32..294bdbeec 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,6 +21,7 @@ reported the issue. Please try to include as much information as you can. Detail ## Contributing via Pull Requests + Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 1. You are working against the latest source on the *master* branch. 
@@ -41,16 +42,47 @@ GitHub provides additional document on [forking a repository](https://help.githu ## Finding contributions to work on + Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/awslabs/aws-deployment-framework/labels/help%20wanted) issues is a great place to start. +## Use of examples + +To ensure that email addresses or account ids are not exposed by accident, +it is recommended to use one of the following examples instead: + +In case you want to specify an example email address, please make use of one of +the following email addresses: + +* `jane@example.com` +* `john@example.com` +* `janes_team@example.com` +* Or another `@example.com` +* For tests that could potentially create accounts (if mocks failed to work), + please use `test@amazon.com` instead. + +When you want to write documentation/tests and need an example account id, the +following account ids may be used: + +* `111111111111` +* `222222222222` +* ... to ... +* `999999999999` +* or to show the length more easily: +* `012345678910` +* `012345671234` +* `123456789012` + + ## Code of Conduct + This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact opensource-codeofconduct@amazon.com with any additional questions or comments. ## Security issue notifications + If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. diff --git a/docs/admin-guide.md b/docs/admin-guide.md index 3b22702b7..5bedfb4dc 100644 --- a/docs/admin-guide.md 
+++ b/docs/admin-guide.md @@ -49,23 +49,23 @@ roles: regions: deployment-account: - eu-central-1 - targets: # No need to also include 'eu-central-1' in targets as the deployment-account region is also considered a target region by default. + targets: # No need to also include 'eu-central-1' in targets as the deployment-account region is also considered a target region by default. - eu-west-1 config: main-notification-endpoint: - type: email - target: john@doe.com + target: jane@example.com moves: - name: to-root action: safe - protected: # Optional + protected: # Optional - ou-123 - scp: # Service Control Policy - keep-default-scp: enabled # Optional - scm: # Source Control Management - auto-create-repositories: enabled # Optional - default-scm-branch: master # Optional + scp: # Service Control Policy + keep-default-scp: enabled # Optional + scm: # Source Control Management + auto-create-repositories: enabled # Optional + default-scm-branch: master # Optional ``` In the above example the properties are categorized into `roles`, `regions`, @@ -238,14 +238,14 @@ When you enter the *source_account_id* in the *deployment_map.yml**, you are say ```yaml pipelines: - - name: vpc # <-- The CodeCommit repository on the source account would need to have this name + - name: vpc # <-- The CodeCommit repository on the source account would need to have this name default_providers: source: provider: codecommit properties: - account_id: 11111111111111 # <-- This teams AWS account is the only one able to push into this pipeline + account_id: 111111111111 # <-- This teams AWS account is the only one able to push into this pipeline targets: - - /security # Shorthand target example + - /security # Shorthand target example ``` Here is an example of passing in a parameter to a pipeline to override the default branch that is used to trigger the pipeline from, this time using Github as a source *(No need for source_account_id)*. 
@@ -253,18 +253,18 @@ Here is an example of passing in a parameter to a pipeline to override the defau ```yaml pipelines: - - name: vpc # The Github repo would have this name + - name: vpc # The Github repo would have this name default_providers: source: provider: github properties: branch: dev/feature - repository: example-vpc # Optional, above name property will be used if this is not specified + repository: example-vpc # Optional, above name property will be used if this is not specified owner: bundyfx - oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager - json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token + oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager + json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token targets: - - /security # Shorthand example + - /security # Shorthand example ``` **Note** If you find yourself specifying the same set of parameters over and over through-out the deployment map consider using [Yaml Anchors and Alias](./user-guide.md). 
@@ -311,10 +311,10 @@ pipelines: source: provider: github properties: - repository: example-vpc-adf # Optional, above name property will be used if this is not specified - owner: bundyfx # Who owns this repository + repository: example-vpc-adf # Optional, above name property will be used if this is not specified + owner: awslabs # Who owns this repository oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager - json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token. example: if we stored {"token": "123secret"} - 'token' would be the json_field value. + json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token. example: if we stored {"token": "123secret"} - 'token' would be the json_field value. targets: - /security ``` 
@@ -331,24 +331,24 @@ pipelines: provider: codecommit properties: account_id: 111111111111 - completion_trigger: # <--- When this pipeline finishes it will automatically start sample-iam and sample-ecs-cluster at the same time + completion_trigger: # <--- When this pipeline finishes it will automatically start sample-iam and sample-ecs-cluster at the same time pipelines: - sample-iam - sample-ecs-cluster - targets: &generic_targets # using YAML Anchor + targets: &generic_targets # Using a YAML Anchor, *generic_targets will paste the same value as defined in `targets` here. - /banking/testing - approval - /banking/production - name: sample-iam default_providers: - source: *generic_source # using YAML Alias - targets: *generic_targets # using YAML Alias + source: *generic_source # Using YAML Alias + targets: *generic_targets # Using YAML Alias - name: sample-ecs-cluster default_providers: - source: *generic_source # using YAML Alias - targets: *generic_targets # using YAML Alias + source: *generic_source # Using YAML Alias + targets: *generic_targets # Using YAML Alias ``` ## Service Control Policies @@ -402,9 +402,9 @@ pipelines: source: provider: codecommit properties: - account_id: 111112233332 + account_id: 111111111111 params: - notification_endpoint: team-bugs # This channel will receive pipeline events (success/failures/approvals) + notification_endpoint: team-bugs # This channel will receive pipeline events (success/failures/approvals) restart_execution_on_update: True targets: - path: /banking/testing 
@@ -539,15 +539,15 @@ Please trace the failed component and dive into/report the debug information. The main components to look at are: 1. In the AWS Management Account in `us-east-1`: - 1. the [CloudFormation aws-deployment-framework stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringStatus=active&filteringText=aws-deployment-framework&viewNested=true&hideStacks=false). - 1. the [CloudWatch Logs for the Lambda functions deployed by ADF](https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions?f0=true&n0=false&op=and&v0=ADF). - 1. check if the [CodeCommit pull request](https://console.aws.amazon.com/codesuite/codecommit/repositories/aws-deployment-framework-bootstrap/pull-requests?region=us-east-1&status=OPEN) to install the latest version changes of ADF has been merged into your main branch for the `aws-deployment-framework-bootstrap` (ADF Bootstrap) repository. - 1. the [CodePipeline execution of the AWS Bootstrap pipeline](https://console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-bootstrap-pipeline/view?region=us-east-1). - 1. the [ADF Bootstrapping Step Function State Machine](https://console.aws.amazon.com/states/home?region=us-east-1#/statemachines). + 1. The [CloudFormation aws-deployment-framework stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringStatus=active&filteringText=aws-deployment-framework&viewNested=true&hideStacks=false). + 1. The [CloudWatch Logs for the Lambda functions deployed by ADF](https://console.aws.amazon.com/lambda/home?region=us-east-1#/functions?f0=true&n0=false&op=and&v0=ADF). + 1. 
Check if the [CodeCommit pull request](https://console.aws.amazon.com/codesuite/codecommit/repositories/aws-deployment-framework-bootstrap/pull-requests?region=us-east-1&status=OPEN) to install the latest version changes of ADF has been merged into your main branch for the `aws-deployment-framework-bootstrap` (ADF Bootstrap) repository. + 1. The [CodePipeline execution of the AWS Bootstrap pipeline](https://console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-bootstrap-pipeline/view?region=us-east-1). + 1. The [ADF Bootstrapping Step Function State Machine](https://console.aws.amazon.com/states/home?region=us-east-1#/statemachines). * Look at the previous executions of the State Machine. * When you find one that has a failed execution, check the components that are marked orange/red in the diagram. 1. In the AWS Deployment Account in the deployment region: - 1. the [CodePipeline execution of the `aws-deployment-framework-pipelines` (ADF pipelines) repository](https://eu-west-1.console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-pipelines/view?region=eu-west-1) <- link points to `eu-west-1`, please change that to your own deployment region. + 1. The [CodePipeline execution of the `aws-deployment-framework-pipelines` (ADF pipelines) repository](https://eu-west-1.console.aws.amazon.com/codesuite/codepipeline/pipelines/aws-deployment-framework-pipelines/view?region=eu-west-1) <- link points to `eu-west-1`, please change that to your own deployment region. ### How to share debug information diff --git a/docs/user-guide.md b/docs/user-guide.md index 9d55050b7..3765d7717 100644 --- a/docs/user-guide.md +++ b/docs/user-guide.md 
@@ -43,16 +43,16 @@ pipelines: source: provider: codecommit properties: - account_id: 111112233332 # The AWS Account where the source code will be in a CodeCommit Repository + account_id: 111111111111 # The AWS Account where the source code will be in a CodeCommit Repository params: - notification_endpoint: janes_team@doe.com # Optional + notification_endpoint: janes_team@example.com # Optional tags: foo: bar # Pipelines support tagging targets: - path: /security regions: eu-west-1 - - approval # This is a shorthand example of an approval step within a pipeline - - /banking/testing # This is a shorthand example of a step within a pipeline targeting an OU + - approval # This is a shorthand example of an approval step within a pipeline + - /banking/testing # This is a shorthand example of a step within a pipeline targeting an OU - name: vpc default_providers: 
@@ -64,13 +64,13 @@ pipelines: oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token params: - notification_endpoint: joes_team@company.nl + notification_endpoint: joes_team@example.com targets: - path: /banking/testing name: fancy-name #Optional way to pass a name for this stage in the pipeline ``` -In the above example we are creating two pipelines with AWS CodePipeline. The first one will deploy from a repository named **iam** that lives in the account **123456789101**. This CodeCommit Repository will automatically be created by default in the 123456789101 AWS Account if it does not exist. The automatic repository creation occurs if you enable `'auto-create-repositories'` (which is enabled by default). The `iam` pipeline will use AWS CodeCommit as its source and deploy in 3 steps. The first stage of the deployment will occur against all AWS Accounts that are in the `/security` Organization unit and be targeted to the `eu-west-1` region. After that, there is a manual approval phase which is denoted by the keyword `approval`. The next step will be targeted to the accounts within the `/banking/testing` OU *(in your default deployment account region)* region. By providing a simple path without a region definition it will default to the region chosen as the deployment account region in your [adfconfig](./admin-guide/adfconfig.yml). Any failure during the pipeline will cause it to halt. +In the above example we are creating two pipelines with AWS CodePipeline. The first one will deploy from a repository named **iam** that lives in the account `111111111111`. This CodeCommit Repository will automatically be created by default in the `111111111111` AWS Account if it does not exist. 
The automatic repository creation occurs if you enable `'auto-create-repositories'` (which is enabled by default). The `iam` pipeline will use AWS CodeCommit as its source and deploy in 3 steps. The first stage of the deployment will occur against all AWS Accounts that are in the `/security` Organization unit and be targeted to the `eu-west-1` region. After that, there is a manual approval phase which is denoted by the keyword `approval`. The next step will be targeted to the accounts within the `/banking/testing` OU *(in your default deployment account region)* region. By providing a simple path without a region definition it will default to the region chosen as the deployment account region in your [adfconfig](./admin-guide/adfconfig.yml). Any failure during the pipeline will cause it to halt. The second pipeline (*vpc*) example deploys to an OU path `/banking/testing`. You can choose between an absolute path in your AWS Organization, AWS Account ID or an array of OUs or IDs. This pipeline also uses Github as a source rather than AWS CodeCommit. When generating the pipeline, ADF expects [GitHub Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) to be placed in AWS Secrets Manager in a path prefixed with `/adf/`. @@ -83,9 +83,10 @@ Tags on AWS Accounts can also be used to define stages within a pipeline. For ex We do that with the following syntax: ```yaml +pipelines: - name: vpc-for-foo-team default_providers: - ... + # ... targets: - tags: # Using tags to define the stage rather than a path or account id cost-center: foo-team 
@@ -100,7 +101,7 @@ Adding or Removing Tags to an AWS Account in AWS Organizations will automaticall In most cases, you can target accounts directly by passing the AWS Account Id as an integer, as shown in the example above. However, in case the AWS Account -Id starts with a zero, for example `011112233332`, you will need to pass the +Id starts with a zero, for example `012345678910`, you will need to pass the AWS Account Id as a string instead. Due to the way the YAML file is read, it will automatically transform @@ -123,7 +124,7 @@ pipelines: source: provider: codecommit properties: - account_id: 111112233332 + account_id: 111111111111 build: provider: codebuild image: "STANDARD_4_0" # Use a specific docker image (supports Python 3.7 and Python 3.8) for the build stage in this pipeline -> https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-codebuild.LinuxBuildImage.html @@ -236,6 +237,7 @@ The following are the available pipeline parameters: Pipelines can also trigger other pipelines upon completion. To do this, use the *on_complete* key on the triggers definition. For example: ```yaml +pipelines: - name: ami-builder default_providers: source: @@ -269,6 +271,7 @@ Pipelines can also trigger other pipelines upon completion. To do this, use the Completion triggers can also be defined in a short handed fashion. Take the above example for the ami-builder pipeline. ```yaml +pipelines: - name: ami-builder # Default providers and parameters are the same as defined above. # Only difference: instead of using `triggers` it uses the `completion_triggers` @@ -288,6 +291,7 @@ Completion triggers can also be defined in a short handed fashion. Take the abov Pipelines can also be triggered by other events using the *triggered_by* key on the triggers definition. For example, a new version of a package hosted on CodeArtifact being published: ```yaml +pipelines: - name: ami-builder default_providers: source: 
@@ -374,14 +378,14 @@ pipelines: - name: example-custom-image default_providers: source: - ... + # ... build: provider: codebuild image: - repository_arn: arn:aws:ecr:region:012345678910:repository/test + repository_arn: arn:aws:ecr:region:111111111111:repository/test tag: latest # optional (defaults to latest) targets: - - ... + - # ... ``` Public images from docker hub can be defined in your deployment map like so: @@ -391,13 +395,13 @@ pipelines: - name: example-custom-image default_providers: source: - ... + # ... build: provider: codebuild properties: image: docker-hub://bitnami/mongodb targets: - - ... + - # ... ``` ### CloudFormation Parameters and Tagging @@ -513,7 +517,7 @@ pipelines: source: provider: codecommit properties: - account_id: 22222222222 + account_id: 222222222222 build: provider: codebuild properties: 
@@ -550,10 +554,10 @@ Parameter injection is also useful for importing output values from CloudFormati ```yaml Parameters: - BucketInLoggingAccount: 'import:123456789101:eu-west-1:stack_name:output_key' + BucketInLoggingAccount: 'import:111111111111:eu-west-1:stack_name:output_key' ``` -In the above example *123456789101* is the AWS Account Id in which we want to pull a value from, *eu-west-1* is the region, stack_name is the CloudFormation stack name and *output_key* is the output key name *(not export name)*. Again, this concept works with the optional style syntax *(eg, import:123456789101:eu-west-1:stack_name:output_key?)* if the key *output_key* does not exist at the point in time when this specific import is executed, it will return an empty string as the parameter value rather than an error since it is considered optional. +In the above example *111111111111* is the AWS Account Id in which we want to pull a value from, *eu-west-1* is the region, stack_name is the CloudFormation stack name and *output_key* is the output key name *(not export name)*. Again, this concept works with the optional style syntax *(eg, import:111111111111:eu-west-1:stack_name:output_key?)* if the key *output_key* does not exist at the point in time when this specific import is executed, it will return an empty string as the parameter value rather than an error since it is considered optional. #### Uploading assets diff --git a/samples/sample-service-catalog-product/template.yml b/samples/sample-service-catalog-product/template.yml index 7f3d297b0..e6a0d790e 100644 --- a/samples/sample-service-catalog-product/template.yml +++ b/samples/sample-service-catalog-product/template.yml 
@@ -5,14 +5,14 @@ AWSTemplateFormatVersion: '2010-09-09' Description: ADF CloudFormation Sample Template (Service Catalog Product) Metadata: License: Apache-2.0 -Parameters: +Parameters: ProductXTemplateURL: Type: String Description: Service Catalog CloudFormation Template URL Resources: Portfolio: Type: AWS::ServiceCatalog::Portfolio - Properties: + Properties: AcceptLanguage: en Description: Portfolio containing Cloud9 Development Environment DisplayName: IDE Portfolio @@ -29,7 +29,7 @@ Resources: TagOptionId: !Ref IDETagOption Cloud9Product: Type: AWS::ServiceCatalog::CloudFormationProduct - Properties: + Properties: AcceptLanguage: en Description: CloudFormation Template to deploy Cloud9 Development Environment Distributor: Company @@ -38,11 +38,11 @@ Resources: ProvisioningArtifactParameters: - Info: { "LoadTemplateFromURL": !Ref ProductXTemplateURL } SupportDescription: For help with Cloud9 Dev Environment contact us - SupportEmail: jon@doe.com + SupportEmail: john@example.com SupportUrl: http://example.com Association: Type: AWS::ServiceCatalog::PortfolioProductAssociation - Properties: + Properties: AcceptLanguage: en PortfolioId: !Ref Portfolio ProductId: !Ref Cloud9Product diff --git a/src/lambda_codebase/account/tests/test_main.py b/src/lambda_codebase/account/tests/test_main.py index d9251b453..f5d6b3548 100644 --- a/src/lambda_codebase/account/tests/test_main.py +++ b/src/lambda_codebase/account/tests/test_main.py @@ -32,7 +32,7 @@ def test_deployment_account_given(logger, concur_mod_fn, wait_on_fn, ssm_client, org_client): account_id = "123456789012" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" ssm_client.exceptions.ParameterNotFound = ParameterNotFound org_client.exceptions.ConcurrentModificationException = \ 
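Review bot: The literal `"test@amazon.com"` is now assigned separately in seven test functions of test_main.py (this hunk and the ones on the following lines), so the planned sweep for stray addresses has seven places to check and the tests can drift apart again. A module-level constant, `TEST_ACCOUNT_EMAIL = "test@amazon.com"`, referenced as `account_email = TEST_ACCOUNT_EMAIL` in each test, would keep the approved address in one place. The enclosing test_deployment_account_given body starts and ends outside the hunk.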
@@ -64,7 +64,7 @@ def test_deployment_account_found_with_ssm(logger, concur_mod_fn, wait_on_fn, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" ssm_client.exceptions.ParameterNotFound = ParameterNotFound org_client.exceptions.ConcurrentModificationException = \ @@ -106,7 +106,7 @@ def test_deployment_account_create_success(logger, concur_mod_fn, wait_on_fn, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" ssm_client.exceptions.ParameterNotFound = ParameterNotFound org_client.exceptions.ConcurrentModificationException = \ @@ -159,7 +159,7 @@ def test_deployment_account_create_failed_concur(logger, concur_mod_fn, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" ssm_client.exceptions.ParameterNotFound = ParameterNotFound org_client.exceptions.ConcurrentModificationException = \ @@ -216,7 +216,7 @@ def test_deployment_account_create_failed_other(logger, concur_mod_fn, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" correct_error_message = "Some other exception" ssm_client.exceptions.ParameterNotFound = ParameterNotFound 
@@ -359,7 +359,7 @@ def test_deployment_account_handle_concurrent_last_try(logger, time_mock, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" no_retries = MAX_RETRIES org_client.exceptions.ConcurrentModificationException = \ @@ -406,7 +406,7 @@ def test_deployment_account_handle_concurrent_too_many_tries(logger, account_id = "123456789012" given_account_id = "" account_name = "test-deployment-account" - account_email = "test-deployment@fake-test.domain" + account_email = "test@amazon.com" cross_account_access_role_name = "some-role" no_retries = MAX_RETRIES + 1 org_client.exceptions.ConcurrentModificationException = \ diff --git a/src/lambda_codebase/account_processing/tests/test_account_alias.py b/src/lambda_codebase/account_processing/tests/test_account_alias.py index 5e24a7808..30271e732 100644 --- a/src/lambda_codebase/account_processing/tests/test_account_alias.py +++ b/src/lambda_codebase/account_processing/tests/test_account_alias.py @@ -11,7 +11,7 @@ # pylint: disable=W0106 def test_account_alias(): - test_account = {"account_id": 1234567890, "alias": "MyCoolAlias"} + test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"} iam_client = boto3.client("iam") stubber = Stubber(iam_client) create_alias_response = {} diff --git a/src/lambda_codebase/account_processing/tests/test_account_creation.py b/src/lambda_codebase/account_processing/tests/test_account_creation.py index 3770bb112..19ec0c47a 100644 --- a/src/lambda_codebase/account_processing/tests/test_account_creation.py +++ b/src/lambda_codebase/account_processing/tests/test_account_creation.py 
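Review bot: The account id in `test_account = {"account_id": 123456789012, "alias": "MyCoolAlias"}` is an int, whereas test_account_creation.py in this same change models it as the string `"111111111111"`, and the Organizations API returns account ids as strings; an int fixture cannot catch a str/int mix-up in the code under test if it compares or formats the id. The same applies to test_account_file_processing.py further down, where the stubbed account entry uses `"Id": 123456789012` and the lookups key on the same int. Using `"123456789012"` in these fixtures would match the real API shape; whether the code under test is sensitive to the type is not visible from the hunk. The enclosing test_account_alias body continues past the hunk.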
@@ -16,11 +16,11 @@ class SuccessTestCase(unittest.TestCase): def test_account_creation(self): test_account = { "account_full_name": "ADF Test Creation Account", - "email": "test+account@domain.com", + "email": "test@amazon.com", } test_account_result = { **test_account, - "account_id": "9087564231", + "account_id": "111111111111", } org_client = boto3.client("organizations") stubber = Stubber(org_client) @@ -33,14 +33,14 @@ def test_account_creation(self): describe_account_response = { "CreateAccountStatus": { "State": "IN_PROGRESS", - "AccountId": "9087564231", + "AccountId": "111111111111", "Id": "1234567890", } } describe_account_response_complete = { "CreateAccountStatus": { "State": "SUCCEEDED", - "AccountId": "9087564231", + "AccountId": "111111111111", "Id": "1234567890", } } @@ -78,7 +78,7 @@ class FailuteTestCase(unittest.TestCase): def test_account_creation_failure(self): test_account = { "account_full_name": "ADF Test Creation Account", - "email": "test+account@domain.com", + "email": "test@amazon.com", } org_client = boto3.client("organizations") stubber = Stubber(org_client) @@ -88,14 +88,14 @@ def test_account_creation_failure(self): describe_account_response = { "CreateAccountStatus": { "State": "IN_PROGRESS", - "AccountId": "9087564231", + "AccountId": "111111111111", "Id": "1234567890", } } describe_account_response_complete = { "CreateAccountStatus": { "State": "FAILED", - "AccountId": "9087564231", + "AccountId": "111111111111", "Id": "1234567890", "FailureReason": "ACCOUNT_LIMIT_EXCEEDED", } diff --git a/src/lambda_codebase/account_processing/tests/test_account_file_processing.py b/src/lambda_codebase/account_processing/tests/test_account_file_processing.py index fc7fd76b6..483ecc634 100644 --- a/src/lambda_codebase/account_processing/tests/test_account_file_processing.py +++ b/src/lambda_codebase/account_processing/tests/test_account_file_processing.py 
@@ -10,53 +10,54 @@ class SuccessTestCase(unittest.TestCase): def test_process_account_when_account_exists(self): test_account = { "alias": "MyCoolAlias", - "account_full_name":"mytestaccountname", + "account_full_name": "mytestaccountname", } - account_lookup = {"mytestaccountname":1234567890} + account_lookup = {"mytestaccountname": 123456789012} self.assertDictEqual( process_account(account_lookup, test_account), { "alias": "MyCoolAlias", - "account_full_name":"mytestaccountname", - "account_id": 1234567890, + "account_full_name": "mytestaccountname", + "account_id": 123456789012, "needs_created": False, } ) - def test_process_account_when_account_doesnt_exist(self): test_account = { "alias": "MyCoolAlias", - "account_full_name":"mytestaccountname", + "account_full_name": "mytestaccountname", } - account_lookup = {"mydifferentaccount":1234567890} + account_lookup = {"mydifferentaccount": 123456789012} self.assertDictEqual( process_account(account_lookup, test_account), { "alias": "MyCoolAlias", - "account_full_name":"mytestaccountname", + "account_full_name": "mytestaccountname", "needs_created": True, } ) - def test_process_account_list(self): - all_accounts = [{"Name":"mytestaccountname", "Id":1234567890}] + all_accounts = [{"Name": "mytestaccountname", "Id": 123456789012}] accounts_in_file = [ {"account_full_name": "mytestaccountname"}, {"account_full_name": "mynewaccountname"}, ] - self.assertListEqual(process_account_list(all_accounts, accounts_in_file), [ - { - "account_full_name":"mytestaccountname", - "needs_created": False, - "account_id": 1234567890, - }, - { - "account_full_name":"mynewaccountname", - "needs_created": True, - } - ]) + self.assertListEqual( + process_account_list(all_accounts, accounts_in_file), + [ + { + "account_full_name": "mytestaccountname", + "needs_created": False, + "account_id": 123456789012, + }, + { + "account_full_name": "mynewaccountname", + "needs_created": True, + } + ] + ) class FailureTestCase(unittest.TestCase): 
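Review bot: In `all_accounts` the `Id` is the integer `123456789012`, but this list stands in for the Organizations list-accounts output, whose `Id` is a string — the commit's own `describe_account_response` in test_account_creation.py uses `"AccountId": "111111111111"` for the same reason. With an int the test cannot catch a str/int comparison slip in `process_account` or `process_account_list`, and an id with a leading zero such as the `012345678910` this commit uses in test_iam.py cannot even be expressed; `{"Name": "mytestaccountname", "Id": "123456789012"}` together with `"account_id": "123456789012"` in the expectations would exercise the production shape. The same int-valued ids appear in `test_account` in test_account_alias.py and in `create_target_info_default` in stub_target.py; if the code deliberately accepts both forms (an unquoted id in deployment-map YAML does parse as an int), a short comment on the fixture saying so would settle the question.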
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md index 7f9e5d298..9665c1b83 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-accounts/readme.md @@ -49,7 +49,7 @@ You can create as many *.yml* files as required and split them up into groups as accounts: - account_full_name: company-prod-1 organizational_unit_path: /business-unit1/prod - email: prod-team-1@company.com + email: prod-team-1@example.com allow_billing: False delete_default_vpc: True support_level: enterprise @@ -65,7 +65,7 @@ accounts: accounts: - account_full_name: company-test-1 organizational_unit_path: /business-unit1/test - email: test-team-1@company.com + email: test-team-1@example.com allow_billing: True delete_default_vpc: False support_level: basic @@ -77,7 +77,7 @@ accounts: - account_full_name: company-test-2 organizational_unit_path: /business-unit1/test - email: test-team-2@company.com + email: test-team-2@example.com allow_billing: True delete_default_vpc: False alias: test-company-12 diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml index 81c7c4b16..83e9279d6 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml 
@@ -4,44 +4,50 @@ pipelines: source: provider: codecommit properties: - account_id: 1111111111111 + account_id: 111111111111 build: provider: codebuild deploy: provider: cloudformation params: - notification_endpoint: jon@smith.com # The Notification (user/team/slack) responsible for this pipeline + notification_endpoint: john@example.com # The Notification (user/team/slack) responsible for this pipeline restart_execution_on_update: True targets: # Deployment stages - - /banking/testing # will use action from type defined above, + - /banking/testing # This will use the default deployment action as defined above - path: /banking/production - properties: - stack_name: my-cool-iam-stack # Since no deploy type is defined above this target is assumed type of CloudFormation - change_set_approval: True # override deploy action above and insert a approval in between create + execute change set + # Since the deploy type is not overridden, it uses the CloudFormation as defined by the default provider + # while using specific properties for this target: + properties: + stack_name: my-cool-iam-stack # Override the default stack name to a specific one, useful when adopting a stack into ADF + change_set_approval: True # Override deploy action above and insert an approval in between create + execute change set - provider: lambda - properties: # https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-invoke-lambda-function.html - input: {"name": "jon_doe"} # This input will be passed to the function as a string + properties: # See https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-invoke-lambda-function.html + input: {"name": "jon_doe"} # This input will be passed to the function as a string function_name: my_lambda_function - - name: ami-builder # The name of your pipeline (by default, this will match the name of your repository) + - name: ami-builder # The name of your pipeline (by default, the repository name will match the pipeline name) 
default_providers: source: provider: codecommit properties: + # When CodeCommit is configured as the source, you should specify the + # account_id where the repository is hosted. account_id: 333333333333 build: provider: codebuild properties: role: packer - size: medium # Resource allocation for the build stage -> small | medium | large + size: medium # Resource allocation for the build stage -> small | medium | large params: - schedule: rate(7 days) # https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#RateExpressions - completion_trigger: # What should happen when this pipeline completes + schedule: rate(7 days) # Run once every seven days. See expression syntax at: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#RateExpressions + completion_trigger: # What should happen when this pipeline completes pipelines: - - sample-vpc # run this other pipeline + - sample-vpc # Run this other pipeline - name: sample-vpc - default_providers: # if we omit build and deploy type we get a default of codebuild as the build and cloudformation as the deploy. if using codecommit, account_id is required + default_providers: + # If we omit build and deploy type we get a default of CodeBuild as the build provider. + # and CloudFormation as the deploy provider. source: provider: github properties: 
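Review bot: The new comment under `default_providers:` for `sample-vpc` splits one sentence across two lines with a full stop in the middle (`... as the build provider.` / `# and CloudFormation as the deploy provider.`); drop the first period so it reads `# If we omit build and deploy type we get a default of CodeBuild as the build provider` followed by `# and CloudFormation as the deploy provider.`. Separately, `input: {"name": "jon_doe"}` keeps the old `jon` spelling while the endpoints in this file were renamed to `john@example.com`; a matching `john_doe` would keep the example persona consistent.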
@@ -54,39 +60,39 @@ pipelines: properties: action: replace_on_failure params: - notification_endpoint: jon@smith.com - targets: # Long hand syntax including regions and names for stages + notification_endpoint: john@example.com + targets: # Long hand syntax including regions and names for stages - path: /banking/testing name: fancy-name - name: sample-ecs-app - default_providers: # if we omit build and deploy type we get a default of codebuild as the build and cloudformation as the deploy. if using codecommit, account_id is required + default_providers: source: provider: codestar properties: - repository: my-ecs-app # Optional, above name property will be used if this is not specified + repository: my-ecs-app # Optional, the name of the pipeline will be used if this is not specified owner: github-enterprise-team-org - codestar_connection_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeStar Connection arn + codestar_connection_path: /path/to/parameter # The path in AWS Systems Manager Parameter Store that holds the AWS CodeStar Connection ARN params: - notification_endpoint: team@example.com + notification_endpoint: team@example.com targets: - [ /banking/testing, /banking/production ] - - name: sample-custom # using a custom pipeline, we can execute code within CodeBuild to perform whichever tasks are required. + - name: sample-custom # Using a custom pipeline, we can execute code within CodeBuild to perform whichever tasks are required. 
default_providers: source: provider: codecommit properties: - account_id: 333333333333 # A different AccountId as this pipeline is owned by a different team + account_id: 333333333333 # A different account id as this pipeline is owned by a different team deploy: provider: codebuild - targets: # targets looks for the deploy defaults above to determine parameters + targets: # Targets looks for the deploy defaults above to determine parameters - properties: spec_filename: custom-spec-one.yml - provider: approval properties: message: plz approve - notification_endpoint: jon@smith.com # Approvals can have their own unique notification endpoint + notification_endpoint: john@example.com # Approvals can have their own unique notification endpoint - properties: spec_filename: custom-spec-two.yml @@ -95,13 +101,13 @@ pipelines: source: provider: codecommit properties: - account_id: 333333333333 # A different AccountId as this pipeline is owned by a different team + account_id: 333333333333 # A different account id as this pipeline is owned by a different team targets: - 222222222222 - name: sample-ec2-java-app-codedeploy default_providers: - source: + source: provider: codecommit properties: account_id: 333333333333 
@@ -115,26 +121,26 @@ pipelines: notification_endpoint: deployments targets: - target: 222222222222 - properties: # These are stage specific properties for our deploy action + properties: # These are stage specific properties for our deploy action application_name: sample - deployment_group_name: testing-sample # https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html + deployment_group_name: testing-sample # See https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html - name: sample-input-export-pipeline default_providers: source: provider: codecommit properties: - account_id: 1111111111111 + account_id: 111111111111 targets: - target: 222222222222 properties: - outputs: some_param_outputs # Outputs will take Cloudformation Outputs and pass them into a JSON file which can be used in later stages - - target: 1111111111111 + outputs: some_param_outputs # Outputs will take CloudFormation Outputs and pass them into a JSON file which can be used in later stages + - target: 111111111111 properties: param_overrides: - - inputs: some_param_outputs # Which file do we want to use to pass in overrides from - param: s3_bucket # The name of the parameter you wish to override at this stage - key_name: logging_bucket # The key from the output 'some_param_outputs' we want to get the value from + - inputs: some_param_outputs # Which file do we want to use to pass in overrides from + param: s3_bucket # The name of the parameter you wish to override at this stage + key_name: logging_bucket # The key from the output 'some_param_outputs' we want to get the value from - name: sample-s3-pipeline default_providers: @@ -143,9 +149,9 @@ pipelines: properties: bucket_name: packer-bucket-test object_key: input.zip - account_id: 44444444444444 + account_id: 444444444444 build: - enabled: False # if you wish to disable the build phase in a pipeline + enabled: False # If you wish to disable the build phase in a pipeline deploy: provider: s3 targets: 
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/adf_codepipeline_test_constants.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/adf_codepipeline_test_constants.py index cd3e510bb..3e001c199 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/adf_codepipeline_test_constants.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/adf_codepipeline_test_constants.py @@ -7,7 +7,7 @@ 'default_providers': { 'source': { 'properties': { - 'account_id': 123456123456, + 'account_id': 111111111111, } }, 'build': {}, @@ -16,4 +16,3 @@ 'name': 'name', } - diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/test_adf_codebuild_determine_build_image.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/test_adf_codebuild_determine_build_image.py index 61919a979..2da98ec9b 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/test_adf_codebuild_determine_build_image.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_constructs/tests/test_adf_codebuild_determine_build_image.py @@ -18,7 +18,7 @@ SPECIFIC_CODEBUILD_IMAGE_ALT_STR = 'STANDARD_2_0' SPECIFIC_CODEBUILD_IMAGE_ALT2_STR = 'STANDARD_1_0' SPECIFIC_CODEBUILD_IMAGE_ECR = { - 'repository_arn': 'arn:aws:ecr:region:012345678910:repository/test', + 'repository_arn': 'arn:aws:ecr:region:111111111111:repository/test', 'tag': 'specific', } CODEBUILD_SPECIFIC_MAP_PARAMS_STR = { 
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py index 20f41a5e8..8c212ecde 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/cdk/cdk_stacks/tests/test_pipeline_creation.py @@ -295,7 +295,7 @@ def test_pipeline_creation_outputs_with_invalid_trigger_type(): with pytest.raises(Exception) as e_info: - PipelineStack(app, stack_input) + PipelineStack(app, stack_input) cloud_assembly = app.synth() error_message = str(e_info.value) @@ -334,7 +334,7 @@ def test_pipeline_creation_outputs_as_expected_when_notification_endpoint_is_cha pipeline_notification = resources['pipelinenoti']['Properties'] target = pipeline_notification["Targets"][0] - + assert resources["pipelinenoti"]["Type"] == "AWS::CodeStarNotifications::NotificationRule" assert target["TargetAddress"] == "arn:aws:chatbot::111111111111:chat-configuration/slack-channel/fake-config" assert target["TargetType"] == "AWSChatbotSlack" diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh index bd6d4985d..3e3cbab8d 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/sts.sh 
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# Example usage sts 12345678910 adf-terraform-deployment-role
+# Example usage sts 123456789012 adf-terraform-deployment-role
 export ROLE=arn:aws:iam::$1:role/$2
 temp_role=$(aws sts assume-role --role-arn $ROLE --role-session-name $2-$ADF_PROJECT_NAME)
 export AWS_ACCESS_KEY_ID=$(echo $temp_role | jq -r .Credentials.AccessKeyId)
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_event.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_event.py
index 047b546ff..87f2bb7ac 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_event.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_event.py
@@ -10,5 +10,5 @@ class StubEvent():
 def __init__(self):
 self.deployment_account_region = 'us-east-1'
 self.target_regions = ['region-1', 'region-2']
- self.account_id = '12345678910'
- self.deployment_account_id = '9999911111'
+ self.account_id = '123456789012'
+ self.deployment_account_id = '111111111111'
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_kms.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_kms.py
index 3ee24c7b6..e6684549d 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_kms.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/stubs/stub_kms.py
@@ -8,5 +8,5 @@ """ kms_get_policy = { - 'Policy': '{\n "Version" : "2012-10-17",\n "Id" : "key-default-1",\n "Statement" : [ {\n "Sid" : "Enable IAM User Permissions",\n "Effect" : "Allow",\n "Principal" : {\n "AWS" : ["arn:aws:iam::111122223333:root"]\n },\n "Action" : "kms:*",\n "Resource" : "*"\n } ]\n}', + 'Policy': '{\n "Version" : "2012-10-17",\n "Id" : "key-default-1",\n "Statement" : [ {\n "Sid" : "Enable IAM User Permissions",\n "Effect" : "Allow",\n "Principal" : {\n "AWS" : ["arn:aws:iam::111111111111:root"]\n },\n "Action" : "kms:*",\n "Resource" : "*"\n } ]\n}', } diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_iam.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_iam.py index c6d347a76..330f79b2c 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_iam.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_iam.py 
@@ -39,19 +39,19 @@ def test_update_iam_policy_bucket(cls): def test_update_iam_cfn(cls): cls._update_iam_cfn( - 'kms::12345678910::some_arn' + 'kms::012345678910::some_arn' ) for policy in cls.policy.get('Statement'): if policy["Sid"] == "KMS": - assert 'kms::12345678910::some_arn' in policy["Resource"] + assert 'kms::012345678910::some_arn' in policy["Resource"] def test_update_iam_roles_with_lists(cls): - cls.update_iam_roles(["bucket1", "bucket2"], ["kms::12345678910::kms_key_1", "kms::12345678910::kms_key_2"], {'some_role_name':'some_policy_name'}) + cls.update_iam_roles(["bucket1", "bucket2"], ["kms::012345678910::kms_key_1", "kms::012345678910::kms_key_2"], {'some_role_name':'some_policy_name'}) for policy in cls.policy.get('Statement'): if policy["Sid"] == "KMS": - assert 'kms::12345678910::kms_key_1' in policy["Resource"] - assert 'kms::12345678910::kms_key_2' in policy["Resource"] + assert 'kms::012345678910::kms_key_1' in policy["Resource"] + assert 'kms::012345678910::kms_key_2' in policy["Resource"] if policy["Sid"] == "S3": assert 'arn:aws:s3:::bucket2' in policy["Resource"] assert 'arn:aws:s3:::bucket2/*' in policy["Resource"] @@ -60,11 +60,10 @@ def test_update_iam_roles_with_lists(cls): def test_update_iam_roles_is_backwards_compatible(cls): - cls.update_iam_roles("bucket1", "kms::12345678910::kms_key_1", {'some_role_name':'some_policy_name'}) + cls.update_iam_roles("bucket1", "kms::012345678910::kms_key_1", {'some_role_name':'some_policy_name'}) for policy in cls.policy.get('Statement'): if policy["Sid"] == "KMS": - assert 'kms::12345678910::kms_key_1' in policy["Resource"] - if policy["Sid"] == "S3": + assert 'kms::012345678910::kms_key_1' in policy["Resource"] + if policy["Sid"] == "S3": assert 'arn:aws:s3:::bucket1' in policy["Resource"] - assert 'arn:aws:s3:::bucket1/*' in policy["Resource"] - + assert 'arn:aws:s3:::bucket1/*' in policy["Resource"] 
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_organizations.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_organizations.py index 25767d883..ec58c2cf2 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_organizations.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/python/tests/test_organizations.py @@ -17,7 +17,7 @@ def cls(): return Organizations( boto3, - '12345678910' + '123456789012' ) diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/schema_validation.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/schema_validation.py index f71475864..81c9f3551 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/schema_validation.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/schema_validation.py @@ -104,8 +104,8 @@ # CodeBuild CODEBUILD_IMAGE_PROPS = { - "repository_arn": str, # arn:aws:ecr:region:012345678910:repository/test - Optional("tag"): str, # defaults to latest + "repository_arn": str, # arn:aws:ecr:region:111111111111:repository/test + Optional("tag"): str, # defaults to latest } CODEBUILD_PROPS = { Optional("image"): Or(str, CODEBUILD_IMAGE_PROPS), diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml deleted file mode 100644 index a6cbec7ea..000000000 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml +++ /dev/null 
@@ -1,230 +0,0 @@ -pipelines: - - name: sample-iam # The name of your pipeline (by default, this will match the name of your repository) - default_providers: - source: - provider: codecommit - properties: - account_id: 111111111111 - build: - provider: codebuild - deploy: - provider: cloudformation - params: - notification_endpoint: bundyf@amazon.nl # The Notification (user/team/slack) responsible for this pipeline - restart_execution_on_update: True - targets: # Deployment stages - - /banking/testing # will use action from type defined above, - - approval - - path: /banking/production - properties: - stack_name: my-cool-iam-stack # Since no deploy type is defined above this target is assumed type of CloudFormation - change_set_approval: True # override deploy action above and insert a approval in between create + execute change set - - provider: lambda - properties: # https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-invoke-lambda-function.html - input: {"name": "jon_doe"} # This input will be passed to the function as a string - function_name: my_lambda_function - - - name: ami-builder # The name of your pipeline (by default, this will match the name of your repository) - default_providers: - source: - provider: codecommit - properties: - account_id: '011111111111' - build: - provider: codebuild - properties: - role: packer - size: medium # Resource allocation for the build stage -> small | medium | large - params: - schedule: rate(7 days) # https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html#RateExpressions - completion_trigger: # What should happen when this pipeline completes - pipelines: - - sample-vpc # run this other pipeline - - - name: sample-vpc - default_providers: # if we omit build and deploy type we get a default of codebuild as the build and cloudformation as the deploy. 
if using codecommit, account_id is required - source: - provider: github - properties: - repository: example-vpc-adf # Optional, above name property will be used if this is not specified - owner: bundyfx - oauth_token_path: /adf/github_token # The path in AWS Secrets Manager that holds the GitHub Oauth token, ADF only has access to /adf/ prefix in Secrets Manager - json_field: token # The field (key) name of the json object stored in AWS Secrets Manager that holds the Oauth token - deploy: - provider: cloudformation - properties: - action: replace_on_failure - root_dir: infra - template_filename: my_template.yml - params: - notification_endpoint: jon@smith.com - targets: # Long hand syntax including regions and names for stages - - path: /banking/testing - name: fancy-name - - - - name: sample-custom # using a custom pipeline, we can execute code within CodeBuild to perform whichever tasks are required. - default_providers: - source: - provider: codecommit - properties: - account_id: '012345678901' # A different AccountId as this pipeline is owned by a different team - deploy: - provider: codebuild - targets: # targets looks for the deploy defaults above to determine parameters - - properties: - spec_filename: custom-spec-one.yml - - provider: approval - properties: - message: plz approve - notification_endpoint: jon.smith@email.com # Approvals can have their own unique notification endpoint - - properties: - spec_filename: custom-spec-two.yml - - - name: sample-ec2-app-codedeploy - default_providers: - source: - provider: codecommit - properties: - account_id: 111111111111 # A different AccountId as this pipeline is owned by a different team - targets: - - 162738475618 - - '062738475618' - - '012733475612' - - - name: sample-ec2-java-app-codedeploy - default_providers: - source: - provider: codecommit - properties: - account_id: 111111111111 - build: - provider: codebuild - properties: - image: "STANDARD_2_0" # Use a specific docker image (defaults to Python 3.8) 
for the build stage in this pipeline -> https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-codebuild.LinuxBuildImage.html - deploy: - provider: codedeploy - params: - notification_endpoint: deployments - targets: - - target: 162738475618 - properties: # These are stage specific properties for our deploy action - application_name: sample - deployment_group_name: testing-sample # https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html - - - name: sample-input-export-pipeline - default_providers: - source: - provider: codecommit - properties: - account_id: 554771589607 - targets: - - target: 162738475618 - properties: - outputs: some_param_outputs # Outputs will take Cloudformation Outputs and pass them into a JSON file which can be used in later stages - - target: 144313290359 - properties: - param_overrides: - - inputs: some_param_outputs # Which file do we want to use to pass in overrides from - param: s3_bucket # The name of the parameter you wish to override at this stage - key_name: logging_bucket # The key from the output 'some_param_outputs' we want to get the value from - - - name: sample-s3-pipeline - default_providers: - source: - provider: s3 - properties: - bucket_name: packer-stub - object_key: input.zip - account_id: 111111111111 - build: - enabled: False # if you wish to disable the build phase in a pipeline - deploy: - provider: s3 - targets: - - target: 162738475618 - properties: - bucket_name: test-adf-bucket-eu - object_key: output.zip - - - name: example-contains-transform - default_providers: - source: - provider: codecommit - properties: - account_id: 222222222222 - build: - provider: codebuild - properties: - environment_variables: - CONTAINS_TRANSFORM: True # If you define this environment variable its expected that you are using the contains_transform helper in your build stage. 
- targets: - - /banking/testing - - - name: sample-ecs-cluster - default_providers: - source: &example_anchor_source - provider: codecommit - properties: - account_id: 111111111111 - targets: &example_anchor_targets - - /banking/testing - - path: /banking/production - regions: eu-west-1 - name: production - - - name: sample-cdk-application - default_providers: - source: - provider: codecommit - properties: - account_id: 111111111111 - build: - provider: codebuild - properties: - image: "STANDARD_2_0" - regions: eu-west-1 - targets: - - /banking/testing - - /banking/production - - - name: sample-ecr-repository - default_providers: - source: *example_anchor_source - targets: - - /deployment - - - name: sample-service-catalog-product - default_providers: - source: *example_anchor_source - targets: *example_anchor_targets - - - name: sample-node-app - default_providers: - source: *example_anchor_source - build: - provider: codebuild - properties: - image: "STANDARD_2_0" - privileged: true - targets: *example_anchor_targets - - - name: sample-cdk-application - default_providers: - source: - provider: codecommit - properties: - account_id: 111111111111 - build: - provider: codebuild - properties: - image: "STANDARD_2_0" - regions: eu-west-1 - targets: - - tags: - environment: sandbox - regions: eu-west-1 - - tags: - environment: prod - solution: connected-vehicle - diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml new file mode 120000 index 000000000..1ec4905d7 --- /dev/null +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_deployment_map.yml @@ -0,0 +1 @@ +../../../../adf-bootstrap/deployment/lambda_codebase/initial_commit/pipelines_repository/example-deployment_map.yml \ No newline at end of file 
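Review bot: The replacement `stub_deployment_map.yml` is a relative symlink (mode 120000) into `adf-bootstrap/.../example-deployment_map.yml`, so the fixture is only intact where the checkout and any packaging step preserve symlinks; on a Windows clone without symlink support, or in a source archive or build that flattens links, the file becomes a one-line text containing that path and every test loading it fails for a reason unrelated to the code under test. The deleted stub also carried cases not visible in the example map's hunks — an `approval` target, YAML anchors (`&example_anchor_source`, `&example_anchor_targets`), `tags:`-based targets and the `example-contains-transform` pipeline — so if any test asserted on those, coverage disappears silently rather than via a failing test; worth confirming against the full example map before merge. A test-time fixture that reads the example map by its path would share the file without relying on the symlink surviving.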
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_target.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_target.py index 8d187a1ae..f9364a906 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_target.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/stubs/stub_target.py @@ -20,7 +20,7 @@ create_target_info_default = { 'name': 'account_name', - 'id': 12345678910, + 'id': 123456789012, 'path': '/thing/path', "properties": {}, "provider": 'cloudformation', @@ -30,7 +30,7 @@ create_target_info_regex_applied = { 'name': 'accountname', - 'id': 12345678910, + 'id': 123456789012, 'path': '/thing/path', "properties": {}, "provider": 'cloudformation', @@ -63,7 +63,7 @@ 'Account': { 'Id': 'fake', 'Arn': 'fake::arn', - 'Email': 'fake@fake.com', + 'Email': 'jane@example.com', 'Name': 'string', 'Status': 'ACTIVE', 'JoinedMethod': 'INVITED', @@ -76,7 +76,7 @@ def organizations_dir_to_ou(): yield { 'Id': 'fake', 'Arn': 'fake::arn', - 'Email': 'fake@fake.com', + 'Email': 'jane@example.com', 'Name': 'string', 'Status': 'ACTIVE', 'JoinedMethod': 'INVITED', @@ -88,9 +88,9 @@ def organizations_list_accounts_for_parent(): yield { 'Id': 'fake', 'Arn': 'fake::arn', - 'Email': 'fake@fake.com', + 'Email': 'jane@example.com', 'Name': 'string', 'Status': 'ACTIVE', 'JoinedMethod': 'CREATED', 'JoinedTimestamp': 2 - } \ No newline at end of file + } diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_deployment_map.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_deployment_map.py index aceb3c6cb..b9eae212b 100644 --- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_deployment_map.py +++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_deployment_map.py 
@@ -36,7 +36,7 @@ def test_update_deployment_parameters(cls):
 "source": {
 "name": "codecommit",
 "properties" : {
- "account_id": 123456789101
+ "account_id": 111111111111,
 }
 }
 }
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_pipeline.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_pipeline.py
index 29514976b..31cbd2040 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_pipeline.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_pipeline.py
@@ -23,7 +23,7 @@ def cls():
 "source": {
 "name": "codecommit",
 "properties" : {
- "account_id": 123456789101
+ "account_id": 111111111111,
 }
 }
 }
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_target.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_target.py
index 04de79739..6f924480a 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_target.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/shared/tests/test_target.py
@@ -58,7 +58,7 @@ def test_fetch_accounts_for_target_ou_path():
 def test_fetch_accounts_for_target_account_id():
 cls = Target(
- path="123456789102",
+ path="111111111111",
 regions=["region1", "region2"],
 target_structure=MockTargetStructure(),
 organizations=None,
@@ -109,7 +109,7 @@ def test_fetch_account_error():
 def test_fetch_account_error_invalid_account_id():
 cls = Target(
- path="12345678910", # 11 digits rather than 12 (invalid account id)
+ path="12345678901", # 11 digits rather than 12 (invalid account id)
 regions=["region1", "region2"],
 target_structure=MockTargetStructure(),
 organizations=Mock(),
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/stubs/stub_adfconfig.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/stubs/stub_adfconfig.yml
index 7b31a36c1..abc302e9e 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/stubs/stub_adfconfig.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/stubs/stub_adfconfig.yml
@@ -8,13 +8,13 @@ regions:
 - us-west-2
 config:
- main-notification-endpoint:
+ main-notification-endpoint:
 - type: email
- target: jon@doe.com
+ target: john@example.com
 moves:
 - name: to-root
 action: remove-base
 protected:
 - ou-a9ny-123test
 scp:
- keep-default-scp: enabled
\ No newline at end of file
+ keep-default-scp: enabled
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_config.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_config.py
index 89a423290..016b62341 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_config.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_config.py
@@ -24,7 +24,7 @@ def cls():
 def test_validation(cls):
 assert cls.config.get(
- 'main-notification-endpoint')[0].get('target') == 'jon@doe.com'
+ 'main-notification-endpoint')[0].get('target') == 'john@example.com'
 assert cls.config.get('moves')[0].get('action') == 'remove-base'
@@ -33,21 +33,25 @@ def test_validation_list_deployment_target(cls):
 cls._parse_config()
 assert cls.target_regions == ["target1"]
+
 def test_validation_list_deployment_account_target(cls):
 cls.config_contents["regions"]["deployment-account"] = "target1"
 cls._parse_config()
 assert cls.deployment_account_region == "target1"
+
 def test_raise_validation_remove_moves(cls):
 cls.config_contents.get('config').pop('moves', None)
 with raises(InvalidConfigError):
 assert cls._parse_config()
+
 def test_raise_validation_remove_roles(cls):
 cls.config_contents.get('roles', None).pop('cross-account-access', None)
 with raises(InvalidConfigError):
 assert cls._parse_config()
+
 def test_raise_validation_remove_deployment_target_region(cls):
 cls.config_contents.get('regions', None).pop('deployment-account', None)
 with raises(InvalidConfigError):
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_main.py b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_main.py
index 6bb1daf37..e0df3fa8f 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_main.py
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/adf-build/tests/test_main.py
@@ -22,6 +22,7 @@ def cls():
 )
 return config
+
 @fixture
 def sts():
 sts = Mock()
@@ -43,16 +44,20 @@ def sts():
 def test_is_account_valid_state(cls):
 assert is_account_in_invalid_state('ou-123', cls.__dict__) == False
+
 def test_is_account_in_invalid_state(cls):
 cls.protected = []
 cls.protected.append('ou-123')
 assert is_account_in_invalid_state('ou-123', cls.__dict__) == 'Is in a protected Organizational Unit ou-123, it will be skipped.'
+
 def test_is_account_is_in_root(cls):
 assert is_account_in_invalid_state('r-123', cls.__dict__) == 'Is in the Root of the Organization, it will be skipped.'
+
 def test_ensure_generic_account_can_be_setup(cls, sts):
- assert ensure_generic_account_can_be_setup(sts, cls, '12345678910') == sts.assume_cross_account_role()
+ assert ensure_generic_account_can_be_setup(sts, cls, '123456789012') == sts.assume_cross_account_role()
+
 def test_update_deployment_account_output_parameters(cls, sts):
 cloudformation=Mock()
diff --git a/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml b/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
index be25be2d5..67ae1a896 100644
--- a/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
+++ b/src/lambda_codebase/initial_commit/bootstrap_repository/example-adfconfig.yml
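Review bot: The updated assertion `assert ensure_generic_account_can_be_setup(sts, cls, '123456789012') == sts.assume_cross_account_role()` compares against a Mock return value that is identical for any arguments, so the test still passes if the function assumes the role in an account other than the one passed in, which is the one property this test should pin. Because `sts` is the `Mock()` fixture from the previous hunk, the id can be checked by comparing against `sts.assume_cross_account_role.return_value` instead of calling the mock a second time, and then asserting that `'123456789012'` appears in `sts.assume_cross_account_role.call_args`. The exact positional or keyword slot to inspect depends on the signature of assume_cross_account_role, which is not shown in this diff.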
@@ -8,13 +8,13 @@ regions:
 config:
 main-notification-endpoint:
- - type: email # slack or email
- target: jon.doe@email.com # Email/Slack channel who receives notifications for the main bootstrapping pipeline
+ - type: email # Options include: slack or email
+ target: john.doe@example.com # Email/Slack channel who receives notifications for the main bootstrapping pipeline
 moves:
 - name: to-root
 action: safe # Can be safe or remove-base (see docs)
 scp:
- keep-default-scp: enabled # determines if the default AWSFullAccess SCP stays attached to all OU's
- scm: # Source control management
- auto-create-repositories: enabled # if true and using codecommit as source the repository will be automatically created
- default-scm-branch: master # allow to specify custom default branch if a pipeline specific configuration is not provided. If the parameter is not specified it defaults to the "master" branch.
+ keep-default-scp: enabled # Determines if the default AWSFullAccess SCP stays attached to all OU's
+ scm: # Source control management
+ auto-create-repositories: enabled # If true and using CodeCommit as source, the repository will be automatically created
+ default-scm-branch: master # The default branch is used when the pipeline does not specify a specific branch. If this parameter is not specified, it defaults to the "master" branch.
diff --git a/src/template.yml b/src/template.yml
index 345898b60..02efa2279 100644
--- a/src/template.yml
+++ b/src/template.yml
@@ -28,7 +28,7 @@ Parameters:
 MainNotificationEndpoint:
 Type: String
 Default: ""
- Description: "Example -> jon@smith.com"
+ Description: "Example -> jane@example.com"
 DeploymentAccountName:
 Type: String
 Default: ""
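Review bot: The rewritten comment on the `+ keep-default-scp: enabled` line keeps the wrong policy name: the Organizations-managed default service control policy is called `FullAWSAccess`, not `AWSFullAccess`, and since this example file is what operators copy, the misnomer makes the policy harder to find in the console and in audit output. Since the line is being reworded anyway, `keep-default-scp: enabled # Determines if the default FullAWSAccess SCP stays attached to all OUs` fixes it. The hunk's enclosing `config:` mapping continues outside the diff.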
@@ -44,7 +44,7 @@ Parameters:
 DeploymentAccountId:
 Type: String
 Default: ""
- Description: "Example -> 123456789101 (Only required if you have an existing AWS Account that you wish to use as the deployment account.)"
+ Description: "Example -> 123456789012 (Only required if you have an existing AWS Account that you wish to use as the deployment account.)"
 DeploymentAccountMainRegion:
 Type: String
 Default: ""
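Review bot: `DeploymentAccountId` is still an unconstrained `Type: String`; the new description shows the correct 12-digit shape but nothing in the parameter enforces it, so a mistyped or whitespace-padded id is accepted at stack creation and presumably only surfaces later during bootstrapping. Adding `AllowedPattern: "^(|[0-9]{12})$"` and `ConstraintDescription: "Must be empty or a 12-digit AWS account id"` under the parameter rejects it up front while keeping the empty default valid. The `Parameters:` section this hunk belongs to continues outside the diff.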