Last active
February 8, 2022 10:37
-
-
Save zxkane/185e8f7a8cfda58885195ca1820842b2 to your computer and use it in GitHub Desktop.
Those scripts are deprecated, see e2e example for detail, https://github.com/aws-samples/cdk-bootstrapless-synthesizer/tree/main/sample-pipeline for detail. use CDK customize synthesizer to publish assets, https://github.com/aws-samples/cdk-bootstrapless-synthesizer.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -euxo pipefail | |
| publish_s3_assets() { | |
| local name=$1 | |
| local prefix=$2 | |
| aws s3 ls s3://$name/$prefix --recursive | awk '{print $4}' | xargs -I {} -n 1 aws s3api put-object-acl --acl public-read --bucket $name --key {} | |
| } | |
| publish_s3_assets "$BSS_TEMPLATE_BUCKET_NAME" "$BSS_FILE_ASSET_PREFIX" | |
| for i in ${BSS_FILE_ASSET_REGION_SET//,/ } | |
| do | |
| echo "Publish S3 resource in bucket '"$BSS_TEMPLATE_BUCKET_NAME-$i"'" | |
| publish_s3_assets "$BSS_TEMPLATE_BUCKET_NAME-$i" "$BSS_FILE_ASSET_PREFIX" | |
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -euxo | |
| create_repo() { | |
| local name=$1 | |
| local region=$2 | |
| # create ecr repo | |
| aws ecr create-repository --region $region --repository-name "$name" --image-tag-mutability IMMUTABLE --image-scanning-configuration scanOnPush=true --encryption-configuration encryptionType=KMS 2>/dev/null | |
| set +e | |
| # set repo permission | |
| read -r -d '' POLICY_TEXT << EOM | |
| { | |
| "Version": "2008-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "public statement", | |
| "Effect": "Allow", | |
| "Principal": "*", | |
| "Action": [ | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:BatchGetImage", | |
| "ecr:GetDownloadUrlForLayer" | |
| ] | |
| } | |
| ] | |
| } | |
| EOM | |
| set -e | |
| aws ecr set-repository-policy --region $region --repository-name "$name" --policy-text "$POLICY_TEXT" 2>/dev/null | |
| } | |
| create_s3_bucket() { | |
| local name=$1 | |
| local region=$2 | |
| EXIT_CODE=0 | |
| aws s3 ls s3://$name --region $region || EXIT_CODE=$? | |
| if [[ $EXIT_CODE -eq 0 ]]; then | |
| echo "The bucket with name '$name' already exists." | |
| else | |
| aws s3 mb "s3://$name" --region $region | |
| echo "The bucket with name '$name' is created in region '$region'." | |
| fi | |
| } | |
| if [ ! -z "${BSS_FILE_ASSET_PUBLISHING_ROLE_ARN-}" ]; then | |
| json_output=$(aws sts assume-role \ | |
| --role-arn "$BSS_FILE_ASSET_PUBLISHING_ROLE_ARN" \ | |
| --role-session-name "asset-publishing-role" \ | |
| --duration-seconds "3600" \ | |
| 2>&1) | |
| export AWS_ACCESS_KEY_ID=$(echo "${json_output}" | jq --raw-output ".Credentials[\"AccessKeyId\"]") | |
| export AWS_SECRET_ACCESS_KEY=$(echo "${json_output}" | jq --raw-output ".Credentials[\"SecretAccessKey\"]") | |
| export AWS_SESSION_TOKEN=$(echo "${json_output}" | jq --raw-output ".Credentials[\"SessionToken\"]") | |
| fi | |
| create_s3_bucket "$BSS_TEMPLATE_BUCKET_NAME" "us-east-1" | |
| for i in ${BSS_FILE_ASSET_REGION_SET//,/ } | |
| do | |
| echo "Prepase S3 resource in region '$i'" | |
| create_s3_bucket "$BSS_TEMPLATE_BUCKET_NAME-$i" "$i" | |
| done | |
| for i in ${BSS_IMAGE_ASSET_REGION_SET//,/ } | |
| do | |
| echo "Initial ECR repo in region '$i'" | |
| EXISTINGREPO=`aws ecr describe-repositories --region $i --repository-names $BSS_IMAGE_ASSET_REPOSITORY_NAME --query 'repositories[].repositoryName' 2>/dev/null|jq '.[]'|jq '.'` | |
| if [[ -z $EXISTINGREPO ]] | |
| then | |
| create_repo "$BSS_IMAGE_ASSET_REPOSITORY_NAME" "$i" | |
| echo "The repo with name '$BSS_IMAGE_ASSET_REPOSITORY_NAME' is created in region '$i'." | |
| else | |
| echo "The repo with name '$BSS_IMAGE_ASSET_REPOSITORY_NAME' already exists in region '$i'." | |
| fi | |
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| export USE_BSS=true | |
| export BSS_FILE_ASSET_REGION_SET='us-west-1,us-west-2' | |
| export BSS_TEMPLATE_BUCKET_NAME=pipeline-test | |
| export BSS_FILE_ASSET_BUCKET_NAME='pipeline-test-${AWS::Region}' | |
| export BSS_FILE_ASSET_PUBLISHING_ROLE_ARN='arn:aws:iam::123456789012:role/cross-account-publishing-role' | |
| export BSS_FILE_ASSET_PREFIX='anti-fraud/v2.1/' | |
| export BSS_IMAGE_ASSET_REPOSITORY_NAME='fraud-detection' | |
| export BSS_IMAGE_ASSET_ACCOUNT_ID=123456789012 | |
| export BSS_IMAGE_ASSET_TAG_PREFIX='v2.1-' | |
| export BSS_IMAGE_ASSET_REGION_SET='us-west-1,us-west-2' | |
| export BSS_IMAGE_ASSET_PUBLISHING_ROLE_ARN='arn:aws:iam::123456789012:role/cross-account-publishing-role' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Usage:
source setup-bootstrap-env.sh# set env required by cdk-bootstrapless-synthesizerbash prepare-env.sh# create s3 buckets and ecr reposnpx cdk synthnpm i -g cdk-assetscdk-assets publish -p cdk.out/<your app>.assets.json# publish s3 and ecr assetsbash post-publish.sh# change the s3 assets to public read