Summary:
A CodePipeline in account A deploys a workload to ECS Fargate in account B.
If any of the resources below do not exist yet, create them manually; the default settings are fine.
Account A resources:
1. CodePipeline project
2. KMS key
3. S3 bucket (the artifact store, shared with account B via the KMS key)
Account B resources:
1. ECS Fargate (cluster and service)
Steps:
1. Create the cross-account role in account B
XXXXXXXX is account A's numeric account ID
codepipeline-1234567890 is account A's artifact bucket
"arn:aws:kms:us-east-1:XXXXXXXX:key/mrk-7fae67a03XXXX5d1e0b5625" is the ARN of account A's KMS key
In the code below, the placeholder {{A账号的数字ID}} stands for account A's numeric ID and {{B账号的数字ID}} for account B's numeric ID.
Create the cross-account role (CrossAccount_Role) in account B:
crossAccout_role.tf
resource "aws_iam_role" "crossrole" {
  name = "CrossAccount_Role"

  # Trust policy: only principals in account A (the account that owns the pipeline) may assume this role.
  assume_role_policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::{{A账号的数字ID}}:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {}
        }
      ]
    })

  inline_policy {
    name = "cross_role_inline_policy"
    policy = jsonencode({
      "Version": "2012-10-17",
      "Statement": [
        {
          # Lets the Deploy action register task definitions and update the ECS service;
          # iam:PassRole is needed to hand the task and execution roles to ECS.
          # "Resource": "*" is broad; narrow it to the cluster, service and roles once the setup works.
          "Action": [
            "ecr:*",
            "ecs:*",
            "iam:PassRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          # Read the build artifact from account A's artifact bucket (bucket ARN is needed for ListBucket).
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::codepipeline-1234567890/*",
            "arn:aws:s3:::codepipeline-1234567890"
          ]
        },
        {
          # Decrypt artifacts that were encrypted with account A's customer-managed key.
          "Effect": "Allow",
          "Action": [
            "kms:DescribeKey",
            "kms:GenerateDataKey*",
            "kms:Encrypt",
            "kms:ReEncrypt*",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:us-east-1:{{A账号的数字ID}}:key/mrk-7fae67a03XXXX5d1e0b5625"
          ]
        }
      ]
    })
  }
}
terraform init
terraform apply
2. Grant CrossAccount_Role access to account A's S3 bucket:
Amazon S3 / Buckets / codepipeline-1234567890
Open the Permissions tab and, under Bucket policy, enter the following policy and save it.
(s3:ListBucket applies to the bucket ARN itself, so both the bucket and its objects are listed as resources.)
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{{B账号的数字ID}}:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline-1234567890/*",
        "arn:aws:s3:::codepipeline-1234567890"
      ]
    }
  ]
}
3. Grant account B cross-account access to account A's KMS key:
Open KMS and locate the key (create one if none exists). Under Key policy, in the Other AWS accounts section, click Add other AWS accounts, enter account B's numeric ID and save:
- arn:aws:iam::{{B账号的数字ID}}:root
4. Export the CodePipeline definition:
aws codepipeline get-pipeline --name ecs-pipeline > pipeline.json
vim pipeline.json
Edit the Deploy stage so that it looks like this:
{
  "name": "Deploy",
  "actions": [
    {
      "name": "Deploy",
      "actionTypeId": {
        "category": "Deploy",
        "owner": "AWS",
        "provider": "ECS",
        "version": "1"
      },
      "runOrder": 3,
      "roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role",
      "configuration": {
        "ClusterName": "fargate-cluster",
        "DeploymentTimeout": "30",
        "FileName": "imagedefinitions.json",
        "ServiceName": "webservice"
      },
      "outputArtifacts": [],
      "inputArtifacts": [
        {
          "name": "BuildArtifact"
        }
      ],
      "region": "us-east-1",
      "namespace": "DeployVariables"
    }
  ]
}
The main change is adding the execution role for the action:
"roleArn": "arn:aws:iam::{{B账号的数字ID}}:role/CrossAccount_Role"
5. Update the pipeline:
aws codepipeline update-pipeline --cli-input-json file://pipeline.json
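Steps 4 and 5 can be scripted instead of edited by hand. The following is an added example, not code from the original post: it takes the parsed get-pipeline output, drops the read-only "metadata" block that update-pipeline rejects, checks that the artifact store uses a customer-managed KMS key (required for cross-account actions), and sets roleArn on the Deploy action. The account IDs 111111111111 (account A) and 222222222222 (account B) and the key ID are constructed placeholders.

```python
import json
import re
from copy import deepcopy

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def prepare_cross_account_pipeline(doc_from_get_pipeline, target_account_id,
                                   stage_name="Deploy", action_name="Deploy",
                                   role_name="CrossAccount_Role"):
    """Turn `get-pipeline` output into a document `update-pipeline --cli-input-json` accepts."""
    if not ACCOUNT_ID_RE.match(target_account_id):
        raise ValueError("target account id must be 12 digits")
    doc = deepcopy(doc_from_get_pipeline)  # leave the caller's copy untouched
    # get-pipeline adds a read-only "metadata" block; update-pipeline rejects it
    doc.pop("metadata", None)
    pipeline = doc["pipeline"]
    # cross-account actions require the artifact store to use a customer-managed KMS key
    if "encryptionKey" not in pipeline.get("artifactStore", {}):
        raise ValueError("artifact store must use a customer-managed KMS key")
    for stage in pipeline["stages"]:
        if stage["name"] != stage_name:
            continue
        for action in stage["actions"]:
            if action["name"] == action_name:
                # the only change the walkthrough makes: run this action as the role in account B
                action["roleArn"] = f"arn:aws:iam::{target_account_id}:role/{role_name}"
                return doc
    raise KeyError(f"action {stage_name}/{action_name} not found")

# Constructed sample of `aws codepipeline get-pipeline --name ecs-pipeline` output;
# 111111111111 (account A) and 222222222222 (account B) are placeholder IDs.
SAMPLE_GET_PIPELINE = {
    "pipeline": {
        "name": "ecs-pipeline", "version": 3,
        "roleArn": "arn:aws:iam::111111111111:role/service-role/codepipeline-role",
        "artifactStore": {"type": "S3", "location": "codepipeline-1234567890",
                          "encryptionKey": {"type": "KMS", "id": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER"}},
        "stages": [
            {"name": "Source", "actions": [{"name": "Source"}]},
            {"name": "Deploy", "actions": [{
                "name": "Deploy", "runOrder": 3, "region": "us-east-1",
                "actionTypeId": {"category": "Deploy", "owner": "AWS", "provider": "ECS", "version": "1"},
                "configuration": {"ClusterName": "fargate-cluster", "ServiceName": "webservice",
                                  "FileName": "imagedefinitions.json"},
                "inputArtifacts": [{"name": "BuildArtifact"}]}]}]},
    "metadata": {"pipelineArn": "arn:aws:codepipeline:us-east-1:111111111111:ecs-pipeline"},
}

if __name__ == "__main__":  # writes the JSON to feed update-pipeline via file://pipeline.json
    print(json.dumps(prepare_cross_account_pipeline(SAMPLE_GET_PIPELINE, "222222222222"), indent=2))
```

Redirect the output to pipeline.json and run the update-pipeline command above against it.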
At this point the cross-account deployment is configured; trigger a pipeline run to test it.
Note: the ECS task execution role needs permission to read (decrypt with) the KMS key in addition to its normal execution permissions.