Merge pull request #590 from amazonlinux/host-containers-pipeline

host-containers-pipeline: buildspecs, pipeline cfn, refactor paths

extras/dogswatch/Makefile

@@ -1,12 +1,13 @@
 # This is the NEXT version tag for the Dogswatch container image.
-DOGSWATCH_VERSION=v0.1.2
+DOGSWATCH_VERSION=`cat VERSION`
 
 GOPKG = github.com/amazonlinux/thar/dogswatch
 GOPKGS = $(GOPKG) $(GOPKG)/pkg/... $(GOPKG)/cmd/...
 GOBIN = ./bin/
 DOCKER_IMAGE := dogswatch
 DOCKER_IMAGE_REF_RELEASE := $(DOCKER_IMAGE):$(DOGSWATCH_VERSION)
-DOCKER_IMAGE_REF := $(DOCKER_IMAGE):$(shell git rev-parse --short=8 HEAD)
+SHORT_SHA ?= $(shell git rev-parse --short=8 HEAD)
+DOCKER_IMAGE_REF := $(DOCKER_IMAGE):$(SHORT_SHA)
 DEBUG_LDFLAGS := -X $(GOPKG)/pkg/logging.DebugEnable=true
 
 build: $(GOBIN)
@@ -22,17 +23,19 @@ test:
 
 container:
 	docker build --network=host \
-		--tag $(DOCKER_IMAGE_REF)\
+		--tag $(DOCKER_IMAGE_REF) \
 		--build-arg BUILD_LDFLAGS='' \
 		.
 
+container-simple-test:
+	docker run --rm $(DOCKER_IMAGE_REF) -help 2>&1 | grep -C 10 'dogswatch'
+
 debug-container:
 	docker build --network=host \
 		--tag $(DOCKER_IMAGE_REF)\
 		--build-arg BUILD_LDFLAGS='$(DEBUG_LDFLAGS)' \
 		.
 
-
 release-container: container
 	docker tag $(DOCKER_IMAGE_REF) $(DOCKER_IMAGE_REF_RELEASE)
 

extras/dogswatch/VERSION

@@ -0,0 +1 @@
+v0.1.2

extras/admin-container/Dockerfile → extras/host-containers/thar-admin/Dockerfile

@@ -21,6 +21,11 @@ RUN cp bash /opt/bash
 
 FROM amazonlinux:2
 
+ARG IMAGE_VERSION
+# Make the container image version a mandatory build argument
+RUN test -n "$IMAGE_VERSION"
+LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
+
 RUN yum -y update && yum -y install openssh-server sudo util-linux && yum clean all
 RUN rm -f /etc/motd /etc/issue
 

extras/host-containers/thar-admin/Makefile

@@ -0,0 +1,19 @@
+IMAGE_VERSION=`cat VERSION`
+
+DOCKER_IMAGE := thar-admin
+DOCKER_IMAGE_REF_RELEASE := $(DOCKER_IMAGE):$(ADMIN_CTR_VERSION)
+SHORT_SHA ?= $(shell git rev-parse --short=8 HEAD)
+DOCKER_IMAGE_REF := $(DOCKER_IMAGE):$(SHORT_SHA)
+
+container:
+	docker build --network=host \
+		--tag $(DOCKER_IMAGE_REF) \
+		--build-arg IMAGE_VERSION="$(IMAGE_VERSION)" \
+		--build-arg BUILD_LDFLAGS='' \
+		.
+
+container-simple-test:
+	docker run --rm ${DOCKER_IMAGE_REF} cat /etc/motd
+
+release-container: container
+	docker tag $(DOCKER_IMAGE_REF) $(DOCKER_IMAGE_REF_RELEASE)

extras/host-containers/thar-admin/VERSION

@@ -0,0 +1 @@
+v0.2

extras/control-container/Dockerfile → extras/host-containers/thar-control/Dockerfile

@@ -1,4 +1,8 @@
 FROM amazonlinux:2
+ARG IMAGE_VERSION
+# Make the container image version a mandatory build argument
+RUN test -n "$IMAGE_VERSION"
+LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
 
 RUN yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm shadow-utils
 

extras/host-containers/thar-control/Makefile

@@ -0,0 +1,19 @@
+IMAGE_VERSION=`cat VERSION`
+
+DOCKER_IMAGE := thar-control
+DOCKER_IMAGE_REF_RELEASE := $(DOCKER_IMAGE):$(CONTROL_CTR_VERSION)
+SHORT_SHA ?= $(shell git rev-parse --short=8 HEAD)
+DOCKER_IMAGE_REF := $(DOCKER_IMAGE):$(SHORT_SHA)
+
+container:
+	docker build --network=host \
+		--tag $(DOCKER_IMAGE_REF) \
+		--build-arg IMAGE_VERSION="$(IMAGE_VERSION)" \
+		--build-arg BUILD_LDFLAGS='' \
+		.
+
+container-simple-test:
+	docker run --rm ${DOCKER_IMAGE_REF} cat /etc/motd
+
+release-container: container
+	docker tag $(DOCKER_IMAGE_REF) $(DOCKER_IMAGE_REF_RELEASE)

extras/host-containers/thar-control/VERSION

@@ -0,0 +1 @@
+v0.2

tools/infra/stacks/pipelines/admin-container-pipeline.yml

@@ -0,0 +1,161 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Thar admin container pipeline
+Parameters:
+  CodeBuildResourceStack:
+    Type: String
+    Description: 'Enter the name of the CloudFormation stack that sets up the pipeline CodeBuild projects.'
+  BranchName:
+    Description: GitHub branch name
+    Type: String
+    Default: develop
+    AllowedPattern: "[A-Za-z0-9-]+"
+  RepositoryName:
+    Description: Repository name
+    Type: String
+    AllowedPattern: "[A-Za-z0-9-]+"
+  GitHubOwner:
+    Description: Owner of the repository
+    Type: String
+    Default: amazonlinux
+    AllowedPattern: "[A-Za-z0-9-]+"
+  GitHubSecretToken:
+    Description: Github personal access token. (Account must have permission to create webhooks)
+    Type: String
+    NoEcho: true
+    MinLength: 40
+    MaxLength: 40
+    AllowedPattern: '[a-z0-9]*'
+
+Resources:
+  CodePipelineServiceRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - codepipeline.amazonaws.com
+            Action: 'sts:AssumeRole'
+      Path: !Sub "/${AWS::StackName}/"
+      Policies:
+        - PolicyName: HostContainerPipelineRolePolicy
+          PolicyDocument:
+            Version: 2012-10-17
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'codebuild:BatchGetBuilds'
+                  - 'codebuild:StartBuild'
+                Resource: '*'
+              - Effect: Allow
+                Action:
+                  - s3:PutObject
+                  - s3:GetObject
+                  - s3:GetObjectVersion
+                  - s3:GetBucketAcl
+                  - s3:GetBucketLocation
+                Resource:
+                  Fn::Join:
+                    - '/'
+                    - - Fn::ImportValue: !Sub "${CodeBuildResourceStack}-ArtifactBucketArn"
+                      - '*'
+
+  TharAdminCtrPipeline:
+    Type: 'AWS::CodePipeline::Pipeline'
+    Properties:
+      Name: thar-admin-ctr-pipeline
+      RoleArn: !GetAtt
+        - CodePipelineServiceRole
+        - Arn
+      Stages:
+        - Name: Source
+          Actions:
+            - Name: SourceAction
+              ActionTypeId:
+                Category: Source
+                Owner: ThirdParty
+                Version: '1'
+                Provider: GitHub
+              OutputArtifacts:
+                - Name: SourceOutput
+              Configuration:
+                Owner: !Ref GitHubOwner
+                Repo: !Ref RepositoryName
+                Branch: !Ref BranchName
+                OAuthToken: !Ref GitHubSecretToken
+                PollForSourceChanges: false
+              RunOrder: 1
+        - Name: Build
+          Actions:
+            - Name: BuildAction
+              InputArtifacts:
+                - Name: SourceOutput
+              ActionTypeId:
+                Category: Build
+                Owner: AWS
+                Version: '1'
+                Provider: CodeBuild
+              OutputArtifacts:
+                - Name: BuildArtifact
+              Configuration:
+                ProjectName:
+                  Fn::ImportValue:
+                    !Sub "${CodeBuildResourceStack}-Build"
+              RunOrder: 1
+        - Name: Test
+          Actions:
+            - Name: TestAction
+              InputArtifacts:
+                - Name: SourceOutput
+                - Name: BuildArtifact
+              ActionTypeId:
+                Category: Build
+                Owner: AWS
+                Version: '1'
+                Provider: CodeBuild
+              Configuration:
+                ProjectName:
+                  Fn::ImportValue:
+                    !Sub "${CodeBuildResourceStack}-Test"
+                PrimarySource: SourceOutput
+              RunOrder: 1
+        - Name: BetaDeploy
+          Actions:
+            - Name: BetaDeployAction
+              InputArtifacts:
+                - Name: SourceOutput
+                - Name: BuildArtifact
+              ActionTypeId:
+                Category: Build
+                Owner: AWS
+                Version: '1'
+                Provider: CodeBuild
+              Configuration:
+                ProjectName:
+                  Fn::ImportValue:
+                    !Sub "${CodeBuildResourceStack}-BetaDeploy"
+                PrimarySource: SourceOutput
+              RunOrder: 1
+      ArtifactStore:
+        Type: S3
+        Location:
+          Fn::ImportValue:
+            !Sub "${CodeBuildResourceStack}-ArtifactBucket"
+
+  TharAdminWebhook:
+    Type: 'AWS::CodePipeline::Webhook'
+    Properties:
+      Authentication: GITHUB_HMAC
+      AuthenticationConfiguration:
+        SecretToken: !Ref GitHubSecretToken
+      RegisterWithThirdParty: true
+      Filters:
+        - JsonPath: "$.ref"
+          MatchEquals: refs/heads/{Branch}
+        - JsonPath: "$.head_commit.modified[*]"
+          MatchEquals: "extras/host-containers/thar-admin/VERSION"
+      TargetPipeline: !Ref TharAdminCtrPipeline
+      TargetAction: SourceAction
+      TargetPipelineVersion: !GetAtt TharAdminCtrPipeline.Version