Book Image

AWS Automation Cookbook

By : Nikit Swaraj
Book Image

AWS Automation Cookbook

By: Nikit Swaraj

Overview of this book

AWS CodeDeploy, AWS CodeBuild, and CodePipeline are scalable services offered by AWS that automate an application's build and deployment pipeline. In order to deliver tremendous speed and agility, every organization is moving toward automating their entire application pipeline. This book will cover all the AWS services required to automate your deployment to your instances. You'll begin by setting up and using one of the AWS services for automation –CodeCommit. Next, you'll learn how to build a sample Maven and NodeJS application using CodeBuild. After you've built the application, you'll see how to use CodeDeploy to deploy the application in EC2/Auto Scaling. You'll also build a highly scalable and fault tolerant Continuous Integration (CI)/Continuous Deployment (CD) pipeline using some easy-to-follow recipes. Following this, you'll achieve CI/CD for a microservice application and reduce the risk within your software development life cycle globally. You'll also learn to set up an infrastructure using CloudFormation templates and Ansible, and see how to automate AWS resources using AWS Lambda. Finally, you'll learn to automate instances in AWS and automate the deployment lifecycle of applications. By the end of this book, you'll be able to minimize application downtime and implement CI/CD, gaining total control over your software development lifecycle.
Table of Contents (11 chapters)

Applying security and restrictions

In an enterprise where a product is being developed, we find lots of developers on different teams working with different repositories but in the same Git-based VCS.

Here in CodeCommit, if we give a user CodeCommitPowerUser access, then the user will have full control over all the repositories, except the deletion of repositories. So, a Power User will be able to see the source code of all other repositories, that is, there won't be any privacy. This is the kind of permission you should avoid giving another user.

In some companies, they have different use cases, for example, they only require a few of their developers to have access to all Git-based commands and on the specific repository. We dive into how to implement this type of scenario.

Getting ready

To implement this scenario, we use AWS IAM services, where we will create a user and attach it to a CodeCommit custom policy, and that policy will have access to only a specific repository with specific Git commands.

How to do it...

Let's get started with that, and perform the following operations:

  1. First of all, let's create a custom policy where we will give the restriction definition.
  2. Go to IAM Console and click on the Policies section. Then, click on Create Policy:
  3. Click on Create Your Own Policy:
  1. You will be redirected to another page where you have to fill in the Policy Name, a description of the policy, and a policy document. The policy document will be the definition, where we will mention the resources and actions:
  1. Insert the following policy definition (x60xxxxxxx39 will be basically your account ID):
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": "arn:aws:codecommit:us-east-1:x60xxxxxxx39:HelloWorld"
  1. Click on Create Policy; then we will have our own custom policy:
  2. Now, let's remove the AWSCodeCommitPowerUser access from the IAM user that we created to clone the repository by clicking on x:
  1. Click on Add permissions, after that click on Attach Existing Policies Directly and search for Policy name in filter, check that, and save it:
  1. We will have a user with only our custom policy, which means the user will only have access to the HelloWorld repository and only two actions, git push and git clone:
    awsstar@awsstar:~$ aws codecommit list-repositories
An error occurred (AccessDeniedException) when calling the ListRepositories operation: User: arn:aws:iam::16xxxxxx139:user/awsccuser is not authorized to perform: codecommit:ListRepositories

The preceding command output shows AccessDeniedException, that is, awsccuser is not authorized to perform codecommit:ListRepositories. The reason for this is we have given access to only two operations or actions: git push and git clone.