Update buildspec_secscan.yaml

buildspec/buildspec_deploy.yml

@@ -4,7 +4,7 @@ phases:
     commands:
        - apt-get update
        - apt-get install -y git python3 python3-pip
-       - pip install awscli
+       - pip install awscliv2
        - curl -o aws-iam-authenticator https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator
        - chmod +x ./aws-iam-authenticator
        - mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin
@@ -18,17 +18,25 @@ phases:
     commands:
       - "helm version"
       - "mkdir ~/.kube/"
+      -  echo "$PWD"
       - "aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN"
       - "chmod 0600 ~/.kube/config"
       - "aws sts get-caller-identity"
 
   build: # Deploy app via Helm
     commands:
-      - "helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION"
-
+      - "helm version"
+    #  - cd "helm_charts/aws-proserve-java-greeting"
+     # - "helm package ."
+      - echo "$PWD"
+     # - "helm lint . -f values.dev.yaml"
+    #- "helm install aws-proserve-java-greeting-0 aws-proserve-java-greeting-0.1.0.tgz"
+     # - "helm repo list"
+      - "helm upgrade -i $EKS_CODEBUILD_APP_NAME helm_charts/$EKS_CODEBUILD_APP_NAME -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.dev.yaml --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION"
+
   post_build: # Display the endpoint of the application
     commands:
       - bash -c "if [ /"$CODEBUILD_BUILD_SUCCEEDING/" == /"0/" ]; then exit 1; fi"
       - sleep 60
-      - JAVA_APP_ENDPOINT=`kubectl get svc $EKS_CODEBUILD_APP_NAME-$ENV -o jsonpath="{.status.loadBalancer.ingress[*].hostname}"`
+      - JAVA_APP_ENDPOINT=`kubectl get svc $EKS_CODEBUILD_APP_NAME -o jsonpath="{.status.loadBalancer.ingress[*].hostname}"`
       - echo -e "\nThe Java application can be accessed nw via http://$JAVA_APP_ENDPOINT/hello"

buildspec/buildspec_deploy1.yml

@@ -0,0 +1,62 @@
+version: 0.2
+phases:
+  install:
+    commands:
+      - echo "Starting the install phase..."
+      - apt-get update
+      - apt-get install -y git python3 unzip curl
+      # Install AWS CLI v2
+      - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+      - unzip awscliv2.zip
+      - ./aws/install --update
+      - aws --version
+      # Install aws-iam-authenticator
+      - curl -o aws-iam-authenticator https://s3.us-west-2.amazonaws.com/amazon-eks/1.21.2/2021-07-05/bin/linux/amd64/aws-iam-authenticator
+      - chmod +x ./aws-iam-authenticator
+      - mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin
+      # Install kubectl
+      - curl -LO https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl
+      - chmod +x kubectl
+      - mv ./kubectl /usr/local/bin/kubectl
+      # Install Helm v3
+      - curl -sSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+      - helm repo add stable https://charts.helm.sh/stable && helm repo update
+
+  pre_build:
+    commands:
+      - echo "Starting the pre_build phase..."
+      - echo "Checking AWS environment variables..."
+  #    - export AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-"us-west-2"}
+      - echo "Region: $AWS_DEFAULT_REGION"
+      - echo "Cluster Name: $EKS_CLUSTER_NAME"
+      - helm version
+      - mkdir -p ~/.kube/
+      # Update kubeconfig for EKS
+      - echo "Updating kubeconfig..."
+      - aws eks --region $AWS_DEFAULT_REGION update-kubeconfig --name $EKS_CLUSTER_NAME --role-arn $EKS_CODEBUILD_ROLE_ARN || exit 1
+      - echo "Validating kubeconfig..."
+      - cat ~/.kube/config
+      - chmod 0600 ~/.kube/config
+      # Validate AWS identity
+      - echo "Checking AWS identity..."
+      - aws sts get-caller-identity
+      # Validate kubectl connection
+      - echo "Validating kubectl connection to cluster..."
+      - kubectl get nodes || { echo "Failed to connect to the cluster. Exiting."; exit 1; }
+
+  build:
+    commands:
+      - echo "Starting the build phase..."
+      - helm upgrade -i $EKS_CODEBUILD_APP_NAME-$ENV helm_charts/$EKS_CODEBUILD_APP_NAME \
+        -f helm_charts/$EKS_CODEBUILD_APP_NAME/values.$ENV.yaml \
+        --set image.repository=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME \
+        --set image.tag=$CODEBUILD_RESOLVED_SOURCE_VERSION || exit 1
+
+  post_build:
+    commands:
+      - echo "Starting the post_build phase..."
+      - bash -c "if [ \"$CODEBUILD_BUILD_SUCCEEDING\" == \"0\" ]; then echo 'Build failed'; exit 1; fi"
+      - echo "Waiting for the application to become ready..."
+      - sleep 60
+      - JAVA_APP_ENDPOINT=$(kubectl get svc $EKS_CODEBUILD_APP_NAME-$ENV -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") || exit 1
+      - echo "The Java application can be accessed via http://$JAVA_APP_ENDPOINT/hello"

buildspec/buildspec_secscan.yaml

@@ -11,6 +11,7 @@ phases:
        - curl -OL https://github.com/aws/aws-codeguru-cli/releases/download/0.2.3/aws-codeguru-cli.zip
        - unzip aws-codeguru-cli.zip
        - export PATH=$PATH:./aws-codeguru-cli/bin
+       - echo $PATH
        - curl -sSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
        - helm repo add stable https://charts.helm.sh/stable && helm repo update
 
@@ -38,16 +39,17 @@ phases:
       - export APP_BUILD_ARTIFACTS=${BASE}/code/app/target/classes
       - mkdir ${BASE}/output
       - export OUTPUT=${BASE}/output
-      - export CURRENT_COMMIT=${CODEBUILD_RESOLVED_SOURCE_VERSION}
+      - export CURRENT_COMMIT=${CODEBUILD_RESOLVED_SOURCE_VERSION}    
       - export PREVIOUS_COMMIT=$(git log --format="%H" -n 2 | tail -1)
+      - echo "$PREVIOUS_COMMIT"
       - echo $BASE $SRC $APP_BUILD_ARTIFACTS $OUTPUT $CURRENT_COMMIT $PREVIOUS_COMMIT
       - ls -lhtar $BASE $SRC
       - |
-        if [ $PREVIOUS_COMMIT = $CURRENT_COMMIT ]; then
+        if [ "$PREVIOUS_COMMIT" = "$CURRENT_COMMIT" ]; then
            echo -e "\nNo Previous Commit, hence incremental code scan will not happen"
         else
            echo -e "\nAnalysing incremental changes between $CURRENT_COMMIT and $PREVIOUS_COMMIT"
-           $BASE/aws-codeguru-cli/bin/aws-codeguru-cli --region $AWS_REGION --bucket-name $CG_REVIEWER_BUCKET_NAME --root-dir $BASE --build $APP_BUILD_ARTIFACTS --src $SRC --commit-range $PREVIOUS_COMMIT:$CURRENT_COMMIT --output $OUTPUT --no-prompt
+          # $BASE/aws-codeguru-cli/bin/aws-codeguru-cli --region $AWS_REGION --bucket-name $CG_REVIEWER_BUCKET_NAME --root-dir $BASE --build $APP_BUILD_ARTIFACTS --src $SRC --commit-range $PREVIOUS_COMMIT=$CURRENT_COMMIT --output $OUTPUT --no-prompt
         fi
   post_build: # Upload Security vulnerabilities found in docker image to AWS SecurityHub in ASFF format
     commands:
@@ -63,4 +65,4 @@ phases:
         else
             echo -e "\nNo Recommendations from CodeGuru Reviewer as of now"
         fi
-      - bash -c "if [ /"$CODEBUILD_BUILD_SUCCEEDING/" == /"0/" ]; then exit 1; fi"
+      - bash -c "if [ /"$CODEBUILD_BUILD_SUCCEEDING/" == /"0/" ]; then exit 1; fi"

code/app/Dockerfile

@@ -7,11 +7,11 @@ ENV AWS_REGION=$AWS_REGION
 ENV CODEGURU_PROFILER_AGENT_DOWNLOAD_URL 'https://d1osg35nybn3tt.cloudfront.net/com/amazonaws/codeguru-profiler-java-agent-standalone/1.2.2/codeguru-profiler-java-agent-standalone-1.2.2.jar'
 RUN mkdir -p /opt/target
 RUN apk update && apk add wget && wget $CODEGURU_PROFILER_AGENT_DOWNLOAD_URL -O /opt/target/codeguru-profiler-java-agent-standalone.jar
-RUN apk add libcrypto3=3.0.8-r0 libssl3=3.0.8-r0
+RUN apk add libcrypto3 libssl3
 EXPOSE 8080 5005
 COPY target/aws-proserve-java-greeting.war /opt/target/
 WORKDIR /opt/target
 USER nobody
 ENV _JAVA_OPTIONS '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005'
 CMD ["sh", "-c", "java -javaagent:codeguru-profiler-java-agent-standalone.jar=profilingGroupName:${CG_PF_GNAME},region:${AWS_REGION},heapSummaryEnabled:true -jar aws-proserve-java-greeting.war --debug"]
-HEALTHCHECK CMD curl --fail http://localhost:8080/hello || exit 1
+HEALTHCHECK CMD curl --fail http://localhost:8080/hello || exit 1

helm_charts/aws-proserve-java-greeting/templates/role-binding.yml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-secrets
+  namespace: default
+subjects:
+- kind: User
+  name: "arn:aws:sts::909532541699:assumed-role/codebuild-Contineous-Deployment-service-role"
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: secret-reader
+  apiGroup: rbac.authorization.k8s.io

helm_charts/aws-proserve-java-greeting/templates/role.yml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: default
+  name: secret-reader
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list"]

helm_charts/aws-proserve-java-greeting/templates/tests/test-connection.yaml

@@ -12,4 +12,5 @@ spec:
       image: busybox
       command: ['wget']
       args: ['{{ include "aws-proserve-java-greeting.fullname" . }}:{{ .Values.service.port }}']
+
   restartPolicy: Never

helm_charts/aws-proserve-java-greeting/values.dev.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 
 image:
-  repository: xxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/aws-proserve-java-docker
+  repository: 909532541699.dkr.ecr.us-west-2.amazonaws.com/devsecops-amazonecr
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"

helm_charts/aws-proserve-java-greeting/values.yaml

@@ -0,0 +1,83 @@
+# Default values for aws-proserve-java-greeting.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: 909532541699.dkr.ecr.us-west-2.amazonaws.com/devsecops-amazonecr
+  pullPolicy: Always
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "latest"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: false
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: LoadBalancer
+  port: 80
+  targetPort: 8080
+  path: /hello
+  initialDelaySeconds: 60
+  periodSeconds: 30
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}