Exemple #1
0
class Create_Code_Build:

    def __init__(self,account_id,project_name):
        self.account_id         = account_id
        self.project_name       = project_name
        self.project_repo       = 'https://github.com/pbx-gs/{0}'.format(self.project_name)
        self.service_role       = 'arn:aws:iam::{0}:role/{1}'                  .format(self.account_id, self.project_name)
        self.project_arn        = 'arn:aws:codebuild:eu-west-2:{0}:project/{1}'.format(self.account_id, self.project_name     )
        self.assume_policy      = {'Statement': [{'Action'   : 'sts:AssumeRole'                     ,
                                                  'Effect'   : 'Allow'                              ,
                                                  'Principal': {'Service': 'codebuild.amazonaws.com'}}]}

        self.code_build = CodeBuild(role_name=self.project_name, project_name=self.project_name)

    def create_role_and_policies(self, policies):
        self.code_build.iam.role_create(self.assume_policy)
        policies_arn = self.code_build.policies_create(policies)
        self.code_build.iam.role_policies_attach(policies_arn)
        return self

    def create_project_with_container__docker(self):
        kvargs = {
            'name'        : self.project_name,
            'source'      : { 'type'         : 'GITHUB',
                              'location'     : self.project_repo                 },
            'artifacts'   : {'type'          : 'NO_ARTIFACTS'                    },
            'environment' : {'type'          : 'LINUX_CONTAINER'                  ,
                            'image'          : 'aws/codebuild/docker:18.09.0'     ,
                            'computeType'    : 'BUILD_GENERAL1_LARGE'            },
            'serviceRole' : self.service_role
        }

        return self.code_build.codebuild.create_project(**kvargs)

    def create_project_with_container__gs_docker_codebuild(self):
        kvargs = {
            'name'        : self.project_name,
            'source'      : { 'type'                   : 'GITHUB',
                           'location'                  : self.project_repo                 },
            'artifacts'   : {'type'                    : 'NO_ARTIFACTS'                    },
            'environment' : {'type'                    : 'LINUX_CONTAINER'                  ,
                            'image'                    : '{0}.dkr.ecr.eu-west-2.amazonaws.com/gs-docker-codebuild:latest'.format(self.account_id)     ,
                            'computeType'              : 'BUILD_GENERAL1_LARGE'            ,
                            'imagePullCredentialsType' : 'SERVICE_ROLE'                    },
            'serviceRole' : self.service_role
        }
        return self.code_build.codebuild.create_project(**kvargs)

    def policies__for_docker_build(self):
        cloud_watch_arn = "arn:aws:logs:eu-west-2:{0}:log-group:/aws/codebuild/{1}:log-stream:*".format(self.account_id, self.project_name)
        policies = {"Cloud-Watch-Policy": {"Version": "2012-10-17",
                                           "Statement": [{"Sid": "GsBotPolicy",
                                                          "Effect": "Allow",
                                                          "Action": ["logs:CreateLogGroup",
                                                                     "logs:CreateLogStream",
                                                                     "logs:PutLogEvents"],
                                                          "Resource": [cloud_watch_arn]}]},
                    "Secret-Manager": {
                        "Version": "2012-10-17",
                        "Statement": [{"Sid": "GsBotPolicy",
                                       "Effect": "Allow",
                                       "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                                       "Resource": [
                                           "arn:aws:secretsmanager:eu-west-2:244560807427:secret:slack-gs-bot-*",
                                           "arn:aws:secretsmanager:eu-west-2:244560807427:secret:elastic_gsuite_data-*"]}]},
                    "Create-Docker-Image": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["ecr:BatchCheckLayerAvailability",
                                                  "ecr:CompleteLayerUpload",
                                                  "ecr:GetAuthorizationToken",
                                                  "ecr:InitiateLayerUpload",
                                                  "ecr:PutImage",
                                                  "ecr:UploadLayerPart"],
                                       "Resource": "*"}]},
                    "Create-Repository": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["ecr:CreateRepository"],
                                       "Resource": "*"}]}}
        return policies

    def policies__with_ecr(self):
        cloud_watch_arn = "arn:aws:logs:eu-west-2:{0}:log-group:/aws/codebuild/{1}:log-stream:*".format(self.account_id,self.project_name)
        policies = {"Cloud-Watch-Policy"     : { "Version": "2012-10-17",
                                                 "Statement": [{   "Effect": "Allow",
                                                                   "Action": [ "logs:CreateLogGroup"  ,
                                                                               "logs:CreateLogStream" ,
                                                                               "logs:PutLogEvents"   ],
                                                                   "Resource": [ cloud_watch_arn ]}]},
                    "Download_Image"         : { "Version": "2012-10-17",
                                                 "Statement": [{   "Effect": "Allow",
                                                                   "Action": [   "ecr:GetAuthorizationToken",
                                                                                 "ecr:BatchCheckLayerAvailability",
                                                                                 "ecr:GetDownloadUrlForLayer",
                                                                                 "ecr:GetRepositoryPolicy",
                                                                                 "ecr:DescribeRepositories",
                                                                                 "ecr:ListImages",
                                                                                 "ecr:DescribeImages",
                                                                                 "ecr:BatchGetImage"],
                                                                   "Resource": "*"}]}}
        return policies

    def policies__with_ecr_and_3_secrets(self):
        cloud_watch_arn = "arn:aws:logs:eu-west-2:{0}:log-group:/aws/codebuild/{1}:log-stream:*".format(self.account_id,self.project_name)
        policies = {"Cloud-Watch-Policy"     : { "Version": "2012-10-17",
                                                 "Statement": [{   "Sid": "GsBotPolicy",
                                                                   "Effect": "Allow",
                                                                   "Action": [ "logs:CreateLogGroup"  ,
                                                                               "logs:CreateLogStream" ,
                                                                               "logs:PutLogEvents"   ],
                                                                   "Resource": [ cloud_watch_arn ]}]},
                    "Download_Image"         : { "Version": "2012-10-17",
                                                 "Statement": [{   "Effect": "Allow",
                                                                   "Action": [   "ecr:GetAuthorizationToken",
                                                                                 "ecr:BatchCheckLayerAvailability",
                                                                                 "ecr:GetDownloadUrlForLayer",
                                                                                 "ecr:GetRepositoryPolicy",
                                                                                 "ecr:DescribeRepositories",
                                                                                 "ecr:ListImages",
                                                                                 "ecr:DescribeImages",
                                                                                 "ecr:BatchGetImage"],
                                                                   "Resource": "*"}]},
                    "Secret-Manager"        : { "Version"  : "2012-10-17",
                                                "Statement": [{   "Effect"  : "Allow",
                                                                  "Action"  : [ "secretsmanager:GetSecretValue","secretsmanager:DescribeSecret"          ],
                                                                  "Resource": [ "arn:aws:secretsmanager:eu-west-2:244560807427:secret:slack-gs-bot-*"     ,
                                                                                "arn:aws:secretsmanager:eu-west-2:244560807427:secret:elastic*"           ,
                                                                                "arn:aws:secretsmanager:eu-west-2:244560807427:secret:gsuite*"        ]}]}}
        return policies


    def delete_project_role_and_policies(self):
        if self.code_build.iam.role_exists():
            policies_arns = list(self.code_build.iam.role_policies().values())
            self.code_build.iam.role_policies_detach(policies_arns)                 # first detach policies
            self.code_build.iam.policies_delete(policies_arns)                      # then delete the policies
            self.code_build.iam.role_delete()                                       # then delete the role
        if self.code_build.project_exists():
            self.code_build.project_delete()                                        # finally delete the project
class test_CodeBuild(TestCase):

    @classmethod
    def setUpClass(cls):
        code_build = CodeBuild(project_name=project_name, role_name=project_name)
        iam        = IAM(role_name=project_name)
        if delete_on_setup:
            code_build.project_delete()
            iam.role_delete()
        if code_build.project_exists() is False:
            assert code_build.project_exists() is False
            iam.role_create(assume_policy)                                # create role
            assert iam.role_info().get('Arn') == service_role             # confirm the role exists
            sleep(1)
            code_build.project_create(project_repo, service_role)         # in a non-deterministic way, this sometimes throws the error: CodeBuild is not authorized to perform: sts:AssumeRole

    @classmethod
    def tearDownClass(cls):
        code_build = CodeBuild(project_name=project_name,role_name=project_name)
        iam        = IAM(role_name=project_name)
        assert code_build.project_exists() is True
        assert iam.role_exists()           is True
        if delete_on_teardown:
            code_build.project_delete()
            iam       .role_delete()
            assert code_build.project_exists() is False
            assert iam.role_exists()           is False

    def setUp(self):
        self.code_build = CodeBuild(project_name=project_name,role_name=project_name)
        self.iam        = IAM(role_name=project_name)

    def test_all_builds_ids(self):                      # LONG running test
        ids = list(self.code_build.all_builds_ids())
        Assert(ids).size_is(100)
        ids = list(self.code_build.all_builds_ids(use_paginator=True))
        Assert(ids).is_bigger_than(1000)

    #@unittest.skip("Reduce the number of policies created and improve tests")
    def test_create_policies(self):
        policies = {
            "Download_Image"         : { "Version": "2012-10-17",
                                                 "Statement": [{   "Effect": "Allow",
                                                                   "Action": [   "ecr:GetAuthorizationToken",
                                                                                 "ecr:BatchCheckLayerAvailability",
                                                                                 "ecr:GetDownloadUrlForLayer",
                                                                                 "ecr:GetRepositoryPolicy",
                                                                                 "ecr:DescribeRepositories",
                                                                                 "ecr:ListImages",
                                                                                 "ecr:DescribeImages",
                                                                                 "ecr:BatchGetImage"],
                                                                   "Resource": "*"}]},
            "CodeBuildBasePolicy" : {"Version"  : "2012-10-17",
                                     "Statement": [ { "Effect"   :   "Allow",
                                                      "Resource" : [ "arn:aws:logs:eu-west-2:244560807427:log-group:/aws/codebuild/GSBot_code_build",
                                                                     "arn:aws:logs:eu-west-2:244560807427:log-group:/aws/codebuild/GSBot_code_build:*"],
                                                      "Action"   : [ "logs:CreateLogGroup",
                                                                     "logs:CreateLogStream",
                                                                     "logs:PutLogEvents" ]},
                                                    { "Effect"   :   "Allow",
                                                      "Resource" : [ "arn:aws:s3:::codepipeline-eu-west-2-*"],
                                                      "Action"   : [ "s3:PutObject",
                                                                     "s3:GetObject",
                                                                     "s3:GetObjectVersion",
                                                                     "s3:GetBucketAcl",
                                                                     "s3:GetBucketLocation"]}]},
            "Cloud_Watch_Policy": {
                                      "Version": "2012-10-17",
                                      "Statement": [ {  "Effect": "Allow",
                                                        "Action": [ "logs:CreateLogGroup",
                                                                    "logs:CreateLogStream",
                                                                    "logs:PutLogEvents" ],
                                                        "Resource": ["*"]},
                                                     {  "Effect": "Allow",
                                                        "Action": ["codecommit:GitPull"],
                                                        "Resource": ["*"] },
                                                     {  "Effect": "Allow",
                                                                  "Action": [ "s3:GetObject",
                                                                              "s3:GetObjectVersion"],
                                                                  "Resource": ["*"]},
                                        {
                                          "Sid": "S3PutObjectPolicy",
                                          "Effect": "Allow",
                                          "Action": [
                                            "s3:PutObject"
                                          ],
                                          "Resource": [
                                            "*"
                                          ]
                                        }
                                      ]
                                    }
                , "Access_Secret_Manager": {
                                                "Version": "2012-10-17",
                                                "Statement": [
                                                    {
                                                        "Sid": "VisualEditor0",
                                                        "Effect": "Allow",
                                                        "Action": [
                                                            "secretsmanager:GetResourcePolicy",
                                                            "secretsmanager:GetSecretValue",
                                                            "secretsmanager:DescribeSecret",
                                                            "secretsmanager:ListSecretVersionIds"
                                                        ],
                                                        "Resource": "arn:aws:secretsmanager:*:*:secret:*"
                                                    }
                                                ]
                                            },
                "Invoke_Lambda_Functions": {
                                                "Version": "2012-10-17",
                                                "Statement": [
                                                    {
                                                        "Sid": "VisualEditor0",
                                                        "Effect": "Allow",
                                                        "Action": "lambda:InvokeFunction",
                                                        "Resource": "arn:aws:lambda:*:*:function:*"
                                                    }
                                                ]
                                            },
                "Create_Update_Lambda_Functions": { "Version": "2012-10-17",
                                                    "Statement": [ {  "Effect": "Allow",
                                                                      "Action": ["lambda:ListFunctions","lambda:GetFunction","lambda:CreateFunction","lambda:UpdateFunctionCode"],
                                                                      "Resource": "arn:aws:lambda:*:*:function:*" } ]},
                "ECS_Management"                : { "Version": "2012-10-17",
                                                    "Statement": [ {  "Effect": "Allow",
                                                                      "Action": ["ecs:ListClusters", "ecs:ListTaskDefinitions"],
                                                                      "Resource": "*" } ]},
                "Pass_Role": {
                                "Version": "2012-10-17",
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": [
                                        "iam:GetRole",
                                        "iam:PassRole"
                                    ],
                                    "Resource": "arn:aws:iam::244560807427:role/lambda_with_s3_access"
                                }]
                            }
            }


        policies_arns = list(self.code_build.iam.role_policies().values())
        policies_names = list(self.code_build.iam.role_policies().keys())
        self.code_build.iam.role_policies_detach(policies_arns)
        for policies_name in policies_names:
            self.code_build.iam.policy_delete(policies_name)

        self.code_build.policies_create(policies)



    def test_build_start(self):
        build_id     = self.code_build.build_start()
        build_info   = self.code_build.build_wait_for_completion(build_id,1, 60)
        build_phases = build_info.get('phases')

        phase        = build_phases.pop(-2)

        Dev.pprint(phase.get('phaseType'),phase.get('phaseStatus'),phase.get('contexts')[0].get('message') )


    def test_project_builds(self):
        ids = list(self.code_build.project_builds_ids('GSBot_code_build'))
        assert len(self.code_build.project_builds(ids[0:2])) == 3

    def test_project_builds_ids(self):                  # LONG running test
        assert len(list(self.code_build.project_builds_ids('GSBot_code_build'             )))  > 20
        assert len(list(self.code_build.project_builds_ids('pbx-group-security-site'      ))) == 100
        assert len(list(self.code_build.project_builds_ids('GSBot_code_build'       , True)))  > 20
        assert len(list(self.code_build.project_builds_ids('pbx-group-security-site', True)))  > 1200

    def test_project_info(self):
        project = self.code_build.project_info()
        (
            Assert(project).field_is_equal('arn'        , project_arn )
                           .field_is_equal('name'       , project_name)
                           .field_is_equal('serviceRole', service_role)
        )

    def test_projects(self):
        result = self.code_build.projects()
        Assert(result).is_bigger_than(2).is_smaller_than(100)