AWS CodeDeploy Operations: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
No edit summary
Line 22: Line 22:


First create a service role with CodeDeploy permissions that grants AWS CodeDeploy access to the target instances. This is how to crate a Service Role: {{Internal|AWS_Security_Operations#Create_an_IAM_Role|Create an IAM Role}}
First create a service role with CodeDeploy permissions that grants AWS CodeDeploy access to the target instances. This is how to crate a Service Role: {{Internal|AWS_Security_Operations#Create_an_IAM_Role|Create an IAM Role}}
Name: themyscira-unity-codedeploy-role
After creation, which can be done through a standard IAM wizard, it contains an AWSCodeDeployRoleForECS policy that looks like this:
<syntaxhighlight lang='json'>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:DeleteTaskSet",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "s3:GetObject",
                "s3:GetObjectMetadata",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
</syntaxhighlight>

Revision as of 18:04, 28 February 2019

Internal

Create an Application

Application Configuration

Application name

Compute platform

Amazon ECS.

Crete a Deployment Group

Application

Deployment Group Name

Service Role

First create a service role with CodeDeploy permissions that grants AWS CodeDeploy access to the target instances. This is how to crate a Service Role:

Create an IAM Role

Name: themyscira-unity-codedeploy-role

After creation, which can be done through a standard IAM wizard, it contains an AWSCodeDeployRoleForECS policy that looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecs:DescribeServices",
                "ecs:CreateTaskSet",
                "ecs:UpdateServicePrimaryTaskSet",
                "ecs:DeleteTaskSet",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "lambda:InvokeFunction",
                "cloudwatch:DescribeAlarms",
                "sns:Publish",
                "s3:GetObject",
                "s3:GetObjectMetadata",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        }
    ]
}