Nao San for AWS Community Builders

[AWS] DevTools Evangelism CodeBuild Edition [CodeBuild]

This article is a machine translation of the contents of the following URL, which I wrote in Japanese:

https://qiita.com/Nana_777/items/4ffe5e508b3eed3ff27d

Introduction

I've introduced several AWS DevTools in previous articles, but this time I'll introduce AWS CodeBuild.
AWS CodeBuild is often used to automate routine tasks before deploying your work, such as testing and compiling source code.
I've previously introduced AWS CodeCommit and AWS CodeDeploy in my articles, and AWS CodeBuild is often mentioned as part of the same Code series.

*Note: Since the Qiita Advent Calendar, held in Japan in December, has already filled up, this article is not related to the Advent Calendar.

Prerequisites

While many people set up automated execution using tools like AWS CodePipeline or GitHub Actions, this article aims to spread the word about DevTools, so I'll introduce the basics of how to use the tool.

What is AWS CodeBuild?

AWS CodeBuild compiles source code stored in S3, AWS CodeCommit, and GitHub, and runs unit tests.
It is often used to update artifact repositories and test and compile code before deployment when implementing CI/CD.

↓ The image looks like this (generated with Google Gemini)
[Image: conceptual diagram of AWS CodeBuild]

What we'll try in this article

Running CloudFormation tests (AWS CloudFormation Guard) with CodeBuild

What is AWS CloudFormation Guard?

A tool that tests whether the definitions in a CloudFormation template are as intended.
You write definition rules in YAML format and it checks whether the rules match the template contents.
For example, you can define rules such as a Lambda function's "timeout setting" being "90 seconds" or "less than 90 seconds."

Configuring CodeBuild

Creating a CodeBuild Project

In the AWS CodeBuild console, select "Create Project."


Enter a project name and select the default project.


The source provider will use the AWS CodeCommit repository created previously.


Since we want to create a project with minimal configuration, we'll select a managed image for the environment image and Lambda for the compute.


Select "Use buildspec file" to run the build according to the buildspec file managed in the AWS CodeCommit repository.


Creating a Test Object

In this example, we want to test Cfn-Guard against a CloudFormation template, so we'll create a CloudFormation template, a Cfn-Guard rule file, and a BuildSpec file for CodeBuild.

CloudFormation Template

This time, we will only define the Lambda function.
This Lambda function has the following definitions:

  • Timeout setting: 30 seconds
  • Runtime version: python3.9
  • Policy: AWSLambdaBasicExecutionRole

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Lambda function CloudFormation template'

Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyLambdaFunction
      Runtime: python3.9
      Handler: index.lambda_handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30
      Code:
        ZipFile: |
          def lambda_handler(event, context):
              return {
                  'statusCode': 200,
                  'body': 'Hello from Lambda!'
              }

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Outputs:
  LambdaFunctionArn:
    Description: 'Lambda Function ARN'
    Value: !GetAtt MyLambdaFunction.Arn
```

Cfn-guard Rule File

This time, we are checking that the Lambda function has the following definition:

  • Timeout setting: 900 seconds or less
  • Runtime version: one of "python3.9", "python3.10", "python3.11", "nodejs18.x", or "nodejs20.x"
  • Policy: ensure that overly powerful managed policies such as PowerUserAccess and AdministratorAccess are not attached.

```
# Lambda function security and best practices rules

# Ensure Lambda function has a timeout set, and that it is at most 900 seconds
rule lambda_timeout_check {
    Resources.*[ Type == "AWS::Lambda::Function" ] {
        Properties.Timeout exists
        Properties.Timeout <= 900
    }
}

# Ensure Lambda function uses a supported runtime
rule lambda_runtime_check {
    Resources.*[ Type == "AWS::Lambda::Function" ] {
        Properties.Runtime in ["python3.9", "python3.10", "python3.11", "nodejs18.x", "nodejs20.x"]
    }
}

# Ensure IAM role follows least privilege: ManagedPolicyArns must exist
# and must not contain the broad PowerUserAccess / AdministratorAccess policies
rule iam_role_managed_policy_check {
    Resources.*[ Type == "AWS::IAM::Role" ] {
        Properties.ManagedPolicyArns exists
        Properties.ManagedPolicyArns.* != "arn:aws:iam::aws:policy/PowerUserAccess"
        Properties.ManagedPolicyArns.* != "arn:aws:iam::aws:policy/AdministratorAccess"
    }
}
```
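To make the semantics of the three rules concrete, here is a small local checker that evaluates the same conditions in plain Python. It is an added example, not the article's code and not part of cfn-guard; the templates are embedded as Python dicts in CloudFormation's JSON form (so `!GetAtt` appears as `{"Fn::GetAtt": [...]}`) and the non-compliant template is constructed for the demonstration. It goes slightly beyond the article by showing one consequence of the rule as written: because `Properties.ManagedPolicyArns exists` is required, a role that uses only inline policies fails the IAM rule, and a function with no `Timeout` fails the timeout rule.

```python
"""Local re-implementation of the article's three cfn-guard rules.

Added example: neither the article's code nor cfn-guard itself. Templates are
embedded as dicts in CloudFormation JSON form, so no YAML parser is needed.
"""
from typing import Any, Dict, List, Tuple

MAX_TIMEOUT = 900  # seconds, the bound used by lambda_timeout_check
ALLOWED_RUNTIMES = {"python3.9", "python3.10", "python3.11", "nodejs18.x", "nodejs20.x"}
FORBIDDEN_POLICIES = {
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
}

Finding = Tuple[str, str]  # (rule name, message)


def resources_of_type(template: Dict[str, Any], type_name: str) -> Dict[str, Dict[str, Any]]:
    """Equivalent of the guard selector `Resources.*[ Type == "<type>" ]`."""
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == type_name}


def lambda_timeout_check(template: Dict[str, Any]) -> List[Finding]:
    """Timeout must exist and be <= 900; a missing Timeout fails, as in the guard rule."""
    findings: List[Finding] = []
    for name, res in resources_of_type(template, "AWS::Lambda::Function").items():
        timeout = res.get("Properties", {}).get("Timeout")
        if timeout is None:
            findings.append(("lambda_timeout_check", f"{name}: Timeout is not set"))
        elif not isinstance(timeout, int) or timeout > MAX_TIMEOUT:
            findings.append(("lambda_timeout_check", f"{name}: Timeout {timeout!r} is not <= {MAX_TIMEOUT}"))
    return findings


def lambda_runtime_check(template: Dict[str, Any]) -> List[Finding]:
    """Runtime must be one of the allowed values (a missing Runtime also fails)."""
    findings: List[Finding] = []
    for name, res in resources_of_type(template, "AWS::Lambda::Function").items():
        runtime = res.get("Properties", {}).get("Runtime")
        if runtime not in ALLOWED_RUNTIMES:
            findings.append(("lambda_runtime_check", f"{name}: Runtime {runtime!r} is not allowed"))
    return findings


def iam_role_managed_policy_check(template: Dict[str, Any]) -> List[Finding]:
    """ManagedPolicyArns must exist and must not contain the two broad policies."""
    findings: List[Finding] = []
    for name, res in resources_of_type(template, "AWS::IAM::Role").items():
        arns = res.get("Properties", {}).get("ManagedPolicyArns")
        if arns is None:
            # The guard rule requires the property to exist, so a role that relies
            # only on inline policies is reported as a failure by this rule.
            findings.append(("iam_role_managed_policy_check", f"{name}: ManagedPolicyArns is not set"))
            continue
        for arn in arns:
            if arn in FORBIDDEN_POLICIES:
                findings.append(("iam_role_managed_policy_check", f"{name}: attaches {arn}"))
    return findings


def validate(template: Dict[str, Any]) -> List[Finding]:
    """Run all three rules; an empty list means the template is compliant."""
    return (lambda_timeout_check(template) + lambda_runtime_check(template)
            + iam_role_managed_policy_check(template))


# The article's template in JSON form (ZipFile body shortened).
COMPLIANT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "FunctionName": "MyLambdaFunction", "Runtime": "python3.9",
                "Handler": "index.lambda_handler",
                "Role": {"Fn::GetAtt": ["LambdaExecutionRole", "Arn"]},
                "Timeout": 30,
                "Code": {"ZipFile": "def lambda_handler(event, context):\n    return {'statusCode': 200}\n"},
            },
        },
        "LambdaExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "lambda.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}],
                },
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
            },
        },
    },
}

# Constructed non-compliant variant: each rule should produce one finding.
NONCOMPLIANT_TEMPLATE = {
    "Resources": {
        "SlowFunction": {"Type": "AWS::Lambda::Function",
                         "Properties": {"Runtime": "python3.7", "Timeout": 1200, "Handler": "index.handler"}},
        "AdminRole": {"Type": "AWS::IAM::Role",
                      "Properties": {"ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]}},
    }
}

if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NONCOMPLIANT_TEMPLATE)):
        findings = validate(tpl)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for rule, msg in findings:
            print(f"  [{rule}] {msg}")
```

Running the script prints PASS for the article's template and three findings for the constructed one. If you do want roles with only inline policies to pass, the guard rule would need the `exists` clause replaced by a conditional (`when Properties.ManagedPolicyArns exists { ... }`); the checker above deliberately mirrors the rule exactly as the article writes it.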

BuildSpec

The build spec defines what CodeBuild will do.
In this example, the following is defined:

install (Installation Phase)

  • Install Rust (CloudFormation Guard is written in Rust)
  • Set environment variables for Cargo (Rust's package manager)
  • Install cfn-guard

```yaml
version: 0.2  # required top-level key of every buildspec; the phases below follow it

phases:
  install:
    runtime-versions:
      rust: 1.70
    commands:
      - echo "Installing CloudFormation Guard..."
      - cargo install cfn-guard
```

pre_build (Pre-Build Phase)

  • Print the start time
  • Check the cfn-guard version
  • Verify that it was installed correctly

```yaml
  pre_build:
    commands:
      - echo "Pre-build phase started on `date`"
      - cfn-guard --version
```

build (build phase)

  • Run CloudFormation Guard validation
  • Validate lambda-template.yaml using the rules in lambda-rules.guard
  • Display a detailed summary with --show-summary all

```yaml
  build:
    commands:
      - echo "Build phase started on `date`"
      - echo "Running CloudFormation Guard validation..."
      - cfn-guard validate --rules lambda-rules.guard --data lambda-template.yaml --show-summary all
```

post_build (post-build phase)

  • Print the completion time and completion message

```yaml
  post_build:
    commands:
      - echo "Post-build phase completed on `date`"
      - echo "CloudFormation Guard validation completed"
```

reports section

  • Generate a report named cfn-guard-report
  • Include all files in the current directory
  • Preserve the path structure

```yaml
reports:
  cfn-guard-report:
    files:
      - '**/*'
    base-directory: '.'
    discard-paths: no
```

Repository Contents

You can separate template and rule files into separate folders, but in this example, we placed the three files in the same hierarchy.


Run a Build

Run a build using the "Start Build" button.


:::note warn
Runtime error occurred
In my environment, a quota-related error occurred.
I contacted AWS Support and the issue was resolved after a few days (the cause is unknown).

```
Cannot have more than 0 concurrent builds on LINUX_LAMBDA_CONTAINER machines with the BUILD_LAMBDA_2GB compute type for the account.
```
:::

Build History

You can check the build status in the "Build History" section, which shows "In Progress," "Succeeded," or "Failed."


Build Log

You can view the build log in the build history details.

↓ The build log confirms that the Cfn-guard check passed.
[Image: build log screenshots]

Conclusion

In this article, we introduced AWS CodeBuild.
It can automatically run pre-defined tests on assets managed in AWS CodeCommit, making it useful for automated testing before deployment.
You can also configure a pipeline that runs tests with AWS CodeBuild in response to changes to assets in AWS CodeCommit and, in some cases, automates deployments with AWS CodeDeploy, but we'll cover that in another article.

Reference

↓ Official AWS CodeBuild documentation

https://docs.aws.amazon.com/ja_jp/codebuild/latest/userguide/builds-working.html

↓ AWS CodeBuild BlackBelt documentation (Japanese)

https://pages.awscloud.com/rs/112-TZM-766/images/20201125_AWS_BlackBelt_AWS_CodeBuild.pdf

Previous related articles

↓ AWS CodeCommit

https://dev.to/aws-builders/aws-devtools-evangelism-codecommit-edition-43e
↓ AWS CodeDeploy

https://dev.to/aws-builders/aws-devtools-evangelism-codedeploy-edition-deg
