Some progress in cross account deployments

Author: ferdingler

workshop/content/buildpipe/pipeline/launch/_index.en.md

@@ -4,7 +4,7 @@ date = 2020-01-03T19:29:29-08:00
 weight = 5
 +++
 
-Open the [AWS CloudFormation console]((https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=sam-app-ci-cd)) to launch a new stack and upload the downloaded template by choosing the _Upload a template_ file option.
+Open the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation/home#/stacks/new?stackName=sam-app-ci-cd) to launch a new stack and upload the downloaded template by choosing the _Upload a template_ file option.
 
 ![PipelineConfiguration](/images/screenshot-pipeline-cfn-1.png)
 

workshop/content/crossaccount/artifactstore/_index.en.md

@@ -0,0 +1,73 @@
++++
+title = "Creating a KMS Key"
+date = 2019-11-11T14:46:02-08:00
+weight = 30
++++
+
+The first thing we are going to do is modify the pipeline [created on Chapter 4](/buildpipe/pipeline.html), to use a symmetric Customer Master Key (CMK) to encrypt artifacts in the bucket. The easiest way to do this is by adding the following CloudFormation snippet at the end of our `pipeline.yml` file: 
+
+```
+KMSKey:
+  Type: AWS::KMS::Key
+  Properties:
+    Description: Used to encrypt artifacts by CodePipeline
+    EnableKeyRotation: true
+    KeyPolicy:
+      Version: "2012-10-17"
+      Id: !Ref AWS::StackName
+      Statement:
+        -
+          Effect: Allow
+          Principal:
+            AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
+          Action:
+            - "kms:Create*"
+            - "kms:Describe*"
+            - "kms:Enable*"
+            - "kms:List*"
+            - "kms:Put*"
+            - "kms:Update*"
+            - "kms:Revoke*"
+            - "kms:Disable*"
+            - "kms:Get*"
+            - "kms:Delete*"
+            - "kms:ScheduleKeyDeletion"
+            - "kms:CancelKeyDeletion"
+          Resource: "*"
+        -
+          Effect: Allow
+          Principal:
+            AWS:
+            - !GetAtt BuildProjectRole.Arn
+          Action:
+            - kms:Encrypt
+            - kms:Decrypt
+            - kms:ReEncrypt*
+            - kms:GenerateDataKey*
+            - kms:DescribeKey
+          Resource: "*"
+
+KMSAlias:
+  Type: AWS::KMS::Alias
+  Properties:
+    AliasName: !Sub alias/codepipeline-sam-app
+    TargetKeyId: !Ref KMSKey
+```
+
+**(Optional)** Or if you prefer, just download the following file that already includes the snippet above.
+
+```
+wget https://cicd.serverlessworkshops.io/assets/chapter6/step1/pipeline.yml
+```
+
+### Update the pipeline using CloudFormation
+
+Unlike previous chapters, where we were using the CloudFormation Console to launch and update stacks, this time we will update our stack using the AWS CLI as we will be doing it multiple times and is much easier to run a command than navigating a user interface over and over.
+
+Run the following command on your terminal, it assumes that your CloudFormation stack for the pipeline is named `sam-app-cicd`. 
+
+```
+aws cloudformation deploy \
+--template-file pipeline.yml \
+--stack-name sam-app-cicd
+```

workshop/content/crossaccount/howitworks/_index.en.md

@@ -14,12 +14,12 @@ The diagram above illustrates what happens when CodePipeline begins a deployment
 
 #### Why encrypt the artifacts?
 
-AWS CodePipeline *always* stores artifacts on S3 with encryption enabled and there is no way to disable it. The default behavior is to use the AWS Managed Key to encrypt them, but this approach doesn't work for granting access to S3 buckets across accounts. Therefore you [3] must create a KMS Customer Managed Key and then give the IAM role in the Production account permissions to use it to decrypt the artifacts. 
+AWS CodePipeline *always* stores artifacts on S3 with encryption enabled and there is no way to disable it. The default behavior is to use the AWS Managed Key to encrypt them, but this approach doesn't work for granting access to S3 buckets across accounts. Therefore you [3] must create a KMS Customer Master Key and then give the IAM role in the Production account permissions to use it to decrypt the artifacts. 
 
 #### Additional reading
 
 If you want to dive deeper into the concepts of Cross Account permissions in regards to Code Pipeline, here are a couple of good reads that might help you understand it better: 
 
-[1] https://aws.amazon.com/blogs/devops/aws-building-a-secure-cross-account-continuous-delivery-pipeline  
-[2] https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html  
-[3] https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3  
+[1] [Building a Secure Cross Account Pipeline](https://aws.amazon.com/blogs/devops/aws-building-a-secure-cross-account-continuous-delivery-pipeline)  
+[2] [AWS Code Pipeline Cross Account Docs](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html)  
+[3] [Cross Account Permissions with S3 Buckets](https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3)  

workshop/content/crossaccount/intro/_index.en.md

@@ -12,5 +12,4 @@ The following diagram illustrates a simple account setup that many customers sta
 
 ![EnvironmentSeparation](/images/environment-separation.png)
 
-As you can tell from the diagram, the Dev account hosts the Code Pipeline, Artifacts Bucket and the Code Repository. The CodePipeline then deploys across the Production account using an [assumed role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html). 
-
+As you can tell from the diagram, the Dev account hosts the Code Pipeline, Artifacts Bucket and the Code Repository. The CodePipeline then deploys across the Production account using an [assumed role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).

workshop/content/crossaccount/prodprep/_index.en.md

@@ -1,6 +1,7 @@
 +++
 title = "Prepare Prod account"
 date = 2019-11-11T14:46:02-08:00
-weight = 25
+weight = 35
 +++
 
+As seen in the previous diagram, there are a few resources we need to create in the Production account. 

workshop/static/assets/chapter6/artifacts-store.yml

@@ -0,0 +1,64 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: S3 bucket for CodePipeline artifacts store with KMS Customer Managed Key
+Parameters:
+  ProdAccountNumber:
+    Description: 12-digit AWS account number for production
+    Type: Number
+
+Resources:
+  KMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: Used to encrypt artifacts by CodePipeline
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: "2012-10-17"
+        Id: !Ref AWS::StackName
+        Statement:
+          -
+            Effect: Allow
+            Principal:
+              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
+            Action:
+              - "kms:Create*"
+              - "kms:Describe*"
+              - "kms:Enable*"
+              - "kms:List*"
+              - "kms:Put*"
+              - "kms:Update*"
+              - "kms:Revoke*"
+              - "kms:Disable*"
+              - "kms:Get*"
+              - "kms:Delete*"
+              - "kms:ScheduleKeyDeletion"
+              - "kms:CancelKeyDeletion"
+            Resource: "*"
+          -
+            Effect: Allow
+            Principal:
+              AWS:
+                - !Sub arn:aws:iam::${ProdAccountNumber}:root
+                - !Sub arn:aws:iam::485020055381:role/service-role/codebuild-sam-app-build-service-role
+            Action:
+              - kms:Encrypt
+              - kms:Decrypt
+              - kms:ReEncrypt*
+              - kms:GenerateDataKey*
+              - kms:DescribeKey
+            Resource: "*"
+
+  KMSAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub alias/codepipeline-crossaccounts
+      TargetKeyId: !Ref KMSKey
+
+  # ArtifactsBucket:
+  #   Type: AWS::S3::Bucket
+  #   DeletionPolicy: Retain
+
+Outputs:
+  CMK:
+    Value: !GetAtt [KMSKey, Arn]
+  # ArtifactsBucket:
+  #   Value: !Ref ArtifactsBucket

workshop/static/assets/chapter6/prod-roles.yml

@@ -0,0 +1,107 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Resources needed for CodePipeline to deploy across accounts
+Parameters:
+  ArtifactsBucket:
+    Description: S3 Bucket that holds the pipeline artifacts
+    Type: String
+  ToolsAccount:
+    Description: AWS AccountNumber for Tools
+    Type: Number
+  CMKARN:
+    Description: ARN of the KMS CMK creates in Tools account
+    Type: String
+Resources:
+  CFRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub ToolsAcctCodePipelineCloudFormationRole
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Principal:
+              AWS:
+                - !Ref ToolsAccount
+            Action:
+              - sts:AssumeRole
+      Path: /
+  CFPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub ToolsAcctCodePipelineCloudFormationPolicy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Action:
+              - cloudformation:*
+              - s3:*
+              - iam:PassRole
+            Resource: "*"
+          -
+             Effect: Allow
+             Action:
+               - kms:*
+             Resource: !Ref CMKARN
+      Roles:
+        -
+          !Ref CFRole
+  CFDeployerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub cloudformationdeployer-role
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Principal:
+              Service:
+                - cloudformation.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+  CFDeployerPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: !Sub cloudformationdeployer-policy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          -
+            Effect: Allow
+            Action:
+              - lambda:AddPermission
+              - lambda:CreateFunction
+              - lambda:DeleteFunction
+              - lambda:InvokeFunction
+              - lambda:RemovePermission
+              - lambda:UpdateFunctionCode
+              - lambda:GetFunctionConfiguration
+              - lambda:GetFunction
+              - lambda:UpdateFunctionConfiguration
+              - events:* # Required for the sample lambda function to work
+              - iam:CreateRole
+              - iam:CreatePolicy
+              - iam:GetRole
+              - iam:DeleteRole
+              - iam:PutRolePolicy
+              - iam:PassRole
+              - iam:DeleteRolePolicy
+              - cloudformation:*
+            Resource: "*"
+          -
+            Effect: Allow
+            Action:
+              - s3:PutObject
+              - s3:GetBucketPolicy
+              - s3:GetObject
+              - s3:ListBucket
+            Resource:
+             - !Join ['',['arn:aws:s3:::',!Ref ArtifactsBucket, '/*']]
+             - !Join ['',['arn:aws:s3:::',!Ref ArtifactsBucket]]
+      Roles:
+        -
+          !Ref CFDeployerRole