7 changes: 6 additions & 1 deletion .gitignore
Expand Up @@ -31,4 +31,9 @@ package-lock.json

# Type checking
pyrightconfig.temp.json
.pyright/
.pyright/

# Python virtual environments
.venv/
.venv-*/
venv/
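Review bot: the back-to-back `.pyright/` lines (one removed, one added, in a hunk counted as 6 additions and 1 deletion) indicate the old file had no trailing newline, so the last entry had to be rewritten to append after it; make sure the file now ends with a newline so future additions don't show up as a spurious edit of the last pattern. The `.venv/`, `.venv-*/` and `venv/` entries themselves are fine and match the virtual-environment setup the new README describes.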
9 changes: 8 additions & 1 deletion Makefile
Expand Up @@ -15,7 +15,7 @@ test:
cd idp_cli && python -m pytest -v

# Run both linting and formatting in one command
lint: ruff-lint format check-arn-partitions ui-lint
lint: ruff-lint format check-arn-partitions validate-buildspec ui-lint

# Run linting checks and fix issues automatically
ruff-lint:
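Review bot: `lint` now depends on `validate-buildspec`, but the context of the next hunk shows a separate `lint-cicd` target and nothing visible adds `validate-buildspec` to it; if the pipeline calls `make lint-cicd` rather than `make lint`, the new check would only ever run on developer machines. Either add it to `lint-cicd` as well, or confirm that `.github/workflows/developer-tests.yml` invokes `make lint` as the new README claims.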
Expand Down Expand Up @@ -53,6 +53,13 @@ lint-cicd:

@echo -e "$(GREEN)All code quality checks passed!$(NC)"

# Validate AWS CodeBuild buildspec files
validate-buildspec:
@echo "Validating buildspec files..."
@python3 scripts/validate_buildspec.py patterns/*/buildspec.yml || \
(echo -e "$(RED)ERROR: Buildspec validation failed!$(NC)" && exit 1)
@echo -e "$(GREEN)✅ All buildspec files are valid!$(NC)"

# Check CloudFormation templates for hardcoded AWS partition ARNs and service principals
check-arn-partitions:
@echo "Checking CloudFormation templates for hardcoded ARN partitions and service principals..."
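Review bot: the new recipe runs `python3 scripts/validate_buildspec.py` while the `test` target in the previous hunk uses `python -m pytest`; in a virtualenv these can resolve to different interpreters, and PyYAML has to be installed in whichever one runs the validator, so use the same interpreter (or a single `PYTHON` variable) throughout the Makefile. The `|| (echo ... && exit 1)` wrapper is also redundant, since the script's own non-zero exit code already fails the recipe; keeping only the coloured error message, e.g. `|| { echo -e "$(RED)ERROR: Buildspec validation failed!$(NC)"; exit 1; }`, is fine, but note that the `echo -e` escapes only work when `SHELL` is bash, as the existing `lint-cicd` line already assumes.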
2 changes: 1 addition & 1 deletion lib/idp_common_pkg/pyproject.toml
Expand Up @@ -162,7 +162,7 @@ agentic-extraction = [
"jsonpatch==1.33",
"strands-agents>=1.7.1 ; python_full_version >= '3.10'",
"pandas>=2.2.3",
"pymupdf>=1.25.5",
"pymupdf==1.25.5", # Pinned to 1.25.5 - has pre-built ARM64 wheels, 1.26.x requires compilation
"email-validator>=2.3.0",
"tabulate>=0.9.0",
"aws-lambda-powertools>=3.2.0", # Structured logging and observability
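Review bot: the exact pin `pymupdf==1.25.5` freezes the package at a single release, so 1.25.x bug-fix and security releases will never be picked up through this extra. The inline comment says the actual constraint is that 1.26.x has no pre-built ARM64 wheels, and a bounded range expresses exactly that while still allowing patch updates: `"pymupdf>=1.25.5,<1.26",  # 1.26.x has no ARM64 wheels and requires compilation`. Whichever form is kept, leave the comment in place so the constraint is not silently loosened back to `>=` later.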
2 changes: 1 addition & 1 deletion patterns/pattern-2/buildspec.yml
Expand Up @@ -56,7 +56,7 @@ phases:
- echo "All Pattern-2 Docker images successfully built and pushed to ECR"
- echo "ECR Repository - $ECR_URI"
- echo "Image Version - $IMAGE_VERSION"
- echo "Note: ECR vulnerability scans initiated (ScanOnPush enabled)"
- 'echo "Note: ECR vulnerability scans initiated (ScanOnPush enabled)"'
- echo "Scans will complete asynchronously. Check ECR console for results."
- echo "For accounts with Amazon Inspector Enhanced Scanning, scans may take 10-30 minutes per image."
- |
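Review bot: the change is correct, and the reason is worth stating in the commit message: in the removed line the YAML scalar is plain (the double quotes belong to the shell command, not to YAML), so the `: ` after `"Note` is a colon-space sequence inside a plain scalar and PyYAML parses the item as a one-key mapping, `{'echo "Note': 'ECR vulnerability scans initiated (ScanOnPush enabled)"'}`, which the new validator reports as "command must be a string, got dict". Wrapping the whole command in single quotes makes it a YAML quoted scalar, in which colons are ordinary characters. The neighbouring `echo` lines in this hunk contain no colon-space sequence, so they are unaffected, but any future message with one will hit the same trap unless quoted the same way or written as a `- |` block scalar like the one that follows.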
193 changes: 193 additions & 0 deletions scripts/README_validate_buildspec.md
@@ -0,0 +1,193 @@
# AWS CodeBuild Buildspec Validator

A Python script to validate AWS CodeBuild `buildspec.yml` files for syntax errors, structural issues, and best practices.

## Features

- **YAML Syntax Validation**: Ensures buildspec files are valid YAML
- **Structure Validation**: Checks for required fields (`version`, `phases`)
- **Type Checking**: Validates that commands are strings, not accidentally parsed as objects
- **Best Practices**: Warns about unknown phases or deprecated features
- **Multi-file Support**: Can validate multiple buildspec files at once using glob patterns

## Installation

The validator requires Python 3.6+ and PyYAML:

```bash
pip install pyyaml
```

For development environments with externally-managed Python (like macOS with Homebrew), create a virtual environment:

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install pyyaml
```

## Usage

### Validate a single file

```bash
python3 scripts/validate_buildspec.py patterns/pattern-2/buildspec.yml
```

### Validate multiple files with glob patterns

```bash
python3 scripts/validate_buildspec.py patterns/*/buildspec.yml
```

### Using the Makefile target

```bash
make validate-buildspec
```

This is also included in the `make lint` command.

## Output

The validator provides clear output with:
- ✅ Success indicators
- ❌ Error messages with specific line numbers
- ⚠️ Warnings for non-critical issues
- 📊 Summary of phases and command counts

### Example Output

```
Validating: patterns/pattern-2/buildspec.yml
======================================================================
✅ Valid buildspec file

Summary:
Version: 0.2
Phases: pre_build, build, post_build
- pre_build: 7 commands
- build: 39 commands
- post_build: 8 commands
```

### Example Error Output

```
Validating: patterns/pattern-2/buildspec.yml
======================================================================

❌ ERRORS (1):
- Phase 'post_build', command #5 must be a string, got dict

❌ Invalid buildspec file
```

## Common Issues Detected

### 1. Colons in Command Strings

**Problem**: YAML interprets colons as key-value separators, even in quoted strings in some cases.

```yaml
# ❌ BAD - May be parsed as a dictionary
- echo "Note: This is a message"

# ✅ GOOD - Use single quotes around the entire command
- 'echo "Note: This is a message"'
```

### 2. Missing Required Fields

The validator checks for:
- `version` field (must be 0.1 or 0.2)
- `phases` section (must have at least one phase)

### 3. Invalid Command Types

All commands must be strings:

```yaml
# ❌ BAD - Command is a dictionary
phases:
build:
commands:
- echo: "This is wrong"

# ✅ GOOD - Command is a string
phases:
build:
commands:
- echo "This is correct"
```

## Exit Codes

- `0`: All buildspec files are valid
- `1`: One or more buildspec files have errors

This makes it suitable for use in CI/CD pipelines:

```yaml
- name: Validate Buildspec
run: python3 scripts/validate_buildspec.py patterns/*/buildspec.yml
```

## Limitations

This validator checks for:
- YAML syntax errors
- Required fields and structure
- Data type correctness
- Common mistakes

It does **not** validate:
- AWS-specific runtime environments
- Environment variable references
- S3 artifact paths
- IAM permissions

For complete validation, test your buildspec in an actual CodeBuild environment.

## Integration with CI/CD

### GitHub Actions

Already integrated in `.github/workflows/developer-tests.yml` via the `make lint` command.

### Local Pre-commit Hook

Add to `.git/hooks/pre-commit`:

```bash
#!/bin/bash
python3 scripts/validate_buildspec.py patterns/*/buildspec.yml || exit 1
```

## Troubleshooting

### "ModuleNotFoundError: No module named 'yaml'"

Install PyYAML:
```bash
pip install pyyaml
```

### "externally-managed-environment"

On macOS with Homebrew Python, use a virtual environment:
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install pyyaml
```

## Contributing

When adding new buildspec files to the repository, ensure they pass validation:

```bash
make validate-buildspec
```

This is automatically checked in CI/CD pipelines.
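Review bot: the explanation under "1. Colons in Command Strings" ("YAML interprets colons as key-value separators, even in quoted strings in some cases") is misleading and should be reworded: in the BAD example the value is not quoted at the YAML level at all; the double quotes are just characters inside a plain scalar, and it is the `: ` (colon followed by a space) inside a plain scalar that turns the list item into a mapping. A YAML-quoted scalar (the single-quoted GOOD form) or a block scalar (`- |`, `- >-`) is never split on colons, which is also why lines such as `echo "ECR Repository - $ECR_URI"` are safe. Suggested wording: "In a plain (unquoted) YAML scalar, a colon followed by a space starts a mapping, even if the shell command itself uses double quotes; quote the whole command at the YAML level." Minor: the Installation section advertises Python 3.6+, which is end-of-life; state the interpreter version the repository's CI actually runs instead.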