#release-engineering (2021-08)

All things CI/CD. Specific emphasis on Codefresh and CodeBuild with CodePipeline.

CI/CD Discussions

Archive: https://archive.sweetops.com/release-engineering/

2021-08-15

msharma24

Hi, any Bitbucket Cloud users? How do you manage AWS multi-account pipeline deployments?

I want to avoid adding AWS keys per repo, but we only have one workspace in Bitbucket Cloud, and I don’t think it will be secure to add AWS keys which can assume roles into other AWS accounts and are accessible to all the projects and repos under the workspace umbrella.

Brandon

I’m not on bbcloud, but I’m using GH Secrets environments, GH Actions, Terraform, and HashiCorp Vault for all the secrets and short-term AWS creds for the pipelines. https://www.vaultproject.io/docs/secrets/aws

AWS - Secrets Engines | Vault by HashiCorp

The AWS secrets engine for Vault generates access keys dynamically based on IAM policies.

Mohammed Yahya

Integrate it with Terraform cloud, add keys there, and only give access to specific people

Mohammed Yahya

You can control, based on branch or folder, which workspace to call in Terraform Cloud.

msharma24

We just got rid of Terraform Cloud because it was going to cost 13K USD per year to run.

msharma24

Atlassian has just launched Bitbucket runners. I’m going to try and build ECS containers with an IAM role and run pipelines on them with Terraform assume_role ARNs.

Mohammed Yahya

Yes, a good alternative also.

msharma24

I used the Bitbucket OpenID Connect to configure multiple accounts: https://mukeshsharma.dev/2021/09/07/config-bitbucket-cloud-pipelines-aws-openid-connect.html

Configuring Bitbucket Pipelines to connect to AWS with OpenID Connect

Bitbucket Pipelines provide an easy and integrated way to run CI/CD pipelines for your projects hosted in Bitbucket code repositories, using a straightforward YAML DSL to CI/CD your applications and other cloud resources to production. However, using static AWS IAM keys as secured variables at the individual code repository level, or as Bitbucket workspace variables with AWS STS permissions to jump into other AWS accounts, can become challenging when operating at a large scale with multiple AWS accounts. Static IAM keys also introduce the risk of secrets sprawling into other applications and may leak into logs in plain text when using a bad script, and there always remains the endless toil of manually rotating and replacing the keys in your CI/CD tool of choice.

Eric Berg

@msharma24 , with what did you replace TFCloud? We are choosing a platform right now.

msharma24

Bitbucket Cloud Pipelines

Eric Berg

Thanks.

2021-08-21

2021-08-25

2021-08-29

loren

GitHub Actions: Reduce duplication with action composition

Yoni Leitersdorf (Indeni Cloudrail)

I’ve been waiting for this!!!


2021-08-30
