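version: 2.1
description: "Opinionated commands for releasing OOT projects on AWS EKS via ECR. This orb uses the circle ci oidc provider instead of an aws iam user."

# Upstream orbs this orb composes. Their version pins are what make the
# steps below reproducible; bump them deliberately and re-check the step
# parameters used in push-image when doing so.
# NOTE(review): the pins read "[email protected]" in this copy, which looks like
# extraction damage rather than a real specifier — confirm against the
# committed file.
orbs:
  aws-cli: circleci/[email protected]
  aws-ecr: circleci/[email protected]
  snyk: snyk/[email protected]

commands:
  push-image:
    description: "Builds, scans and pushes a new service to ECR."
    parameters:
      service:
        description: "The name of the service that will be deployed. This will be used to build up the image name."
        type: string
      aws-deploy-role-arn:
        description: "Terraformed role arn for AWS access. Can be found from oot-infra terraform state."
        type: string
        # Expanded by the shell at run time, not by the config compiler.
        default: "${AWS_DEPLOY_ROLE_ARN}"
      account:
        description: "The numeric identifier for the AWS account on which the operation will be run."
        type: string
        default: "${AWS_ACCOUNT}"
      region:
        description: "The AWS region on which the operation will be run."
        type: string
        default: "${AWS_REGION}"
      extra-build-args:
        description: "Extra arguments to pass when running docker build"
        type: string
        default: ""
      image-tag:
        description: "Tag to push the image with"
        type: string
        default: "${CIRCLE_SHA1}"
      extra-image-tags:
        description: "Extra tags to push the image with, these will not be snyk scanned"
        type: string
        default: "latest"
      fail-on-scan-issues:
        description: "Fail the job (and therefore skip the push) when the Snyk scan reports issues at or above scan-severity-threshold. Defaults to false, which preserves the previous non-blocking scan."
        type: boolean
        default: false
      scan-severity-threshold:
        description: "Minimum severity the Snyk scan reports on."
        type: enum
        enum: [low, medium, high, critical]
        default: high
    steps:
      - attach_workspace:
          at: .
      - run:
          name: Export AWS environment for the ECR steps
          command: |
            echo "export AWS_DEFAULT_REGION=<< parameters.region >>" >> "$BASH_ENV"
            echo "export AWS_ECR_ACCOUNT_URL=<< parameters.account >>.dkr.ecr.<< parameters.region >>.amazonaws.com" >> "$BASH_ENV"
            # The aws-ecr steps below take registry-id as the *name* of an env var
            # (AWS_ACCOUNT_ID), which nothing in this orb used to set, so callers
            # had to export both AWS_ACCOUNT and AWS_ACCOUNT_ID. Derive it from the
            # account parameter unless the project already provides it.
            echo "export AWS_ACCOUNT_ID=${AWS_ACCOUNT_ID:-<< parameters.account >>}" >> "$BASH_ENV"
      - aws-cli/install
      # Short-lived credentials via the CircleCI OIDC provider; no long-lived
      # IAM user keys are needed in project settings.
      - aws-cli/setup:
          role-arn: << parameters.aws-deploy-role-arn >>
      - aws-ecr/ecr-login:
          role-arn: << parameters.aws-deploy-role-arn >>
          registry-id: AWS_ACCOUNT_ID
      - aws-ecr/build-image:
          repo: << parameters.service >>
          # NOTE(review): an empty extra-image-tags leaves a trailing comma in
          # this list; whether the aws-ecr orb tolerates that is not verified here.
          tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
          extra-build-args: << parameters.extra-build-args >>
          registry-id: AWS_ACCOUNT_ID
      # The scan runs on the image just built, before anything is pushed. With
      # fail-on-scan-issues left at its default the findings are only recorded
      # (monitor-on-build) and never gate the push.
      - snyk/scan:
          monitor-on-build: true
          severity-threshold: << parameters.scan-severity-threshold >>
          fail-on-issues: << parameters.fail-on-scan-issues >>
          target-file: Dockerfile
          docker-image-name: $AWS_ECR_ACCOUNT_URL/<< parameters.service >>:<< parameters.image-tag >>
      - aws-ecr/push-image:
          repo: << parameters.service >>
          tag: << parameters.image-tag >>,<< parameters.extra-image-tags >>
          registry-id: AWS_ACCOUNT_ID

executors:
  aws:
    machine:
      image: ubuntu-2004:202201-02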