2.3 - PaulDuvall/aws-compliance-workshop GitHub Wiki

2.3 Configure cfn_nag to run from CodePipeline

Review and ensure that you have set up your development environment before going through the steps below.

Review Files

  • buildspec.yml - Build specification that runs from an AWS CodeBuild action in AWS CodePipeline.
  • ccoa-2-cfn-nag-pipeline.yml - CloudFormation template that provisions AWS CodePipeline and associated resources to run the cfn_nag security static analysis tool as part of the deployment pipeline.
  • volume-encrypted.yml - CloudFormation template that provisions an encrypted EBS Volume.
  • volume.yml - CloudFormation template that provisions an unencrypted EBS Volume.

Sync the files with your S3 bucket

From your AWS Cloud9 terminal, type the following to set up your directory structure:

mkdir ~/environment/ccoa/lesson2
aws s3 mb s3://ccoa-2-$(aws sts get-caller-identity --output text --query 'Account')
cd ~/environment/ccoa/lesson2

Create empty source files:

touch buildspec.yml
touch ccoa-2-cfn-nag-pipeline.yml
touch volume-encrypted.yml
touch volume.yml

Save the files.

  1. Copy the contents from buildspec.yml to your local buildspec.yml file in Cloud9 and save it.
  2. Copy the contents from volume.yml to your local volume.yml file in Cloud9 and save it.
  3. Copy the contents from volume-encrypted.yml to your local volume-encrypted.yml file in Cloud9 and save it.
  4. Copy the source contents from ccoa-2-cfn-nag-pipeline.yml to your local ccoa-2-cfn-nag-pipeline.yml file in Cloud9 and save it. This CloudFormation template provisions a deployment pipeline that runs preventive checks via cfn_nag.

Launch the CloudFormation stack from the CLI

cd ~/environment/ccoa/lesson2
zip ccoa-lesson2-examples.zip *.*
aws s3 sync ~/environment/ccoa/lesson2 s3://ccoa-2-$(aws sts get-caller-identity --output text --query 'Account')

From your Cloud9 terminal, type the following (replacing [email protected]):

aws cloudformation create-stack --stack-name ccoa-2-cfn-nag-pipeline --template-body file:///home/ec2-user/environment/ccoa/lesson2/ccoa-2-cfn-nag-pipeline.yml --parameters ParameterKey=EmailAddress,ParameterValue=[email protected] --capabilities CAPABILITY_NAMED_IAM --disable-rollback

Check the status

From your Cloud9 terminal, type the following:

aws cloudformation describe-stacks --stack-name ccoa-2-cfn-nag-pipeline

View the CodeCommit repo

Launch Pipeline

  1. Go to the CloudFormation console to see the stack being launched.
  2. Once the CloudFormation stack is successful, select the checkbox next to the stack and click the Outputs tab.
  3. From Outputs, click on the PipelineUrl output to open the pipeline in AWS CodePipeline.

Fix the build

  1. Go to the CodeCommit repo.
  2. Open buildspec.yml, change the template reference from volume.yml to volume-encrypted.yml, and commit the change.
  3. Go back to the pipeline you created and watch the new revision run through it.
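To make visible what the cfn_nag step in the pipeline is deciding when the build goes from red (volume.yml) to green (volume-encrypted.yml), here is an added example, not code from the workshop repo, that reimplements the EBS volume encryption check in Python over two constructed templates. The template contents and the names VOLUME_TEMPLATE, VOLUME_ENCRYPTED_TEMPLATE, ebs_encryption_findings and build_exit_code are assumptions standing in for the workshop's own files.

```python
import json

# Constructed stand-ins for the workshop's volume.yml (unencrypted volume) and
# volume-encrypted.yml (encrypted volume), written as CloudFormation JSON so no
# YAML library is needed. The real templates live in the workshop repo.
VOLUME_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"},
        }
    },
}

VOLUME_ENCRYPTED_TEMPLATE = json.loads(json.dumps(VOLUME_TEMPLATE))  # deep copy
VOLUME_ENCRYPTED_TEMPLATE["Resources"]["NewVolume"]["Properties"]["Encrypted"] = True


def ebs_encryption_findings(template):
    """List every AWS::EC2::Volume that is not provably encrypted.

    Same condition cfn_nag enforces for EBS volumes (its failing rule F1):
    the Encrypted property must be present and literally true. Anything else,
    including an intrinsic function such as {"Ref": ...} whose value is only
    known at deploy time, is reported so the pipeline stops.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        encrypted = resource.get("Properties", {}).get("Encrypted")
        if encrypted is True or str(encrypted).lower() == "true":
            continue  # explicitly encrypted: nothing to report
        if encrypted is None:
            reason = "Encrypted property missing"
        elif isinstance(encrypted, dict):
            reason = "Encrypted is an intrinsic function, not a literal true"
        else:
            reason = "Encrypted is %r, not true" % (encrypted,)
        findings.append({"resource": logical_id, "reason": reason})
    return findings


def build_exit_code(template):
    """Exit status the cfn_nag step in buildspec.yml hands CodeBuild (non-zero fails the pipeline)."""
    findings = ebs_encryption_findings(template)
    for finding in findings:
        print("FAIL %s: %s" % (finding["resource"], finding["reason"]))
    return 1 if findings else 0
```

Swapping which template the check runs against is exactly the one-line buildspec.yml change above: the unencrypted template returns a non-zero exit status and stops the pipeline, the encrypted one returns 0 and lets it proceed.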

Additional Resources

Cleanup

Go to Cleanup to remove any resources you created in this sublesson.