buildspec_publish_ecr.yml

version: 0.2
phases:
  install:
    runtime-versions:
      golang: 1.13
      python: 3.x
  pre_build:
    commands:
      - echo Publish the image to ECR
  build:
    commands:
      # Enforce STS regional endpoints
      - export AWS_STS_REGIONAL_ENDPOINTS=regional
      # Pull the image that we built and pushed in the `Build` stage
      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"amd64"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"arm64"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"amd64-debug"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"arm64-debug"
      # Image with Init Process
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-amd64"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-arm64"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-amd64-debug"
      - docker pull ${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/amazon/aws-for-fluent-bit-test:"init-arm64-debug"

      # List the docker images
      - docker images

      # Assume role to publish, get the credentials, and set them as environment variables
      - |
        if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
          CREDS=`aws sts assume-role --role-arn ${PUBLISH_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
          export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
          export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
          export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`
        fi

      # Push the image to ECR
      - './scripts/publish.sh cicd-publish ${REGION_TO_PUSH}'

      # Nullify the temporary credentials for the assumed role to publish
      - |
        if [ "${PUBLISH_ROLE_ARN}" != "" ]; then
          export AWS_ACCESS_KEY_ID=
          export AWS_SECRET_ACCESS_KEY=
          export AWS_SESSION_TOKEN=
        fi

      # Assume role to verify, get the credentials, and set them as environment variables.
      # Verification should be done using the credentials from a different account. It ensures that
      # the images we published are public and accessible from any account.
      - CREDS=`aws sts assume-role --role-arn ${VERIFY_ROLE_ARN} --role-session-name ${REGION_TO_PUSH} --region ${REGION_TO_PUSH}`
      - export AWS_ACCESS_KEY_ID=`echo $CREDS | jq -r .Credentials.AccessKeyId`
      - export AWS_SECRET_ACCESS_KEY=`echo $CREDS | jq -r .Credentials.SecretAccessKey`
      - export AWS_SESSION_TOKEN=`echo $CREDS | jq -r .Credentials.SessionToken`

      # Verify from the verification account
      - './scripts/publish.sh cicd-verify ${REGION_TO_PUSH}'
artifacts:
  files:
    - '**/*'