aws-simple-cicd's Introduction

NOTICE

CodePipeline now natively supports Branches, PRs and Monorepos. This repository will no longer be maintained and we recommend you leverage the native functionality!


AWS-Simple-CICD Project

This project provides a serverless CI/CD platform built from native AWS services and provisioned with the AWS Cloud Development Kit (CDK). In line with the AWS Well-Architected Framework, it assumes the use of multiple AWS accounts so that environments are securely isolated from one another.

This CI/CD platform is in use at a variety of AWS clients where the development teams are leveraging CloudFormation, Serverless Framework, AWS CDK and Terraform.

Getting started

Goals

  • Pipelines as code.
  • Bring Developers closer to their infrastructure and operations by providing a prescriptive platform.
  • Support for (almost) any toolset the application developers want to use, e.g. Terraform, CDK, CloudFormation, Pulumi, etc.
  • Minimize platform lock-in. Applications can be migrated to other CI/CD orchestration platforms with minimal changes required by the developers.
  • Enables "you build it, you run it".

Features

Architecture

This is the pipeline that will be generated for each repository. The build and deployment stages in the pipeline execute a user-defined shell script in an isolated Docker container, which AWS CodeBuild provisions on the fly.

The number of stages and their function are fully customizable, e.g. adding a stage for security/vulnerability scanning or a stage for executing test cases.

AWS services

  • AWS CodeCommit (or any source control provider supported by CodePipeline)
  • AWS CodePipeline
  • AWS CodeBuild
  • AWS Lambda
  • AWS S3
  • AWS SNS
  • AWS CloudWatch
  • AWS Systems Manager: Parameter Store
  • AWS CloudFormation


aws-simple-cicd's Issues

Add target account selection per repository

Allow ability to select target deployment account(s) per repository/pipeline.

Use-cases:

  • Need pipelines which deploy to the cicd account.
  • Working on projects that do not need to be deployed to any environment higher than dev.

Future enhancements:

  • Prescriptive default targets based on branch naming convention. e.g. branches with feature/ prefix can only be pushed to development and test environments

When the pipeline fails

Consider the following scenario:

  1. Merge request accepted to develop branch
  2. The develop branch pipeline gets triggered
  3. Pipeline fails due to failed or test

Now, what should the next step be here? Is reverting the code manually from the develop branch the only option as other developers in the team want to push the code and trigger the pipeline?

NodeJS version in buildspec

```text
[Container] 2021/03/13 02:58:08 Waiting for agent ping
[Container] 2021/03/13 02:58:11 Waiting for DOWNLOAD_SOURCE
[Container] 2021/03/13 02:58:12 Phase is DOWNLOAD_SOURCE
[Container] 2021/03/13 02:58:12 CODEBUILD_SRC_DIR=/codebuild/output/src418621371/src
[Container] 2021/03/13 02:58:12 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2021/03/13 02:58:12 No commands found for phase name: install
[Container] 2021/03/13 02:58:12 Processing environment variables
[Container] 2021/03/13 02:58:12 Selecting 'nodejs' runtime version '15' based on manual selections...
[Container] 2021/03/13 02:58:12 Phase complete: DOWNLOAD_SOURCE State: FAILED
[Container] 2021/03/13 02:58:12 Phase context status code: YAML_FILE_ERROR Message: Unknown runtime version named '15' of nodejs. This build image has the following versions: 10, 12
```

We are using node 15 in our application that will be deployed with the CICD. I tried to set


          install: {
            'runtime-versions': {
              nodejs: '15'
            }
          },

but get the error:

    [Container] 2021/03/13 02:58:12 Phase context status code: YAML_FILE_ERROR Message: Unknown runtime version named '15' of nodejs. This build image has the following versions: 10, 12

Why is that? Can we not use Node 15?

Shorten CDK resource ids

Due to the naming convention, CloudFormation resource ids are getting too long. Shorten the unique identifiers.

pipeline notifications through SNS

What events in this pipeline should trigger a notification? I added a subscriber through the AWS console. When I publish a message to the topic from the AWS console, I do get a notification. I haven't received any notification from the pipeline though. It seems like there is currently no event in the pipeline that triggers a notification as function send_codebuild_events_to_sns never really gets called.

I would like to trigger the notification:

  1. Whenever there is an error anywhere in the pipeline
  2. When the master branch pipeline is approved or declined for prod. environment

The send_build_events_to_sns method expects a certain structure:

for ex:

    status = message['detail']['build-status']
    project = message['detail']['project-name']
    build_id = message['detail']['build-id']

  1. Does this imply that it's required to create this message structure each time the method is triggered? Would be great to see an example of this.
  2. If the subscriber email had to be configured in the CI/CD infrastructure as code instead of configuring it on the AWS console, where should that go in this CI/CD implementation? Would be great to see a tiny example of it.
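An added example (not the project's own send_build_events_to_sns) of a Lambda that turns the CodeBuild state-change event whose detail fields are quoted above into an SNS notification; it assumes an EventBridge rule for "CodeBuild Build State Change" events invokes the function and that the topic ARN arrives in an SNS_TOPIC_ARN environment variable, and it treats only terminal statuses as notable so in-progress events stay quiet.

```python
"""Shape a CodeBuild build-state-change event into an SNS notification.

Added example, not the project's send_build_events_to_sns. It assumes an
EventBridge rule for "CodeBuild Build State Change" events invokes this
Lambda and that the topic ARN is supplied in the SNS_TOPIC_ARN environment
variable; both are assumptions, not the project's wiring.
"""
import os
from typing import Dict, List, Optional

# Terminal statuses worth a notification; IN_PROGRESS is deliberately ignored.
NOTIFY_ON = {"FAILED", "FAULT", "TIMED_OUT", "STOPPED", "SUCCEEDED"}

# Constructed sample event (not captured from a real build); the detail keys
# are the ones the project's handler reads.
SAMPLE_EVENT = {
    "detail-type": "CodeBuild Build State Change",
    "source": "aws.codebuild",
    "region": "us-west-2",
    "detail": {
        "build-status": "FAILED",
        "project-name": "backend-develop-test",
        "build-id": "arn:aws:codebuild:us-west-2:111111111111:build/backend-develop-test:0f1e2d3c",
        "additional-information": {
            "phases": [
                {"phase-type": "INSTALL", "phase-status": "SUCCEEDED"},
                {"phase-type": "BUILD", "phase-status": "FAILED"},
            ]
        },
    },
}


def failed_phases(detail: Dict) -> List[str]:
    """Names of phases reported as FAILED, or [] when the event carries none."""
    phases = detail.get("additional-information", {}).get("phases", [])
    return [p.get("phase-type", "?") for p in phases if p.get("phase-status") == "FAILED"]


def build_notification(event: Dict) -> Optional[Dict[str, str]]:
    """Return {"subject", "message"} for a notable build, or None to stay quiet.

    Raises KeyError naming the first missing field, so a rule that delivers
    some other event shape fails loudly in CloudWatch instead of silently.
    """
    detail = event.get("detail")
    if not isinstance(detail, dict):
        raise KeyError("detail")
    for field in ("build-status", "project-name", "build-id"):
        if field not in detail:
            raise KeyError(field)
    status = detail["build-status"]
    if status not in NOTIFY_ON:
        return None
    project = detail["project-name"]
    build_id = detail["build-id"]
    short_id = build_id.rsplit(":", 1)[-1]  # the build ARN ends with "<project>:<uuid>"
    subject = f"[{status}] {project} build {short_id}"[:100]  # SNS subject limit is 100 chars
    lines = [f"Project: {project}", f"Status: {status}", f"Build: {build_id}"]
    for phase in failed_phases(detail):
        lines.append(f"Failed phase: {phase}")
    region = event.get("region")
    if region:
        lines.append(f"Region: {region}")
    return {"subject": subject, "message": "\n".join(lines)}


def handler(event: Dict, context=None) -> Dict[str, bool]:
    """Lambda entry point: publish the notification, if any, to the topic."""
    note = build_notification(event)
    if note is None:
        return {"published": False}
    import boto3  # imported here so build_notification stays testable offline

    boto3.client("sns").publish(
        TopicArn=os.environ["SNS_TOPIC_ARN"],
        Subject=note["subject"],
        Message=note["message"],
    )
    return {"published": True}


if __name__ == "__main__":
    print(build_notification(SAMPLE_EVENT))
```

Subscribing the address in code rather than in the console is a CDK concern outside this block: an `EmailSubscription` from `@aws-cdk/aws-sns-subscriptions` passed to the topic's `addSubscription`.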

An error occurred (ParameterNotFound) when calling the GetParameter operation:

In the build phase of the code pipeline, in SemverLambda, on line 119, I get an error "Parameter not found"

```text
2020-11-12T14:43:48.264-08:00 {'repo': 'test', 'branch': 'master'}
2020-11-12T14:43:48.407-08:00 Function failed due to exception.
2020-11-12T14:43:48.407-08:00 An error occurred (ParameterNotFound) when calling the GetParameter operation:
2020-11-12T14:43:48.407-08:00 Traceback (most recent call last):
2020-11-12T14:43:48.407-08:00   File "/var/task/lambda.py", line 119, in semver_handler
2020-11-12T14:43:48.407-08:00     response = ssm.get_parameter(
2020-11-12T14:43:48.407-08:00   File "/var/runtime/botocore/client.py", line 316, in _api_call
```

Line 118 needs to change from

    ssm_param = ssm_root + '/codecommit/' + repo + '/' + branch + '/version'

to

    ssm_param = ssm_root + '/' + repo + '/' + branch + '/version'

to resolve the issue.

pre-build phase in buildspec.yml

To add the pre-build phase, should an additional shell script file named pre-build.sh in the source codebase's scripts directory be enough, together with the following in build-project.ts?

```typescript
      buildSpec: BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            'runtime-versions': {
              nodejs: '10'
            }
          },
          // CodeBuild's buildspec key for this phase is pre_build (underscore);
          // an unquoted pre-build key would not even parse as TypeScript.
          pre_build: {
            commands: [
              'bash ${CODEBUILD_SRC_DIR}/scripts/pre-build.sh'
            ]
          },
          build: {
            commands: [
              'bash ${CODEBUILD_SRC_DIR}/scripts/build.sh'
            ]
          }
        }
      }),
```

Is there anything else that would be required?

An error occurred (AccessDenied) when calling the AssumeRole operation

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::9xxxxxxxxxx:assumed-role/AWS-Simple-CICD-TeamOne-vimpsvlncctestpipel-SP8VE3BYU66Q/AWSCodeBuild-c17e5754-c377-41e5-b1ca-7276e582aeee is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0xxxxxxxxxx2:role/admin

We have a landing zone account where my username is let's say "simi". I am able to assume role "admin" in accounts - dev, test, tools, and prod.

As the documentation suggests: https://github.com/awslabs/aws-simple-cicd/blob/master/docs/admin.md#deploy-pipelines

"If the AWS accounts are generated using AWS Landing Zone or Control Tower, then use the cross-account role generated by that service and skip this step.", I have skipped this step.

The only change I have made is replacing

    ROLE_NAME=role/deployment-role

with

    ROLE_NAME=role/admin

in line 19 of https://github.com/awslabs/aws-simple-cicd/blob/master/scripts/assume-cross-account-role.env .

Tried changing it to ROLE_NAME=role/simi as well.

Is it required to make any additional changes to be able to resolve this error? How can this be fixed?

How to run sls deploy in the deployment when MFA is enabled

The sls deploy command that we use to deploy our services asks for an MFA code. How should that be handled in this CI/CD pipeline? Different AWS accounts will need to use different profiles and will ask for an MFA code each time the sls deploy command needs to run.

Changing branch name in package-config.json deletes the pipeline deployed for another branch

In project-config.json , we have :


    "Backend": [
      {
        "pipelineName": "backend",
        "ccRepoName": "backend",
        "branch": "master",
        "type": "BitBucket",
        "cron": ""
      }
    ],

Step 1. Pipeline deployed for branch master
Step 2. Edit project-config.json and change branch name:

 "Backend": [
      {
        "pipelineName": "backend",
        "ccRepoName": "backend",
        "branch": "develop",
        "type": "BitBucket",
        "cron": ""
      }
    ],

Step 3. Pipeline deployed for develop branch

At this stage, it deletes the pipeline for the master branch and deploys it for the develop branch. How can we keep the pipeline for multiple branches at the same time?

Provision stages only if account id is provided

Instead of provisioning stages for all environments (dev, test, prod) only provision stages if the account id for the corresponding environment is present.

This will clean up the pipeline and remove extra stages which cannot run.

Support for Bitbucket cloud for code source

I used this CI/CD and tweaked it to connect BitBucket cloud for code source by using BitBucketSourceAction. I think it would be useful to support it as part of this pipeline as well. Will need to store connection ARN as well which could be stored in SSM itself.


    const sourceAction = new BitBucketSourceAction({
        actionName: 'BitbucketSource',
        owner: 'admin',
        repo: repoName,
        output: sourceOutputArtifact,
        connectionArn: 'arn:aws:codestar-connections:us-west-2:blablabla',
    })

Also, is it correct to use

    import { Repository } from '@aws-cdk/aws-codecommit'

for a BitBucket repository as well?

    const bitBucketRepo = Repository.fromRepositoryName(
      scope,
      `${repoName}${repoBranch}BitBucketRepo`,
      repoName
    )

Dev testing and Pull requests

  1. How do we deploy feature branches in this pipeline?
  2. According to this pipeline, when will the pull requests be accepted and merged?

Specific test types in different stages of the pipeline

I see that we now have a test stage in the CI/CD pipeline. Thank you so much for adding it. I plan to run unit and integration tests before deployment, smoke tests in the dev account only, when smoke tests are positive, promote to QA env. If regression tests in QA env. are positive, promote to production.

To make those steps work with this CI/CD, how can phases that run stage-specific tests be added here? Would be great to see it in this pipeline or an example of the same.

Cannot find module '.'

I needed the pipeline to use node runtime 15, so I had added the following in

  1. test-project.ts
  2. deploy-project.ts
  3. build-project.ts

          install: {
            commands: [
              'npm install npm@latest -g',
              'npm install lerna@latest -g'
            ]
          },

and removed:

        phases: {
          install: {
            'runtime-versions': {
              nodejs: '10'
            }
          },


I am getting the following error in Codebuild


```text
> [email protected] deploy:cicd
> lerna run deploy --since HEAD~1 --stream

internal/modules/cjs/loader.js:834
throw err;
^

Error: Cannot find module '.'
Require stack:
- /codebuild/output/src956778402/src/node_modules/.bin/lerna
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:831:15)
at Function.Module._load (internal/modules/cjs/loader.js:687:27)
at Module.require (internal/modules/cjs/loader.js:903:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/codebuild/output/src956778402/src/node_modules/.bin/lerna:11:3)
at Module._compile (internal/modules/cjs/loader.js:1015:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
at Module.load (internal/modules/cjs/loader.js:879:32)
at Function.Module._load (internal/modules/cjs/loader.js:724:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12) {
code: 'MODULE_NOT_FOUND',
requireStack: [ '/codebuild/output/src956778402/src/node_modules/.bin/lerna' ]
}
npm ERR! code 1
npm ERR! path /codebuild/output/src956778402/src
npm ERR! command failed
npm ERR! command sh -c  lerna run deploy --since HEAD~1 --stream
```

I get this error on running the test command:

    lerna run --stream test --parallel

Also, tried with

    lerna run --stream test --parallel --scope registration-service

In the services, the test script looks like:

    "test": "serverless-bundle test --verbose --coverage",

I installed Lerna globally in the pipeline and in build.sh, deploy.sh and test.sh, but I get this error anytime I try to run a lerna command in "test.sh" or "deploy.sh".

It seems to be running okay in build.sh but not in test.sh and deploy.sh.

How to connect to private npm registry nexus from code-pipeline

npm install command fails in my pipeline written using aws-cdk with the following error:

    npm ERR! code ENOTFOUND
    npm ERR! syscall getaddrinfo
    npm ERR! errno ENOTFOUND
    npm ERR! network request to http://nexus.company.com:8081/nexus/repository/npm-group/zip-stream/-/zip-stream-4.1.0.tgz failed, reason: getaddrinfo ENOTFOUND nexus.company.com

How can this be fixed? The npm run command works okay on my local system.

The .npmrc file looks as follows:

    registry="http://nexus.company.com:8081/nexus/repository/npm-group/"

How to whitelist access to the private registry from the pipeline?

How to run deployment without using the profile used while running from local system

The deployment seems to be failing with the following error:


```text
vlncc-sns: Serverless: Packaging service...
vlncc-sns:
vlncc-sns:  Serverless Error ----------------------------------------
vlncc-sns:
vlncc-sns:   AWS profile "sandbox" doesn't seem to be configured
vlncc-sns:
vlncc-sns:   Get Support --------------------------------------------
vlncc-sns:      Docs:          docs.serverless.com
vlncc-sns:      Bugs:          github.com/serverless/serverless/issues
vlncc-sns:      Issues:        forum.serverless.com
vlncc-sns:
vlncc-sns:   Your Environment Information ---------------------------
vlncc-sns:      Operating System:          linux
vlncc-sns:      Node Version:              12.19.1
vlncc-sns:      Framework Version:         2.29.0
vlncc-sns:      Plugin Version:            4.5.0
vlncc-sns:      SDK Version:               n/a
vlncc-sns:      Components Version:        3.7.3
vlncc-sns:
vlncc-sns: npm ERR! code 1
vlncc-sns: npm ERR! path /codebuild/output/src627196871/src/resources/sns
vlncc-sns: npm ERR! command failed
vlncc-sns: npm ERR! command sh -c sls deploy -v
vlncc-sns: npm ERR! A complete log of this run can be found in:
vlncc-sns: npm ERR!     /root/.npm/_logs/2021-03-16T00_43_50_269Z-debug.log
lerna ERR! npm run deploy exited 1 in 'vlncc-sns'
lerna WARN complete Waiting for 2 child processes to exit. CTRL-C to exit immediately.
npm ERR! code 1
npm ERR! path /codebuild/output/src627196871/src
npm ERR! command failed
npm ERR! command sh -c  lerna run deploy --stream

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2021-03-16T00_43_50_322Z-debug.log
```


The application is configured to fallback on the profile named sandbox if not passing a profile name at all. How should this be resolved? Do we need to pass the name of the profile when running through CI/CD?

Commands run in build.sh but not in test.sh or deploy.sh

Edit: So if I do not run npm install in build.sh, and run it directly in test.sh, then the npm run test command runs okay. But if I run npm install first in build.sh and then in test.sh, it fails at npm run test with a module not found error.

What is the relation between build.sh, test.sh and deploy.sh? If the npm install command is run in build.sh, then commands in test.sh and deploy.sh fail, including the npm install command itself.

Why is that?

@srijitm scripts in package.json at the root of the application looks as follows:


  "scripts": {
    "preinstall": "npm i -g serverless && npm i -g lerna",
    "postinstall": "lerna bootstrap",
    "test": "lerna run --stream test --parallel",
    "deploy": "eval \"`aws-auth-helper lerna-deploy` lerna run deploy --since HEAD~1 --stream\"",
    "deploy:cicd": " lerna run deploy --stream",
  },


My build.sh file looks as follows and it runs OK (ONLY because it is the first file being run)


```bash
#! /bin/bash

set -e
set -u
set -o pipefail

echo "Building services..................!"
npm install
npm run test
echo "Build completed..................!"
```

My deploy.sh file looks as follows and it FAILS (**if run after the commands in build.sh, if npm install is not run in build.sh, then in runs okay**)

```
#! /bin/bash

set -e
set -u
set -o pipefail

echo "Running Deployment...........................!"
npm install
npm run deploy:cicd
echo "Deployment Completed.........................!"

```

The error when it fails is:

```text
Running Deployment...........................!

> [email protected] preinstall
> npm i -g serverless && npm i -g lerna

npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142

added 670 packages, and audited 671 packages in 26s

37 packages are looking for funding
run `npm fund` for details

found 0 vulnerabilities
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

changed 632 packages, and audited 633 packages in 13s

62 packages are looking for funding
run `npm fund` for details

found 0 vulnerabilities

> [email protected] postinstall
> lerna bootstrap

internal/modules/cjs/loader.js:834
throw err;
^

Error: Cannot find module '.'
Require stack:
- /codebuild/output/src883388911/src/node_modules/.bin/lerna
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:831:15)
at Function.Module._load (internal/modules/cjs/loader.js:687:27)
at Module.require (internal/modules/cjs/loader.js:903:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/codebuild/output/src883388911/src/node_modules/.bin/lerna:11:3)
at Module._compile (internal/modules/cjs/loader.js:1015:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
at Module.load (internal/modules/cjs/loader.js:879:32)
at Function.Module._load (internal/modules/cjs/loader.js:724:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12) {
code: 'MODULE_NOT_FOUND',
requireStack: [ '/codebuild/output/src883388911/src/node_modules/.bin/lerna' ]
}
npm ERR! code 1
npm ERR! path /codebuild/output/src883388911/src
npm ERR! command failed
npm ERR! command sh -c lerna bootstrap

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2021-03-15T23_48_04_960Z-debug.log

[Container] 2021/03/15 23:48:04 Command did not exit successfully bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh exit status 1
[Container] 2021/03/15 23:48:04 Phase complete: BUILD State: FAILED
[Container] 2021/03/15 23:48:04 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: bash ${CODEBUILD_SRC_DIR}/scripts/deploy.sh. Reason: exit status 1
[Container] 2021/03/15 23:48:05 Entering phase POST_BUILD
[Container] 2021/03/15 23:48:05 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2021/03/15 23:48:05 Phase context status code:  Message:
```


**Similarly, test.sh fails.**


I needed to have a runtime env of node15; therefore, in the CI-CD pipeline, I made the following change for build-project.ts, deploy-project.ts and test-project.ts
```

 buildSpec: BuildSpec.fromObject({
        version: '0.2',
        phases: {
          install: {
            commands: [
              'npm install npm@latest -g',
              'npm install lerna@latest -g'
            ]
          },
```

instead of 
```

        phases: {
          install: {
            'runtime-versions': {
              nodejs: '10'
            }
          },
```

How do I fix this? What is exactly going wrong here? @srijitm 

Branching strategy /Git flow to align with CI/CD pipeline

I would like to understand what should be the branching strategy to align well with this CI/CD pipeline. I have previously used Github flow with Feature branch, development branch, and master branch. Since we are promoting a branch to production from the dev environment, I imagine we don't want to have dev and master as separate branches? That will also need us to approve multiple PR's for the same feature branch.

What branching strategy works best for this CI/CD pipeline?

Long time to deploy the pipeline

It takes a fairly long time (about 6-8 minutes) to deploy, even on making a change of 1 line of code. Is there a way around it?

Pull request and merge actions in CI/CD

There are pipelines deployed for the following branches: development, master. The respective pipeline is triggered on the onCommit event (codeCommitRepo.onCommit('OnCommit', {})), so whenever there is any code push to the branch. We are planning to use git-flow as the branching strategy but don't exactly see the advantages of having another branch called staging, in addition to development and master.

  1. Is there a use of having a third branch like "staging" when using CI/CD?
  2. At what stage should the PR from the feature branch be created?
  3. At what stage should the PR be merged into the development branch?
  4. At what stage should the PR from the development branch to master be created?
  5. At what stage should the PR be merged into the master branch?
  6. What if the development pipeline fails? Should the code be manually unmerged to get development back in the stable condition?
  7. What if the master pipeline fails?

I would like to understand what the flow should look like starting from a feature branch. (Also, Not looking to use Trunk based branching strategy)

Adding a new stack in cicd.ts

The pipeline is currently deployed with the stacks that come defined as part of this CI-CD in the cicd.ts file. I need to introduce a new stack that will be linked to a different repository.

In config/config.ts, I have added

Tests: Array<ProjectRepo>

In project-config.json, I have added:


    "Tests": [
      {
        "pipelineName": "tests",
        "ccRepoName": "tests",
        "branch": "master",
        "type": "BitBucket",
        "cron": ""
      },
      {
        "pipelineName": "tests",
        "ccRepoName": "tests",
        "branch": "develop",
        "type": "BitBucket",
        "cron": ""
      }
    ],

In cicd.ts, I have added:

    new CicdStack(app, 'QARepo', { prefix, ssmRoot, cicdRoleName, repos: config.Tests})

In package.json, I have changed the synth command to include the new stack:

    "synth": "npm run build && npm run cdk -- synth VLNCC-CICD-BackendRepo &&  npm run cdk -- synth QARepo"

When I try to run:

    cdk deploy --all --profile cicd

I get:

    Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment.

I did also try running the command

    npm run synth

before the cdk deploy --all --profile cicd command.

How do I deploy the new stack?

CI/CD pipeline and code deployment to next environment based on the branch name

If the new branch is named master, then a stack should be created containing CI+CD pipelines, with deploy stages in the dev, test, and production environments.
If the new branch is named develop, then a stack should be created containing CI+CD pipelines, with a deploy stage in the Dev and test environment.
If the new branch has any other name, then the stack should be created with only a CI pipeline.

Should be useful to have this behaviour in the CI/CD pipeline. This is coming from an AWS blog for the event-driven multi-branch pipeline.
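An added example, not code from aws-simple-cicd, of the stage-selection logic requested here and in the earlier "Add target account selection per repository" and "Provision stages only if account id is provided" issues: the branch name decides the highest environment a pipeline may reach (master through prod, develop through test, feature/ branches through test, anything else CI only), and a stage is only emitted when a well-formed account id is configured for that environment. The environment names, the precedence of the feature/ rule over "any other name", and the shape of the accounts mapping are assumptions.

```python
"""Decide which deployment stages a branch's pipeline is provisioned with.

Added example, not code from aws-simple-cicd. It combines three requests on
this page: deploy targets chosen by branch name (master -> dev, test, prod;
develop -> dev, test; anything else -> CI only), the feature/ prefix capped at
test, and stages dropped when no account id is configured for an environment.
The environment names and the shape of the accounts mapping are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Environments in promotion order; a branch is granted a prefix of this list.
PROMOTION_ORDER = ["dev", "test", "prod"]

# Exact branch names and their highest reachable environment.
BRANCH_CEILING: Dict[str, str] = {"master": "prod", "develop": "test"}

# Prefix rules (checked after exact names); feature/ branches stop at test.
PREFIX_CEILING = [(re.compile(r"^feature/"), "test")]

# AWS account ids are exactly 12 digits; anything else is a config mistake.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


@dataclass
class StagePlan:
    branch: str
    ci_only: bool
    deploy_stages: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)  # env -> reason


def ceiling_for(branch: str) -> Optional[str]:
    """Highest environment the branch may deploy to, or None for CI only."""
    if branch in BRANCH_CEILING:
        return BRANCH_CEILING[branch]
    for pattern, env in PREFIX_CEILING:
        if pattern.search(branch):
            return env
    return None


def plan_stages(branch: str, accounts: Dict[str, str]) -> StagePlan:
    """Build the stage list for `branch` from the configured account ids.

    `accounts` maps environment name to a 12-digit account id; an empty or
    missing id means the environment is not provisioned, and a malformed id
    is refused rather than silently targeting the wrong account.
    """
    ceiling = ceiling_for(branch)
    plan = StagePlan(branch=branch, ci_only=ceiling is None)
    if ceiling is None:
        return plan
    allowed = PROMOTION_ORDER[: PROMOTION_ORDER.index(ceiling) + 1]
    for env in allowed:
        account = (accounts.get(env) or "").strip()
        if not account:
            plan.skipped[env] = "no account id configured"
        elif not ACCOUNT_ID_RE.match(account):
            plan.skipped[env] = "account id is not 12 digits"
        else:
            plan.deploy_stages.append(env)
    return plan


if __name__ == "__main__":
    # Constructed sample config, not a real set of accounts.
    sample = {"dev": "111111111111", "test": "", "prod": "333333333333"}
    for name in ("master", "develop", "feature/login", "bugfix-42"):
        print(name, plan_stages(name, sample))
```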

resource access to secrets manager for bitbucket sourceaction

    // SourceAction
    const sourceAction = new BitBucketSourceAction({
        actionName: 'BitbucketSource',
        owner: 'ownername',
        repo: repoName,
        output: sourceOutputArtifact,
        connectionArn: SecretValue.secretsManager('BBCloudConnection').toString(),
    })

This is what the source action looks like. I need it to be able to access connectionArn from SecretValue. It fails due to lack of permissions at the moment. Where should the resource permission be added?

Action in deploymentPolicy looks as follows:

        Action:
            - 'cloudformation:*'
            - 'iam:*'
            - 'lambda:*'
            - 'ecs:*'
            - 'ecr:*'
            - 'logs:*'
            - 'ec2:*'
            - 'ssm:*'
            - 'secretsmanager:*'

i.e., I have added 'secretsmanager:*' at the bottom.

As of now, I get the following error if I use secretsManager:

17/49 | 2:14:10 a.m. | CREATE_FAILED | AWS::IAM::Policy | backend--854-pipeline-backend-setup-pipeline/Source/BitbucketSource/CodePipelineActionRole/DefaultPolicy (backendVLNCC854pipelinebackendsetuppipelineSourceBitbucketSourceCodePipelineActionRoleDefaultPolicy41F7C61D) Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 62b6fb1c-77b0-432c-b907-2e409ff7c538; Proxy: null)

The secret manager was created manually on console and has the following resource permissions:


{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::1111111111:role/deployment-role"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}

Error running the deployment from the CI/CD pipeline

In serverless.yml file, the default profile name is 'sandbox'.

When running sls deploy command and not passing --profile argument, it automatically tries to use the sandbox profile.

profile: ${opt:profile, 'sandbox'}

Now, In package.json at the root of the application folder that the CI/CD pipeline needs to deploy, we have,

"deploy:cicd": " lerna run deploy --stream",

This will run the deploy command in all of the serverless services.

In package.json of each of the services, I have:
"deploy": "sls deploy -v",

When the command, npm run deploy:cicd is run, it throws

  1. profile not found error when I run deploy command from build.sh
  2. If I add deploy in deploy.sh, I instead get

```text
lerna run deploy --stream

internal/modules/cjs/loader.js:834
throw err;
^

Error: Cannot find module '.'
Require stack:
- /codebuild/output/src163111865/src/node_modules/.bin/lerna
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:831:15)
at Function.Module._load (internal/modules/cjs/loader.js:687:27)
at Module.require (internal/modules/cjs/loader.js:903:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object.<anonymous> (/codebuild/output/src163111865/src/node_modules/.bin/lerna:11:3)
at Module._compile (internal/modules/cjs/loader.js:1015:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
at Module.load (internal/modules/cjs/loader.js:879:32)
at Function.Module._load (internal/modules/cjs/loader.js:724:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12) {
code: 'MODULE_NOT_FOUND',
requireStack: [ '/codebuild/output/src163111865/src/node_modules/.bin/lerna' ]
}
npm ERR! code 1
npm ERR! path /codebuild/output/src163111865/src
npm ERR! command failed
npm ERR! command sh -c lerna run deploy --stream

npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2021-03-15T23_30_13_216Z-debug.log
```

Error in deploy stage if assume-role-cross-account-role.env not present in the source repo

This is what the logs look like if I do not have assume-role-cross-account-role.env in the repo.


```text
[Container] 2020/12/04 21:38:09 Running command if [ ! -f "${CODEBUILD_SRC_DIR}/scripts/assume-cross-account-role.env" ]; then echo "assume-cross-account-this.role.env not found in repo" && aws s3 cp s3://${ARTIFACTS_BUCKET_NAME}/admin/cross-account/assume-cross-account-role.env ${CODEBUILD_SRC_DIR}/scripts/; else echo "Overriding assume-cross-account-role.env from repo"; fi
assume-cross-account-this.role.env not found in repo
Completed 1.7 KiB/1.7 KiB (23.2 KiB/s) with 1 file(s) remaining
download: s3://vaisala-vimps-vlncc-cicd/admin/cross-account/assume-cross-account-role.env to scripts/assume-cross-account-role.env

[Container] 2020/12/04 21:38:16 Running command . ${CODEBUILD_SRC_DIR}/scripts/assume-cross-account-role.env
/codebuild/output/tmp/script.sh: 18: /codebuild/output/src075076344/src/scripts/assume-cross-account-role.env:
: not found
/codebuild/output/tmp/script.sh: 20: /codebuild/output/src075076344/src/scripts/assume-cross-account-role.env:
: not found
Assuming role role/deployment-role
in account 074808352032 with session name dev-Deploy

/codebuild/output/tmp/script.sh: 24: /codebuild/output/src075076344/src/scripts/assume-cross-account-role.env:
: not found
/codebuild/output/tmp/script.sh: 34: /codebuild/output/src075076344/src/scripts/assume-cross-account-role.env: Syntax error: end of file unexpected (expecting "then")

[Container] 2020/12/04 21:38:16 Command did not exit successfully . ${CODEBUILD_SRC_DIR}/scripts/assume-cross-account-role.env exit status 2
[Container] 2020/12/04 21:38:16 Phase complete: BUILD State: FAILED
[Container] 2020/12/04 21:38:16 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: . ${CODEBUILD_SRC_DIR}/scripts/assume-cross-account-role.env. Reason: exit status 2
[Container] 2020/12/04 21:38:16 Entering phase POST_BUILD
[Container] 2020/12/04 21:38:16 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2020/12/04 21:38:16 Phase context status code:  Message:
```


If I add the file to the repo, it works okay.

Synth command override broken

Trying to push my changes to my cloned repo and noticing it's trying to synth:

"synth": "npm run build && npm run cdk -- synth AWS-Simple-CICD-TeamOne"

AWS-Simple-CICD-TeamOne may not be defined.
