aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

Usage with CloudFormation and CodeCommit #34

Closed kay-is closed 5 years ago

kay-is commented 5 years ago

I've created a CodeCommit repository with CFN and committed my Expo/Amplify project into it.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creates a CodeCommit repository'

Parameters: 
  UserNameParam: 
    Type: String

Resources:
  Repository:
    Type: AWS::CodeCommit::Repository
    Properties: 
      RepositoryName: xyz

  Group:
    Type: AWS::IAM::Group
    Properties : 
      GroupName : xyz-devs
      Policies:
        - PolicyName: xyz-repository-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Resource: !GetAtt Repository.Arn
                Action:
                  - "codecommit:*"

  UserToGroupAddition:
    Type: AWS::IAM::UserToGroupAddition
    Properties: 
      GroupName: !Ref Group
      Users: 
        - !Ref UserNameParam

Outputs:
  CloneUrl:
    Description: The URL where the created repository is available.
    Value: !GetAtt Repository.CloneUrlSsh

Then I wanted to connect the Amplify Console to this repository, also with CFN.

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Connects a CodeCommit repository to the Amplify Console'

Resources:

  DevBranch:
    Type: AWS::Amplify::Branch
    Properties: 
      BranchName: master
      AppId: !GetAtt App.AppId
      EnableAutoBuild: yes
      EnvironmentVariables:
        - Name: USER_BRANCH
          Value: dev

  App:
    Type: AWS::Amplify::App
    Properties:
      Name: Xyz
      Repository: https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/xyz
      BuildSpec: |
        version: 0.1
        backend:
          phases:
            build:
              commands:
                - amplifyPush --simple
        frontend:
          phases:
            preBuild:
              commands:
                - nvm use 10
                - npm ci
            build:
              commands:
                - npm run build
          artifacts:
            baseDirectory: web-build
            files:
              - '**/*'
          cache:
            paths:
              - node_modules/**/*
              - $(npm root --global)/**/*

But when I run a deploy I get the following error:

2019-08-06T12:21:20.686Z [INFO]: fatal: unable to access 'https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/xyz/': The requested URL returned error: 403
2019-08-06T12:21:20.692Z [ERROR]: !!! Unable to clone repository.

I guess the Amplify backend service role that was created for me is used to do the checkout? But it has Admin rights, so it should be able to access the repository, right?

garyleefight commented 5 years ago

Hi, you have to define the IAM role Arn in the App template to ensure that you have permission for CodeCommit. You should set something like IAMServiceRole: !Ref ${Your code commit repository}.Arn https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-app.html

kay-is commented 5 years ago

Thanks for the quick reply!

Wouldn't !Ref ${Your code commit repository}.Arn be the ARN of a repo and not of a role?

Anyway, I will try to do both in one template with a service role and see if this works.

kay-is commented 5 years ago

Got it running by creating everything with one template.

Is using the admin policy for the service role necessary?

garyleefight commented 5 years ago

@kay-is Hi, if you are using the Amplify framework, then the answer is yes. CodeCommit read-only permission is enough if you only want to use CodeCommit.
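An added example (not either commenter's template) of the single-stack setup discussed in this thread, for the case where only CodeCommit access is needed and no Amplify backend is built. It assumes hypothetical names `AmplifyServiceRole` and `xyz-repository-pull`, grants only `codecommit:GitPull` on the one repository, and restricts the role's trust to the Amplify service in the same account.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CodeCommit repository, scoped Amplify service role, and Amplify app in one stack'

Resources:
  Repository:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: xyz

  # Role the Amplify service assumes to clone the repository (name is an assumption).
  AmplifyServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: amplify.amazonaws.com
            Action: sts:AssumeRole
            # Only accept assume-role calls made on behalf of this account.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: xyz-repository-pull
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only clone access, limited to the repository above.
              - Effect: Allow
                Action: codecommit:GitPull
                Resource: !GetAtt Repository.Arn

  App:
    Type: AWS::Amplify::App
    Properties:
      Name: Xyz
      Repository: !GetAtt Repository.CloneUrlHttp
      # Without this property the clone step has no role to use.
      IAMServiceRole: !GetAtt AmplifyServiceRole.Arn

  DevBranch:
    Type: AWS::Amplify::Branch
    Properties:
      AppId: !GetAtt App.AppId
      BranchName: master
      EnableAutoBuild: true
```

Creating a stack that contains an IAM role requires acknowledging `CAPABILITY_IAM` at deploy time.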

kay-is commented 5 years ago

Thank you very much!

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.