aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Allow customers to specify the CodeBuild container image that AFT uses #380

Open intekaws-axiamed opened 11 months ago

intekaws-axiamed commented 11 months ago

**AFT Version:** 1.10.3

**Terraform Version & Provider Versions**
Please provide the outputs of `terraform version` and `terraform providers` from within your AFT environment

`terraform version`
Terraform v1.3.9

`terraform providers`
AWS

**Bug Description**
The latest OPA version https://github.com/open-policy-agent/opa/releases/tag/v0.54.0 is not supported with the docker codebuild image `aws/codebuild/amazonlinux2-x86_64-standard:4.0`, which is used in the AFT codebuild pipeline, e.g. https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-customizations/codebuild.tf

**To Reproduce**
Steps to reproduce the behavior:
1. Run the script below as part of the build process:

```sh
curl -L -o /opt/aft/bin/opa https://github.com/open-policy-agent/opa/releases/download/v0.54.0/opa_linux_amd64
chmod 755 /opt/aft/bin/opa
/opt/aft/bin/opa version
```

2. See an error similar to `` /lib64/libc.so.6: version `GLIBC_2.27' ``

**Expected behavior**
OPA should run without any error

**Related Logs**
`` error - /lib64/libc.so.6: version `GLIBC_2.27' ``

**Additional context**
None.

**Suggested Fix**
The codebuild docker image needs to be upgraded from `aws/codebuild/amazonlinux2-x86_64-standard:4.0` to `aws/codebuild/amazonlinux2-x86_64-standard:5.0`. Ref: https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
OPA v0.54.0 is supported with `aws/codebuild/amazonlinux2-x86_64-standard:5.0`.
Please note `aws/codebuild/amazonlinux2-x86_64-standard:5.0` has Python 3.11, which is not supported by the Lambda runtime, so aft-lambda-layer should run on `aws/codebuild/amazonlinux2-x86_64-standard:4.0`.

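As an added example (not code from the AFT project or from the issue author), a pre_build guard that compares the highest `GLIBC_x.y` symbol version a downloaded binary references against the glibc of the CodeBuild image, so the mismatch reported in this issue surfaces as a clear message before the pipeline ever runs `opa`. The function names and the sample symbol-table lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail fast when a downloaded binary (here OPA) needs a newer
# glibc than the build image provides, instead of failing later with the
# cryptic "version `GLIBC_2.27' not found" error from the issue.
# Amazon Linux 2 (the base of amazonlinux2-x86_64-standard:4.0) ships glibc 2.26.

# Highest GLIBC_x.y symbol version referenced by the lines on stdin
# (the format produced by `objdump -T <binary>` or `strings <binary>`).
max_glibc_required() {
  grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/GLIBC_//' | sort -t. -k1,1n -k2,2n | tail -n1
}

# glibc version of the running image, parsed from the first line of
# `ldd --version` (e.g. "ldd (GNU libc) 2.26").
glibc_available() {
  ldd --version 2>/dev/null | head -n1 | grep -o '[0-9][0-9]*\.[0-9][0-9]*$'
}

# Return 0 when dotted version $1 is greater than or equal to $2 (2.27 >= 2.26).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n | tail -n1)" = "$1" ]
}

# Decide whether a binary needing glibc $1 can run where glibc $2 is installed.
# Prints a diagnostic and returns 0 when compatible, 1 otherwise.
check_glibc_compat() {
  required=$1
  available=$2
  if version_ge "$available" "$required"; then
    echo "ok: binary needs GLIBC_$required, image has glibc $available"
    return 0
  fi
  echo "error: binary needs GLIBC_$required but image glibc is $available (upgrade the CodeBuild image)" >&2
  return 1
}

# Constructed sample, standing in for the output of `objdump -T /opt/aft/bin/opa`.
SAMPLE_SYMBOLS='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.27  glob
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy'

# Usage in a pre_build step against the real binary (hypothetical path from the issue):
#   req=$(objdump -T /opt/aft/bin/opa | max_glibc_required)
#   check_glibc_compat "$req" "$(glibc_available)" || exit 1
```
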
adam-daily commented 11 months ago

Hey there, thanks for the report. For our info, a couple questions:

  1. What's the current impact of this? Are you still able to provision accounts and apply customizations?
  2. Where in the code have you added the lines to pull and run OPA?

intekaws-axiamed commented 11 months ago

> Hey there, thanks for the report. For our info, a couple questions:
>
>   1. What's the current impact of this? Are you still able to provision accounts and apply customizations?
>   2. Where in the code have you added the lines to pull and run OPA?

Hi, current impact - I can't validate my IaC against OPA, which is a security risk and prevents code promotion to production. I am running it in the pre_build helper.

adam-daily commented 11 months ago

Got ya, makes sense. We do have a backlog to look at container upgrades, but we need to be careful since the container version is one that all AFT customers consume. We need to ensure that we don't break AFT itself, but also that we don't break customers who have automation that lives within that container. We can understand impacts in the first case; we have integration testing internally that catches issues that would break the AFT framework. But we can't know what software customers run in things like the pre-API helper for example, so it's difficult to understand if a major version increment would break those customers.

In the meantime, my suggestion would be to run validations and testing before modules are committed to AFT repos. AFT was originally conceptualized as a "last step"; the mechanism to apply customizations to accounts rather than being a full-lifecycle CI or change management/approval tool. As such the API helper stages were meant only to establish conditions that would make the application of customizations possible. While customers have expressed interest in things like approval steps and validation gates within AFT itself, currently that isn't in the scope of business problems that AFT seeks to address.

intekaws-axiamed commented 11 months ago

Thanks for your response. Running OPA requires a Terraform plan, since it runs against the Terraform plan file, which can only be accessed within the AFT pipeline, so I won't be able to run OPA outside of the AFT pipeline as part of automation. Running OPA on a developer's local environment is not recommended, as other developers will not have any visibility of the report.

snebhu3 commented 11 months ago

@intekaws-axiamed, we have created a backlog item to let customers specify the container to be used in AFT pipelines. Thank you for the context and details for your use case.

intekaws-axiamed commented 10 months ago

Thank you, I have updated the title to reflect the enhancement. I am looking forward to this release!

stumins commented 7 months ago

Hi @intekaws-axiamed,

Following up to let you know that AFT 1.11.0 updated the codebuild image to aws/codebuild/amazonlinux2-x86_64-standard:5.0, which I believe resolves your original request to provide an OPA compatible image.

I'm leaving this issue open to track the enhancement request to allow customer-specified container images.