aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

Pipeline existing connection passing ARN instead of name. #2325

Open h5aaimtron opened 3 years ago

h5aaimtron commented 3 years ago

Per the documentation on pipelines found here: https://aws.github.io/copilot-cli/docs/concepts/pipelines/

You can edit your pipeline.yaml and specify it to use an existing connection; however, it only specifies that you provide the connection name. What about the connection ARN? The reason I ask is that we're looking to set up a common github connection across our organization's aws accounts and share it. I'm assuming we could then pass the arn for the connection in the pipeline.yaml and be good to go. I wanted to get thoughts/feedback on whether this would be feasible now or possible in a near future release.

huanjani commented 3 years ago

Hello, @h5aaimtron!

Thanks for your question. We opted to take in the connection name instead of the ARN because some people are uncomfortable having their account-id, which is part of the ARN, exposed.

Unfortunately for your use case, each CodeStar Connections connection is specific to one AWS account. You could have each AWS account connect to the same GitHub repo with a separate CodeStar connection?

Hope that helps!
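The point above about account IDs being embedded in a CodeStar Connections ARN is easy to see by taking one apart. The following is an added illustration, not Copilot's own code: it parses an ARN of the form `arn:aws:codestar-connections:<region>:<account-id>:connection/<uuid>`, classifies a manifest value as an ARN or a plain connection name, redacts the account ID for logging, and checks whether a referenced connection lives in the account that will deploy the pipeline (the per-account restriction described in the reply). The sample ARN, account IDs and UUID are constructed placeholders; the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample values for the example (made-up account ID and UUID,
# in the documented ARN shape); they do not refer to any real connection.
SAMPLE_ARN = (
    "arn:aws:codestar-connections:us-east-1:123456789012:"
    "connection/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)
SAMPLE_NAME = "shared-github-connection"

# Pattern for a CodeStar Connections ARN: partition, region, 12-digit
# account ID and a UUID-shaped connection ID.
CONNECTION_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):codestar-connections:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"connection/(?P<connection_id>[0-9a-f-]{36})$"
)


@dataclass(frozen=True)
class ConnectionArn:
    partition: str
    region: str
    account_id: str
    connection_id: str


def parse_connection_arn(arn: str) -> ConnectionArn:
    """Split a CodeStar Connections ARN into its parts; raise on anything else."""
    m = CONNECTION_ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not a CodeStar Connections ARN: {arn!r}")
    return ConnectionArn(
        partition=m.group("partition"),
        region=m.group("region"),
        account_id=m.group("account"),
        connection_id=m.group("connection_id"),
    )


def classify_connection_reference(value: str) -> str:
    """Return 'arn' if the manifest value is a full ARN, otherwise 'name'."""
    try:
        parse_connection_arn(value)
        return "arn"
    except ValueError:
        return "name"


def redact_account_id(arn: str) -> str:
    """Rebuild the ARN with the account ID masked, for safe inclusion in logs."""
    p = parse_connection_arn(arn)
    return (
        f"arn:{p.partition}:codestar-connections:{p.region}:"
        f"{'*' * 12}:connection/{p.connection_id}"
    )


def is_same_account(arn: str, deploying_account_id: str) -> bool:
    """True when the connection belongs to the account deploying the pipeline.

    A connection referenced from another account would fail the per-account
    restriction described in the reply, so a validator should flag it.
    """
    return parse_connection_arn(arn).account_id == deploying_account_id


if __name__ == "__main__":
    print(classify_connection_reference(SAMPLE_ARN), classify_connection_reference(SAMPLE_NAME))
    print(redact_account_id(SAMPLE_ARN))
    print(is_same_account(SAMPLE_ARN, "123456789012"), is_same_account(SAMPLE_ARN, "210987654321"))
```

Running it shows that the 12-digit account ID is recoverable from the raw ARN string, which is why a config file that holds the ARN, once shared or committed, leaks the account ID, whereas a connection name does not.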

h5aaimtron commented 3 years ago

Hi @huanjani,

To give context, we have an organization with multiple landing zone accounts within AWS for various dev teams/products. That means each team/product has their own repos/applications/aws accounts/etc. We are encountering an issue where we cannot set up the codestar connections as the dev teams are not org admins in github and even when given org admin access temporarily, every time we set up a connection, it wipes the previous configuration for the app connector within github.

To solve this issue, I suggested we create an account for our ALM team to manage a single codestar connection back to our github organization and share it across to the other LZ accounts for use. I assume this can be done via IAM roles/policies; however, I'm quite certain this connection won't be available via the connection name if it is possible.

*Note: We use arn for secrets manager within our manifest files today, so using an arn for the pipeline.yaml seems reasonable as well.

huanjani commented 3 years ago

Thanks for the context! Let me play around with this and see what I can do.

huanjani commented 3 years ago

Hi @h5aaimtron.

Sorry for the delay. Can you first check to see if your proposed connection-sharing plan would work by trying it manually?

(To specify your CodeStar Connection ARN in the CodePipeline console, do Edit -> Edit Stage -> Edit:Source to change the ARN.)

Let us know how that goes!

h5aaimtron commented 3 years ago

@huanjani I just got back from a trip, but will begin testing this today and get back to you soon. Thanks!