In modern cloud architecture, cross-account pipelines are essential for streamlining the deployment of resources across multiple AWS accounts. This article provides a detailed guide on creating a cross-account pipeline that utilizes AWS CodeCommit from one AWS account (Account A) to deploy resources into both Account A and another AWS account (Account B). This setup ensures efficient deployment while maintaining security and governance across accounts.
The pipeline we discuss here covers the entire process, from source control to production deployment, moving through various stages of development, testing, and production environments.
Overview of the Pipeline:
The cross-account pipeline is based on a repository hosted in AWS CodeCommit, containing essential files such as:
- main. tf, variables. tf and backend. tf (Terraform configuration files)
- buildspec. yml (used for AWS CodeBuild)
- Modules that manage infrastructure resources (e.g., VPCs, subnets)
This pipeline follows a structured flow:
- Source Control: CodeCommit serves as the source repository.
- Development & QA: Resources are deployed in Account A.
- Production: Final resources are deployed into Account B.
Infrastructure Setup:
Key infrastructure components handled by this pipeline include:
- Virtual Private Clouds (VPCs)
- Public and private subnets
- Route tables and network interfaces
Account A hosts the entire pipeline, while Account B is the target environment for production deployments
Key Steps in Creating a Cross-Account Pipeline:
The pipeline setup involves six core steps:
Step 1: Create IAM Users (Accounts A and B)
Setting up dedicated users in both accounts helps secure access and limit privileges. The process includes:
- IAM User Creation: Create users in both Account A and Account B.
- Policy Attachment: Attach administrator access or tailored policies required for pipeline and deployment access.
- Access Keys: Generate and securely store access keys for later use.
Using specific IAM users (rather than root) ensures the security of pipeline operations and reduces the risk of unauthorized access.
Step 2: Create the Pipeline in Account A
Next, create the pipeline in Account A using AWS Code Pipeline:
- Source Stage: Define the AWS CodeCommit repository as the source.
- Service Role: Set up a service role for the pipeline to manage operations.
- Build Stage: Use AWS Code Build for building and packaging resources.
- Environment Variables: Define environment variables such as STAGE=dev, STAGE=qa, and STAGE=prod to distinguish between deployment stages.
- Deploy Stage: Deploy resources in Account A (for dev and QA) and in Account B (for production).
Each pipeline stage is responsible for different environments (development, QA, and production), ensuring an automated flow.
Step 3: Create a KMS Key in Account A
For secure communication and artifact encryption, create a customer-managed KMS key:
- KMS Key Setup: In Account A, create a KMS key to encrypt sensitive resources.
- Cross-Account Permissions: Update the key policy to allow Account B’s resources to use it.
This ensures encrypted communication and artifact management between the two accounts.
Step 4: Create an S3 Bucket in Account A
An S3 bucket is needed to store build artifacts. Ensure proper configuration and permissions:
- S3 Bucket Creation: Set up the S3 bucket in Account A.
- KMS Key Integration: Use the KMS key for encryption of the bucket.
- Bucket Policy Configuration: Grant access to both Account A and Account B by modifying the bucket policy.
The policy must specifically allow users and roles from Account B to access the necessary artifacts stored in this bucket.
Step 5: Create a Cross-Account Role in Account B
To deploy resources into Account B, create an IAM role that trusts Account A:
- IAM Policy in Account B: Create a policy that grants necessary permissions for resource creation (VPC, subnets, etc.).
- Cross-Account Role: Set up a role in Account B with trust relationships that allow Account A’s pipeline to assume the role.
- Role Policies: Attach policies to this role, granting it permissions to deploy the required resources.
The cross-account role is critical for enabling secure and seamless deployment into Account B.
Step 6: Configure S3 Bucket Permissions in Account A
Finally, ensure that the S3 bucket created in Account A can be accessed by the cross-account role from Account B:
- Bucket Policy Update: Modify the bucket’s policy to include permissions for the IAM role from Account B.
- Artifact Sharing: Ensure that the artifacts stored in the S3 bucket are accessible to the production stage in Account B.
This final step ensures that build artifacts created during the dev/QA stages can be securely accessed and used in the production deployment in Account B.
Conclusion:
In summary, this cross-account pipeline setup using AWS CodeCommit and AWS Code Pipeline enables efficient, automated resource deployment across multiple accounts, ensuring secure infrastructure management from development to production. By creating dedicated IAM users with minimal privileges, establishing multi-stage deployment processes with AWS CodeBuild, encrypting S3 buckets with KMS for secure artifact storage, and configuring cross-account roles and permissions, the pipeline fosters seamless collaboration between accounts while maintaining robust security. This approach reduces manual intervention, enhances scalability, and ensures consistent governance across AWS environment