Calling Synopsys Detect from AWS CodeBuild by using the AWS command-line interface

This page describes how to modify the steps listed in the Calling Synopsys Detect from AWS CodeBuild page so that they use the AWS command-line interface instead of the console.

Prerequisites:

  • Valid Black Duck server instance.
  • Output S3 bucket configured in AWS.

  • AWS command line interface (CLI) installed and configured. See Installing AWS CLI to learn about installing the AWS CLI.

  1. Follow the steps referenced in Before You Begin.
  2. Create a policy file to access the tags created in the previous step, and configure logging with Amazon CloudWatch.
    1. Create a file named <policy name>.json on the local computer or instance where the AWS CLI is installed.
    2. Copy and paste the following code into the <policy name>.json file.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:us-east-1:<account id>:parameter/BLACKDUCK_*"
          },
          {
            "Effect": "Allow",
            "Resource": [
              "arn:aws:logs:us-east-1:<account id>:log-group:/aws/codebuild/<project name>",
              "arn:aws:logs:us-east-1:<account id>:log-group:/aws/codebuild/<project name>:*"
            ],
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ]
          },
          {
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::codepipeline-us-east-1-*"
            ],
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:GetObjectVersion"
            ]
          },
          {
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::<output bucket name>/*"
            ],
            "Action": [
              "s3:PutObject"
            ]
          }
        ]
      }

      Verify that the region and account ID in every ARN of the policy document are correct. Your parameters, buckets, policies, and buildspec.yml file must all be configured for the same region.

  3. Create the AWS CodeBuild service role file (the trust policy that lets CodeBuild assume the role).
    1. Use the same location that you placed the policy file in the previous step, to create a file named <role name>.json.
    2. Copy and paste the following code into the <role name>.json file.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  4. Attach the policy that you created in Step 2 to the service role that you created in Step 3.
    1. In the directory where you saved the preceding files, run the aws iam create-role command shown on the first line of the following code block.
    2. In the same directory, run the aws iam put-role-policy command shown on the second line.

      aws iam create-role --role-name <role name> --assume-role-policy-document file://<role name>.json
      aws iam put-role-policy --role-name <role name> --policy-name <policy name> --policy-document file://<policy name>.json
  5. Create the buildspec.yml file and add it to the root directory of your source code, following the linked instructions.
  6. Create and run the AWS CodeBuild project.
    If you are using CodeStar, the project is already created, and you can skip to step 6 to run the build.
    1. Create a file named <project name>.json.
    2. Copy and paste the following code into the <project name>.json file.

      {
        "name": "<project name>",
        "source": {
          "type": "GITHUB",
          "location": "<HTTPS clone url to source code repository>"
        },
        "artifacts": {
          "type": "S3",
          "location": "<output bucket name>"
        },
        "environment": {
          "type": "LINUX_CONTAINER",
          "image": "aws/codebuild/java:openjdk-8",
          "computeType": "BUILD_GENERAL1_SMALL"
        },
        "serviceRole": "arn:aws:iam::<account id>:role/<role name>"
      }

      Detailed explanations of each field, including optional fields, are at: http://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli.

    3. You can also get the service role ARN by running the following command:

      aws iam get-role --role-name <role name>
    4. In the same directory containing the <project name>.json, run the following command:

      aws codebuild create-project --cli-input-json file://<project name>.json
    5. To update a project that already exists, replace create-project (step 4) with update-project as shown in the following command:

      aws codebuild update-project --cli-input-json file://<project name>.json
    6. Use the following command to run the build:

      aws codebuild start-build --project-name <project name>
  7. Check the status of the build by using either of the following methods:
    1. Go to https://console.aws.amazon.com/codebuild and locate the build under your project name.
      or
    2. Run the following command, passing the build ID that aws codebuild start-build returned:

      aws codebuild batch-get-builds --ids <build id>
  8. Follow the linked steps to view the Black Duck results.
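The verification called out in step 2 (every ARN carries the same region and account ID, no angle-bracket placeholder is left unfilled, and no statement is widened to a wildcard) can be scripted before the policy is attached. The following check is an added example written in Python rather than the AWS CLI so that it runs offline; it is not code from the Synopsys page or from AWS, and the account ID 123456789012, the project name bd-scan and the bucket bd-output in the embedded sample policy are constructed values.

```python
import json
import re

# Constructed sample (not from the page): the step 2 policy with its placeholders
# filled in for a hypothetical account 123456789012, region us-east-1, project "bd-scan".
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ssm:GetParameters"],
     "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/BLACKDUCK_*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/bd-scan",
                  "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/bd-scan:*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
     "Resource": ["arn:aws:s3:::codepipeline-us-east-1-*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::bd-output/*"]}
  ]
}"""

PLACEHOLDER = re.compile(r"<[^>]+>")  # matches unfilled <account id>, <project name>, ...

def lint_policy(policy_text, region, account):
    # Returns a list of findings; an empty list means the document passed every check.
    findings = []
    if PLACEHOLDER.search(policy_text):
        findings.append("unresolved <placeholder> left in the policy document")
    policy = json.loads(policy_text)
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        for arn in resources:
            if arn == "*":
                findings.append(f"statement {i}: wildcard resource")
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6 or parts[0] != "arn":
                findings.append(f"statement {i}: malformed ARN {arn}")
                continue
            service, arn_region, arn_account = parts[2], parts[3], parts[4]
            if service == "s3":  # S3 ARNs carry no region or account fields
                continue
            if arn_region != region:
                findings.append(f"statement {i}: region {arn_region} != {region} in {arn}")
            if arn_account != account:
                findings.append(f"statement {i}: account {arn_account} != {account} in {arn}")
    return findings
```

Run it against your filled-in <policy name>.json with the region and account ID you expect; any finding means the file should be corrected before aws iam put-role-policy is run.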
©2020 Synopsys, Inc. All Rights Reserved