Calling Synopsys Detect from AWS CodeBuild by using the AWS command-line interface
This page describes how to modify the steps listed in the Calling Synopsys Detect from AWS CodeBuild page so that they are performed with the AWS command-line interface (CLI).
Prerequisites:
- A valid Black Duck server instance.
- An output S3 bucket configured in AWS.
- The AWS command line interface (CLI) installed and configured. See Installing AWS CLI for installation instructions.
- Follow the steps referenced in Before You Begin.
- Create a policy file that grants the build read access to the BLACKDUCK_* parameters in Systems Manager Parameter Store created in the previous step, and that configures logging with Amazon CloudWatch.
- Create a file named <policy name>.json on the local computer or instance where the AWS CLI is installed, and paste the following policy document into it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ssm:GetParameters" ],
      "Resource": "arn:aws:ssm:us-east-1:<account id>:parameter/BLACKDUCK_*"
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:us-east-1:<account id>:log-group:/aws/codebuild/<project name>",
        "arn:aws:logs:us-east-1:<account id>:log-group:/aws/codebuild/<project name>:*"
      ],
      "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ]
    },
    {
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::codepipeline-us-east-1-*" ],
      "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion" ]
    },
    {
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::<output bucket name>/*" ],
      "Action": [ "s3:PutObject" ]
    }
  ]
}
The policy is deliberately narrow: parameter reads are limited to names starting with BLACKDUCK_, log writes to this project's log group, and writes to the output bucket only. Verify that the region and account ID in every ARN are correct. IAM itself is global, but the parameters, the log group, the buckets and the region configured in your buildspec.yml must all be in the region the ARNs name; a statement whose ARN names a different region never matches, and the build is denied access.
- Create the trust policy file for the AWS CodeBuild service role.
- In the same location as the policy file from the previous step, create a file named <role name>.json and paste the following trust policy into it. It allows only the CodeBuild service to assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "codebuild.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Create the service role from <role name>.json and attach the policy in <policy name>.json to it.
- In the directory where you saved the preceding files, first run aws iam create-role, then aws iam put-role-policy, which adds the policy to the role as an inline policy and therefore requires the role to exist already:
aws iam create-role --role-name <role name> --assume-role-policy-document file://<role name>.json
aws iam put-role-policy --role-name <role name> --policy-name <policy name> --policy-document file://<policy name>.json
- Create the buildspec.yml file and add it to the root directory of your source code, following the buildspec instructions in the Calling Synopsys Detect from AWS CodeBuild page.
- Create and run the AWS CodeBuild project.
If you are using CodeStar, the project already exists; skip to the start-build command at the end of this step.
- Create a file named <project name>.json and paste the following project definition into it.
{
  "name": "<project name>",
  "source": {
    "type": "GITHUB",
    "location": "<HTTPS clone url to source code repository>"
  },
  "artifacts": {
    "type": "S3",
    "location": "<output bucket name>"
  },
  "environment": {
    "type": "LINUX_CONTAINER",
    "image": "aws/codebuild/java:openjdk-8",
    "computeType": "BUILD_GENERAL1_SMALL"
  },
  "serviceRole": "arn:aws:iam::<account id>:role/<role name>"
}
Detailed explanations of each field, including the optional ones, are at http://docs.aws.amazon.com/codebuild/latest/userguide/create-project.html#create-project-cli. The image value must name a build image that CodeBuild offers in your region; aws/codebuild/java:openjdk-8 is the image this page was written against.
The serviceRole value is the ARN of the role you created earlier. You can also read it from the Role.Arn field in the output of the following command:
aws iam get-role --role-name <role name>
In the directory containing <project name>.json, create the project:
aws codebuild create-project --cli-input-json file://<project name>.json
To update a project that already exists, use update-project instead of create-project:
aws codebuild update-project --cli-input-json file://<project name>.json
Run the build:
aws codebuild start-build --project-name <project name>
The output of start-build includes the build ID (the build.id field, in the form <project name>:<uuid>). Note it, because the status check in the next step takes a build ID, not a project name.
- Check the status of the build by using either of the following methods:
- Go to https://console.aws.amazon.com/codebuild and locate the build under the given project name.
- Run the following command, passing the build ID returned by start-build (not the project name):
aws codebuild batch-get-builds --ids <build id>
- The remaining steps, in which you view the Black Duck results, are unchanged from the Calling Synopsys Detect from AWS CodeBuild page.
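The whole procedure above, as an added example rather than code from this page or from Synopsys or AWS: it builds the three JSON documents from one set of parameters so the region, account ID, project name and bucket cannot drift between them, checks every regional ARN against the expected region and account before anything is created, writes the files, runs the page's AWS CLI commands in order, and passes the build ID from start-build (not the project name) to batch-get-builds. The names and values in the main section (bd-scan, bd-codebuild-role, 123456789012, the GitHub URL) are placeholders, and the script assumes the AWS CLI is installed and configured.

```python
"""Generate the policy, trust policy and project documents for the CodeBuild
setup, check them for region/account mismatches, then run the AWS CLI steps.
Added example; not Synopsys's or AWS's code. All account/project names are
placeholders."""
import json
import re
import subprocess
from pathlib import Path

# arn:partition:service:region:account:resource  (region and account are empty for S3)
ARN_RE = re.compile(r"^arn:aws:([a-z0-9-]+):([a-z0-9-]*):([0-9]*):")


def build_policy(region, account_id, project_name, output_bucket):
    """The inline permissions policy from the page, with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ssm:GetParameters"],
             "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter/BLACKDUCK_*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [
                 f"arn:aws:logs:{region}:{account_id}:log-group:/aws/codebuild/{project_name}",
                 f"arn:aws:logs:{region}:{account_id}:log-group:/aws/codebuild/{project_name}:*"]},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
             "Resource": [f"arn:aws:s3:::codepipeline-{region}-*"]},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{output_bucket}/*"]},
        ],
    }


def build_trust_policy():
    """Trust policy: only the CodeBuild service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def build_project(project_name, repo_url, output_bucket, account_id, role_name):
    """The create-project input document from the page."""
    return {"name": project_name,
            "source": {"type": "GITHUB", "location": repo_url},
            "artifacts": {"type": "S3", "location": output_bucket},
            "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/java:openjdk-8",
                            "computeType": "BUILD_GENERAL1_SMALL"},
            "serviceRole": f"arn:aws:iam::{account_id}:role/{role_name}"}


def policy_mismatches(policy, region, account_id):
    """Return the resource ARNs whose region or account differs from the build's.
    S3 ARNs carry neither, so only the CodePipeline bucket prefix is checked for region."""
    bad = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for arn in ([res] if isinstance(res, str) else res):
            m = ARN_RE.match(arn)
            if not m:
                bad.append(arn)          # not a well-formed ARN at all
                continue
            service, arn_region, arn_account = m.groups()
            if service == "s3":
                if arn.startswith("arn:aws:s3:::codepipeline-") and f"codepipeline-{region}-" not in arn:
                    bad.append(arn)
            elif arn_region != region or arn_account != account_id:
                bad.append(arn)
    return bad


def cli_commands(workdir, role_name, policy_name, project_name):
    """The page's CLI commands in the order they must run (role before its inline policy)."""
    w = Path(workdir)
    return [
        ["aws", "iam", "create-role", "--role-name", role_name,
         "--assume-role-policy-document", f"file://{w / (role_name + '.json')}"],
        ["aws", "iam", "put-role-policy", "--role-name", role_name, "--policy-name", policy_name,
         "--policy-document", f"file://{w / (policy_name + '.json')}"],
        ["aws", "codebuild", "create-project", "--cli-input-json",
         f"file://{w / (project_name + '.json')}"],
        ["aws", "codebuild", "start-build", "--project-name", project_name],
    ]


def build_id_from_start_build(output_json):
    """batch-get-builds takes build IDs (<project>:<uuid>) from start-build's output."""
    return json.loads(output_json)["build"]["id"]


if __name__ == "__main__":
    # Placeholder values; replace with your own region, account, names and repository.
    region, account, project = "us-east-1", "123456789012", "bd-scan"
    role, policy, bucket = "bd-codebuild-role", "bd-codebuild-policy", "my-bd-output-bucket"
    workdir = Path(".")
    docs = {role: build_trust_policy(),
            policy: build_policy(region, account, project, bucket),
            project: build_project(project, "https://github.com/example/repo.git", bucket, account, role)}
    bad = policy_mismatches(docs[policy], region, account)
    if bad:
        raise SystemExit(f"ARN region/account mismatch, not creating anything: {bad}")
    for name, doc in docs.items():
        (workdir / f"{name}.json").write_text(json.dumps(doc, indent=2))
    out = ""
    for cmd in cli_commands(workdir, role, policy, project):   # last command is start-build
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    subprocess.run(["aws", "codebuild", "batch-get-builds", "--ids",
                    build_id_from_start_build(out)], check=True)
```

The mismatch check runs before any AWS call, so a policy that names the wrong region is caught locally instead of surfacing later as an AccessDenied in the build log; if the project already exists, swap create-project for update-project in cli_commands.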
©2020 Synopsys, Inc. All Rights Reserved