💾 Archived View for capsule.adrianhesketh.com › 2018 › 05 › 02 › go-private-repositories-and-aws-cod… captured on 2021-11-30 at 20:18:30. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
I've gotten used to the luxury of CircleCI, but I thought I'd have a go at AWS CodeBuild to bring the build pipeline inside AWS to reduce the attack surface area.
AWS Code Pipeline supports triggering builds from Github source code repositories, so I was able to get the project's source code from Github without issues. However, when you run `go get` to fetch dependencies, if any of them are private, then the build server needs to be able to authenticate against Github too as part of the build process.
At first, I created a "Deploy Key" for the project I wanted the build server to build, but Deploy Keys aren't a good match for projects which require access to multiple private repositories, so I had to setup a Github user just for the build server and setup an SSH key for it. [0]
Next, I needed to run `ssh-keygen` to create a new key, then put that into the AWS SSM parameter store so that I could get it from within a CodeBuild build step and add it to the list of SSH identities.
aws ssm put-parameter --name build_ssh_key --type String --value "$(cat build_ssh_key.pem)"
Once I'd added the parameter, I then needed to give the AWS-CodeBuild-Role permission to read that key.
Once that was done, I could configure the `buildspec.yml` to get the SSM parameter, add it as an environment variable, then configure the build to be able to authenticate against Github. [1]
The setup for Go on CodeBuild requires a few extra stages [2] Most important was to copy the code from the CODEBUILD_SRC_DIR into the GOPATH and then to remember to change directory into the GOPATH copy, not where the source code started out. CodeBuild lacks the feature to checkout to a specific checkout directory.
{{< gist a-h 02b883108d8322f7d4aedee55910890c >}}
Locally, I could replicate what I expected the build server to do by running Docker and then executing commands at the terminal.
$ docker run -v `pwd`:/codebuild/output/src223872387/src -e "CODEBUILD_SRC_DIR=/codebuild/output/src223872387/src" -e build_ssh_key="$build_ssh_key" --rm -it xxxxxxx/golang-build:latest /bin/bash
However, when trying to get it to work as part of CodeBuild, I got messages in the logs from unexpected directories and the GOPATH had an extra colon after it.
make[1]: Entering directory '/go:/codebuild/output/src823267486/src/github.com ...
Unlike CircleCI, there's no way to SSH into a broken build and attempt to fix it, so the troubleshooting workflow was tortuous - basically putting `echo` statements into some YAML and running it again.
Given that I was unable to easily replicate the problem using the same Docker container locally, I gave up after wasting a few hours fiddling with it. I might give it another try in the future.
Exporting CloudWatch logs for analysis using AWS Athena