Can a CDK pipeline stack avoid referring to a specific repo and Github connection?
My CDK pipeline stack has this code:
```typescript
const pipeline = new CodePipeline(this, id, {
  pipelineName: id,
  synth: new CodeBuildStep("Synth", {
    input: CodePipelineSource.connection("user/example4-be", "main", {
      connectionArn: "arn:aws:codestar-connections:us-east-1:111...1111:connection/1111-1111.....1111",
    }),
    installCommands: [],
    commands: []
  }),
})
```
which makes the code tightly coupled to the repository it is in (user/example4-be) and the Github connection it's using to access it (arn:aws:codestar-connections:...). This would break if someone forks the repo and wants to have a parallel pipeline. I feel like these two values should be configuration and not part of the code.
Is there a way using CDK and CodePipeline for this to be external variables? I guess the variables should be per-pipeline if possible? I'm not entirely sure.
Solution 1:[1]
If you want to keep this information out of the repo, you can create SSM parameters in a separate stack, deploy it and populate the parameters, then do a synth-time lookup in the pipeline.
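Here's how it would look in Python:
```python
# Imports assumed from the aliases used below; cdk.Construct implies CDK v1.
from aws_cdk import core as cdk
from aws_cdk import aws_codestarconnections as csc
from aws_cdk import aws_ssm as ssm


class ParametersStack(cdk.Stack):
    def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs):
        super().__init__(scope, construct_id, **kwargs)
        # The connection is created in a pending state and is set up after deploy.
        codestar_connection = csc.CfnConnection(
            self, "my_connection", connection_name="my_connection", provider_type="GitHub"
        )
        ssm.StringParameter(
            self,
            "codestar_arn",
            string_value=codestar_connection.ref,
            parameter_name="/codestar/connection_arn",
        )
        # Placeholder values, to be populated after the stack is deployed.
        ssm.StringParameter(
            self,
            "repo_owner",
            string_value="REPO_OWNER",
            parameter_name="/github/repo_owner",
        )
        ssm.StringParameter(
            self,
            "main_repo_name",
            string_value="MAIN_REPO_NAME",
            parameter_name="/github/repo_name",
        )
```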
You'd then deploy this stack, set up the connection, and populate the repo owner and name parameters.
In the pipeline stack:
```python
github_repo_owner = ssm.StringParameter.value_from_lookup(
    self, "/github/repo_owner"
)
github_repo_name = ssm.StringParameter.value_from_lookup(
    self, "/github/repo_name"
)
# The following is needed because during the first synth, the values will be
# filled with dummy values that are incompatible, so just replace them with
# dummy values that will synth
# See https://github.com/aws/aws-cdk/issues/8699
if "dummy" in github_repo_owner:
    github_repo_owner = "dummy"
if "dummy" in github_repo_name:
    github_repo_name = "dummy"
repo_string = f"{github_repo_owner}/{github_repo_name}"
codestar_connection_arn = ssm.StringParameter.value_from_lookup(
    self, "/codestar/connection_arn"
)
source = pipelines.CodePipelineSource.connection(
    repo_string=repo_string,
    branch=branch_name,
    connection_arn=codestar_connection_arn,
)
```
You also need to give the pipeline the right to perform the lookups during synth. You do this by allowing the role for the synth action to assume the lookup role:
```python
synth_step = pipelines.CodeBuildStep(
    "synth",
    install_commands=[
        "npm install -g aws-cdk",
        "pip install -r requirements.txt",
    ],
    commands=[
        "cdk synth",
    ],
    input=source,
    role_policy_statements=[
        iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["sts:AssumeRole"],
            resources=["*"],
            conditions={
                "StringEquals": {
                    "iam:ResourceTag/aws-cdk:bootstrap-role": "lookup"
                }
            },
        ),
    ],
)
```
The looked up values will be saved in cdk.context.json. If you don't commit it to your VCS, the pipeline will do the lookup and fetch the actual values every time.
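Because the SSM parameters now decide which repository and connection the pipeline builds from, the looked-up strings are worth validating at synth time. The following is an added example, not part of the original answer: `resolve_source_settings`, the regexes and the sample ARN are hypothetical, and the owner, repo and ARN formats are assumptions.

```python
import re

# Prefix CDK puts on placeholder values when a value_from_lookup() result is
# not yet cached in cdk.context.json (first synth).
DUMMY_PREFIX = "dummy-value-for-"

# Assumed formats (not from the original answer): GitHub owner and repo naming
# rules, and a connection ARN ending in a UUID-style connection id.
OWNER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}")
REPO_RE = re.compile(r"[A-Za-z0-9._-]{1,100}")
ARN_RE = re.compile(
    r"arn:aws[a-z-]*:(?:codestar-connections|codeconnections):[a-z0-9-]+:\d{12}"
    r":connection/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
)


def resolve_source_settings(owner: str, repo: str, connection_arn: str):
    """Return (repo_string, connection_arn) for CodePipelineSource.connection.

    Placeholders from an unresolved lookup become a synth-safe "dummy/dummy";
    resolved values are rejected unless they match the expected formats.
    """
    if any(v.startswith(DUMMY_PREFIX) for v in (owner, repo, connection_arn)):
        return "dummy/dummy", connection_arn
    if not OWNER_RE.fullmatch(owner):
        raise ValueError(f"unexpected repo owner in SSM: {owner!r}")
    if repo in (".", "..") or not REPO_RE.fullmatch(repo):
        raise ValueError(f"unexpected repo name in SSM: {repo!r}")
    if not ARN_RE.fullmatch(connection_arn):
        raise ValueError(f"unexpected connection ARN in SSM: {connection_arn!r}")
    return f"{owner}/{repo}", connection_arn


# Constructed sample values, not real resources.
SAMPLE_ARN = (
    "arn:aws:codestar-connections:us-east-1:123456789012"
    ":connection/11111111-2222-3333-4444-555555555555"
)

if __name__ == "__main__":
    print(resolve_source_settings("user", "example4-be", SAMPLE_ARN))
    print(resolve_source_settings(
        "dummy-value-for-/github/repo_owner",
        "dummy-value-for-/github/repo_name",
        "dummy-value-for-/codestar/connection_arn",
    ))
```

A failed check stops the synth step, so a parameter that was edited to an unexpected value never reaches the pipeline definition.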
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | gshpychka |
