-
Notifications
You must be signed in to change notification settings - Fork 0
/
buildspec_docker.signer.yml
40 lines (38 loc) · 1.69 KB
/
buildspec_docker.signer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# See https://docs.aws.amazon.com/signer/latest/developerguide/Welcome.html
version: 0.2
env:
parameter-store:
SIGNER_PROFILE_ARN: 'signer-profile-arn'
phases:
install:
runtime-versions:
python: 3.9
pre_build:
commands:
- echo Downloading AWS signer and Notation CLI.
- wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
- echo Installing AWS signer and Notation CLI.
- sudo dpkg -i -E aws-signer-notation-cli_amd64.deb
- notation version
- echo Logging in to Amazon ECR...
- aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $IMAGE_REPO_URI
build:
commands:
- cd ./my-app
- echo Build started on `date`
- echo Building the Docker image...
- docker build -t myapp:$IMAGE_TAG .
- docker tag myapp:$IMAGE_TAG $IMAGE_REPO_URI:$IMAGE_TAG
post_build:
commands:
- echo Build completed on `date`
- echo Getting ECR repository name in which the container image is pushed.
- export REPO_NAME=$(echo $IMAGE_REPO_URI | awk -F'/' '{print $2}')
- echo Pushing the Docker image...
- docker push $IMAGE_REPO_URI:$IMAGE_TAG
- echo Getting SHA digest of the latest image pushed.
- export IMAGE_SHA=$(aws ecr describe-images --repository-name $REPO_NAME --image-ids imageTag=$IMAGE_TAG | jq -r "(.imageDetails[0].imageDigest)")
- echo Signing the latest image pushed to ECR
- export IMAGE_SHA_ARN=$IMAGE_REPO_URI@$IMAGE_SHA
- notation sign $IMAGE_SHA_ARN --plugin com.amazonaws.signer.notation.plugin --id $SIGNER_PROFILE_ARN
- notation inspect $IMAGE_SHA_ARN