Basic

  • AWS's managed Git version-control service, comparable to GitHub
  • Integrates with CodeBuild, Jenkins or other CI systems
  • Connect over HTTPS or SSH: create an IAM User and attach to it either
    • an SSH public key
    • HTTPS Git credentials (a user name and password generated by IAM)
  • CloudTrail records which IAM User performed which operation, so repository activity can be monitored and audited
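The CloudTrail point above in practice: an added example (not the page's or AWS's code) that walks CloudTrail records, answers "which identity pushed what to which repository", and flags pushes to a protected branch by anyone outside an allow-list as well as ref deletions. The records are constructed for the example; their field layout (userIdentity, eventSource, eventName, additionalEventData.repositoryName and additionalEventData.references with "ref" and "commit") follows the GitPush example in the CodeCommit CloudTrail documentation as best recalled and is an assumption, as is the all-zero target commit marking a deletion; check both against a record from your own trail.

```python
"""Audit CodeCommit Git activity from CloudTrail records.

Added example, not code from the page or from AWS. The record layout used
here is an assumption (see the lead-in); verify it against your own trail.
"""
from collections import Counter

ZERO_SHA = "0" * 40  # assumption: a ref deletion is logged with an all-zero target commit


def _push(time, arn, repo, refs, proto="SSH"):
    """Build a constructed GitPush record in the assumed CloudTrail layout."""
    return {
        "eventTime": time,
        "eventSource": "codecommit.amazonaws.com",
        "eventName": "GitPush",
        "userIdentity": {"arn": arn},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {
            "protocol": proto,
            "repositoryName": repo,
            "references": [{"ref": r, "commit": c} for r, c in refs],
        },
    }


# Constructed sample trail: two IAM users, one assumed role, two repositories.
SAMPLE_RECORDS = {"Records": [
    _push("2024-03-01T10:00:00Z", "arn:aws:iam::111111111111:user/alice", "MyDemoRepo",
          [("refs/heads/feature-1", "a" * 40)]),
    _push("2024-03-01T10:05:00Z", "arn:aws:iam::111111111111:user/alice", "MyDemoRepo",
          [("refs/heads/main", "b" * 40)]),
    _push("2024-03-01T11:30:00Z", "arn:aws:sts::111111111111:assumed-role/Developer/bob", "MyDemoRepo",
          [("refs/heads/main", "c" * 40), ("refs/heads/feature-2", "d" * 40)], proto="HTTP"),
    _push("2024-03-01T12:00:00Z", "arn:aws:iam::111111111111:user/carol", "MyDemoRepo",
          [("refs/heads/old-release", ZERO_SHA)]),
    _push("2024-03-01T12:10:00Z", "arn:aws:iam::111111111111:user/carol", "OtherRepo",
          [("refs/heads/main", "e" * 40)]),
    # A read-only API call: the push audit must ignore it.
    {"eventTime": "2024-03-01T12:20:00Z", "eventSource": "codecommit.amazonaws.com",
     "eventName": "GetRepository", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/carol"},
     "requestParameters": {"repositoryName": "MyDemoRepo"}},
]}


def git_pushes(records, repo):
    """Yield (principal_arn, record) for every GitPush against the given repository."""
    for rec in records.get("Records", []):
        if rec.get("eventSource") != "codecommit.amazonaws.com" or rec.get("eventName") != "GitPush":
            continue
        extra = rec.get("additionalEventData") or {}
        name = extra.get("repositoryName") or (rec.get("requestParameters") or {}).get("repositoryName")
        if name == repo:
            yield rec["userIdentity"]["arn"], rec


def audit_pushes(records, repo, protected_refs, allowed_principals):
    """Return findings as (rule, principal, ref, eventTime) tuples, in trail order."""
    findings = []
    for who, rec in git_pushes(records, repo):
        for update in rec["additionalEventData"].get("references", []):
            ref, commit = update.get("ref"), update.get("commit")
            if commit == ZERO_SHA:
                findings.append(("ref-deleted", who, ref, rec["eventTime"]))
            if ref in protected_refs and who not in allowed_principals:
                findings.append(("unexpected-push-to-protected-branch", who, ref, rec["eventTime"]))
    return findings


def pushes_by_principal(records, repo):
    """Count refs pushed per identity: the 'who did what' view of the trail."""
    counts = Counter()
    for who, rec in git_pushes(records, repo):
        counts[who] += len(rec["additionalEventData"].get("references", []))
    return counts


if __name__ == "__main__":
    allowed = {"arn:aws:iam::111111111111:user/alice"}
    for finding in audit_pushes(SAMPLE_RECORDS, "MyDemoRepo", {"refs/heads/main"}, allowed):
        print(*finding)
    print(dict(pushes_by_principal(SAMPLE_RECORDS, "MyDemoRepo")))
```

The audit keys on the principal ARN rather than userName, so assumed-role sessions (which have no userName) are attributed to the role and session; feed it the records from a CloudTrail lookup or an S3 trail file with the same "Records" structure.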

Repository


  • A repository has no size limit
  • Notification Rules can be created that publish to an SNS topic for the configured events
    • the SNS topic must be in the same Region as the CodeCommit repository
  • Event Triggers can be created that invoke an SNS topic or a Lambda function
  • Users in other AWS accounts can be granted read access (cross-account access goes through an IAM role in the repository's account)
  • Repository contents are encrypted at rest with KMS

Pull Request


  • Integrates with CodeGuru Reviewer: when a pull request is created, CodeGuru analyses the code and flags common problems.
  • Approval rules can be created so that a pull request cannot be merged until it has the required number of approvals from the specified approvers (the approval pool)
aws codecommit create-pull-request-approval-rule \
    --pull-request-id 27 \
    --approval-rule-name "Require two approved approvers" \
    --approval-rule-content "{\"Version\": \"2018-11-08\",\"Statements\": [{\"Type\": \"Approvers\",\"NumberOfApprovalsNeeded\": 2,\"ApprovalPoolMembers\": [\"CodeCommitApprovers:123456789012:Nikhil_Jayashankar\", \"arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*\"]}]}"
  • Approval rule templates can be created once and reused by associating them with different repositories; the template below applies only to pull requests whose destination branch is main
aws codecommit create-approval-rule-template \
    --approval-rule-template-name 2-approver-rule-for-main \
    --approval-rule-template-description "Requires two developers from the team to approve the pull request if the destination branch is main" \
    --approval-rule-template-content "{\"Version\": \"2018-11-08\",\"DestinationReferences\": [\"refs/heads/main\"],\"Statements\": [{\"Type\": \"Approvers\",\"NumberOfApprovalsNeeded\": 2,\"ApprovalPoolMembers\": [\"arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*\"]}]}"
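To make the two rule bodies above concrete, here is an added example (not the page's or AWS's code) that models how such a rule is evaluated against a pull request: a rule or template with DestinationReferences applies only when the pull request targets one of those refs, and each Approvers statement needs NumberOfApprovalsNeeded distinct approvers matching ApprovalPoolMembers, where a member is either the CodeCommitApprovers:<account>:<name> shorthand or an ARN in which * is a wildcard. The mapping of an IAM user ARN onto the shorthand, and the approver ARNs used in the usage section, are assumptions of this model.

```python
"""Local model of how a CodeCommit approval rule is evaluated.

Added example, not code from the page or from AWS. It reuses the two rule
bodies from the page as inputs and evaluates them for a pull request.
"""
import fnmatch
import json
import re

# The two rule bodies from the page, reused verbatim.
PR_RULE = json.loads(
    '{"Version": "2018-11-08","Statements": [{"Type": "Approvers",'
    '"NumberOfApprovalsNeeded": 2,"ApprovalPoolMembers": ['
    '"CodeCommitApprovers:123456789012:Nikhil_Jayashankar", '
    '"arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"]}]}'
)
TEMPLATE_RULE = json.loads(
    '{"Version": "2018-11-08","DestinationReferences": ["refs/heads/main"],'
    '"Statements": [{"Type": "Approvers","NumberOfApprovalsNeeded": 2,'
    '"ApprovalPoolMembers": ['
    '"arn:aws:sts::123456789012:assumed-role/CodeCommitReview/*"]}]}'
)

_IAM_USER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):user/(?:.*/)?([^/]+)$")


def approver_aliases(arn):
    """Identities an approver ARN can be matched under.

    Assumption of this model: an IAM user ARN also matches the
    CodeCommitApprovers:<account>:<user-name> shorthand used in the pool.
    """
    aliases = {arn}
    m = _IAM_USER_ARN.match(arn)
    if m:
        aliases.add(f"CodeCommitApprovers:{m.group(1)}:{m.group(2)}")
    return aliases


def in_pool(arn, pool):
    """True if the approver matches any pool member; '*' in a member is a wildcard."""
    return any(fnmatch.fnmatchcase(alias, member)
               for alias in approver_aliases(arn) for member in pool)


def rule_applies(rule, destination_ref):
    """A rule without DestinationReferences applies to every pull request."""
    refs = rule.get("DestinationReferences")
    return not refs or destination_ref in refs


def evaluate(rule, destination_ref, approvals):
    """Evaluate one rule for a pull request.

    approvals: ARNs of the identities that approved the pull request; each
    identity counts once, however many times it appears.
    Returns {"applies": bool, "satisfied": bool, "counted": int, "needed": int}.
    """
    if not rule_applies(rule, destination_ref):
        return {"applies": False, "satisfied": True, "counted": 0, "needed": 0}
    counted = needed = 0
    satisfied = True
    for stmt in rule["Statements"]:
        if stmt.get("Type") != "Approvers":
            continue  # Approvers is the only statement type in this rule version
        distinct = {a for a in approvals if in_pool(a, stmt["ApprovalPoolMembers"])}
        need = stmt["NumberOfApprovalsNeeded"]
        counted += len(distinct)
        needed += need
        satisfied = satisfied and len(distinct) >= need
    return {"applies": True, "satisfied": satisfied, "counted": counted, "needed": needed}


if __name__ == "__main__":
    # Assumed identities for the demonstration.
    user = "arn:aws:iam::123456789012:user/Nikhil_Jayashankar"
    alice = "arn:aws:sts::123456789012:assumed-role/CodeCommitReview/alice"
    mallory = "arn:aws:sts::123456789012:assumed-role/ReadOnly/mallory"
    print(evaluate(PR_RULE, "refs/heads/main", [user, mallory]))        # 1 of 2: not satisfied
    print(evaluate(PR_RULE, "refs/heads/main", [user, alice, alice]))   # 2 of 2: alice counted once
    print(evaluate(TEMPLATE_RULE, "refs/heads/feature-x", [mallory]))   # template does not apply
```

Note what the template changes relative to the per-pull-request rule: its pool contains only the CodeCommitReview role, so an approval from the named IAM user no longer counts, and a pull request into any branch other than main is not gated at all.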

Restricting pushes and merges to main with IAM

An explicit Deny on the push, branch-delete, file-write and merge actions, conditioned on the codecommit:References key, blocks direct writes to the protected branch even for identities that are otherwise allowed to write to the repository; the Null condition limits the Deny to requests that actually carry a reference. An explicit Deny overrides any Allow, so this policy can sit alongside a broad managed policy such as AWSCodeCommitPowerUser.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergeBranchesByFastForward",
                "codecommit:MergeBranchesBySquash",
                "codecommit:MergeBranchesByThreeWay",
                "codecommit:MergePullRequestByFastForward",
                "codecommit:MergePullRequestBySquash",
                "codecommit:MergePullRequestByThreeWay"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/main"
                    ]
                },
                "Null": {
                    "codecommit:References": "false"
                }
            }
        }
    ]
}
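An added example (not the page's or AWS's code) that generates the policy above for any set of protected refs and lints a candidate policy for the properties that make the protection hold: the effect is Deny, every action in the page's list is covered (so the branch is not still reachable through an API merge or PutFile when only GitPush is blocked), the condition keys on full ref names, and the Null guard is present. The policy text is parsed as JSON first, so a hand-edited policy with a trailing comma is reported instead of silently failing to load. REPO_ARN and the action list are taken from the page; the lint rules and the helper names are this example's own.

```python
"""Build and lint a CodeCommit branch-protection IAM policy.

Added example, not code from the page or from AWS. ACTIONS and REPO_ARN
come from the page; the lint checks are this example's own.
"""
import json

REPO_ARN = "arn:aws:codecommit:us-east-2:111111111111:MyDemoRepo"

# Every way a branch can be written to that the page's policy denies.
ACTIONS = [
    "codecommit:GitPush",
    "codecommit:DeleteBranch",
    "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward",
    "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay",
    "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash",
    "codecommit:MergePullRequestByThreeWay",
]


def _as_list(value):
    """IAM accepts a single string or object where a list is allowed; normalise."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def build_policy(repo_arn, protected_refs):
    """Deny every branch-writing action when a request targets a protected ref."""
    for ref in protected_refs:
        if not ref.startswith("refs/heads/"):
            raise ValueError(f"protected ref must be a full ref name, got {ref!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": list(ACTIONS),
            "Resource": repo_arn,
            "Condition": {
                "StringEqualsIfExists": {"codecommit:References": list(protected_refs)},
                # Evaluate the Deny only for requests that carry a reference.
                "Null": {"codecommit:References": "false"},
            },
        }],
    }


def build_policy_json(repo_arn, protected_refs):
    """The policy as the JSON document you would attach to a user, group or role."""
    return json.dumps(build_policy(repo_arn, protected_refs), indent=4)


def lint_policy(policy_json, repo_arn, protected_refs):
    """Return findings as strings; an empty list means every protected ref is covered."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as e:
        return [f"policy is not valid JSON: {e}"]
    wanted, covered, findings = set(protected_refs), set(), []
    for stmt in _as_list(policy.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Deny":
            continue  # only an explicit Deny can take a permission away
        resources = _as_list(stmt.get("Resource"))
        if repo_arn not in resources and "*" not in resources:
            continue
        cond = stmt.get("Condition", {})
        refs = set()
        for op in ("StringEquals", "StringEqualsIfExists"):
            refs |= set(_as_list(cond.get(op, {}).get("codecommit:References")))
        hit = refs & wanted
        if not hit:
            continue
        if cond.get("Null", {}).get("codecommit:References") != "false":
            findings.append("Deny statement lacks the Null guard on codecommit:References")
        actions = _as_list(stmt.get("Action"))
        if "codecommit:*" not in actions:
            missing = [a for a in ACTIONS if a not in actions]
            if missing:
                findings.append("Deny statement does not cover: " + ", ".join(missing))
        covered |= hit
    findings += [f"no Deny statement protects {ref}" for ref in sorted(wanted - covered)]
    return findings


if __name__ == "__main__":
    print(build_policy_json(REPO_ARN, ["refs/heads/main", "refs/heads/prod"]))
    print(lint_policy(build_policy_json(REPO_ARN, ["refs/heads/main"]), REPO_ARN, ["refs/heads/main"]))
```

The linter is a static check on the document; whether IAM actually denies a given push is best confirmed with the IAM policy simulator, passing codecommit:References as a context key.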

IAM Policy

  • AWSCodeCommitFullAccess: administrative access to CodeCommit
  • AWSCodeCommitPowerUser: full use of repositories (including creating them), but cannot delete repositories
  • AWSCodeCommitReadOnly: read-only access