Hello folks,
this is the third and final step in migrating the beiartf artifactory to tvlk-build: changing the beiartf URL in all repositories to use the new one. We plan to delete the tvlk-dev beiartf on June 22nd. Don’t worry, every artifact that currently exists in the tvlk-dev beiartf is already replicated in the tvlk-build beiartf. This step has two preconditions. First, every developer in your team must already have access to Google SSO and be able to log in from the command line. Please refer to How to assume role in CLI using Google SSO for this precondition. Second, the previous step, migrating the authentication method, should also already have been done. Please refer to Migrating Beiartf Authentication Method from Beiartf-Refresh for this.
beiartf-maven-artifacts-517530806209-5a48cdbd0210491c to beiartf-maven-artifacts-015110552125-aeb600c7e0343453.
arn:aws:iam::517530806209:role/beiartf-reader-ff59caa9b4b093d9 to arn:aws:iam::015110552125:role/BeiartfReader.
For example, please follow PR #268 in the bei-common-libraries repository. For build.sh clean up, please follow this commit in bei-application-template.
In general, update the pre-build step from
"./scripts/assume_role.sh -r arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain}",
to
"./scripts/assume_role.sh -r arn:aws:iam::015110552125:role/BeiartfWriter_${local.product_domain}"
There are a few exceptions for product domains with unclear status, though:
bxt doesn’t have its own writer role anymore; please use BeiartfWriter_txt.
cob and rps have not been created yet, since it is still unclear whether they are used. Please contact @christianto.handojo if you feel you need these roles in the new beiartf.
For example, please refer to PR #839 in the tvlk-build-terraform-aws repository.
Add the new writer role to the list of roles that your CodeBuild Java build role is allowed to assume. It should be in your java-build-shared-resources folder. Modify your CodeBuild IAM role policy (it is usually defined in the data.tf file) to allow assuming the role arn:aws:iam::015110552125:role/BeiartfWriter_<product_domain>, from
statement {
  effect = "Allow"
  actions = [
    "sts:AssumeRole",
  ]
  resources = [
    "arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain}",
  ]
}
to
statement {
  effect = "Allow"
  actions = [
    "sts:AssumeRole",
  ]
  resources = [
    "arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain}",
    "arn:aws:iam::015110552125:role/BeiartfWriter_${local.product_domain}",
  ]
}
Since this CodeBuild role is used by many CodeBuild projects, you should remove the old tvlk-dev role only after we delete the tvlk-dev beiartf. Otherwise you might cause other pipelines' builds to fail.
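An added example, not part of the original post or of any beiartf tooling: a small Python audit that lists the references to the old tvlk-dev account still present in repository files (build.gradle, build.sh, pre-build commands) and suggests the replacement, including the bxt, cob and rps exceptions. It is meant for those files only, not for the CodeBuild policy, where the old ARN stays until the old beiartf is deleted; the function name audit and the sample input are assumptions made for the illustration.

```python
import re

OLD_ACCOUNT, NEW_ACCOUNT = "517530806209", "015110552125"  # tvlk-dev, tvlk-build (from the post)
EXACT = {  # bucket and reader role, old -> new, as quoted in the post
    "beiartf-maven-artifacts-517530806209-5a48cdbd0210491c":
        "beiartf-maven-artifacts-015110552125-aeb600c7e0343453",
    "arn:aws:iam::517530806209:role/beiartf-reader-ff59caa9b4b093d9":
        "arn:aws:iam::015110552125:role/BeiartfReader",
}
# The writer role suffix is a literal domain or a template such as ${local.product_domain}.
WRITER = re.compile(r"arn:aws:iam::517530806209:role/BeiartfWriter_(\$\{[^}]+\}|\w+)")
RENAMED = {"bxt": "txt"}      # bxt no longer has its own writer role
NOT_CREATED = {"cob", "rps"}  # not created in the new beiartf yet


def audit(text):
    """Return (line_no, old_value, suggestion) for every stale reference in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rest = line
        for old, new in EXACT.items():
            if old in rest:
                findings.append((no, old, new))
                rest = rest.replace(old, "")
        for m in WRITER.finditer(rest):
            domain = m.group(1)
            if domain in NOT_CREATED:
                new = None  # no replacement exists; the role has to be requested first
            else:
                new = f"arn:aws:iam::{NEW_ACCOUNT}:role/BeiartfWriter_{RENAMED.get(domain, domain)}"
            findings.append((no, m.group(0), new))
        rest = WRITER.sub("", rest)
        if OLD_ACCOUNT in rest:  # anything else still pointing at the old account
            findings.append((no, OLD_ACCOUNT, None))
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE = """\
url "s3://beiartf-maven-artifacts-517530806209-5a48cdbd0210491c/release"
./scripts/assume_role.sh -r arn:aws:iam::517530806209:role/BeiartfWriter_${local.product_domain}
./scripts/assume_role.sh -r arn:aws:iam::517530806209:role/BeiartfWriter_bxt
./scripts/assume_role.sh -r arn:aws:iam::517530806209:role/BeiartfWriter_cob
./scripts/assume_role.sh -r arn:aws:iam::015110552125:role/BeiartfWriter_txt
"""

if __name__ == "__main__":
    for no, old, new in audit(SAMPLE):
        print(f"line {no}: {old} -> {new or 'NO REPLACEMENT, request the role first'}")
```

A finding whose suggestion is None has no automatic replacement and needs a manual decision before the old beiartf is deleted.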
We plan to apply the repository changes mentioned above to the old-monorepo and tv-sql-product on June 10th at 18.00 UTC+7. As for the pipelines that fetch from those two repositories, only the phabricator codereview pipeline will be updated by us; the rest must be done by the teams. For those still using Jenkins, you can change the assumed role to arn:aws:iam::015110552125:role/BeiartfWriter_jenkins.
For tv-sql-product pipelines, you have to use your team’s writer role instead of relying on the old default. You can use jarGroup inside the build.gradle of your module to change the published postgres proxy’s group to the correct group for your team instead of relying on the folder name.
For this step, the deadline is June 19th. We plan to delete the old artifactory on June 22nd, the next working day after the deadline has passed. Please inform us if you find any problem before the deadline, for example if SSO is still not enabled or you find that some libraries are missing.
This post is a copy of https://29022131.atlassian.net/wiki/spaces/BEI/blog/2020/06/08/1395721824/Changing+Beiartf+URL+and+Writer+Role+in+Repositories+to+use+the+New+Beiartf+in+tvlk-build