CICD deployment in conditions of limited access (Golang)
My HOWTO experience. By Oleg Sydorov
In an environment with increased information security requirements, the CICD runner may have no access to external resources: the Docker image repository (for example, public.ecr.aws), external dependency packages, etc. In such conditions, I suggest the following actions (the examples use Golang):
We create a Docker image that meets our requirements (let it be minimal: golang 1.21 + AWS CDK, based on Alpine):
Build your image:
Let's look at the result and get the ID of the image:
Add a tag:
Add credentials, if not already created (file: ./aws/config):
Login using SSO:
Log in to the AWS Elastic Container Registry:
Push the image:
Thus, this Docker image is now available inside the corporate AWS account even with internet access blocked. It can be used in the pipeline by adding it to .gitlab-ci.yml
For cross-account use, you need to configure additional access rights to the downloaded image.
To work with dependencies, we will use the Golang module vendoring mechanism.
In the CICD config .gitlab-ci.yml we add (in the script section):
We could also add the GOFLAGS=-mod=vendor option here, but this can be done in the code as well.
In the root folder of the project we should execute:
The go.mod and go.sum files will be created, as well as the vendor directory with all dependencies. These artifacts should also be included in the git commit.
It seems that everything is ready, but there is one important point related to the AWS CDK Golang template itself. If we look at the cdk.json file, which the CDK created automatically, we see the following code:
The command go mod download && go run backend-lambda2.go breaks the scheme and forces a trip to the internet.
So our last action is to change the command to go run backend-lambda2.go, removing go mod download.
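A pre-flight script for the vendoring step and the cdk.json fix above, as an added example that is not part of the original post. It assumes the cdk.json "app" value quoted above (go mod download && go run backend-lambda2.go) and a vendor directory produced by go mod vendor; the sample project it builds is constructed for a local dry run.

```shell
#!/bin/sh
# Added example (not the post's own code). Checks that a CDK Go project is ready
# for a runner with no internet: vendored modules present and no "go mod download"
# left in the cdk.json app command. Runs before "cdk deploy" in the CI script.

# Returns 0 (true) if the CDK app command still starts with "go mod download",
# i.e. the pipeline would try to reach the module proxy and fail on the runner.
cdk_needs_internet() {
  grep -q '"app"[[:space:]]*:[[:space:]]*"go mod download' "$1"
}

# Rewrites the "app" key, dropping the leading "go mod download && " so only the
# "go run ..." part remains. Goes through a temp file so a failed sed leaves
# the original cdk.json untouched.
strip_mod_download() {
  sed 's/\("app"[[:space:]]*:[[:space:]]*"\)go mod download && /\1/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Returns 0 if go.sum and vendor/modules.txt exist; together with
# GOFLAGS=-mod=vendor this is what lets "go run" work without a proxy.
vendor_present() {
  [ -f "$1/go.sum" ] && [ -f "$1/vendor/modules.txt" ]
}

# Constructed sample project (assumption, not a real layout) for a local dry run:
# an empty vendor manifest and the cdk.json shape the post describes.
make_sample_project() {
  dir="$1"
  mkdir -p "$dir/vendor"
  : > "$dir/go.sum"
  : > "$dir/vendor/modules.txt"
  cat > "$dir/cdk.json" <<'EOF'
{
  "app": "go mod download && go run backend-lambda2.go",
  "context": {}
}
EOF
}
```

In the real pipeline, run vendor_present and cdk_needs_internet against the checked-out project and fail the job if either check is wrong, rather than discovering it when cdk deploy times out.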
Now, when performing a git push, our pipeline will work even in conditions of limited access.
Congrats, it works!