
As the Dev Ops Coordinator, I need to set up our git repo into several branches with the appropriate permissions for each one

Part of the CI/CD Development Series

The core of every CI/CD process is the code repository, whether it is Git, Mercurial, SVN or something else. The general idea is that it lets multiple developers (or whomever) access your code in the appropriate way and at the appropriate level. That can range from anyone being able to pull an open source project but not write to the repo directly, to full access for a developer on your team to create branches, push to master or do anything else that needs doing.

For our project, we're using git, although the hosting provider was up for discussion between GitHub, Bitbucket by Atlassian and CodeCommit on AWS. We decided to go with AWS for two reasons.
1. We are going to use other tools in AWS as part of the build, so we decided to keep it all together.
2. We needed to solidify the ins and outs of using IAM for the process.

Basic Steps

  1. Create the Repo
  2. Create the branches we need
  3. Use IAM to apply the appropriate permissions to each branch and to set up access for our developers and for our other processes.
    1. groups
    2. policies
    3. users
  4. Create any approval templates required (optional)



Specific Steps

1. Create the Repo

  1. To do any of this, you will need an AWS account, which you can get for free (although most of the services are indeed paid).
  2. Click on Services and choose CodeCommit under Developer Tools.
  3. Click on Create Repository in the upper right hand corner. Name it and give it a description.
  4. The next screen explains how to access the repo via HTTPS, SSH and the AWS CLI. Scroll down and you will see the empty repo itself.
  5. Create a file and add a Readme.md just to have something in there. Enter the other info you wish and then create it.
2. Create the branches we need
  1. We know we're going to want at least one more branch so click on Branches on the left hand menu. 
  2. Click on Create Branch in the upper right hand corner and then name the new branch, "Development".
  3. Since we typically want new developers to create their branches off of Development, not master, let's change the default branch to Development.
  4. Click on Settings in the left menu. Change the Default Branch to Development and click Save.
3. Setting up IAM
Before we create any groups or permissions, we need to map out exactly what we want to create. We have one repo with two branches (Master and Development) and three permission states for each branch: write only, read only, and read & write. Below are a few of the roles which will need to perform these operations.

               Master                      Development
Write only     (none)                      (none)
Read only      Production Build Process    Test Server Build Process
Read & Write   Dev Ops Coordinator, Development Lead, Developers

There is not much need for a "write only" permission, but the other four cells are prime candidates for separating out the permissions. Additionally, there will need to be permissions for routine items such as creating and deleting branches. A few other protections should be in place, such as not allowing Master or Development to be deleted.

A. Creating the groups

  1. From the Services menu, Choose IAM under Security, Identity and Compliance.
  2. Click on Groups under IAM Resources
  3. Click on Create New Group
  4. Name the group something clear such as "BlogMasterReadOnly". We'll use that one to set up read only access to the master branch.
  5. We'll attach policies in the next section, so click Next Step without selecting any policies, then Create Group.
  6. Repeat those steps for BlogDevReadOnly, BlogMasterReadWrite, BlogDevReadWrite, and BlogRepoFullAccess.
  7. Back in CodeCommit, open the repository's Settings page, copy the repository ARN and paste it into a text file for reference in the next section.
  8. Also copy the exact names of the branches and paste them into the text file as well. Ref names are case sensitive, so "Development" and "development" are different branches as far as the policies are concerned.
B. Creating Policies

We're going to create 6 policies
- Full Access to Master
- Full Access to Development
- Deny Write Permissions to Master
- Deny Write Permissions to Development
- Deny Delete Master
- Deny Delete Development

In IAM, an explicit Deny always overrides an Allow, so full access plus a deny on the write actions leaves list and read. The same rule means a deny attached to a group cannot be undone by an allow attached to the user, which is exactly what we want for the protected branches.

To Create the policy
  1. Click on Policies in the left hand menu
  2. Click on Create Policy in the top left corner of the main pane. 
  3. Choose the Visual Editor Tab
  4. Choose CodeCommit from the Service Node
  5. Choose the actions desired or change to Deny and choose the actions desired. 
  6. Choose Resource and, using the ARN copied from the last section, select the repository desired. Enter the region, the account, and the name of the repo.
  7. Expand Request Conditions and click on "Add another condition" and enter
    1. Condition key: codecommit:References
    2. Qualifier: Default
    3. Operator: StringEqualsIfExists (StringEquals with the "if exists" box checked)
    4. Value: refs/heads/master (or refs/heads/WhateverTheBranchIs, matching the case of the branch name exactly)
    5. Save Changes
  8. For the Deny policies, add a second condition on the same key with operator Null and value false. The codecommit:References key is only present on requests that touch a ref (push, merge, delete branch), so the Null check stops the deny from matching ref-less calls, while the "if exists" operator on the Allow policies keeps read calls such as GitPull inside the allow.

Continue to name and save the policies.

Repeat this for each of the 6 policies above.

Applying Policies to Groups

  1. Select a group
  2. Click on the Permissions tab
  3. Click on Attach Policy and choose the policies needed. For Example
    1. BlogDevReadOnly would receive FullAccessDevelopment, DenyWriteDevelopment, DenyDeleteDevelopment

Creating Users

There are several users we need to create, but by attaching all of our policies to groups we have made an individual user's access as simple as adding them to groups. There are a few things we need to know, however, about users and how they access AWS.

There are several sets of credentials which each user can create. These include

  • A set of credentials to access the AWS Console via a browser
  • A set of credentials to access AWS APIs using the AWS CLI. This is an access key ID and a secret access key.
  • A set of Git credentials (user name and password) to access CodeCommit via HTTPS
  • An SSH public key uploaded to the user to access CodeCommit via SSH
For our purposes we are going to simply use https to access the repo unless it becomes necessary to change to SSH later. 


Step by Step
  1. Click on Users from the left hand menu.
  2. Click on Add User
  3. Enter a name for the account such as "SampleRepoMasterBuild"
  4. Since this is an automated account that will never need to log into the AWS console, select Programmatic access only.
  5. Click on Permissions and add this user to the BlogMasterReadOnly group.
  6. Add any tags needed.
  7. Review the user and then create it.
  8. IMPORTANT: DOWNLOAD THE CREDENTIALS CREATED. THIS IS THE LAST TIME YOU ARE ABLE TO DO SO. The secret access key cannot be retrieved later, although you can create a new key pair at any time. These keys are long-lived, so treat them like passwords: rotate them and deactivate any key a build process stops using.
To Obtain the CodeCommit Credentials
  1. Click on Users in the left menu and choose the user you just made. 
  2. Click on the Security Credentials Tab
  3. Scroll down to the "HTTPS Git Credentials for AWS CodeCommit"
  4. Click on Generate Credentials
  5. Download the credentials (make sure you name the file appropriately)
Repeat this for all of the users needed such as the DevBuild, Developers, and anyone else. If they need console access, make sure that is appropriately checked.

That should do it. The best way to test this is to simply try to clone, pull and push to each branch with each of the accounts made, to make sure they do what is expected: a push to a branch the group is not allowed to write should be rejected by the remote. Once that is set and we've established that each of the groups does what we think it should, it is only a matter of adding the right people to the appropriate group.
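To sanity-check the scheme before trying each account against the live repo, here is an added Python example; it is not code from the original post or from AWS. It builds the six policy documents from the "Creating Policies" section (using a hypothetical repository ARN and the branch names master and Development), maps them onto the five groups, and runs a deliberately simplified model of IAM evaluation over them: an explicit Deny beats any Allow, an absent condition key fails StringEquals but passes StringEqualsIfExists, and Null:false requires the key to be present. The evaluate() and access_matrix() helpers and the group-to-policy mapping are assumptions of the example; the real verdict comes from the IAM policy simulator or from the clone/push tests described above.

```python
import json
from fnmatch import fnmatchcase

# Hypothetical repository ARN: substitute the one copied from the repository's Settings page.
REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:BlogRepo"

# Actions whose requests carry the codecommit:References key (the list AWS documents
# for restricting pushes and merges to a branch).
BRANCH_WRITE_ACTIONS = [
    "codecommit:GitPush", "codecommit:DeleteBranch", "codecommit:PutFile",
    "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash",
    "codecommit:MergeBranchesByThreeWay", "codecommit:MergePullRequestByFastForward",
    "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay",
]


def ref(branch):
    # Ref names are case-sensitive: "Development" and "development" are different branches.
    return f"refs/heads/{branch}"


def full_access(branch):
    # Allow everything on the repo; when the request names a ref it must be this branch.
    # IfExists keeps ref-less read calls (GitPull, ListBranches, ...) inside the Allow.
    return {"Effect": "Allow", "Action": ["codecommit:*"], "Resource": REPO_ARN,
            "Condition": {"StringEqualsIfExists": {"codecommit:References": [ref(branch)]}}}


def deny(actions, branch):
    # Null:false requires the key to be present, so this Deny never matches a ref-less call.
    return {"Effect": "Deny", "Action": actions, "Resource": REPO_ARN,
            "Condition": {"StringEqualsIfExists": {"codecommit:References": [ref(branch)]},
                          "Null": {"codecommit:References": "false"}}}


POLICIES = {
    "FullAccessMaster": full_access("master"),
    "FullAccessDevelopment": full_access("Development"),
    "DenyWriteMaster": deny(BRANCH_WRITE_ACTIONS, "master"),
    "DenyWriteDevelopment": deny(BRANCH_WRITE_ACTIONS, "Development"),
    "DenyDeleteMaster": deny(["codecommit:DeleteBranch"], "master"),
    "DenyDeleteDevelopment": deny(["codecommit:DeleteBranch"], "Development"),
}

# Assumed group-to-policy mapping, following the BlogDevReadOnly example in the post.
GROUPS = {
    "BlogMasterReadOnly": ["FullAccessMaster", "DenyWriteMaster", "DenyDeleteMaster"],
    "BlogDevReadOnly": ["FullAccessDevelopment", "DenyWriteDevelopment", "DenyDeleteDevelopment"],
    "BlogMasterReadWrite": ["FullAccessMaster", "DenyDeleteMaster"],
    "BlogDevReadWrite": ["FullAccessDevelopment", "DenyDeleteDevelopment"],
    "BlogRepoFullAccess": ["FullAccessMaster", "FullAccessDevelopment",
                           "DenyDeleteMaster", "DenyDeleteDevelopment"],
}


def policy_document(name):
    """The JSON to paste into the IAM policy editor's JSON tab for one policy."""
    return json.dumps({"Version": "2012-10-17", "Statement": [POLICIES[name]]}, indent=2)


def _condition_matches(condition, context):
    # Simplified IAM semantics: every operator/key pair must hold (AND); a key with
    # several allowed values matches if any request value is among them (OR).
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            actual = context.get(key)  # list of request values, or None if the key is absent
            if operator == "Null":
                if (actual is None) != (wanted[0] == "true"):
                    return False
            elif operator in ("StringEquals", "StringEqualsIfExists"):
                if actual is None:
                    if operator == "StringEquals":
                        return False  # an absent key never satisfies StringEquals
                    continue          # ...but IfExists treats it as a match
                if not any(value in wanted for value in actual):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, action, resource, context):
    return (any(fnmatchcase(action, pattern) for pattern in stmt["Action"])
            and stmt["Resource"] == resource
            and _condition_matches(stmt.get("Condition", {}), context))


def evaluate(group, action, branch=None, resource=REPO_ARN):
    """Outcome for one request by a member of `group`: ALLOW, EXPLICIT_DENY or IMPLICIT_DENY."""
    context = {"codecommit:References": [ref(branch)]} if branch else {}
    effects = set()
    for name in GROUPS[group]:
        stmt = POLICIES[name]
        if _statement_matches(stmt, action, resource, context):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "EXPLICIT_DENY"   # an explicit Deny always wins over any Allow
    if "Allow" in effects:
        return "ALLOW"
    return "IMPLICIT_DENY"       # no statement allowed it


def access_matrix():
    """The clone/pull/push checks from the last paragraph, run against the model."""
    requests = [("codecommit:GitPull", None), ("codecommit:GitPush", "master"),
                ("codecommit:GitPush", "Development"), ("codecommit:DeleteBranch", "master")]
    return {group: {f"{action} {branch or '(no ref)'}": evaluate(group, action, branch)
                    for action, branch in requests} for group in GROUPS}


if __name__ == "__main__":
    print(policy_document("DenyWriteMaster"))
    for group, results in access_matrix().items():
        print(group, results)
```

policy_document("DenyWriteMaster") prints the JSON that the visual-editor steps above produce. The model is intentionally small: it ignores resource wildcards, permissions boundaries and organization SCPs, and a push of several refs at once is treated as matching if any one ref matches, so use it to reason about the design, not as a substitute for testing the real accounts.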


