Add Deploy to Staging
ChrisPates committed Jun 16, 2022
1 parent e08b317 commit cad1a04
Showing 12 changed files with 290 additions and 721 deletions.
17 changes: 12 additions & 5 deletions cicd/buildapp.yml → cicd/buildapp/buildspec.yml
Expand Up @@ -5,9 +5,11 @@ phases:
commands:
# Install go.lang
- wget -q https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz
- rm -rf /go
- tar -C / -xzf go${GO_VERSION}.linux-amd64.tar.gz
- export PATH="/go/bin:$PATH" && export GOPATH="/go" && export PATH="$GOPATH/bin:$PATH"
- rm go${GO_VERSION}.linux-amd64.tar.gz
- go version

# Install golint
- go install golang.org/x/lint/golint@latest
Expand Down Expand Up @@ -45,20 +47,25 @@ phases:
build:
commands:
# Make clean
- rm -f ${OUTPUT} ${PACKAGED_TEMPLATE}
- rm -f main packaged.yaml

# Make go-build
- go build -o ${APP_NAME} main.go

# Make main
- goreleaser build --snapshot --rm-dist

# Does it exist?
- ls ${APP_NAME}

# Does it run?
- ./${APP_NAME} --version

post_build:
commands:
# Make main
- goreleaser build --snapshot --rm-dist

- ls -la

artifacts:
files:
- ${APP_NAME}
- dist/**/*
- cmd/**/*
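Review bot: The Go toolchain tarball fetched by `wget` in the first hunk is never integrity-checked before it is unpacked into `/` and put first on PATH, so a tampered mirror or intercepted download would run unverified code inside the build and end up in the artifacts this buildspec exports. Go publishes a SHA-256 for every release; pin it next to GO_VERSION (the pipeline template in this commit already passes GO_VERSION as a CodeBuild environment variable) and verify before extracting: `- echo "${GO_SHA256}  go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -`. `rm -rf /go` followed by `tar -C /` also assumes the job runs as root and that nothing else lives under `/go`; extracting into a dedicated prefix such as `/usr/local` is the layout Go documents and keeps the buildspec safe to reuse. The install phase these commands belong to starts before this hunk.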
File renamed without changes.
File renamed without changes.
File renamed without changes.
Expand Up @@ -47,6 +47,9 @@ Metadata:
CodeStarConnection:
default: "arn:aws:codestar-connections:<AWS::Region>:<AWS::AccountId>:connection/abcd1234-ab12-ab12--ab12-abcdef123456"

Conditions:
AddCodeBuildResource: !Equals [ !Ref StagingAccount, true ]

Resources:

CodePipelineLogGroup:
Expand Down Expand Up @@ -238,18 +241,16 @@ Resources:
Provider: CodeBuild
OutputArtifacts:
- Name: Built
RunOrder: '2'
RunOrder: '1'
Configuration:
ProjectName: !Ref CodeBuildApp
- Name: Staging
Actions:
- Name: PackageApp
ActionTypeId:
Category: Build
Owner: AWS
Version: 1
Provider: CodeBuild
RunOrder: 1
RunOrder: 2
Configuration:
ProjectName: !Ref CodeBuildPackage
PrimarySource: Source
Expand All @@ -258,13 +259,15 @@ Resources:
InputArtifacts:
- Name: Built
- Name: Source
- Name: PublishStaging
- Name: Staging
Actions:
- Name: ReleaseCandidate
ActionTypeId:
Category: Build
Owner: AWS
Version: 1
Provider: CodeBuild
RunOrder: '2'
RunOrder: '1'
Configuration:
ProjectName: !Ref CodeBuildStaging
PrimarySource: Source
Expand All @@ -273,6 +276,30 @@ Resources:
InputArtifacts:
- Name: Source
- Name: Packaged
- Name: Deploy
ActionTypeId:
Category: Deploy
Owner: AWS
Version: '1'
Provider: CloudFormation
RunOrder: '2'
Configuration:
ActionMode: CREATE_UPDATE
Capabilities: CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND
ChangeSetName: pipeline-changeset
ParameterOverrides: !Sub '{"ApplicationArn": "arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/${ApplicationName}-Staging"}'
RoleArn:
Fn::If:
- AddCodeBuildResource
- !Sub arn:aws:iam::${StagingAccount}:role/ProductionAcctCodePipelineCloudFormationRole
- !Ref AWS::NoValue
StackName: !Sub Deploy-${ApplicationName}
TemplatePath: 'Source::cicd/deploy/stack.yml'
OutputFileName: 'stack-outputs.json'
OutputArtifacts:
- Name: Deployed
InputArtifacts:
- Name: Source
- Name: Approvals
Actions:
- Name: PassedStaging
Expand Down Expand Up @@ -305,7 +332,7 @@ Resources:
ServiceRole: !Ref CodeBuildImagesRole
Source:
Type: CODEPIPELINE
BuildSpec: "cicd/buildimage.yml"
BuildSpec: "cicd/buildimages/buildspec.yml"
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Expand All @@ -315,13 +342,13 @@ Resources:
- Name: ImageRepo
Value: golang
- Name: ImageVersion
Value: "1.18.1"
Value: "1.18.2"
- Name: AccountId
Value: !Ref AWS::AccountId
- Name: Region
Value: !Ref AWS::Region
- Name: DockerPath
Value: 'cicd/golang/'
Value: 'cicd/buildimages/golang/'
Artifacts:
Name: !Ref ApplicationName
Type: CODEPIPELINE
Expand Down Expand Up @@ -360,7 +387,7 @@ Resources:
- Name: Region
Value: !Ref AWS::Region
- Name: DockerPath
Value: 'cicd/sam/'
Value: 'cicd/buildimages/sam/'
Artifacts:
Name: !Ref ApplicationName
Type: CODEPIPELINE
Expand All @@ -384,7 +411,7 @@ Resources:
ServiceRole: !Ref CodeBuildAppRole
Source:
Type: CODEPIPELINE
BuildSpec: "cicd/buildapp.yml"
BuildSpec: "cicd/buildapp/buildspec.yml"
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Expand All @@ -393,7 +420,7 @@ Resources:
- Name: ARTIFACT_S3_BUCKET
Value: !Sub ${ArtifactBucket}
- Name: GO_VERSION
Value: "1.18.1"
Value: "1.18.2"
- Name: OUTPUT
Value: main
- Name: APP_NAME
Expand Down Expand Up @@ -421,7 +448,7 @@ Resources:
ServiceRole: !Ref CodeBuildPackageRole
Source:
Type: CODEPIPELINE
BuildSpec: "cicd/package.yml"
BuildSpec: "cicd/package/buildspec.yml"
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Expand Down Expand Up @@ -456,18 +483,18 @@ Resources:
ServiceRole: !Ref CodeBuildPublishRole
Source:
Type: CODEPIPELINE
BuildSpec: "cicd/publish.yml"
BuildSpec: "cicd/publish/buildspec.yml"
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: ARTIFACT_S3_BUCKET
Value: !Sub ${ArtifactBucket}
- Name: SDLC
Value: 'staging'
- Name: ShareWith
Value: !Ref StagingAccount
- Name: AppARN
Value: !Sub "arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/${ApplicationName}-Staging"
Artifacts:
Name: !Ref ApplicationName
Type: CODEPIPELINE
Expand All @@ -492,16 +519,14 @@ Resources:
ServiceRole: !Ref CodeBuildPublishRole
Source:
Type: CODEPIPELINE
BuildSpec: "cicd/publish.yml"
BuildSpec: "cicd/release/buildspec.yml"
Environment:
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/standard:5.0
Type: LINUX_CONTAINER
EnvironmentVariables:
- Name: ARTIFACT_S3_BUCKET
Value: !Sub ${ArtifactBucket}
- Name: SDLC
Value: release
Artifacts:
Name: !Ref ApplicationName
Type: CODEPIPELINE
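Review bot: The new `AddCodeBuildResource` condition, `!Equals [ !Ref StagingAccount, true ]`, compares the StagingAccount parameter — which the Deploy action substitutes into an IAM role ARN as an account ID — with the literal `true`, so unless the parameter is exactly the string "true" the condition is always false, the `Fn::If` resolves to `AWS::NoValue`, and the Deploy action runs with no RoleArn in the pipeline's own account instead of cross-account into staging. Something like `AddCodeBuildResource: !Not [ !Equals [ !Ref StagingAccount, '' ] ]` expresses the intent (assuming the parameter defaults to empty; its declaration is outside this hunk), and a name such as `DeployToStaging` would describe what it gates. Separately, if `RoleArn` sits under `Configuration` as the key order suggests (indentation is not preserved in this view), it is the role CloudFormation itself assumes and must trust cloudformation.amazonaws.com; the cross-account role CodePipeline assumes belongs at the action level as a sibling of `Configuration`. `CAPABILITY_NAMED_IAM` also lets the deployed stack create named IAM principals in the target account — confirm that is intended for a staging deploy.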
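--- a/cicd/cloudformation/staging-account.yaml
+++ b/cicd/cloudformation/staging-account.yaml
@@ -0,0 +1,143 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description:
+  This CloudFormation template will deploy a an IAM role and some Secrets to
+  allow the CI/CD pipeline in the production account to deploy candidate releases
+  (via privately shared app in the AWS Serverless Application Repository (SAR).
+
+Parameters:
+  ProductionAccount:
+    Description: AWS Account permited to depoy into this account
+    Type: String
+    AllowedPattern: '[0-9]+'
+  GoogleCredentials:
+    Description: Credentials to log into Google (content of credentials.json)
+    Type: String
+    NoEcho: true
+  GoogleAdminEmail:
+    Description: Google Admin email
+    Type: String
+    NoEcho: true
+  SCIMEndpointUrl:
+    Description: AWS SSO SCIM Endpoint Url
+    Type: String
+    NoEcho: true
+  SCIMEndpointAccessToken:
+    Description: AWS SSO SCIM AccessToken
+    Type: String
+    NoEcho: true
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Pipeline
+        Parameters:
+          - ProductionAccount
+      - Label:
+          default: Google Workspace
+        Parameters:
+          - GoogleAdminEmail
+          - GoogleCredentials
+      - Label:
+          default: AWS SSO
+        Parameters:
+          - SCIMEndpointUrl
+          - SCIMEndpointAccessToken
+
+    ParameterLabels:
+      ProductionAccount:
+        default: "123456789012"
+      GoogleCredentials:
+        default: "contents of credentials.json"
+      GoogleAdminEmail:
+        default: "admin@WorkspaceDomain"
+      SCIMEndpointUrl:
+        default: "https://scim.<region>.amazonaws.com/<instance id>/scim/v2/"
+      SCIMEndpointAccessToken:
+        default: "AWS SSO SCIM Access Token"
+
+Resources:
+
+  GoogleCredentialSecret:
+    Type: "AWS::SecretsManager::Secret"
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Delete
+    Properties:
+      Name: E2ETestGoogleCredentials
+      SecretString: !Ref GoogleCredentials
+
+  GoogleAdminEmailSecret:
+    Type: "AWS::SecretsManager::Secret"
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Delete
+    Properties:
+      Name: E2ETestGoogleAdminEmail
+      SecretString: !Ref GoogleAdminEmail
+
+  SSoSCIMUrlSecret: # This can be moved to custom provider
+    Type: "AWS::SecretsManager::Secret"
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Delete
+    Properties:
+      Name: E2ETestSCIMEndpointUrl
+      SecretString: !Ref SCIMEndpointUrl
+
+  SSoSSCIMAccessTokenSecret: # This can be moved to custom provider
+    Type: "AWS::SecretsManager::Secret"
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Delete
+    Properties:
+      Name: E2ETestSCIMAccessToken
+      SecretString: !Ref SCIMEndpointAccessToken
+
+  ProductionAccountCloudformationRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: ProductionAcctCodePipelineCloudFormationRole
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: ['sts:AssumeRole']
+            Effect: Allow
+            Principal:
+              AWS: !Ref ProductionAccount
+        Version: '2012-10-17'
+      Path: /
+      Policies:
+        - PolicyName: ProductionAcctCodePipelineCloudFormation-Policy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action:
+                  - 'iam:PassRole'
+                  - 'cloudformation:*'
+                Effect: Allow
+                Resource: '*'
+
+  CFDeployerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: CloudFormationDeployerRole
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: ['sts:AssumeRole']
+            Effect: Allow
+            Principal:
+              Service: 'cloudformation.amazonaws.com'
+        Version: '2012-10-17'
+      Path: /
+      Policies:
+        - PolicyName: CloudFormation-Deployer-Policy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Action: '*'
+                Effect: Allow
+                Resource: '*'
+
+Outputs:
+
+  ProductionAccountCloudformationRoleArn:
+    Description: The Role available to the Production account for deployment
+    Value: !GetAtt ProductionAccountCloudformationRole.Arn
+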
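Review bot: `ProductionAccountCloudformationRole` lets any principal in the production account that can call sts:AssumeRole pass any role in this account to CloudFormation (`iam:PassRole` and `cloudformation:*` on `Resource: '*'`), and `CFDeployerRole` is a full `Action: '*'` / `Resource: '*'` administrator that trusts cloudformation.amazonaws.com, so together they are an unconditional admin path into the staging account from anything in the production account. `iam:PassRole` should be restricted to `!GetAtt CFDeployerRole.Arn` with an `iam:PassedToService` condition, `cloudformation:*` narrowed to the `Deploy-*` stacks the pipeline template in this commit creates (verify the change-set calls the action uses accept a stack ARN), and the trust principal narrowed from the whole account to the pipeline's role ARN, ideally taken from a parameter rather than `!Ref ProductionAccount`. `CFDeployerRole`'s `Action: '*'` should likewise be cut down to what the SAR application's stack actually provisions, which I cannot enumerate from this template. On the four secrets, `DeletionPolicy: Retain` paired with `UpdateReplacePolicy: Delete` means a replacement (for example a `Name` change) deletes the old secret while a stack delete keeps it; confirm that asymmetry is intended. The rewrite of the production-account role below keeps its name and output unchanged.
```yaml
# … unchanged: Parameters, Metadata, Secrets …
  ProductionAccountCloudformationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ProductionAcctCodePipelineCloudFormationRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            # Narrow to the pipeline role's ARN once it is exposed as a parameter
            Principal:
              AWS: !Sub arn:aws:iam::${ProductionAccount}:root
      Path: /
      Policies:
        - PolicyName: ProductionAcctCodePipelineCloudFormation-Policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only the deployer role may be handed to CloudFormation
              - Effect: Allow
                Action: 'iam:PassRole'
                Resource: !GetAtt CFDeployerRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: cloudformation.amazonaws.com
              # Stack operations limited to the stacks this pipeline creates
              - Effect: Allow
                Action: 'cloudformation:*'
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/Deploy-*/*
# … unchanged: CFDeployerRole, Outputs …
```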
