split pipeline

Due to limitations of cross account execution, have need to split into two codepipeline instances, on in the production account and one in the staging account, building and testing respectively.
fac · Nov 23, 2022 · e2b6810 · e2b6810
1 parent 23db2bd
commit e2b6810
Show file tree

Hide file tree

Showing 27 changed files with 2,116 additions and 306 deletions.
diff --git a/cicd/TEST-RUN/deploy/buildspec.yml b/cicd/TEST-RUN/deploy/buildspec.yml
@@ -0,0 +1,36 @@
+version: 0.2
+
+phases:
+  install:
+    commands:
+      # Update sam to latest version
+      - wget -q https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
+      - unzip -q awscli-exe-linux-x86_64.zip
+      - sudo ./aws/install --update
+      - rm -rf ./aws  awscli-exe-linux-x86_64.zip
+
+  pre_build: 
+    commands:
+      # Print all environment variables (handy for AWS CodeBuild logs)
+      - env
+
+  build:
+    commands:
+      - Parameters="[{\"ParameterKey\":\"AppArn\",\"ParameterValue\":\"${AppArn}\"}, {\"ParameterKey\":\"AppVersion\",\"ParameterValue\":\"${AppVersion}\"}]"
+      - echo ${Parameters}
+
+      - Capabilities="CAPABILITY_IAM CAPABILITY_AUTO_EXPAND"
+
+      # Assume correct role on the staging account
+      - export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn "${ProductionAcctCodePipelineCloudFormationRole}" --role-session-name "CloudFormationRole" --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text))
+
+      # Create a changeset for the deployment
+      - echo aws cloudformation create-change-set --stack-name "${StackName}" --template-body "file://${TemplatePath}" --parameters "${Parameters}" --capabilities ${Capabilities} --role-arn "${CloudFormationDeployerRole}" --change-set-name "${ChangeSetName}" --client-token "${ChangeSetName}" --change-set-type "CREATE"
+      - aws cloudformation create-change-set --stack-name "${StackName}" --template-body "file://${TemplatePath}" --parameters "${Parameters}" --capabilities ${Capabilities} --role-arn "${CloudFormationDeployerRole}" --change-set-name "${ChangeSetName}" --client-token "${ChangeSetName}" --change-set-type "CREATE"
+
+      # Wait for the change set to be created
+      - aws cloudformation wait change-set-create-complete --stack-name "${StackName}" --change-set-name "${ChangeSetName}"
+
+      # Deploy the changeset
+      - aws cloudformation execute-change-set --stack-name "${StackName}" --change-set-name "${ChangeSetName}"
+
diff --git a/cicd/TEST-RUN/deploy/params.json b/cicd/TEST-RUN/deploy/params.json
@@ -0,0 +1,14 @@
+{
+	"Parameters": {
+		"AppArn": "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync-Staging",
+		"AppVersion": "1.0.0-rc.10.23db2bd"
+	},
+	"StackPolicy": {
+		"Statement": [{
+			"Effect": "Allow",
+			"NotAction": "Update:Delete",
+			"Principal": "*",
+			"Resource": "*"
+		}]
+	}
+}
diff --git a/cicd/TEST-RUN/deploy/stack.yml b/cicd/TEST-RUN/deploy/stack.yml
@@ -0,0 +1,54 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: 'AWS::Serverless-2016-10-31'
+
+Description: 
+  This CloudFormation template will deploy an instance of the SSOSync-Staging
+  candidate releases (via privately shared app in the AWS Serverless Application
+  Repository (SAR) within the Staging Account.
+
+Parameters:
+  AppArn:
+    Description: The candidate release in the SAR
+    Default: 'arn:aws:serverlessrepo:<AWS::Region>:<AccountId>:applications/<ApplicationName>'
+    Type: String
+  AppVersion:
+    Description: The version of this build in SAR
+    Default: 'v1.0.0-rc.10'
+    Type: String
+
+Resources:
+  SARApp:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location:
+        ApplicationId: !Ref AppArn
+        SemanticVersion: !Ref AppVersion
+      Parameters:
+        GoogleAdminEmail: '{{resolve:secretsmanager:TestGoogleAdminEmail}}'
+        GoogleCredentials: '{{resolve:secretsmanager:TestGoogleCredentials}}'
+        SCIMEndpointUrl: '{{resolve:secretsmanager:TestSCIMEndpointUrl}}'
+        SCIMEndpointAccessToken: '{{resolve:secretsmanager:TestSCIMAccessToken}}'
+        SyncMethod: groups
+        GoogleUserMatch: 'name:*'
+        GoogleGroupMatch: 'name:AWS*'
+        LogLevel: warn
+        LogFormat: json
+        IgnoreUsers: None
+        IgnoreGroups: None
+        IncludeGroups: None
+        ScheduleExpression: 'rate(1 day)'
+
+  FunctionArnParam:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: "/SSOSync/Staging/FunctionArn"
+      Type: String
+      Value: !GetAtt SARApp.Outputs.FunctionArn
+      Description: The Arn of the lambda function ssosync
+
+Outputs:
+  FunctionArn:
+    Description: "The Arn of the deployed lambda function"
+    Value: !GetAtt SARApp.Outputs.FunctionArn
+    Export:
+      Name: FunctionArn
diff --git a/cicd/TEST-RUN/smoke/cli/buildspec.yml b/cicd/TEST-RUN/smoke/cli/buildspec.yml
@@ -0,0 +1,22 @@
+version: 0.2
+
+env:
+  secrets-manager:
+    GoogleAdminEmail: TestGoogleAdminEmail
+    SCIMEndpointUrl: TestSCIMEndpointUrl
+    SCIMAccessToken: TestSCIMAccessToken
+
+phases:
+  pre_build: 
+    commands:
+      # Print all environment variables (handy for AWS CodeBuild logs)
+      - env
+
+  build:
+    commands:
+      - ls -la
+      - ./ssosync --version
+      - aws secretsmanager  get-secret-value --secret-id=TestGoogleCredentials --query SecretString --output text | jq '.' > credentials.json
+      - cat credentials.json
+
+      - ./ssosync -t "${SCIMAccessToken}" -e "${SCIMEndpointUrl}" -u "${GoogleAdminEmail}" -s "groups" -g "name:AWS*" 
diff --git a/cicd/TEST-RUN/smoke/lambda/buildspec.yml b/cicd/TEST-RUN/smoke/lambda/buildspec.yml
@@ -0,0 +1,16 @@
+version: 0.2
+
+phases:
+  pre_build: 
+    commands:
+      # Print all environment variables (handy for AWS CodeBuild logs)
+      - env
+
+  build:
+    commands:
+      # Create a changeset for the deployment
+      - aws lambda invoke --function-name "SSOSyncFunction" response.json
+
+artifacts:
+  files:
+    - response.json
diff --git a/cicd/cloudformation/dev-account.yaml b/cicd/cloudformation/dev-account.yaml
@@ -885,7 +885,6 @@ Resources:
               Effect: Allow
             - Action:
               - 'lambda:invoke'
-              - 'lambda:UpdateFunctionConfiguration'
               Effect: Allow
               Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:SSOSyncFunction
 

diff --git a/cicd/cloudformation/production-account.yaml b/cicd/cloudformation/production-account.yaml
@@ -290,18 +290,48 @@ Resources:
                 - Name: ChangeSet
               InputArtifacts:
                 - Name: Source
-            - Name: End2EndTest
+        - Name: Test
+          Actions:
+            - Name: TestLambda
               ActionTypeId:
-                Category: Build
+                Category: Test
                 Owner: AWS
                 Version: 1
                 Provider: CodeBuild
-              RunOrder: 3
+              RunOrder: 1
+              Configuration:
+                ProjectName: !Ref CodeBuildTestLambda
+                PrimarySource: Source
+              OutputArtifacts:
+                - Name: TestLambda
+              InputArtifacts:
+                - Name: Source
+            - Name: TestContainer
+              ActionTypeId:
+                Category: Test
+                Owner: AWS
+                Version: 1
+                Provider: CodeBuild
+              RunOrder: 2
               Configuration:
-                ProjectName: !Ref CodeBuildE2ETest
+                ProjectName: !Ref CodeBuildTestContainer
                 PrimarySource: Source
               OutputArtifacts:
-                - Name: E2ETest
+                - Name: TestContainer
+              InputArtifacts:
+                - Name: Source
+                - Name: Built
+            - Name: TestCodePipeline
+              ActionTypeId:
+                Category: Invoke
+                Owner: AWS
+                Version: 1
+                Provider: Lambda
+              RunOrder: 3
+              Configuration:
+                FunctionName: SSOSyncFunction 
+              OutputArtifacts:
+                - Name: TestCodePipeline
               InputArtifacts:
                 - Name: Source
             - Name: CleanUp
@@ -535,15 +565,43 @@ Resources:
       LogGroupName: !Ref CodePipelineLogGroup
       LogStreamName: !Sub "${ApplicationName}-Deploy"
 
-  CodeBuildE2ETest:
+  CodeBuildTestContainer:
     Type: AWS::CodeBuild::Project
     Properties:
-      Name: !Sub "${ApplicationName}-Test-End2End"
-      Description: !Sub Use the GitHub metadata to determine whether this commit is a release
+      Name: !Sub "${ApplicationName}-Test-Container"
+      Description: "Execute within a container on the cli to prove cli invokation"
+      ServiceRole: !Ref CodeBuildTestRole
+      Source:
+        Type: CODEPIPELINE
+        BuildSpec: "cicd/test-container/buildspec.yml"
+      Environment:
+        ComputeType: BUILD_GENERAL1_SMALL
+        Image: aws/codebuild/standard:5.0
+        Type: LINUX_CONTAINER
+      Artifacts:
+        Name: !Ref ApplicationName
+        Type: CODEPIPELINE
+      LogsConfig:
+        CloudWatchLogs:
+          GroupName: !Ref CodePipelineLogGroup
+          StreamName: !Ref CodeBuildTestContainerLogs
+          Status: ENABLED
+
+  CodeBuildTestContainerLogs:
+    Type: AWS::Logs::LogStream
+    Properties:
+      LogGroupName: !Ref CodePipelineLogGroup
+      LogStreamName: !Sub "${ApplicationName}-TestContainer"
+
+  CodeBuildTestLambda:
+    Type: AWS::CodeBuild::Project
+    Properties:
+      Name: !Sub "${ApplicationName}-Test-Lambda"
+      Description: "Execute Lambda from within a container, to test invokation without codepipeline event handling"
       ServiceRole: !Ref CodeBuildTestRole
       Source:
         Type: CODEPIPELINE
-        BuildSpec: "cicd/test-end2end/buildspec.yml"
+        BuildSpec: "cicd/test-lambda/buildspec.yml"
       Environment:
         ComputeType: BUILD_GENERAL1_SMALL
         Image: aws/codebuild/standard:5.0
@@ -552,23 +610,24 @@ Resources:
           - Name: ARTIFACT_S3_BUCKET
             Value: !Sub ${ArtifactBucket}
           - Name: CloudFormationDeployerRole
-            Value: !Sub arn:aws:iam::${StagingAccount}:role/CloudFormationDeployerRole
+            Value: !Sub arn:aws:iam::${AWS::AccountId}:role/CloudFormationDeployerRole
           - Name: ProductionAcctCodePipelineCloudFormationRole
-            Value: !Sub arn:aws:iam::${StagingAccount}:role/ProductionAcctCodePipelineCloudFormationRole
+            Value: !Sub arn:aws:iam::${AWS::AccountId}:role/CodePipelineCloudFormationRole
       Artifacts:
         Name: !Ref ApplicationName
         Type: CODEPIPELINE
       LogsConfig:
         CloudWatchLogs:
           GroupName: !Ref CodePipelineLogGroup
-          StreamName: !Ref CodeBuildE2ETestLogs
+          StreamName: !Sub "${ApplicationName}-CodeBuildTestLambda"
           Status: ENABLED
 
-  CodeBuildE2ETestLogs:
+  CodeBuildTestLambdaLogs:
     Type: AWS::Logs::LogStream
     Properties:
       LogGroupName: !Ref CodePipelineLogGroup
-      LogStreamName: !Sub "${ApplicationName}-E2ETest"
+      LogStreamName: !Sub "${ApplicationName}-TestLambda"
+
 
   CodeBuildApproveRelease:
     Type: AWS::CodeBuild::Project
@@ -670,7 +729,8 @@ Resources:
               - !Sub ${CodeBuildPackage.Arn}
               - !Sub ${CodeBuildDeploy.Arn}
               - !Sub ${CodeBuildStaging.Arn}
-              - !Sub ${CodeBuildE2ETest.Arn}
+              - !Sub ${CodeBuildTestContainer.Arn}
+              - !Sub ${CodeBuildTestLambda.Arn}
               - !Sub ${CodeBuildApproveRelease.Arn}
               - !Sub ${CodeBuildRelease.Arn}
               Effect: Allow
@@ -699,6 +759,11 @@ Resources:
               Resource:
               - !Sub arn:aws:iam::${StagingAccount}:role/ProductionAcctCodePipelineCloudFormationRole
               Effect: Allow
+            - Action:
+              - 'lambda:InvokeFunction'
+              Resource:
+              - !Sub arn:aws:lambda:${AWS::Region}:${StagingAccount}:function:SSOSyncFunction
+              Effect: Allow
 
   CodeBuildAppRole:
     Type: AWS::IAM::Role