diff --git a/.aws-sam/pipeline/pipelineconfig.toml b/.aws-sam/pipeline/pipelineconfig.toml
new file mode 100644
index 0000000..d5057cb
--- /dev/null
+++ b/.aws-sam/pipeline/pipelineconfig.toml
@@ -0,0 +1,23 @@
+version = 0.1
+[default.pipeline_bootstrap.parameters]
+oidc_provider_url = "https://token.actions.githubusercontent.com"
+oidc_client_id = "sts.amazonaws.com"
+github_org = "maahdisrostampoor"
+github_repo = "MovieLens"
+deployment_branch = "main"
+oidc_provider = "github-actions"
+permissions_provider = "OpenID Connect (OIDC)"
+
+[dev.pipeline_bootstrap.parameters]
+pipeline_execution_role = "arn:aws:iam::381492285923:role/aws-sam-cli-managed-dev-pipel-PipelineExecutionRole-XM0aJ7MjPelh"
+cloudformation_execution_role = "arn:aws:iam::381492285923:role/aws-sam-cli-managed-dev-p-CloudFormationExecutionRo-aXboLQAtpP21"
+artifacts_bucket = "aws-sam-cli-managed-dev-pipeline-r-artifactsbucket-xdic9oh3ats9"
+image_repository = ""
+region = "us-east-1"
+
+[prod.pipeline_bootstrap.parameters]
+pipeline_execution_role = "arn:aws:iam::381492285923:role/aws-sam-cli-managed-prod-pipe-PipelineExecutionRole-xyqGyrFe5XEP"
+cloudformation_execution_role = "arn:aws:iam::381492285923:role/aws-sam-cli-managed-prod--CloudFormationExecutionRo-WiqrgKgftpTn"
+artifacts_bucket = "aws-sam-cli-managed-prod-pipeline--artifactsbucket-y1a99wc8nefw"
+image_repository = ""
+region = "us-east-1"
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
new file mode 100644
index 0000000..4fac08b
--- /dev/null
+++ b/.github/workflows/pipeline.yaml
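Review bot: The `dev` and `prod` stages both resolve to the same AWS account (`381492285923`) and the same region (`us-east-1`), so the testing pipeline and CloudFormation roles — which every `feature**` branch push in the accompanying workflow can drive — operate inside the production account; SAM's bootstrap guidance is one account per stage, and failing that the dev CloudFormation role's policy should be scoped away from the `prod-sam-app` stack and the prod artifacts bucket. `deployment_branch = "main"` under `[default]` is the value `sam pipeline bootstrap` feeds into the OIDC `sub` condition of both roles' trust policies; if the dev role's trust is limited to `repo:maahdisrostampoor/MovieLens:ref:refs/heads/main`, the feature-branch jobs that assume it will be refused by STS, so confirm the dev trust policy admits `ref:refs/heads/feature*` while prod stays pinned to `main`. The account ID and role ARNs are identifiers rather than secrets, so committing this file is acceptable, but it is worth a leading `# Generated by sam pipeline bootstrap; contains no credentials` comment so nobody later treats it as a leak and rotates roles needlessly.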
@@ -0,0 +1,235 @@
+name: Pipeline
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'feature**'
+  delete:
+    branches:
+      - 'feature**'
+
+env:
+  SAM_TEMPLATE: template.yaml
+  TESTING_STACK_NAME: sam-app
+  TESTING_PIPELINE_EXECUTION_ROLE: arn:aws:iam::381492285923:role/aws-sam-cli-managed-dev-pipel-PipelineExecutionRole-XM0aJ7MjPelh
+  TESTING_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::381492285923:role/aws-sam-cli-managed-dev-p-CloudFormationExecutionRo-aXboLQAtpP21
+  TESTING_ARTIFACTS_BUCKET: aws-sam-cli-managed-dev-pipeline-r-artifactsbucket-xdic9oh3ats9
+  # If there are functions with "Image" PackageType in your template,
+  # uncomment the line below and add "--image-repository ${TESTING_IMAGE_REPOSITORY}" to
+  # testing "sam package" and "sam deploy" commands.
+  # TESTING_IMAGE_REPOSITORY = '0123456789.dkr.ecr.region.amazonaws.com/repository-name'
+  TESTING_REGION: us-east-1
+  PROD_STACK_NAME: prod-sam-app
+  PROD_PIPELINE_EXECUTION_ROLE: arn:aws:iam::381492285923:role/aws-sam-cli-managed-prod-pipe-PipelineExecutionRole-xyqGyrFe5XEP
+  PROD_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::381492285923:role/aws-sam-cli-managed-prod--CloudFormationExecutionRo-WiqrgKgftpTn
+  PROD_ARTIFACTS_BUCKET: aws-sam-cli-managed-prod-pipeline--artifactsbucket-y1a99wc8nefw
+  # If there are functions with "Image" PackageType in your template,
+  # uncomment the line below and add "--image-repository ${PROD_IMAGE_REPOSITORY}" to
+  # prod "sam package" and "sam deploy" commands.
+  # PROD_IMAGE_REPOSITORY = '0123456789.dkr.ecr.region.amazonaws.com/repository-name'
+  PROD_REGION: us-east-1
+
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  test:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          # trigger the tests here
+
+  delete-feature:
+    if: startsWith(github.event.ref, 'feature') && github.event_name == 'delete'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+
+      - name: Assume the testing pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Delete feature branch stack
+        env:
+          FEATURE_BRANCH_NAME: ${{ github.event.ref }}
+        run: |
+          sam delete \
+            --stack-name $(echo ${FEATURE_BRANCH_NAME##*/} | tr -cd '[a-zA-Z0-9-]') \
+            --region ${TESTING_REGION} \
+            --no-prompts
+
+  build-and-deploy-feature:
+    # this stage is triggered only for feature branches (feature*),
+    # which will build the stack and deploy to a stack named with branch name.
+    # https://github.com/actions/setup-python
+    # https://github.com/aws-actions/configure-aws-credentials#notice-node12-deprecation-warning
+    if: startsWith(github.ref, 'refs/heads/feature')
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - run: sam build --template ${SAM_TEMPLATE} --use-container
+
+      - name: Assume the testing pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: feature-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to feature stack in the testing account
+        shell: bash
+        run: |
+          sam deploy --stack-name $(echo ${GITHUB_REF##*/} | tr -cd '[a-zA-Z0-9-]') \
+            --capabilities CAPABILITY_IAM \
+            --region ${TESTING_REGION} \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
+
+  build-and-package:
+    if: github.ref == 'refs/heads/main'
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+
+      - name: Build resources
+        run: sam build --template ${SAM_TEMPLATE} --use-container
+
+      - name: Assume the testing pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Upload artifacts to testing artifact buckets
+        run: |
+          sam package \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --region ${TESTING_REGION} \
+            --output-template-file packaged-testing.yaml
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: packaged-testing.yaml
+          path: packaged-testing.yaml
+
+      - name: Assume the prod pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.PROD_REGION }}
+          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: prod-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Upload artifacts to production artifact buckets
+        run: |
+          sam package \
+            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
+            --region ${PROD_REGION} \
+            --output-template-file packaged-prod.yaml
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: packaged-prod.yaml
+          path: packaged-prod.yaml
+
+  deploy-testing:
+    if: github.ref == 'refs/heads/main'
+    needs: [build-and-package]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - uses: actions/download-artifact@v3
+        with:
+          name: packaged-testing.yaml
+
+      - name: Assume the testing pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to testing account
+        run: |
+          sam deploy --stack-name ${TESTING_STACK_NAME} \
+            --template packaged-testing.yaml \
+            --capabilities CAPABILITY_IAM \
+            --region ${TESTING_REGION} \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
+
+  integration-test:
+    if: github.ref == 'refs/heads/main'
+    needs: [deploy-testing]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          # trigger the integration tests here
+
+  deploy-prod:
+    if: github.ref == 'refs/heads/main'
+    needs: [integration-test]
+    runs-on: ubuntu-latest
+    # Configure GitHub Action Environment to have a manual approval step before deployment to production
+    # https://docs.github.com/en/actions/reference/environments
+    # environment:
+    steps:
+      - uses: actions/checkout@v3
+      - uses: aws-actions/setup-sam@v2
+        with:
+          use-installer: true
+      - uses: actions/download-artifact@v3
+        with:
+          name: packaged-prod.yaml
+
+      - name: Assume the prod pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ env.PROD_REGION }}
+          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: prod-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to production account
+        run: |
+          sam deploy --stack-name ${PROD_STACK_NAME} \
+            --template packaged-prod.yaml \
+            --capabilities CAPABILITY_IAM \
+            --region ${PROD_REGION} \
+            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${PROD_CLOUDFORMATION_EXECUTION_ROLE}
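Review bot: The workflow-level `permissions: id-token: write` lets every job — including the `test` and `integration-test` placeholders that never touch AWS — mint an OIDC token the dev and prod roles trust; keep only `contents: read` at the top and grant `id-token: write` per job, on the five jobs that run `configure-aws-credentials`. `deploy-prod` also has its `environment:` left commented out and is gated solely on `integration-test`, whose body is the empty `# trigger the integration tests here`, so any push to `main` reaches production with no approval; set `environment: production` and require reviewers on it. `aws-actions/configure-aws-credentials@v1-node16` is a deprecated tag — move to `@v4` and ideally pin every action to a commit SHA so a retagged action cannot run with role credentials. The feature jobs derive the stack name from the branch tail (`${GITHUB_REF##*/}`), so a branch named `feature/sam-app` would deploy over the shared testing stack `sam-app`; prefixing the name (e.g. `feature-$(...)`) avoids that collision.
```yaml
permissions:
  contents: read
jobs:
  test:
    # … unchanged: no AWS access needed, no id-token …
  delete-feature:
    permissions:
      id-token: write
      contents: read
    # … unchanged: steps …
  # … same per-job permissions block on build-and-deploy-feature,
  # build-and-package, deploy-testing and deploy-prod …
  deploy-prod:
    if: github.ref == 'refs/heads/main'
    needs: [integration-test]
    runs-on: ubuntu-latest
    environment: production
    permissions:
      id-token: write
      contents: read
    # … unchanged: steps …
```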