BRS-291-1: Convert A&R to use SAM (#346)
* convert AR to use SAM layers and functions

* cleanup lambdas and layers, move lambdas to handlers directory

* convert tests to work with SAM

* remove terraform and old lambda directory, general cleanup, update README

* final cleanup, fix postman typos

* fix exports, update s3 to v3 sdk

* fix v3 for invokables, fix template.yaml typo

* temporarily disable trivy

* fix to ga deployment error, fix to test check path

* the true fix to ga deployment

* fix to ga test check

* the true fix to ga test check

* the true true fix to ga test check, plus debug

* yarn install update

* update to yarn 1.22.22, update cliui through fresh install
davidclaveau authored Jul 16, 2024
1 parent 4a17568 commit 475ae2e
Showing 151 changed files with 5,432 additions and 5,890 deletions.
68 changes: 34 additions & 34 deletions .github/workflows/analysis.yaml
@@ -1,38 +1,38 @@
name: Analysis
# name: Analysis

on:
push:
branches: [main]
pull_request:
types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
schedule:
- cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
workflow_dispatch:
# on:
# push:
# branches: [main]
# pull_request:
# types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
# schedule:
# - cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
# workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# concurrency:
# group: ${{ github.workflow }}-${{ github.ref }}
# cancel-in-progress: true

jobs:
# https://github.com/marketplace/actions/aqua-security-trivy
trivy:
name: Trivy Security Scan
if: ${{ ! github.event.pull_request.draft }}
runs-on: ubuntu-22.04
timeout-minutes: 1
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@0.22.0
with:
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
scan-type: "fs"
scanners: "vuln,secret,config"
severity: "CRITICAL,HIGH"
# jobs:
# # https://github.com/marketplace/actions/aqua-security-trivy
# trivy:
# name: Trivy Security Scan
# if: ${{ ! github.event.pull_request.draft }}
# runs-on: ubuntu-22.04
# timeout-minutes: 1
# steps:
# - uses: actions/checkout@v4
# - name: Run Trivy vulnerability scanner in repo mode
# uses: aquasecurity/trivy-action@0.22.0
# with:
# format: "sarif"
# output: "trivy-results.sarif"
# ignore-unfixed: true
# scan-type: "fs"
# scanners: "vuln,secret,config"
# severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "trivy-results.sarif"
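Review bot: Commenting out the whole workflow removes the repository's only vulnerability, secret and IaC-misconfiguration scan (`scanners: "vuln,secret,config"`) with nothing in the file recording why or when it comes back; the removed job's `timeout-minutes: 1` is a plausible cause of the failures that led to this, since a Trivy DB download plus a filesystem scan routinely takes longer than a minute. Rather than disabling the job, keep it enabled with a realistic budget such as `timeout-minutes: 10`, and if it must stay off, add a dated reason at the top of the file, e.g. `# Disabled <DATE>: Trivy job times out; see <TRACKING-ISSUE>`. A file that is entirely comments also has no `on:` or `jobs:` keys, which GitHub may report as an invalid workflow in the Actions tab; confirm that, or delete the file instead of commenting it out.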
100 changes: 53 additions & 47 deletions .github/workflows/deploy_dev.yaml
@@ -1,18 +1,12 @@
name: Deploy Dev

run-name: Deploying ${{ github.ref_name }} to dev

on:
push:
branches: [main]
workflow_dispatch:

env:
TF_VERSION: 0.14.7
TG_VERSION: 0.37.1
TG_SRC_PATH: terraform
TFC_WORKSPACE: dev
TARGET_ENV: dev
GIT_BRANCH: main

permissions:
id-token: write
contents: read
Expand All @@ -26,53 +20,65 @@ jobs:
matrix:
node-version: [18.x]

defaults:
run:
working-directory: "./arSam"
steps:
- name: Checkout
- name: Checkout repo
uses: actions/checkout@v3

### Install if no cache exists ###
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: "yarn"
- run: yarn install --silent --frozen-lockfile

### Build if no cache exists ###
- name: Cache Build
id: cache-build
uses: actions/cache@v3
with:
path: |
**/terraform/src/artifacts
key: ${{ github.sha }}-artifacts
- name: Run Build
if: steps.cache-build.outputs.cache-hit != 'true'
run: yarn build-ci
- shell: bash
env:
WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}
run: |
curl -X POST -H 'Content-Type: application/json' $WEBHOOK_URL --data '{"text":" A&R API deploy Dev"}'
### Get environment variables from AWS Parameter Store ###
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v3
# Setup AWS SAM
- name: Setup AWS SAM
uses: aws-actions/setup-sam@v2
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ vars.AWS_ROLE_ARN_TO_USE }}
role-duration-seconds: 900
role-session-name: parks-ar-api-sandbox-dev-action
role-skip-session-tagging: true
use-installer: true

### Run Terragrunt ###
- name: Setup terraform
uses: hashicorp/setup-terraform@v2
# Assume AWS IAM Role
- name: Get AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
terraform_version: ${{ env.TF_VERSION }}
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.AWS_REGION }}

- name: Setup Terragrunt
uses: autero1/action-terragrunt@v1.3.0
# SAM Build
- name: Cache SAM Build
id: cache-sam-build
uses: actions/cache@v3
with:
terragrunt_version: ${{ env.TG_VERSION }}
path: |
**/.aws-sam
key: ${{ github.sha }}-ar-api-sam-cache
- name: Run sam build
if: steps.cache-sam-build.outputs.cache-hit != 'true'
run: |
sam build --cached
# Prevent prompts and failure when the stack is unchanged
- name: SAM deploy
env:
STAGE: ${{ vars.AR_API_STAGE }}
STACK_NAME: ${{ vars.AR_API_STACK_NAME }}
ACCOUNT_ID: ${{ vars.ACCOUNT_ID }}
AWS_ACCOUNT_LIST: ${{ vars.AWS_ACCOUNT_LIST }}
SSO_ISSUER: ${{ vars.SSO_ISSUER }}
SSO_JWKSURI: ${{ vars.SSO_JWKSURI }}
SSO_CLIENT_ID: ${{ secrets.SSO_CLIENT_ID }}
SSO_ORIGIN: ${{ vars.SSO_ORIGIN }}
S3_BUCKET_DATA: ${{ vars.S3_BUCKET_DATA }}
DATA_REGISTER_NAME_ENDPOINT: ${{ secrets.DATA_REGISTER_NAME_ENDPOINT }}
DATA_REGISTER_NAME_API_KEY: ${{ secrets.DATA_REGISTER_NAME_API_KEY }}
run: |
sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AccountId=$ACCOUNT_ID" "Stage=$STAGE" "SSOIssuerUrl=$SSO_ISSUER" "SSOJWKSUri=$SSO_JWKSURI" "SSOClientId=$SSO_CLIENT_ID" "SSOOrigin=$SSO_ORIGIN" "AWSAccountList=$AWS_ACCOUNT_LIST" "S3BucketData=$S3_BUCKET_DATA" "DataRegisterNameEndpoint=$DATA_REGISTER_NAME_ENDPOINT" "DataRegisterNameApiKey=$DATA_REGISTER_NAME_API_KEY"
- name: Terragrunt Apply
working-directory: ${{ env.TG_SRC_PATH }}/${{ env.TARGET_ENV }}
- shell: bash
env:
aws_region: ${{ secrets.AWS_REGION }}
run: terragrunt apply -auto-approve --terragrunt-non-interactive -var target_aws_account_id=${{ vars.ACCOUNT_ID }} -var target_env=dev
WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}
run: |
curl -X POST -H 'Content-Type: application/json' $WEBHOOK_URL --data '{"text":" A&R API - Deploy Dev Complete"}'
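Review bot: The new `Get AWS credentials` step drops the `role-duration-seconds: 900` that the removed step carried, so the OIDC-assumed session falls back to the action's default of about one hour for a deploy that runs in minutes; re-add `role-duration-seconds: 900` under its `with:` to keep the credential lifetime bounded. The same step moves from `configure-aws-credentials@v3` to `@v2`, which looks like an accidental downgrade rather than a deliberate pin. In the `SAM deploy` step, `SSO_CLIENT_ID` and `DATA_REGISTER_NAME_API_KEY` are passed as CloudFormation parameters through `--parameter-overrides`; GitHub masks the secret values in the job log, but CloudFormation shows parameter values in the console and in `DescribeStacks` unless the template declares them with `NoEcho: true`, which this diff does not show and should be confirmed in `template.yaml`. All three points apply equally to the `Get AWS credentials` and `SAM deploy` steps in .github/workflows/deploy_prod.yaml.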
113 changes: 54 additions & 59 deletions .github/workflows/deploy_prod.yaml
@@ -1,100 +1,95 @@
name: Deploy Prod

run-name: Deploying ${{ github.event.inputs.releaseTag }} to prod
run-name: Deploying ${{ github.ref_name }} to prod

on:
workflow_dispatch:
inputs:
releaseTag:
description: 'Tag of version to be promoted to prod'
description: "Tag of version to be promoted to prod"
required: true

env:
TF_VERSION: 0.14.7
TG_VERSION: 0.37.1
TG_SRC_PATH: terraform
TFC_WORKSPACE: prod
TARGET_ENV: prod
GIT_BRANCH: main

permissions:
id-token: write
contents: read

jobs:
ci:
name: Push to AWS Lambda
name: Build and Deploy
runs-on: ubuntu-latest
environment: prod
strategy:
matrix:
node-version: [18.x]

defaults:
run:
working-directory: "./arSam"
steps:
- name: Attempt to checkout tag
- name: Checkout repo
uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.releaseTag }}

- shell: bash
env:
WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}
run: |
curl -X POST -H 'Content-Type: application/json' $WEBHOOK_URL --data '{"text":"A&R API API Prod"}'
# Tag not found
- name: Tag not found
if: ${{ failure() }}
run: |
echo "::error::Git Tag not found, please double check input"
exit 1
### Install if no cache exists ###
- name: Setup node
uses: actions/setup-node@v3
# Setup AWS SAM
- name: Setup AWS SAM
uses: aws-actions/setup-sam@v2
with:
node-version: ${{ matrix.node-version }}
cache: 'yarn'
- run: yarn install --silent --frozen-lockfile
use-installer: true

### Build if no cache exists ###
- name: Cache Build
id: cache-build
uses: actions/cache@v3
# Assume AWS IAM Role
- name: Get AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
path: |
**/terraform/src/artifacts
key: ${{ github.sha }}-artifacts
- name: Run Build
if: steps.cache-build.outputs.cache-hit != 'true'
run: yarn build-ci

### Get environment variables from AWS Parameter Store ###
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: ${{ vars.AWS_ROLE_ARN_TO_USE }}
role-duration-seconds: 900
role-session-name: parks-ar-api-sandbox-gh-action
role-skip-session-tagging: true
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.AWS_REGION }}

### Run Terragrunt ###
- name: Setup terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TF_VERSION }}

- name: Setup Terragrunt
uses: autero1/action-terragrunt@v1.3.0
# SAM Build
- name: Cache SAM Build
id: cache-sam-build
uses: actions/cache@v3
with:
terragrunt_version: ${{ env.TG_VERSION }}
path: |
**/.aws-sam
key: ${{ github.sha }}-ar-api-sam-cache
- name: Run sam build
if: steps.cache-sam-build.outputs.cache-hit != 'true'
run: |
sam build --cached
- name: Terragrunt Apply
working-directory: ${{ env.TG_SRC_PATH }}/${{ env.TFC_WORKSPACE }}
# Prevent prompts and failure when the stack is unchanged
- name: SAM deploy
env:
aws_region: ${{ secrets.AWS_REGION }}
run: terragrunt apply -auto-approve --terragrunt-non-interactive -var target_aws_account_id=${{ vars.ACCOUNT_ID }} -var target_env=prod
STAGE: ${{ vars.AR_API_STAGE }}
STACK_NAME: ${{ vars.AR_API_STACK_NAME }}
ACCOUNT_ID: ${{ vars.ACCOUNT_ID }}
AWS_ACCOUNT_LIST: ${{ vars.AWS_ACCOUNT_LIST }}
SSO_ISSUER: ${{ vars.SSO_ISSUER }}
SSO_JWKSURI: ${{ vars.SSO_JWKSURI }}
SSO_CLIENT_ID: ${{ secrets.SSO_CLIENT_ID }}
SSO_ORIGIN: ${{ vars.SSO_ORIGIN }}
S3_BUCKET_DATA: ${{ vars.S3_BUCKET_DATA }}
DATA_REGISTER_NAME_ENDPOINT: ${{ secrets.DATA_REGISTER_NAME_ENDPOINT }}
DATA_REGISTER_NAME_API_KEY: ${{ secrets.DATA_REGISTER_NAME_API_KEY }}
run: |
sam deploy --stack-name $STACK_NAME --no-confirm-changeset --no-fail-on-empty-changeset --parameter-overrides "AccountId=$ACCOUNT_ID" "Stage=$STAGE" "SSOIssuerUrl=$SSO_ISSUER" "SSOJWKSUri=$SSO_JWKSURI" "SSOClientId=$SSO_CLIENT_ID" "SSOOrigin=$SSO_ORIGIN" "AWSAccountList=$AWS_ACCOUNT_LIST" "S3BucketData=$S3_BUCKET_DATA" "DataRegisterNameEndpoint=$DATA_REGISTER_NAME_ENDPOINT" "DataRegisterNameApiKey=$DATA_REGISTER_NAME_API_KEY"
alert-if-failure:
if: ${{ always() && (needs.ci.result=='failure')}}
runs-on: ubuntu-latest
needs: [ci]
steps:
- name: Send alert if building api-prod fails.
id: failure_alert
- shell: bash
env:
WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}
run: |
curl -X POST -H 'Content-Type: application/json' --data '{"text": "Prod Deployment Failed for AR-API"}' ${{ secrets.WEBHOOK_URL }}
curl -X POST -H 'Content-Type: application/json' $WEBHOOK_URL --data '{"text":"A&R API - Deploy Prod Complete"}'
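Review bot: `run-name` now uses `${{ github.ref_name }}` while the checkout step still uses `ref: ${{ github.event.inputs.releaseTag }}`, so the run title shows the branch the workflow was dispatched from rather than the tag actually deployed, which weakens the audit trail for prod releases; keep `run-name: Deploying ${{ github.event.inputs.releaseTag }} to prod`. The trailing lines also suggest the `alert-if-failure` job and its `Prod Deployment Failed for AR-API` webhook are replaced by a success-only `Deploy Prod Complete` message at the end of the `ci` job; if so, a failed prod deploy no longer notifies anyone, and the failure alert should be kept alongside the completion message. Both readings come from a section with no surviving `+`/`-` markers, so confirm them against the new file before acting.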