Upload initial files (WIP)

san99tiago · Mar 13, 2024 · 2cfda9d · 2cfda9d
1 parent 1815ee1
commit 2cfda9d
Show file tree

Hide file tree

Showing 20 changed files with 1,358 additions and 0 deletions.
diff --git a/.github/prerequisites/README.md b/.github/prerequisites/README.md
@@ -0,0 +1,14 @@
+# AWS PREREQUISITES FOR THE GITHUB ACTIONS CI/CD PIPELINE
+
+Inspired on:
+
+- https://github.com/aws-actions/configure-aws-credentials/tree/main/examples
+
+The CI/CD uses aws-action `configure-aws-credentials` with OIDC federation. Prior to using this example project, the user needs to deploy the [github-actions-oidc-federation-and-role](github-actions-oidc-federation-and-role.yml) CloudFormation template in the AWS account they want to deploy the solution. Specify the GitHub Organization name, repository name, and the specific branch you want to deploy on.
+
+To use the example you will need to set the following GitHub Action Secrets:
+
+| Secret Key      | Used With                 | Description              |
+| --------------- | ------------------------- | ------------------------ |
+| AWS_ACCOUNT_ID  | configure-aws-credentials | The AWS account ID       |
+| AWS_DEPLOY_ROLE | configure-aws-credentials | The name of the IAM role |
diff --git a/.github/prerequisites/github-actions-oidc-federation-and-role.yml b/.github/prerequisites/github-actions-oidc-federation-and-role.yml
@@ -0,0 +1,95 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Github Actions configuration - OIDC IAM IdP and associated role CI/CD
+
+Parameters:
+
+  GitHubOrganization:
+    Type: String
+    Description: This is the root organization or personal account where repos are stored (Case Sensitive)
+
+  RepositoryName:
+    Type: String
+    Description: The repo(s) these roles will have access to. (Use * for all org or personal repos)
+    Default: "*"
+
+  BranchName:
+    Type: String
+    Description: Name of the git branch to to trust. (Use * for all branches)
+    Default: "*"
+
+  RoleName:
+    Type: String
+    Description: Name the Role
+
+  UseExistingProvider:
+    Type: String
+    Description: "Only one GitHub Provider can exists. Choose yes if one is already present in account"
+    Default: "no"
+    AllowedValues:
+      - "yes"
+      - "no"
+
+Conditions:
+
+  CreateProvider: !Equals ["no", !Ref UseExistingProvider]
+
+Resources:
+
+  IdpGitHubOidc:
+    Type: AWS::IAM::OIDCProvider
+    Condition: CreateProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+        - !Sub https://github.com/${GitHubOrganization}/${RepositoryName}
+      ThumbprintList:
+        - 6938fd4d98bab03faadb97b34396831e3780aea1
+      Tags:
+        - Key: Name
+          Value: !Sub ${RoleName}-OIDC-Provider
+
+  RoleGithubActions:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Ref RoleName
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated: !If
+                - CreateProvider
+                - !Ref IdpGitHubOidc
+                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+            Condition:
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrganization}/${RepositoryName}:ref:refs/heads/${BranchName}
+      # ManagedPolicyArns:
+      #   ## edit the managed policy to give least privileges
+      #   - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess
+
+  RoleGithubActionsPolicies:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: !Sub ${RoleName}-Policy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action: "sts:AssumeRole"
+            Resource: "arn:aws:iam::*:role/cdk-*"
+      Roles:
+        - !Ref RoleGithubActions
+
+Outputs:
+
+  IdpGitHubOidc:
+    Condition: CreateProvider
+    Description: "ARN of Github OIDC Provider"
+    Value: !GetAtt IdpGitHubOidc.Arn
+
+  RoleGithubActionsARN:
+    Description: "CICD Role for GitHub Actions"
+    Value: !GetAtt RoleGithubActions.Arn
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,165 @@
+name: deploy
+
+on:
+  push:
+    branches: ["main", "feature/**"]
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_DEFAULT_OUTPUT: json
+
+jobs:
+  code-quality:
+    name: Check coding standards
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "Job triggered by ${{ github.event_name }} event."
+      - run: echo "Job running on a ${{ runner.os }} server hosted by GitHub."
+      - run: echo "Branch name is ${{ github.ref }} and repository is ${{ github.repository }}."
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+      - name: Install Poetry dependencies
+        run: poetry install --no-interaction
+      - name: Check code formatting
+        run: poetry run poe black-check
+
+  cdk-synth:
+    name: CDK Synth
+    runs-on: ubuntu-latest
+    needs: code-quality
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+
+      - name: Install Poetry dependencies
+        run: poetry install --no-interaction
+
+      - name: Set up NodeJs
+        uses: actions/setup-node@v3
+        with:
+          node-version: "20"
+
+      - name: Install CDK
+        run: |
+          npm install -g aws-cdk
+
+      # # MY OLD AUTH CONFIG (NOW WITH GITHUB OIDC TOKEN)
+      # - name: Configure AWS credentials
+      #   uses: aws-actions/configure-aws-credentials@master
+      #   with:
+      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
+      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
+      #     aws-region: "us-east-1"
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
+          role-session-name: myGitHubActions
+
+      - name: Synth CDK to CloudFormation Template
+        run: |
+          source .venv/bin/activate
+          cdk synth
+
+      - name: Archive CDK Synth results (no assets)
+        uses: actions/upload-artifact@v3
+        with:
+          name: cdk-synth-folder
+          path: |
+            ./cdk.out
+            !./cdk.out/asset.*
+          retention-days: 1
+
+  iac-checkov:
+    name: IaC Checkov Validations
+    runs-on: ubuntu-latest
+    needs: cdk-synth
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Dowload CDK Synth results
+        uses: actions/download-artifact@v3
+        with:
+          name: cdk-synth-folder
+          path: ./cdk-synth-output-folder
+
+      - name: Display files in the output folder
+        run: ls -lrta
+        working-directory: ./cdk-synth-output-folder
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: cdk-synth-output-folder/
+          framework: cloudformation
+          soft_fail: true # optional: do not return an error code if there are failed checks
+          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
+          quiet: true # optional: display only failed checks
+          log_level: WARNING # optional: set log level. Default WARNING
+
+  cdk-deploy:
+    name: Deploy CDK
+    runs-on: ubuntu-latest
+    needs: iac-checkov
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.11
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+          installer-parallel: true
+
+      - name: Install Poetry dependencies
+        run: poetry install --no-interaction
+
+      - name: Set up NodeJs
+        uses: actions/setup-node@v3
+        with:
+          node-version: "20"
+
+      - name: Install CDK
+        run: npm install -g aws-cdk
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
+          role-session-name: myGitHubActions
+
+      # NOTE: for now no manual approvals are required
+      - name: Deploy to AWS
+        run: |
+          source .venv/bin/activate
+          cdk deploy --require-approval=never