feat: implement continuous deployment

coderbyheart · coderbyheart · commit fca64e811e67 · 2023-04-09T20:25:20.000+02:00
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -0,0 +1,64 @@
+name: Continuous Deploy solution
+
+on:
+  push:
+    branches:
+      - saga
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: write
+  issues: write
+
+env:
+  CI: 1
+  FORCE_COLOR: 3
+
+jobs:
+  deploy:
+    runs-on: ubuntu-22.04
+
+    timeout-minutes: 10
+
+    environment:
+      name: production
+      url: ${{ steps.endpoint.outputs.url }}
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "18.x"
+
+      - name: Keep npm cache around to speed up installs
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: build-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Check TypeScript
+        run: npx tsc
+
+      - name: Run Unit Tests
+        run: npm test
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: github-action-public-parameter-registry-cd
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Deploy solution stack
+        run: npx cdk deploy
+
+      - name: Get endpoint URL
+        id: endpoint
+        run: |
+          ENDPOINT=`aws cloudformation describe-stacks --stack-name ${STACK_NAME:-public-parameter-registry} | jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "registryEndpoint") | .OutputValue' | sed -E 's/\/$//g'`
+          echo "url=${ENDPOINT}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/test-and-release.yaml b/.github/workflows/test-and-release.yaml
@@ -19,6 +19,8 @@ jobs:
 
     timeout-minutes: 30
 
+    environment: ci
+
     steps:
       - uses: actions/checkout@v3
 
@@ -46,7 +48,7 @@ jobs:
         with:
           role-to-assume: ${{ secrets.AWS_ROLE }}
           role-session-name: github-action-public-parameter-registry
-          aws-region: ${{ secrets.AWS_REGION }}
+          aws-region: ${{ vars.AWS_REGION }}
 
       - name: Generate Stack ID
         run: |
diff --git a/README.md b/README.md
@@ -53,6 +53,20 @@ aws ssm put-parameter --name /${STACK_NAME:-public-parameter-registry}/public/so
 For parameters to be published, they must be below the path
 `/<stack name>/public/`.
 
+## CD with GitHub Actions
+
+Create a GitHub environment `production`.
+
+<!-- FIXME: add CLI comment -->
+
+Store the role name from the output as a GitHub Action secret:
+
+```bash
+CD_ROLE_ARN=`aws cloudformation describe-stacks --stack-name ${STACK_NAME:-public-parameter-registry} | jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "cdRoleArn") | .OutputValue' | sed -E 's/\/$//g'`
+gh variable set AWS_REGION --env production --body "${AWS_REGION}"
+gh secret set AWS_ROLE --env production --body "${CD_ROLE_ARN}"
+```
+
 ## CI with GitHub Actions
 
 Configure the AWS credentials for an account used for CI, then run
@@ -64,10 +78,14 @@ npx cdk --app 'npx tsx cdk/ci.ts' deploy
 This creates a role with Administrator privileges in that account, and allows
 the GitHub repository of this repo to assume it.
 
+Create a GitHub environment `ci`.
+
+<!-- FIXME: add CLI comment -->
+
 Store the role name from the output as a GitHub Action secret:
 
 ```bash
-ROLE_ARN=`aws cloudformation describe-stacks --stack-name ${STACK_NAME:-public-parameter-registry}-ci | jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "roleArn") | .OutputValue' | sed -E 's/\/$//g'`
-gh secret set AWS_REGION --body "${AWS_REGION}"
-gh secret set AWS_ROLE --body "${ROLE_ARN}"
+CI_ROLE_ARN=`aws cloudformation describe-stacks --stack-name ${STACK_NAME:-public-parameter-registry}-ci | jq -r '.Stacks[0].Outputs[] | select(.OutputKey == "roleArn") | .OutputValue' | sed -E 's/\/$//g'`
+gh variable set AWS_REGION --env ci --body "${AWS_REGION}"
+gh secret set AWS_ROLE --env ci --body "${CI_ROLE_ARN}"
 ```
diff --git a/cdk/CD.ts b/cdk/CD.ts
@@ -0,0 +1,36 @@
+import { Duration, aws_iam as IAM, Stack } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+
+export class CD extends Construct {
+	public readonly role: IAM.IRole
+	constructor(
+		parent: Stack,
+		{
+			repository: r,
+			gitHubOIDC,
+		}: {
+			repository: Repository
+			gitHubOIDC: IAM.IOpenIdConnectProvider
+		},
+	) {
+		super(parent, 'cd')
+
+		this.role = new IAM.Role(this, 'ghRole', {
+			roleName: `${parent.stackName}-github-actions`,
+			assumedBy: new IAM.WebIdentityPrincipal(
+				gitHubOIDC.openIdConnectProviderArn,
+				{
+					StringEquals: {
+						'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
+						'token.actions.githubusercontent.com:sub': `repo:${r.owner}/${r.repo}:environment:production`,
+					},
+				},
+			),
+			description: `This role is used by GitHub Actions for CI of ${r.owner}/${r.repo}`,
+			maxSessionDuration: Duration.hours(1),
+			managedPolicies: [
+				IAM.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+			],
+		})
+	}
+}
diff --git a/cdk/CIStack.ts b/cdk/CIStack.ts
@@ -6,32 +6,31 @@ export class CIStack extends Stack {
 		parent: App,
 		{
 			repository: r,
+			gitHubOICDProviderArn,
 		}: {
 			repository: {
 				owner: string
 				repo: string
 			}
+			gitHubOICDProviderArn: string
 		},
 	) {
 		super(parent, CI_STACK_NAME)
 
-		const githubDomain = 'token.actions.githubusercontent.com'
-		const ghProvider = new IAM.OpenIdConnectProvider(this, 'githubProvider', {
-			url: `https://${githubDomain}`,
-			clientIds: ['sts.amazonaws.com'],
-			thumbprints: ['6938fd4d98bab03faadb97b34396831e3780aea1'],
-		})
+		const gitHubOIDC = IAM.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
+			this,
+			'gitHubOICDProvider',
+			gitHubOICDProviderArn,
+		)
 
 		const ghRole = new IAM.Role(this, 'ghRole', {
 			roleName: `${CI_STACK_NAME}-github-actions`,
 			assumedBy: new IAM.WebIdentityPrincipal(
-				ghProvider.openIdConnectProviderArn,
+				gitHubOIDC.openIdConnectProviderArn,
 				{
 					StringEquals: {
 						'token.actions.githubusercontent.com:aud': 'sts.amazonaws.com',
-					},
-					StringLike: {
-						[`${githubDomain}:sub`]: `repo:${r.owner}/${r.repo}:ref:refs/heads/*`,
+						'token.actions.githubusercontent.com:sub': `repo:${r.owner}/${r.repo}:environment:ci`,
 					},
 				},
 			),
diff --git a/cdk/RegistryApp.ts b/cdk/RegistryApp.ts
@@ -3,11 +3,21 @@ import type { RegistryLambdas } from './RegistryLambdas.js'
 import { RegistryStack } from './RegistryStack.js'
 
 export class RegistryApp extends App {
-	public constructor({ lambdaSources }: { lambdaSources: RegistryLambdas }) {
+	public constructor({
+		lambdaSources,
+		repository,
+		gitHubOICDProviderArn,
+	}: {
+		lambdaSources: RegistryLambdas
+		repository: Repository
+		gitHubOICDProviderArn: string
+	}) {
 		super()
 
 		new RegistryStack(this, {
 			lambdaSources,
+			repository,
+			gitHubOICDProviderArn,
 		})
 	}
 }
diff --git a/cdk/RegistryStack.ts b/cdk/RegistryStack.ts
@@ -10,6 +10,7 @@ import {
 	aws_s3 as S3,
 	Stack,
 } from 'aws-cdk-lib'
+import { CD } from './CD.js'
 import type { RegistryLambdas } from './RegistryLambdas.js'
 import { STACK_NAME } from './stackConfig.js'
 
@@ -18,8 +19,12 @@ export class RegistryStack extends Stack {
 		parent: App,
 		{
 			lambdaSources,
+			repository,
+			gitHubOICDProviderArn,
 		}: {
 			lambdaSources: RegistryLambdas
+			repository: Repository
+			gitHubOICDProviderArn: string
 		},
 	) {
 		super(parent, STACK_NAME)
@@ -79,6 +84,20 @@ export class RegistryStack extends Stack {
 			sourceArn: publishToS3Rule.ruleArn,
 		})
 
+		// Set up role for CD
+		const gitHubOIDC = IAM.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
+			this,
+			'gitHubOICDProvider',
+			gitHubOICDProviderArn,
+		)
+		const cd = new CD(this, { repository, gitHubOIDC })
+
+		new CfnOutput(this, 'cdRoleArn', {
+			exportName: `${this.stackName}:cdRoleArn`,
+			description: 'Role to use in GitHub Actions',
+			value: cd.role.roleArn,
+		})
+
 		new CfnOutput(this, 'registryEndpoint', {
 			exportName: `${this.stackName}:registryEndpoint`,
 			description: 'Endpoint used for fetch the parameters',
diff --git a/cdk/ci.ts b/cdk/ci.ts
@@ -1,5 +1,7 @@
+import { IAMClient } from '@aws-sdk/client-iam'
 import pJSON from '../package.json'
 import { CIApp } from './CIApp.js'
+import { ensureGitHubOIDCProvider } from './ensureGitHubOIDCProvider'
 
 const repoUrl = new URL(pJSON.repository.url)
 const repository = {
@@ -8,4 +10,9 @@ const repository = {
 		repoUrl.pathname.split('/')[2]?.replace(/\.git$/, '') ??
 		'public-parameter-registry-aws-js',
 }
-new CIApp({ repository })
+new CIApp({
+	repository,
+	gitHubOICDProviderArn: await ensureGitHubOIDCProvider({
+		iam: new IAMClient({}),
+	}),
+})
diff --git a/cdk/ensureGitHubOIDCProvider.ts b/cdk/ensureGitHubOIDCProvider.ts
@@ -0,0 +1,62 @@
+import {
+	CreateOpenIDConnectProviderCommand,
+	GetOpenIDConnectProviderCommand,
+	IAMClient,
+	ListOpenIDConnectProvidersCommand,
+} from '@aws-sdk/client-iam'
+import chalk from 'chalk'
+
+/**
+ * Returns the ARN of the OpenID Connect provider for GitHub of the account.
+ */
+export const ensureGitHubOIDCProvider = async ({
+	iam,
+}: {
+	iam: IAMClient
+}): Promise<string> => {
+	const { OpenIDConnectProviderList } = await iam.send(
+		new ListOpenIDConnectProvidersCommand({}),
+	)
+
+	const maybeGithubProvider = (
+		await Promise.all(
+			OpenIDConnectProviderList?.map(async ({ Arn }) =>
+				iam
+					.send(
+						new GetOpenIDConnectProviderCommand({
+							OpenIDConnectProviderArn: Arn,
+						}),
+					)
+					.then((provider) => ({ Arn, provider })),
+			) ?? [],
+		)
+	).find(
+		({ provider: { Url } }) => Url === 'token.actions.githubusercontent.com',
+	)
+
+	if (maybeGithubProvider?.Arn !== undefined) {
+		console.debug(
+			chalk.green(
+				`OIDC provider for GitHub exists: ${maybeGithubProvider.Arn}`,
+			),
+		)
+		return maybeGithubProvider.Arn
+	}
+
+	console.log(
+		chalk.yellow(`OIDC provider for GitHub does not exist. Creating ...`),
+	)
+
+	const provider = await iam.send(
+		new CreateOpenIDConnectProviderCommand({
+			Url: `https://token.actions.githubusercontent.com`,
+			ClientIDList: ['sts.amazonaws.com'],
+			ThumbprintList: ['6938fd4d98bab03faadb97b34396831e3780aea1'],
+		}),
+	)
+
+	if (provider.OpenIDConnectProviderArn === undefined)
+		throw new Error(`Failed to create OpenID Connect Provider for GitHub!`)
+
+	return provider.OpenIDConnectProviderArn
+}
diff --git a/cdk/registry.ts b/cdk/registry.ts
@@ -1,8 +1,19 @@
+import { IAMClient } from '@aws-sdk/client-iam'
 import { mkdir } from 'node:fs/promises'
 import path from 'node:path'
+import pJSON from '../package.json'
 import { RegistryApp } from './RegistryApp.js'
+import { ensureGitHubOIDCProvider } from './ensureGitHubOIDCProvider.js'
 import { packLambda } from './packLambda.js'
 
+const repoUrl = new URL(pJSON.repository.url)
+const repository = {
+	owner: repoUrl.pathname.split('/')[1] ?? 'bifravst',
+	repo:
+		repoUrl.pathname.split('/')[2]?.replace(/\.git$/, '') ??
+		'public-parameter-registry-aws-js',
+}
+
 export type PackedLambda = { lambdaZipFile: string; handler: string }
 
 const pack = async (id: string, handler = 'handler'): Promise<PackedLambda> => {
@@ -28,4 +39,8 @@ new RegistryApp({
 	lambdaSources: {
 		publishToS3: await pack('publishToS3'),
 	},
+	repository,
+	gitHubOICDProviderArn: await ensureGitHubOIDCProvider({
+		iam: new IAMClient({}),
+	}),
 })
diff --git a/cdk/repository.d.ts b/cdk/repository.d.ts
@@ -0,0 +1,4 @@
+type Repository = {
+	owner: string
+	repo: string
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
