docs(readme): include deployment instruction for CFN (#81)
richardkeit authored Jul 6, 2023
1 parent 05c7a04 commit 71f61e4
Showing 3 changed files with 250 additions and 1 deletion.
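--- a/.github/bootstrap.yaml
+++ b/.github/bootstrap.yaml
@@ -0,0 +1,159 @@
+# Reference - https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+Maintainers Only: Used to provision access for Github actions to deploy the serverless application
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+GitHubOrg:
+Type: String
+Default: "Versent"
+RepositoryName:
+Type: String
+Description: Github Repo name that has permissions to deploy this stack
+OIDCProviderArn:
+Type: String
+Description: arn:aws:for the GitHub OIDC Provider.
+Default: ""
+
+
+Conditions:
+CreateOIDCProvider: !Equals
+- !Ref OIDCProviderArn
+- ""
+
+Resources:
+
+GithubAssumeRole:
+Type: AWS::IAM::Role
+Properties:
+Description: Allow github actions to assume this role to deploy resources to AWS
+AssumeRolePolicyDocument:
+Statement:
+- Effect: Allow
+Action: sts:AssumeRoleWithWebIdentity
+Principal:
+Federated: !If
+- CreateOIDCProvider
+- !Ref GithubOidc
+- !Ref OIDCProviderArn
+Condition:
+StringLike:
+token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+Policies:
+- PolicyName: GithubActionsPolicy
+PolicyDocument:
+Statement:
+- Effect: Allow
+Action:
+- ssm:GetParameter
+Resource:
+- !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/orchestrator/stax/*
+- Effect: Allow
+Action:
+- lambda:GetFunction
+- lambda:CreateFunction
+- lambda:DeleteFunction
+- lambda:GetFunctionConfiguration
+- lambda:AddPermission
+- lambda:RemovePermission
+- lambda:InvokeFunction
+- lambda:UpdateFunctionCode
+- lambda:UpdateFunctionConfiguration
+- lambda:ListTags
+- lambda:TagResource
+- lambda:UntagResource
+- lambda:PutFunctionEventInvokeConfig
+- lambda:DeleteFunctionEventInvokeConfig
+Resource:
+- !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:orchestrator-stax-*
+- Effect: Allow
+Action:
+- lambda:DeleteLayerVersion
+- lambda:GetLayerVersion
+- lambda:PublishLayerVersion
+Resource:
+- !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:orchestrator-stax-*
+- !Sub arn:aws:lambda:*:*:layer:orchestrator-stax-*
+- Effect: Allow
+Action:
+- cloudformation:*
+Resource:
+- !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/orchestrator-stax-*
+- !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/*
+- Effect: Allow
+Action:
+- s3:GetObject
+- s3:PutObject*
+- s3:CreateMultipartUpload
+Resource:
+- !Sub arn:aws:s3:::versent-stax-orchestrator-*
+- Effect: Allow
+Action:
+- iam:PassRole
+- iam:AttachRolePolicy
+- iam:CreateRole
+- iam:GetPolicy
+- iam:GetRole
+- iam:GetRolePolicy
+- iam:CreatePolicy
+- iam:DeleteRole
+- iam:DetachRolePolicy
+- iam:UpdateRole
+- iam:DeleteRolePolicy
+- iam:PutRolePolicy
+- iam:CreatePolicyVersion
+- iam:DeletePolicyVersion
+- iam:DeletePolicy
+- iam:ListPolicyVersions
+- iam:TagRole
+- iam:UntagRole
+Resource:
+- !Sub arn:aws:iam::${AWS::AccountId}:role/orchestrator-stax-*
+- !Sub arn:aws:iam::${AWS::AccountId}:policy/orchestrator-stax-*
+- Effect: Allow
+Action:
+- logs:CreateLogGroup
+- logs:DeleteLogGroup
+- logs:PutLogEvents
+- logs:TagResource
+- logs:PutRetentionPolicy
+- logs:DeleteRetentionPolicy
+Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/orchestrator-stax-*
+- Effect: Allow
+Action:
+- states:DescribeStateMachine
+- states:DeleteStateMachine
+- states:ListExecutions
+- states:UpdateStateMachine
+- states:CreateStateMachine
+- states:ListTagsForResource
+- states:TagResource
+- states:UntagResource
+- states:StartExecution
+Resource:
+- arn:aws:states:*:*:stateMachine:orchestrator-stax-*
+- Effect: Allow
+Action:
+- serverlessrepo:CreateApplication
+Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*
+- Effect: Allow
+Action:
+- serverlessrepo:CreateApplicationVersion
+- serverlessrepo:UpdateApplication
+Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/stax-orchestrator
+
+GithubOidc:
+Type: AWS::IAM::OIDCProvider
+Condition: CreateOIDCProvider
+Properties:
+Url: https://token.actions.githubusercontent.com
+ClientIdList:
+- sts.amazonaws.com
+ThumbprintList:
+- 6938fd4d98bab03faadb97b34396831e3780aea1
+- 1c58a3a8518e8759bf075b76b750d4f2df264fcd
+
+Outputs:
+GithubAssumeRoleArn:
+Value: !GetAtt GithubAssumeRole.Arn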
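Review bot: The trust condition on GithubAssumeRole, `token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*`, lets a workflow run on any branch, tag or pull request of the repository assume the deploy role, and there is no `aud` condition even though the provider is registered with `ClientIdList: [sts.amazonaws.com]`; pin the subject to the ref (or GitHub environment) that releases are deployed from and require the audience, as in the fence below. The inline policy also grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` on `role/orchestrator-stax-*` with no condition on which policy is attached or which service the role is passed to, so a compromised workflow could create an `orchestrator-stax-*` role carrying `AdministratorAccess` and execute under it through the `lambda:CreateFunction`/`lambda:InvokeFunction` permissions granted in the same policy. Split those actions out with an `iam:PermissionsBoundary` condition and an `iam:PassedToService` condition (Lambda, and Step Functions since `states:CreateStateMachine` is granted too); the boundary policy must live outside the `policy/orchestrator-stax-*` prefix, because `iam:CreatePolicyVersion`/`iam:DeletePolicy` on that prefix would otherwise let the role rewrite its own boundary. The region-wildcard layer ARN `arn:aws:lambda:*:*:layer:orchestrator-stax-*` and `cloudformation:*` on the stacks are broader than the rest of the template and deserve a one-line comment explaining why they are needed.

```yaml
Condition:
  StringEquals:
    token.actions.githubusercontent.com:aud: sts.amazonaws.com
  StringLike:
    # only the release ref may deploy; use "environment:<name>" instead if
    # deployments are gated behind a GitHub environment
    token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main
# … unchanged: ssm / lambda / cloudformation / s3 statements …
- Effect: Allow
  Action:
    - iam:PassRole
  Resource:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/orchestrator-stax-*
  Condition:
    StringEquals:
      iam:PassedToService:
        - lambda.amazonaws.com
        - states.amazonaws.com
- Effect: Allow
  Action:
    - iam:CreateRole
    - iam:AttachRolePolicy
    - iam:PutRolePolicy
  Resource:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/orchestrator-stax-*
  Condition:
    StringEquals:
      # boundary policy is managed outside this template and deliberately does NOT
      # match policy/orchestrator-stax-*, so the deploy role cannot edit it
      iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/stax-deploy-boundary
# … unchanged: remaining iam:* actions in their own statement, logs / states / serverlessrepo statements …
```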
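--- a/.github/bucket.yaml
+++ b/.github/bucket.yaml
@@ -0,0 +1,63 @@
+AWSTemplateFormatVersion: '2010-09-09'
+
+Description: |
+Maintainers Only: Create a S3 bucket used for hosting the artifacts in the AWS SAM package process
+Resources:
+ArtifactBucket:
+Type: AWS::S3::Bucket
+Properties:
+BucketEncryption:
+ServerSideEncryptionConfiguration:
+- ServerSideEncryptionByDefault:
+SSEAlgorithm: AES256
+PublicAccessBlockConfiguration:
+BlockPublicAcls: true
+BlockPublicPolicy: true
+IgnorePublicAcls: true
+RestrictPublicBuckets: true
+AccessControl: Private
+LifecycleConfiguration:
+Rules:
+- Id: BasicLifeCycle
+Status: Enabled
+Transitions:
+- TransitionInDays: 1
+StorageClass: INTELLIGENT_TIERING
+
+ArtifactBucketPolicy:
+Type: AWS::S3::BucketPolicy
+Properties:
+Bucket: !Ref ArtifactBucket
+PolicyDocument:
+Statement:
+- Effect: Allow
+Principal:
+Service: serverlessrepo.amazonaws.com
+Action: s3:GetObject
+Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*
+Condition:
+StringEquals:
+aws:SourceAccount: !Ref AWS::AccountId
+
+-
+Sid: AllowSSLRequestsOnly
+Action: s3:*
+Effect: Deny
+Resource:
+- !Sub ${ArtifactBucket.Arn}
+- !Sub ${ArtifactBucket.Arn}/*
+Condition:
+Bool:
+aws:SecureTransport: false
+Principal: "*"
+
+
+ArtifactBucketArn:
+Type: AWS::SSM::Parameter
+Properties:
+Name: /orchestrator/stax/artifact/bucket/name
+Description: Bucket name used for artifact storage
+Type: String
+Value: !Ref ArtifactBucket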
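Review bot: ArtifactBucket has no versioning and no object-ownership setting, and `AccessControl: Private` is the legacy ACL knob; because this bucket is the source of the artifacts that get published to the Serverless Application Repository, enable versioning so an overwritten or deleted artifact can be recovered and audited, and replace the ACL with `OwnershipControls` set to `BucketOwnerEnforced` (confirm that your CloudFormation version accepts dropping `AccessControl` in the same update). The bucket has no `BucketName`, so its generated name only satisfies the `arn:aws:s3:::versent-stax-orchestrator-*` grant in bootstrap.yaml if the stack itself is named with that prefix — add a comment above `ArtifactBucket` stating that requirement, or set `BucketName` explicitly. The SSM parameter is called `ArtifactBucketArn` but stores the bucket name; renaming the logical ID to `ArtifactBucketName` would match `Name: /orchestrator/stax/artifact/bucket/name` and `Description: Bucket name used for artifact storage`.

```yaml
Properties:
  # … unchanged: BucketEncryption, PublicAccessBlockConfiguration, LifecycleConfiguration …
  # ACLs disabled entirely; replaces AccessControl: Private
  OwnershipControls:
    Rules:
      - ObjectOwnership: BucketOwnerEnforced
  # keep prior artifact versions so a tampered or deleted upload is recoverable
  VersioningConfiguration:
    Status: Enabled
```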
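--- a/README.md
+++ b/README.md
@@ -50,7 +50,34 @@ Follow this guide [here](docs/direct_deployment.md) to deploy directly.
 Deployment of the stax-orchestrator can be completed by the AWS Console, AWS CLI or AWS Cloudformation.
 Please following [Deploying Applications](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/serverlessrepo-consuming-applications.html) to use th AWS Console or AWS CLI.
 
-To deploy using AWS Cloudformation, find the serverless application in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template".
+To deploy using AWS Cloudformation, find the serverless application (name: `stax-orchestrator`) in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template".
 
+Example:
+~~~yaml
+Resources:
+staxorchestrator:
+Type: AWS::Serverless::Application
+Properties:
+Location:
+ApplicationId: arn:aws:serverlessrepo:ap-southeast-2:754868638956:applications/stax-orchestrator
+SemanticVersion: 0.1.7 # any specific version required
+Parameters:
+# Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs.
+# DeployTaskWatcherCloudwatchDashboard: 'false' # Uncomment to override default value
+# Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs.
+# DeployWorkloadCloudwatchDashboard: 'false' # Uncomment to override default value
+# Deploy workload state machine to CUD (create-update-delete) workloads.
+# DeployWorkloadStateMachine: 'false' # Uncomment to override default value
+# Enable X-Ray tracing for lambda functions
+# EnableLambdaTracing: 'false' # Uncomment to override default value
+# Enable X-Ray tracing for state machines
+# EnableStateMachineTracing: 'false' # Uncomment to override default value
+# Number of days to retain lambda function logs; applies to all lambda functions in this template
+# LambdaLogGroupRetentionInDays: '60' # Uncomment to override default value
+# Python logging level for Lambda functions
+# PythonLoggingLevel: 'INFO' # Uncomment to override default value
+
+~~~
+
 ### Using the Stax Orchestrator
 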
