diff --git a/.github/bootstrap.yaml b/.github/bootstrap.yaml new file mode 100644 index 0000000..c4d8b71 --- /dev/null +++ b/.github/bootstrap.yaml @@ -0,0 +1,159 @@ +# Reference - https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Maintainers Only: Used to provision access for Github actions to deploy the serverless application +Transform: AWS::Serverless-2016-10-31 + +Parameters: + GitHubOrg: + Type: String + Default: "Versent" + RepositoryName: + Type: String + Description: Github Repo name that has permissions to deploy this stack + OIDCProviderArn: + Type: String + Description: arn:aws:for the GitHub OIDC Provider. + Default: "" + + +Conditions: + CreateOIDCProvider: !Equals + - !Ref OIDCProviderArn + - "" + +Resources: + + GithubAssumeRole: + Type: AWS::IAM::Role + Properties: + Description: Allow github actions to assume this role to deploy resources to AWS + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRoleWithWebIdentity + Principal: + Federated: !If + - CreateOIDCProvider + - !Ref GithubOidc + - !Ref OIDCProviderArn + Condition: + StringLike: + token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:* + Policies: + - PolicyName: GithubActionsPolicy + PolicyDocument: + Statement: + - Effect: Allow + Action: + - ssm:GetParameter + Resource: + - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/orchestrator/stax/* + - Effect: Allow + Action: + - lambda:GetFunction + - lambda:CreateFunction + - lambda:DeleteFunction + - lambda:GetFunctionConfiguration + - lambda:AddPermission + - lambda:RemovePermission + - lambda:InvokeFunction + - lambda:UpdateFunctionCode + - lambda:UpdateFunctionConfiguration + - lambda:ListTags + - lambda:TagResource + - lambda:UntagResource + - lambda:PutFunctionEventInvokeConfig + - lambda:DeleteFunctionEventInvokeConfig + Resource: + - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:orchestrator-stax-* + - Effect: Allow + Action: + - lambda:DeleteLayerVersion + - lambda:GetLayerVersion + - lambda:PublishLayerVersion + Resource: + - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:orchestrator-stax-* + - !Sub arn:aws:lambda:*:*:layer:orchestrator-stax-* + - Effect: Allow + Action: + - cloudformation:* + Resource: + - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/orchestrator-stax-* + - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/* + - Effect: Allow + Action: + - s3:GetObject + - s3:PutObject* + - s3:CreateMultipartUpload + Resource: + - !Sub arn:aws:s3:::versent-stax-orchestrator-* + - Effect: Allow + Action: + - iam:PassRole + - iam:AttachRolePolicy + - iam:CreateRole + - iam:GetPolicy + - iam:GetRole + - iam:GetRolePolicy + - iam:CreatePolicy + - iam:DeleteRole + - iam:DetachRolePolicy + - iam:UpdateRole + - iam:DeleteRolePolicy + - iam:PutRolePolicy + - iam:CreatePolicyVersion + - iam:DeletePolicyVersion + - iam:DeletePolicy + - iam:ListPolicyVersions + - iam:TagRole + - iam:UntagRole + Resource: + - !Sub arn:aws:iam::${AWS::AccountId}:role/orchestrator-stax-* + - !Sub arn:aws:iam::${AWS::AccountId}:policy/orchestrator-stax-* + - Effect: Allow + Action: + - logs:CreateLogGroup + - logs:DeleteLogGroup + - logs:PutLogEvents + - logs:TagResource + - logs:PutRetentionPolicy + - logs:DeleteRetentionPolicy + Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/orchestrator-stax-* + - Effect: Allow + Action: + - states:DescribeStateMachine + - states:DeleteStateMachine + - states:ListExecutions + - states:UpdateStateMachine + - states:CreateStateMachine + - states:ListTagsForResource + - states:TagResource + - states:UntagResource + - states:StartExecution + Resource: + - arn:aws:states:*:*:stateMachine:orchestrator-stax-* + - Effect: Allow + Action: + - serverlessrepo:CreateApplication + Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/* + - Effect: Allow + Action: + - serverlessrepo:CreateApplicationVersion + - serverlessrepo:UpdateApplication + Resource: !Sub arn:aws:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/stax-orchestrator + + GithubOidc: + Type: AWS::IAM::OIDCProvider + Condition: CreateOIDCProvider + Properties: + Url: https://token.actions.githubusercontent.com + ClientIdList: + - sts.amazonaws.com + ThumbprintList: + - 6938fd4d98bab03faadb97b34396831e3780aea1 + - 1c58a3a8518e8759bf075b76b750d4f2df264fcd + +Outputs: + GithubAssumeRoleArn: + Value: !GetAtt GithubAssumeRole.Arn diff --git a/.github/bucket.yaml b/.github/bucket.yaml new file mode 100644 index 0000000..5b51fa8 --- /dev/null +++ b/.github/bucket.yaml @@ -0,0 +1,63 @@ +AWSTemplateFormatVersion: '2010-09-09' + +Description: | + Maintainers Only: Create a S3 bucket used for hosting the artifacts in the AWS SAM package process + + +Resources: + ArtifactBucket: + Type: AWS::S3::Bucket + Properties: + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + AccessControl: Private + LifecycleConfiguration: + Rules: + - Id: BasicLifeCycle + Status: Enabled + Transitions: + - TransitionInDays: 1 + StorageClass: INTELLIGENT_TIERING + + ArtifactBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref ArtifactBucket + PolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: serverlessrepo.amazonaws.com + Action: s3:GetObject + Resource: !Sub arn:aws:s3:::${ArtifactBucket}/* + Condition: + StringEquals: + aws:SourceAccount: !Ref AWS::AccountId + + - + Sid: AllowSSLRequestsOnly + Action: s3:* + Effect: Deny + Resource: + - !Sub ${ArtifactBucket.Arn} + - !Sub ${ArtifactBucket.Arn}/* + Condition: + Bool: + aws:SecureTransport: false + Principal: "*" + + + ArtifactBucketArn: + Type: AWS::SSM::Parameter + Properties: + Name: /orchestrator/stax/artifact/bucket/name + Description: Bucket name used for artifact storage + Type: String + Value: !Ref ArtifactBucket diff --git a/README.md b/README.md index d8033df..bade5b5 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,34 @@ Follow this guide [here](docs/direct_deployment.md) to deploy directly. Deployment of the stax-orchestrator can be completed by the AWS Console, AWS CLI or AWS Cloudformation. Please following [Deploying Applications](https://docs.aws.amazon.com/serverlessrepo/latest/devguide/serverlessrepo-consuming-applications.html) to use th AWS Console or AWS CLI. -To deploy using AWS Cloudformation, find the serverless application in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template". +To deploy using AWS Cloudformation, find the serverless application (name: `stax-orchestrator`) in the AWS Serverless Repository in your AWS account and click "copy Cloudformation template". + +Example: +~~~yaml +Resources: + staxorchestrator: + Type: AWS::Serverless::Application + Properties: + Location: + ApplicationId: arn:aws:serverlessrepo:ap-southeast-2:754868638956:applications/stax-orchestrator + SemanticVersion: 0.1.7 # any specific version required + Parameters: + # Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs. + # DeployTaskWatcherCloudwatchDashboard: 'false' # Uncomment to override default value + # Deploy workload cloudwatch dashboard to view stax orchestrator step function metrics and logs. + # DeployWorkloadCloudwatchDashboard: 'false' # Uncomment to override default value + # Deploy workload state machine to CUD (create-update-delete) workloads. + # DeployWorkloadStateMachine: 'false' # Uncomment to override default value + # Enable X-Ray tracing for lambda functions + # EnableLambdaTracing: 'false' # Uncomment to override default value + # Enable X-Ray tracing for state machines + # EnableStateMachineTracing: 'false' # Uncomment to override default value + # Number of days to retain lambda function logs; applies to all lambda functions in this template + # LambdaLogGroupRetentionInDays: '60' # Uncomment to override default value + # Python logging level for Lambda functions + # PythonLoggingLevel: 'INFO' # Uncomment to override default value + +~~~ ### Using the Stax Orchestrator