added waves and second deployment region

.gitignore

@@ -8,4 +8,7 @@ node_modules
 cdk.out
 build/
 .env
-api/node_modules
+api/node_modules
+
+
+cdk.context.json

README.md

@@ -40,4 +40,8 @@ export GITHUB_REPO=YOUR_GITHUB_BRANCH
 
 *Note:* To deploy application without pipeline locally, change `cdk.json` line 2 from `"app": "npx ts-node --prefer-ts-exts cdk/bin/pipeline.ts",` to `"app": "npx ts-node --prefer-ts-exts cdk/bin/api.ts",` 
 
-Deploy pipeline manually one time: `cdk deploy`
+Deploy pipeline manually one time: `cdk deploy`
+
+
+`aws iam attach-role-policy --role-name $PIPELINE_ROLE  --policy-arn $POLICY_ARN`
+`cdk bootstrap --trust $PIPELINE_ACCOUNT_ID --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess aws://$SECONDRY_ACCOUNT_ID/us-west-2`

cdk/lib/cdk-pipeline-stack.ts

@@ -1,5 +1,6 @@
-import { CfnOutput, Construct, Stage, StageProps, Stack, StackProps, Aws, } from "@aws-cdk/core";
+import { CfnOutput, Construct, Stage, StageProps, Stack, StackProps, Aws } from "@aws-cdk/core";
 import { CodePipeline, CodePipelineSource, ShellStep } from "@aws-cdk/pipelines";
+import { PolicyDocument, PolicyStatement, Effect, Policy } from "@aws-cdk/aws-iam";
 import { GraphqlApiStack } from "./api-stack";
 import { VpcStack } from "./vpc-stack";
 import { RDSStack } from "./rds-stack";
@@ -42,35 +43,70 @@ export class CdkPipelineStack extends Stack {
   public readonly rdsEndpoint: CfnOutput;
   public readonly rdsUsername: CfnOutput;
   public readonly rdsDatabase: CfnOutput;
+  public readonly pipelineRole: CfnOutput;
 
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
 
     const githubOrg = process.env.GITHUB_ORG || "kevasync";
     const githubRepo = process.env.GITHUB_REPO || "awsmug-serverless-graphql-api";
     const githubBranch = process.env.GITHUB_REPO || "master";
+    // const crossAccountRole = process.env.CROSS_ACCOUNT_PIPELINE_ROLE || "OrganizationAccountAccessRole";
+    const crossAccountId = process.env.SECONDARY_ACCOUNT_ID;
 
     const pipeline = new CodePipeline(this, "Pipeline", {
+      crossAccountKeys: true,
       pipelineName: "AWSMugPipeline",
       synth: new ShellStep("deploy", {
         input: CodePipelineSource.gitHub(`${githubOrg}/${githubRepo}`, githubBranch),
-        commands: [
+        commands: [ 
           "npm ci",
           "npm run build",
           "npx cdk synth"
         ]
       }),
     });
 
-    const stage = new AppStage(this, "demo", {
+
+
+    // const policy = new Policy(this, "crossAccountPolicy");
+    // policy.addStatements(new PolicyStatement({
+    //   effect: Effect.ALLOW,
+    //   actions: ["sts:AssumeRole"],
+    //   resources: [`arn:aws:iam::${crossAccountId}:role/${crossAccountRole}`]
+    // }));
+    // pipeline.pipeline.role.attachInlinePolicy(policy);
+
+    // pipeline.pipeline.addToRolePolicy(new PolicyStatement({
+    //   effect: Effect.ALLOW,
+    //   actions: ["sts:AssumeRole"],
+    //   resources: [`arn:aws:iam::${crossAccountRole}:role/${crossAccountRole}`]
+    // }));
+
+    const devStage = new AppStage(this, "dev", {
       env: { account: Aws.ACCOUNT_ID, region: Aws.REGION },
       rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn"
     });
-    pipeline.addStage(stage);
+    const devWave = pipeline.addWave("devWave");
+    devWave.addStage(devStage);
+
+    const prdStage = new AppStage(this, "prd", {
+      env: { account: crossAccountId, region: "us-west-2" },
+      rdsPasswordSecretArnSsmParamName: "rds-password-secret-arn"
+    });
+    const prdWave = pipeline.addWave("prdWave");
+    prdWave.addStage(prdStage);
 
-    this.apiPath = stage.apiStack.apiPathOutput;
-    this.rdsEndpoint = stage.rdsStack.rdsEndpointOutput;
-    this.rdsUsername = stage.rdsStack.rdsUsernameOutput;
-    this.rdsDatabase = stage.rdsStack.rdsDatabaseOutput;
+
+
+
+    this.apiPath = devStage.apiStack.apiPathOutput;
+    this.rdsEndpoint = devStage.rdsStack.rdsEndpointOutput;
+    this.rdsUsername = devStage.rdsStack.rdsUsernameOutput;
+    this.rdsDatabase = devStage.rdsStack.rdsDatabaseOutput;
+    // this.pipelineRole = new CfnOutput(this, "pipelineRole", {
+    //   value: pipeline.pipeline.role.roleName,
+    //   description: "Name of IAM Role assumed by pipeline"
+    // });
   }
 }