diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml
new file mode 100644
index 0000000..242c26d
--- /dev/null
+++ b/.github/workflows/branch.yaml
@@ -0,0 +1,98 @@
+name: Branches
+
+on:
+ workflow_dispatch:
+ push:
+ branches-ignore:
+ - 'main'
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+
+ steps:
+ - name: Setup job workspace
+ uses: ServerlessOpsIO/gha-setup-workspace@v1
+
+ - name: Assume AWS Credentials
+ uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+ with:
+ build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+
+ - name: Install AWS SAM
+ uses: aws-actions/setup-sam@v2
+
+ - name: Validate artifact (deploy)
+ run: sam validate --lint -t stackset-deploy-template.yaml
+
+ - name: Validate artifact (build)
+ run: sam validate --lint -t stackset-build-template.yaml
+
+ - name: Validate artifact (SAM artifact)
+ run: sam validate --lint -t stacksets/gha-build/sam-deployment.yaml
+
+ - name: Validate artifact (build stackset)
+ run: sam validate --lint -t stacksets/gha-build/stackset.yaml
+
+ - name: Validate artifact (deploy stackset)
+ run: sam validate --lint -t stacksets/gha-deploy/stackset.yaml
+
+ - name: Synethsize StackSet templates
+ run: |
+ for _f in $(find . -type f -name 'stackset-*-template.yaml'); do
+ _dir="$(dirname $_f)/" \
+ yq \
+ -i \
+ '(.. | select(has("localTemplateFile")) | .localTemplateFile) |= load_str(strenv(_dir) + .)' \
+ $_f;
+ done
+
+ - name: Upload SAM artifact (Management Account / GHA Deploy)
+ id: upload-sam-gha-template
+ shell: bash
+ run: |
+ sam package \
+ --template stacksets/gha-deploy/stackset.yaml \
+ --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --output-template-file packaged-gha-deploy-template.yaml
+
+ - name: Upload SAM artifact (Management Account / CFN CR)
+ id: upload-sam-cfncr-template
+ shell: bash
+ run: |
+ sam package \
+ --template stacksets/cfn-custom-resource-deploy/stackset.yaml \
+ --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --output-template-file packaged-cfncr-template.yaml
+
+ - name: Upload SAM artifact (Build Account)
+ id: upload-sam-stackset-build-template
+ shell: bash
+ run: |
+ sam package \
+ --template stackset-build-template.yaml \
+ --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --output-template-file packaged-stackset-build-template.yaml
+
+ - name: Upload SAM artifact (Deploy Account)
+ id: upload-sam-stackset-deploy-template
+ shell: bash
+ run: |
+ sam package \
+ --template stackset-deploy-template.yaml \
+ --s3-bucket aws-sam-cli-sourcebucket-225989329251-us-east-1 \
+ --s3-prefix ${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}/${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}/${{ env.GITHUB_REF_SLUG_URL }} \
+ --region us-east-1 \
+ --output-template-file packaged-stackset-deploy-template.yaml
+ + - name: Store Artifacts + uses: ServerlessOpsIO/gha-store-artifacts@v1 diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 010d3dc..f36def8 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -14,31 +14,8 @@ jobs: contents: read steps: - - name: Set extra GitHub environment variables - id: github-env-vars - uses: rlespinasse/github-slug-action@v4 - - - name: Checkout source - id: checkout-source - uses: actions/checkout@v4 - - - name: Setup Python - id: install-python - uses: actions/setup-python@v3 - with: - python-version: 3.12 - cache: pipenv - - - name: Install pipenv - id: install-pipenv - shell: bash - run: python -m pip install --upgrade pipenv - - - - name: Install dependencies - id: install-python-deps - shell: bash - run: pipenv install --dev + - name: Setup job workspace + uses: ServerlessOpsIO/gha-setup-workspace@v1 - name: Assume AWS Credentials uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 @@ -129,33 +106,10 @@ jobs: contents: read steps: - - name: Set extra GitHub environment variables - id: github-env-vars - uses: rlespinasse/github-slug-action@v4 - - - name: Download artifact - id: download-artifact - uses: actions/download-artifact@v4 - with: - name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} - - - name: Setup Python - id: install-python - uses: actions/setup-python@v3 + - name: Setup job workspace + uses: ServerlessOpsIO/gha-setup-workspace@v1 with: - python-version: 3.12 - cache: pipenv - - - name: Install pipenv - id: install-pipenv - shell: bash - run: python -m pip install --upgrade pipenv - - - - name: Install dependencies - id: install-python-deps - shell: bash - run: pipenv install --dev + checkout_artifact: true - name: Assume AWS Credentials uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 
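Review bot: Every action in the new `build` job is referenced by a mutable tag (`ServerlessOpsIO/gha-setup-workspace@v1`, `ServerlessOpsIO/gha-assume-aws-credentials@v1`, `aws-actions/setup-sam@v2`, `ServerlessOpsIO/gha-store-artifacts@v1`) while the job holds `id-token: write`, assumes AWS credentials and uploads templates to S3, so a moved or re-pushed tag in any of those repositories changes what runs with cloud credentials; pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aws-actions/setup-sam@<commit-sha>  # v2`. The four `sam package` steps interpolate `${{ env.GITHUB_REPOSITORY_OWNER_PART_SLUG_URL }}`, `${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}` and `${{ env.GITHUB_REF_SLUG_URL }}` straight into `run:`; those values are presumably slugged by gha-setup-workspace, but passing them through the step's `env:` block and quoting them in the shell (`--s3-prefix "$OWNER_SLUG/$NAME_SLUG/$REF_SLUG"`) removes the expression-in-script pattern regardless of what the upstream action sanitises. Separately, the step name `Synethsize StackSet templates` is misspelled (`Synthesize`), and `for _f in $(find ...)` with the unquoted `$(dirname $_f)` and `$_f` splits on whitespace in paths; at minimum quote them as `"$(dirname "$_f")/"` and `"$_f"`.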
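Review bot: The removed steps set the `GITHUB_*_SLUG*` variables (`rlespinasse/github-slug-action@v4`) and installed Python and pipenv, and nothing on the new side shows `ServerlessOpsIO/gha-setup-workspace@v1` providing either; if the steps that follow in this job (outside the hunk) still reference `env.GITHUB_REPOSITORY_SLUG`, `env.GITHUB_REF_SLUG_URL` or `pipenv`, they now depend on an implicit contract with the composite action, so a comment on the step such as `# gha-setup-workspace provides: slug env vars, checkout, python + pipenv` — checked against that action's definition — would make the dependency explicit. The same replacement in the hunks at `@@ -129`, `@@ -186`, `@@ -243` and `@@ -298` also drops `actions/download-artifact@v4` with its explicit name `${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }}` in favour of `checkout_artifact: true`, so the artifact identity used by the deploy jobs is now computed inside the composite; confirm it derives exactly the name that `gha-store-artifacts` uploads, otherwise those jobs deploy something other than the build output or fail at download. As the action now performs the checkout that every later step packages and deploys from, `@v1` being a mutable tag matters; pin it to a commit SHA (`uses: ServerlessOpsIO/gha-setup-workspace@<commit-sha>  # v1`).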
@@ -186,33 +140,10 @@ jobs: contents: read steps: - - name: Set extra GitHub environment variables - id: github-env-vars - uses: rlespinasse/github-slug-action@v4 - - - name: Download artifact - id: download-artifact - uses: actions/download-artifact@v4 + - name: Setup job workspace + uses: ServerlessOpsIO/gha-setup-workspace@v1 with: - name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} - - - name: Setup Python - id: install-python - uses: actions/setup-python@v3 - with: - python-version: 3.12 - cache: pipenv - - - name: Install pipenv - id: install-pipenv - shell: bash - run: python -m pip install --upgrade pipenv - - - - name: Install dependencies - id: install-python-deps - shell: bash - run: pipenv install --dev + checkout_artifact: true - name: Assume AWS Credentials uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 @@ -243,33 +174,10 @@ jobs: contents: read steps: - - name: Set extra GitHub environment variables - id: github-env-vars - uses: rlespinasse/github-slug-action@v4 - - - name: Download artifact - id: download-artifact - uses: actions/download-artifact@v4 + - name: Setup job workspace + uses: ServerlessOpsIO/gha-setup-workspace@v1 with: - name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} - - - name: Setup Python - id: install-python - uses: actions/setup-python@v3 - with: - python-version: 3.12 - cache: pipenv - - - name: Install pipenv - id: install-pipenv - shell: bash - run: python -m pip install --upgrade pipenv - - - - name: Install dependencies - id: install-python-deps - shell: bash - run: pipenv install --dev + checkout_artifact: true - name: Assume AWS Credentials uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 
@@ -298,33 +206,10 @@ jobs: contents: read steps: - - name: Set extra GitHub environment variables - id: github-env-vars - uses: rlespinasse/github-slug-action@v4 - - - name: Download artifact - id: download-artifact - uses: actions/download-artifact@v4 - with: - name: ${{ env.GITHUB_REPOSITORY_SLUG }}-${{ env.GITHUB_REF_SLUG_URL }}-${{ github.run_number }}-${{ github.sha }} - - - name: Setup Python - id: install-python - uses: actions/setup-python@v3 + - name: Setup job workspace + uses: ServerlessOpsIO/gha-setup-workspace@v1 with: - python-version: 3.12 - cache: pipenv - - - name: Install pipenv - id: install-pipenv - shell: bash - run: python -m pip install --upgrade pipenv - - - - name: Install dependencies - id: install-python-deps - shell: bash - run: pipenv install --dev + checkout_artifact: true - name: Assume AWS Credentials uses: ServerlessOpsIO/gha-assume-aws-credentials@v1 diff --git a/stacksets/gha-build/stackset.yaml b/stacksets/gha-build/stackset.yaml index 3fe30e7..cd112d2 100644 --- a/stacksets/gha-build/stackset.yaml +++ b/stacksets/gha-build/stackset.yaml @@ -133,14 +133,15 @@ Resources: - Effect: Allow Action: - 'serverlessrepo:CreateApplication' + - 'serverlessrepo:CreateApplicationVersion' + - 'serverlessrepo:CreateCloudFormationTemplate' + - 'serverlessrepo:DeleteApplication' - 'serverlessrepo:GetApplication' - 'serverlessrepo:ListApplications' - - 'serverlessrepo:PublishApplication' - - 'serverlessrepo:UpdateApplication' - - 'serverlessrepo:DeleteApplication' + - 'serverlessrepo:ListApplicationVersions' - 'serverlessrepo:PutApplicationPolicy' - - 'serverlessrepo:CreateApplicationVersion' - - 'serverlessrepo:CreateCloudFormationTemplate' + - 'serverlessrepo:UnshareApplication' + - 'serverlessrepo:UpdateApplication' Resource: '*' - PolicyName: STS PolicyDocument:
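Review bot: The `serverlessrepo` statement now lists ten actions, including `DeleteApplication`, `UnshareApplication`, `UpdateApplication` and `PutApplicationPolicy`, all on `Resource: '*'`, which lets the build role delete, unshare or re-share any Serverless Application Repository application in the account rather than only the ones this pipeline publishes. `CreateApplication` and the `List*` calls have no application ARN to scope at call time, but the per-application lifecycle actions can move to a second statement whose `Resource` is the application ARN pattern for this account (e.g. `arn:aws:serverlessrepo:<region>:<account-id>:applications/<name-prefix>*`, with the placeholders filled from the template's parameters), leaving `'*'` only where it is unavoidable. The enclosing policy (`PolicyName`/`PolicyDocument`/`Statement`) starts above the hunk, so check whether a `Condition` already narrows this statement before splitting it.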