diff --git a/.github/aws/README.md b/.github/aws/README.md
new file mode 100644
index 0000000..9154161
--- /dev/null
+++ b/.github/aws/README.md
@@ -0,0 +1,9 @@
+This folder contains the SAM template that is used to bootstrap the necessary infrastructure and integration between GitHub and AWS.
+
+This is intended to be a one off operation to he deployed manually. Once deployed, the GitHub repository will be able to perform certain operations against the given AWS account (e.g. publish files in a bucket or publish to the Serverless Application Repository).
+
+Deploy with:
+
+```bash
+sam deploy
+```
\ No newline at end of file
diff --git a/.github/aws/samconfig.toml b/.github/aws/samconfig.toml
new file mode 100644
index 0000000..5616968
--- /dev/null
+++ b/.github/aws/samconfig.toml
@@ -0,0 +1,14 @@
+version = 0.1
+[default.deploy.parameters]
+stack_name = "lmammino-oidc-authorized-github-actions"
+resolve_s3 = true
+s3_prefix = "lmammino-oidc-authorized-github-actions"
+region = "eu-west-1"
+confirm_changeset = true
+capabilities = [
+ "CAPABILITY_AUTO_EXPAND",
+ "CAPABILITY_NAMED_IAM",
+ "CAPABILITY_IAM",
+]
+parameter_overrides = "GitHubThumbprint=\"1b511abead59c6ce207077c0bf0e0043b1382612\" GitHubRepoName=\"lmammino/oidc-authorizer\""
+image_repositories = []
diff --git a/.github/aws/template.yml b/.github/aws/template.yml
new file mode 100644
index 0000000..bc4e233
--- /dev/null
+++ b/.github/aws/template.yml
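Review bot: The `GitHubThumbprint=...` value in `parameter_overrides` duplicates the `Default` that `.github/aws/template.yml` already sets for the same parameter, so a certificate rotation has to be fixed in two places and the two copies can silently drift; dropping the thumbprint from the override (keeping only `GitHubRepoName`) and leaving the value next to its refresh note in the template would keep one source of truth. As far as I know AWS stopped relying on the thumbprint for `token.actions.githubusercontent.com` in mid-2023 and now validates that issuer against its own root-CA store, so the value is still required by the resource but is not what secures the trust — worth a one-line comment here so nobody treats refreshing it as a security control. `confirm_changeset = true` together with `CAPABILITY_NAMED_IAM` is the right setting for a stack that creates a named IAM role.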
@@ -0,0 +1,76 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: "Provision the services required to setup the CI/CD using GitHub actions for lmammino/oidc-authorizer"
+
+Parameters:
+ GitHubThumbprint:
+ Type: String
+ Description: The thumbprint of the GitHub TLS certificate
+ Default: "1b511abead59c6ce207077c0bf0e0043b1382612" # Might need to be refreshed when the cert is rotated
+ GitHubRepoName:
+ Type: String
+ Description: The name of the repository
+ Default: "lmammino/oidc-authorizer"
+
+Resources:
+ SarArtifactsBucket:
+ Type: AWS::S3::Bucket
+
+ SarArtifactBucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Properties:
+ Bucket: !Ref SarArtifactsBucket
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: serverlessrepo.amazonaws.com
+ Action: s3:GetObject
+ Resource: !Sub arn:aws:s3:::${SarArtifactsBucket}/*
+ Condition:
+ StringEquals:
+ aws:SourceAccount: !Ref "AWS::AccountId"
+
+ GitHubOIDCProvider:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ Url: "https://token.actions.githubusercontent.com"
+ ClientIdList:
+ - "sts.amazonaws.com"
+ ThumbprintList:
+ - !Ref GitHubThumbprint
+
+ GitHubIAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ Path: "/"
+ RoleName: GitHubActionLmamminoOidcProvider
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: sts:AssumeRoleWithWebIdentity
+ Principal:
+ Federated: !Ref GitHubOIDCProvider
+ Condition:
+ StringLike:
+ token.actions.githubusercontent.com:sub: !Sub repo:${GitHubRepoName}:*
+ MaxSessionDuration: 3600
+ Description: !Sub "Github Actions role for ${GitHubRepoName}"
+ Policies:
+ - PolicyName: "AllowWriteToSarArtifactsBucket"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "s3:PutObject*"
+ Resource:
+ - !Sub "arn:aws:s3:::${SarArtifactsBucket}/*"
+
+Outputs:
+ SarArtifactsBucket:
+ Description: The name of the generated SAR artifacts bucket
+ Value: !Ref SarArtifactsBucket
+ GitHubIamRoleArn:
+ Description: The ARN of the role that needs to be assumed by GitHub
+ Value: !GetAtt GitHubIAMRole.Arn
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..7bbf762
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,59 @@
+name: Release
+
+on:
+ # TODO: add on release creation
+ workflow_dispatch: {}
+
+env:
+ AWS_REGION: eu-west-1
+ SAR_ARTIFACT_BUCKET: ${{ secrets.SAR_ARTIFACT_BUCKET }}
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v3
+
+ - uses: aws-actions/setup-sam@v2
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_REPO_ROLE_ARN }}
+ aws-region: eu-west-1
+
+ - name: Install rust
+ uses: dtolnay/rust-toolchain@master
+ with:
+ toolchain: stable
+
+ - name: Install zig
+ uses: goto-bus-stop/setup-zig@v2
+
+ - uses: actions/cache@v3
+ with:
+ path: |
+ ~/.cargo/registry
+ ~/.cargo/git
+ ~/.cargo/bin
+ target
+ key: ${{ runner.os }}-release-${{ hashFiles('**/Cargo.lock') }}
+
+ - name: Install cargo lambda
+ run: |
+ if [ ! -f ~/.cargo/bin/cargo-lambda ]
+ then
+ cargo install --locked cargo-lambda
+ else
+ echo "Cargo Lambda already installed"
+ fi
+
+ - name: Sam build
+ run: |
+ sam build
+ sam package --output-template-file .aws-sam/packaged.yml --s3-bucket ${{ secrets.SAR_ARTIFACT_BUCKET }}
+
+ - name: Sam publish
+ run: sam publish --template .aws-sam/packaged.yml --region eu-west-1
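Review bot: The trust policy on `GitHubIAMRole` accepts any subject matching `repo:${GitHubRepoName}:*` and pins no audience claim, so a token minted by a workflow on any branch, tag, pull request or environment of the repository can assume a role that writes into the SAR artifacts bucket — anyone who can push to an unprotected branch gets AWS credentials. `ClientIdList` already bounds the audience at the provider, but AWS's documented pattern for GitHub federation is to pin both claims in the trust policy: add `StringEquals: { token.actions.githubusercontent.com:aud: sts.amazonaws.com }` next to the existing `StringLike`, and narrow the subject to what the release workflow actually runs from, e.g. `repo:${GitHubRepoName}:ref:refs/tags/*` (or `:environment:release` behind a protected environment), given that the workflow in this change is `workflow_dispatch`-only with a TODO to trigger on release creation. `s3:PutObject*` in `AllowWriteToSarArtifactsBucket` also matches `s3:PutObjectAcl` and `s3:PutObjectTagging`; plain `s3:PutObject` is all `sam package` needs. Separately, the inline comment on the `GitHubThumbprint` default presents the thumbprint as a live control, whereas as far as I know AWS has validated `token.actions.githubusercontent.com` against its own root-CA store since mid-2023 and merely requires the field; a note such as `# Required by AWS::IAM::OIDCProvider; AWS validates GitHub's issuer against its own CA store, so this value is not a security control` would stop future maintainers over-relying on it.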
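Review bot: The `release` job never grants `id-token: write`, and `aws-actions/configure-aws-credentials@v4` with `role-to-assume` needs that permission to request the GitHub OIDC token (the default `GITHUB_TOKEN` scopes never include it), so the "Configure AWS Credentials" step will fail as written; add `permissions: { id-token: write, contents: read }` at the job or workflow level, which also drops the default write scopes nothing else in the job needs. This job ends up holding AWS credentials, yet `dtolnay/rust-toolchain@master` tracks a moving branch and the remaining actions are pinned only to major tags; pinning every `uses:` to a full commit SHA (with the tag in a trailing comment) closes a supply-chain path by which a compromised upstream action would directly gain write access to the SAR bucket. Minor: `SAR_ARTIFACT_BUCKET` is exported under `env:` but the `sam package` line re-expands `${{ secrets.SAR_ARTIFACT_BUCKET }}` into the shell command; referencing `"$SAR_ARTIFACT_BUCKET"` instead keeps one source and avoids interpolating a secret expression straight into `run:`.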