Merge pull request #19 from NASA-IMPACT/feature/deploy-action

Include veda deploy action
NASA-IMPACT · Jan 11, 2024 · ff1bb97 · ff1bb97
2 parents 8fb3513 + b5f5279
commit ff1bb97
Show file tree

Hide file tree

Showing 10 changed files with 214 additions and 97 deletions.
diff --git a/.github/actions/cdk-deploy/action.yml b/.github/actions/cdk-deploy/action.yml
@@ -0,0 +1,59 @@
+name: Deploy
+
+inputs:
+  env_aws_secret_name:
+    required: true
+    type: string
+  dir:
+    required: false
+    type: string
+    default: "."
+  script_path:
+    required: true
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install node and related deps
+      uses: actions/setup-node@v3
+      with:
+        node-version: 17.3.0
+
+    - uses: actions/cache@v3
+      with:
+        path: ~/.npm
+        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+
+    - name: Install AWS CDK
+      shell: bash
+      run: npm install -g aws-cdk@2
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: "3.10"
+        cache: "pip"
+        cache-dependency-path: |
+          ${{ inputs.dir }}/requirements.txt
+
+    - name: Install python dependencies
+      shell: bash
+      working-directory: ${{ inputs.dir }}
+      run: |
+        pip install \
+          -r requirements.txt \
+
+    - name: Get relevant environment configuration from aws secrets
+      shell: bash
+      working-directory: ${{ inputs.dir }}
+      env:
+        AWS_DEFAULT_REGION: us-west-2
+      run: ./scripts/get-env.sh ${{ inputs.env_aws_secret_name }}
+
+    - name: Deploy
+      id: deploy_auth_stack
+      shell: bash
+      working-directory: ${{ inputs.dir }}
+      run: |
+        cdk deploy --all --require-approval never --outputs-file ${HOME}/cdk-outputs.json
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -7,9 +7,6 @@ permissions:
 on:
   push:
     branches:
-      - main
-      - dev
-      - production
       - make-mcp-ready
 
 jobs:
@@ -22,12 +19,13 @@ jobs:
         run: |
           if [ "${{ github.ref }}" = "refs/heads/main" ]; then
             echo "env_name=staging" >> $GITHUB_OUTPUT
+            echo "secret_name=veda-auth-staging" >> $GITHUB_OUTPUT
           elif [ "${{ github.ref }}" = "refs/heads/dev" ]; then
             echo "env_name=development" >> $GITHUB_OUTPUT
+            echo "secret_name=veda-auth-dev" >> $GITHUB_OUTPUT
           elif [ "${{ github.ref }}" = "refs/heads/production" ]; then
             echo "env_name=production" >> $GITHUB_OUTPUT
-          elif [ "${{ github.ref }}" = "refs/heads/make-mcp-ready" ]; then
-            echo "env_name=mcp-dev" >> $GITHUB_OUTPUT
+            echo "secret_name=veda-auth-production" >> $GITHUB_OUTPUT
           fi
       - name: Print the environment
         run: echo "The environment is ${{ steps.define_environment.outputs.env_name }}"
@@ -50,12 +48,12 @@ jobs:
           lfs: "true"
           submodules: "recursive"
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
+      - name: Configure awscli
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }}
-          role-session-name: "veda-auth-github-${{ needs.define-environment.outputs.env_name }}-deployment"
-          aws-region: "us-west-2"
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
 
       - name: Install node and related deps
         uses: actions/setup-node@v3
@@ -83,11 +81,11 @@ jobs:
           pip install \
             -r requirements.txt \
 
-      - name: Get relevant environment configuration from aws secrets
-        run: ./scripts/sync-env.sh veda-auth-mcp-dev
+      - name: Get environment configuration from aws secrets
+        run: ./scripts/get-env.sh  ${{ needs.define-environment.outputs.secret_name }}
 
       - name: Deploy
         env:
           AWS_DEFAULT_REGION: us-west-2
           CDK_DEFAULT_REGION: us-west-2
-        run: cdk deploy --all --require-approval never --outputs-file ${HOME}/cdk-outputs.json
+        run: cdk deploy --all --require-approval never
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -0,0 +1,50 @@
+name: Pull Request - Preview CDK Diff
+
+on: [pull_request]
+
+jobs:
+  predeploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 17
+
+      - name: Configure awscli
+        uses: aws-actions/configure-aws-credentials@v3
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+
+      - name: Install CDK
+        run: npm install -g aws-cdk@2
+
+      - uses: actions/cache@v3
+        with:
+          path: ${{ env.pythonLocation }}
+          key:  ${{ env.pythonLocation }}-${{ hashFiles('setup.py') }}
+
+      - name: Install python dependencies
+        run: |
+            pip install -r requirements.txt
+
+      - name: Get environment configuration for target branch
+        run: |
+          ./scripts/get-env.sh "veda-auth-uah-env"
+      - name: Pre deployment CDK diff
+        run: |
+          echo $STAGE
+          cdk diff --outputs-file ${HOME}/cdk-outputs.json
diff --git a/.gitignore b/.gitignore
@@ -9,3 +9,5 @@ __pycache__
 .cdk.staging
 cdk.out
 *.env
+.ipynb_checkpoints
+
diff --git a/app.py b/app.py
@@ -1,48 +1,33 @@
 #!/usr/bin/env python3
 import subprocess
 
-import aws_cdk as cdk
+from aws_cdk import App, Tags, DefaultStackSynthesizer
 
 from infra.stack import AuthStack, BucketPermissions
 
 from config import app_settings
 
-git_sha = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode().strip()
-try:
-    git_tag = subprocess.check_output(["git", "describe", "--tags"]).decode().strip()
-except subprocess.CalledProcessError:
-    git_tag = "no-tag"
-
-tags = {
-    "Project": "veda",
-    "Owner": app_settings.owner,
-    "Client": "nasa-impact",
-    "Stack": app_settings.stage,
-    "GitCommit": git_sha,
-    "GitTag": git_tag,
-}
+app = App()
 
-app = cdk.App()
-stack = AuthStack(app, f"veda-auth-stack-{app_settings.stage}", app_settings)
+stack = AuthStack(
+    app, 
+    f"veda-auth-stack-{app_settings.stage}", 
+    app_settings,
+    synthesizer=DefaultStackSynthesizer(
+        qualifier=app_settings.bootstrap_qualifier
+    )
+)
 
 # Create an data managers group in user pool if data managers role is provided (legacy stack support)
-if data_managers_role_arn := app_settings.data_managers_role_arn:
+if app_settings.data_managers_group and app_settings.data_managers_role_arn:
     stack.add_cognito_group_with_existing_role(
         "veda-data-store-managers",
         "Authenticated users assume read write veda data access role",
-        role_arn=data_managers_role_arn,
+        role_arn=app_settings.data_managers_role_arn,
     )
 
-# Create Groups
+# Create Groups if Configured
 if app_settings.cognito_groups:
-    # Create a data managers group in user pool if data managers role is provided
-    if data_managers_role_arn := app_settings.data_managers_role_arn:
-        stack.add_cognito_group_with_existing_role(
-            "veda-data-store-managers",
-            "Authenticated users assume read write veda data access role",
-            role_arn=data_managers_role_arn,
-        )
-
     stack.add_cognito_group(
         "veda-staging-writers",
         "Users that have read/write-access to the VEDA store and staging datastore",
@@ -118,7 +103,22 @@
 # Frontend Clients
 # stack.add_frontend_client('veda-dashboard')
 
+git_sha = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode().strip()
+try:
+    git_tag = subprocess.check_output(["git", "describe", "--tags"]).decode().strip()
+except subprocess.CalledProcessError:
+    git_tag = "no-tag"
+
+tags = {
+    "Project": "veda",
+    "Owner": app_settings.owner,
+    "Client": "nasa-impact",
+    "Stack": app_settings.stage,
+    "GitCommit": git_sha,
+    "GitTag": git_tag,
+}
+
 for key, value in tags.items():
-    cdk.Tags.of(stack).add(key, value)
+    Tags.of(stack).add(key, value)
 
 app.synth()
diff --git a/cdk.json b/cdk.json
@@ -1,31 +1,3 @@
 {
-  "app": "python3 app.py",
-  "watch": {
-    "include": [
-      "**"
-    ],
-    "exclude": [
-      "README.md",
-      "cdk*.json",
-      "requirements*.txt",
-      "source.bat",
-      "**/*.pyc",
-      "**/*.tmp",
-      "**/__pycache__",
-      "tests",
-      "scripts"
-    ]
-  },
-  "context": {
-    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
-    "@aws-cdk/core:stackRelativeExports": true,
-    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
-    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
-    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
-    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
-    "@aws-cdk/core:target-partitions": [
-      "aws",
-      "aws-cn"
-    ]
-  }
+  "app": "python3 app.py"
 }
diff --git a/config.py b/config.py
@@ -32,6 +32,11 @@ class Config(pydantic.BaseSettings):
         description="ARN of role to be assumed by authenticated users in data managers group.",
     )
 
+    data_managers_group: bool = pydantic.Field(
+        False,
+        description="When true create data managers group (mcp-deploy refactor now requires additional control setting to enable creating this group).",
+    )
+
     oidc_provider_url: Optional[str] = pydantic.Field(
         None,
         description="URL of OIDC provider to use for CI workers.",
@@ -49,7 +54,7 @@ class Config(pydantic.BaseSettings):
 
     # Since MCP doesn't allow creating identity pools, setting this as optional
     cognito_groups: Optional[bool] = pydantic.Field(
-        True,
+        False,
         description="whether to create cognito groups with bucket access permissions",
     )
 
@@ -62,5 +67,10 @@ class Config(pydantic.BaseSettings):
         "", description="The user pool id to use for user management"
     )
 
+    bootstrap_qualifier: Optional[str] = pydantic.Field(
+        None,
+        description="Custom bootstrap qualifier override if not using a default installation of AWS CDK Toolkit to synthesize app.",
+    )
+
 
 app_settings = Config(_env_file=os.environ.get("ENV_FILE", ".env"))
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,3 +9,5 @@ __pycache__ @@
     .cdk.staging
     cdk.out
     *.env
+    .ipynb_checkpoints