initial creation of github template (#2)

Create a github template to help setup an infrastructure deployment for
a containerized application to AWS ECS.

These files are from the Sage-Bionetworks-IT/agora-infra-v3 repo (commit e17983ab)[1]

[1] https://github.com/Sage-Bionetworks-IT/agora-infra-v3/tree/e17983abd583d0878a1b2482bbf0ab7cd5bc02c5

.devcontainer/devcontainer.json

@@ -0,0 +1,15 @@
+{
+  "name": "AWS CDK & Python Development Environment",
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
+  "features": {
+    "ghcr.io/devcontainers/features/node:1.5.0": {
+      "version": "22.6.0"
+    },
+    "ghcr.io/devcontainers/features/python:1.6.3": {
+      "version": "3.12.0"
+    },
+    "ghcr.io/devcontainers/features/aws-cli:1": {}
+  },
+  "postCreateCommand": "./tools/setup.sh",
+  "shutdownAction": "stopContainer"
+}

.flake8

@@ -0,0 +1,16 @@
+[flake8]
+exclude =
+	.git,
+	__pycache__,
+	build,
+	dist,
+	.tox,
+	venv,
+	.venv,
+	.pytest_cache
+max-complexity = 12
+#per-file-ignores =
+#	docs/_api/conf.py: E265
+#	integration-tests/steps/*: E501,F811,F403,F405
+extend-ignore = E203
+max-line-length = 120

.github/CODEOWNERS

@@ -0,0 +1 @@
+*  @Sage-Bionetworks-IT/sagebio-it @Sage-Bionetworks-IT/infra-oversight-committee

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,7 @@
+DELETE THIS TEMPLATE BEFORE SUBMITTING
+
+PR Checklist:
+[ ] Clearly explain your change with a descriptive commit message
+
+[ ] Setup pre-commit and run the validators (info in README.md)
+    To validate files run: `pre-commit run --all-files`

.github/workflows/aws-deploy.yaml

@@ -0,0 +1,53 @@
+# reusable template for deployments to AWS accounts
+name: aws-deploy
+
+# Ensures that only one deploy task per branch/environment will run at a time.
+concurrency:
+  group: ${{ inputs.environment }}
+  cancel-in-progress: false
+
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        type: string
+        default: us-east-1
+      role-to-assume:
+        required: true
+        type: string
+      role-session-name:
+        required: true
+        type: string
+      role-duration-seconds:
+        type: number
+        default: 3600
+      environment:
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install AWS CLI
+        run: sudo snap install aws-cli --classic
+      - name: Install AWS CDK CLI
+        run: npm install -g aws-cdk
+      - name: Install python dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Assume AWS Role
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: ${{ inputs.aws-region }}
+          role-to-assume: ${{ inputs.role-to-assume }}
+          role-session-name: ${{ inputs.role-session-name }}
+          role-duration-seconds: ${{ inputs.role-duration-seconds }}
+      - name: CDK deploy
+        run: cdk deploy --all --concurrency 5 --require-approval never
+        env:
+          ENV: ${{ inputs.environment }}

.github/workflows/check.yml

@@ -0,0 +1,34 @@
+name: check
+
+on:
+  pull_request:
+    branches: ['*']
+  push:
+    branches: ['*']
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Run unit tests
+        run: python -m pytest tests/ -s -v
+  synth:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install dependencies
+        run: pip install -r requirements.txt -r requirements-dev.txt
+      - name: Generate cloudformation
+        uses: youyo/aws-cdk-github-actions@v2
+        env:
+          ENV: dev
+        with:
+          cdk_subcommand: 'synth'
+          actions_comment: false
+          debug_log: true
+          cdk_args: '--output ./cdk.out'

.github/workflows/deploy-dev.yaml

@@ -0,0 +1,18 @@
+name: deploy-dev
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - dev
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::XXXXXXXX:role/sagebase-github-oidc-myapp-infra"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: dev

.github/workflows/deploy-prod.yaml

@@ -0,0 +1,18 @@
+name: deploy-prod
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - prod
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::XXXXXXXX:role/sagebase-github-oidc-myapp-infra"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: prod

.github/workflows/deploy-stage.yaml

@@ -0,0 +1,18 @@
+name: deploy-stage
+
+on:
+  workflow_run:
+    workflows:
+      - check
+    types:
+      - completed
+    branches:
+      - stage
+
+jobs:
+  aws-deploy:
+    uses: "./.github/workflows/aws-deploy.yaml"
+    with:
+      role-to-assume: "arn:aws:iam::XXXXXXXX:role/sagebase-github-oidc-myapp-infra"
+      role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
+      environment: stage

.gitignore

@@ -159,4 +159,17 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/
+
+
+# MAC Crap
+.DS_Store
+
+# temp files
+temp/
+
+# npm
+node_modules/
+
+# AWS CDK
+cdk.out

.pre-commit-config.yaml

@@ -0,0 +1,45 @@
+ci:
+  autoupdate_schedule: monthly
+
+default_language_version:
+  python: python3
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      - id: trailing-whitespace
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.1.1
+    hooks:
+      - id: flake8
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+  - repo: https://github.com/awslabs/cfn-python-lint
+    rev: v1.19.0
+    hooks:
+      - id: cfn-python-lint
+        args:
+          - "-i=E1001"
+        exclude: |
+          (?x)(
+            ^.venv/|
+            ^tests/|
+            ^docker/|
+            ^temp/|
+            ^.github/|
+            ^.pre-commit-config.yaml
+          )
+  - repo: https://github.com/psf/black
+    rev: 24.10.0
+    hooks:
+      - id: black
+  - repo: https://github.com/sirosen/check-jsonschema
+    rev: 0.29.4
+    hooks:
+      - id: check-github-workflows
+      - id: check-github-actions

.yamllint

@@ -0,0 +1,27 @@
+---
+
+extends: default
+
+rules:
+  braces:
+    level: warning
+    max-spaces-inside: 1
+  brackets:
+    level: warning
+    max-spaces-inside: 1
+  commas:
+    level: warning
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    level: warning
+  hyphens:
+    level: warning
+  indentation:
+    level: warning
+    indent-sequences: consistent
+  line-length: disable
+  truthy: disable
+  new-line-at-end-of-file:
+    level: warning