Add a GitHub delete action on feature branch delete #42
Conversation
Why
---
- Feature branch resources are automatically created, but never deleted. By expanding the default pipeline to watch for `delete` events, we can automatically delete feature stacks using `sam delete`.

How
---
- Watch for `delete` events in GH Pipeline
- Add a step to delete the feature stacks. Note that when a `delete` event occurs, `github.ref` is set to `refs/heads/main`. To get the branch that was deleted, we need to look at `github.event.ref`.
- Only run tests on the `push` event.

Next Steps
----------
- Update SAM CLI to add additional `Allow` permissions to the PipelineExecutionRolePolicy. SAM needs S3 DeleteObject and CloudFormation GetTemplate/DeleteStack in order for this to work. https://github.com/aws/aws-sam-cli/blob/0626f9463f565acebc5b733d16007fd4f666413f/samcli/lib/pipeline/bootstrap/stage_resources.yaml#L211-L273
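The workflow shape the description above is talking about, as an added example that is not the template from this PR: a `push` job that only runs tests, and a `delete` job that derives the feature stack name from `github.event.ref` (since `github.ref` is the default branch on that event) and calls `sam delete`. The `feature-` stack prefix, the `PIPELINE_*` secret names, `AWS_REGION` and the action versions are placeholders assumed for this example; the deploy job that creates the stack on `push` is omitted and must name the stack with the same derivation.

```yaml
# Added example; not the template from this PR. Assumed placeholders:
# the "feature-" stack prefix, the PIPELINE_* secrets, AWS_REGION and
# the action versions.
name: feature-branch-stacks

on:
  push:
    branches-ignore: [main]
  delete:   # no activity types; fires for branch *and* tag deletion

permissions:
  contents: read

env:
  AWS_REGION: us-east-1

jobs:
  test:
    # Tests only make sense when there is code to test, i.e. on push.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
      - run: sam validate

  delete-feature-stack:
    # On a delete event github.ref is refs/heads/main, so gate on the event
    # payload instead; ref_type filters out tag deletions.
    if: github.event_name == 'delete' && github.event.ref_type == 'branch'
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/setup-sam@v2
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
          role-to-assume: ${{ secrets.PIPELINE_EXECUTION_ROLE }}
          role-session-name: delete-feature-stack
      - name: Delete feature branch stack
        # Branch names are chosen by whoever pushes them. Hand the deleted ref
        # to the shell through env rather than writing ${{ github.event.ref }}
        # inside run:, where a name such as `x;curl attacker` would be executed.
        env:
          DELETED_REF: ${{ github.event.ref }}   # plain value; toJSON would add literal quotes
        run: |
          set -euo pipefail
          # Derive the stack name the same way the deploy job names it: drop a
          # refs/heads/ prefix if one is present, map anything outside
          # [A-Za-z0-9-] to '-', and stay under CloudFormation's 128-char limit.
          branch="${DELETED_REF#refs/heads/}"
          safe="$(printf '%s' "$branch" | tr -c 'A-Za-z0-9-' '-' | cut -c1-120)"
          stack_name="feature-${safe}"
          sam delete --stack-name "$stack_name" --region "$AWS_REGION" --no-prompts
```

`--no-prompts` is what makes `sam delete` usable in CI; without it the command waits for interactive confirmation. The sanitising step matters twice over: CloudFormation rejects stack names outside `[A-Za-z0-9-]`, and it guarantees the value reaching `sam delete` cannot carry shell metacharacters even though it is already passed as a single quoted argument.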
Thanks for working on this PR!
I have one question (see comments)
```yaml
- name: Delete feature branch stack
  env:
    FEATURE_STACK_NAME: {{ '${{ toJSON(github.event.ref) }}' }}
```
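Review bot: `toJSON(github.event.ref)` returns the JSON representation of the string, so `FEATURE_STACK_NAME` would contain the surrounding double quotes (`"feature-x"` rather than `feature-x`) and the `sam delete` that consumes it would be handed a stack name that does not exist; use `{{ '${{ github.event.ref }}' }}` directly. Keep the value on `env:` rather than interpolating it inside the `run:` script: branch names are chosen by whoever pushes them, so an inline `${{ github.event.ref }}` in a shell step would be a script-injection vector.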
I don't have context here, why do we need to use toJSON here?
Good catch...that cast with toJSON isn't needed. I've removed it.
- The `toJSON` call isn't needed in order to set the branch name variable.
- Rename variable to be accurate and make it more clear
This works great, thanks!
(hold for merge until aws/aws-sam-cli#3213 is merged and released)
* Revert "release: 0.20.0"
* chore: Update version to 0.20.1
* Revert "Revert "release: 0.20.0"" (#1377)

  This reverts commit 2090431.

* Add to PipelineExecutionRolePermissions to allow stack deletion

  Why
  ---
  The `PipelineExecutionRole` is assumed by the `PipelineUser` when deploying CI/CD pipelines. This role doesn't have permission to delete stacks via `sam delete`. This means that any stacks created need to be deleted manually. In order to support automated stack deletions for feature branches, this role needs a few extra permissions.

  This change is needed to support this PR in the sam pipeline templates: aws/aws-sam-cli-pipeline-init-templates#42

  How
  ---
  - Add three additional IAM permissions which allow the `sam delete` command to work as expected in `PipelineExecutionRolePermissions`.

  Next Steps
  ----------
  - After this is merged, [this PR in the Pipeline templates for GitHub Actions](aws/aws-sam-cli-pipeline-init-templates#42) can be merged.

* Add BatchDeleteImage to PipelineExecutionRolePermissions

  Based on PR feedback, allow for this role to delete a list of ImageIds by adding `ecr:BatchDeleteImage` to the Pipeline role.
Why
---
- By expanding the GitHub Actions pipeline to watch for `delete` events, we can automatically delete feature stacks using `sam delete` when a feature branch is deleted.

How
---
- Watch for `delete` events in GH Pipeline for feature branches
- Add a step to delete the feature stacks. Note that when a `delete` event occurs, `github.ref` is set to `refs/heads/main`. To get the branch that was deleted, we need to look at `github.event.ref`.
- Only run tests on the `push` event.

Next Steps
----------
- Update SAM CLI to add additional `Allow` permissions to the PipelineExecutionRolePolicy. SAM needs S3 DeleteObject and CloudFormation GetTemplate/DeleteStack in order for this to work.

Note: Since the `sam delete` command will not work until these permissions are added, this shouldn't be merged until aws-sam-cli adds those permissions: https://github.com/aws/aws-sam-cli/blob/0626f9463f565acebc5b733d16007fd4f666413f/samcli/lib/pipeline/bootstrap/stage_resources.yaml#L211-L273

Fixes #41
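The permission change the two descriptions and the aws-sam-cli commit messages refer to, as an added example in CloudFormation YAML; this is not the SAM CLI's `stage_resources.yaml`. It grants exactly the actions named on this page (`cloudformation:GetTemplate`, `cloudformation:DeleteStack`, `s3:DeleteObject`, `ecr:BatchDeleteImage`) but scopes each to the stage's own resources instead of `*`. The logical IDs `PipelineExecutionRole`, `ArtifactsBucket` and `ImageRepository` and the `feature-` stack prefix are assumptions for this example.

```yaml
# Added example; not SAM's own stage_resources.yaml. PipelineExecutionRole,
# ArtifactsBucket, ImageRepository and the "feature-" prefix are assumed names.
PipelineExecutionRolePermissions:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    Roles:
      - !Ref PipelineExecutionRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: DeleteFeatureStacks
          Effect: Allow
          Action:
            - cloudformation:GetTemplate   # sam delete reads the template to locate artifacts
            - cloudformation:DeleteStack
          # Only stacks created by the feature-branch pipeline, not every stack in the account
          Resource: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/feature-*/*"
        - Sid: DeleteDeploymentArtifacts
          Effect: Allow
          Action: s3:DeleteObject
          Resource: !Sub "${ArtifactsBucket.Arn}/*"   # objects only, never the bucket itself
        - Sid: DeleteContainerImages
          Effect: Allow
          Action: ecr:BatchDeleteImage
          Resource: !GetAtt ImageRepository.Arn
```

Without `cloudformation:GetTemplate`, `sam delete` cannot discover which S3 objects and ECR images the stack referenced, so it would leave them behind even when `DeleteStack` succeeds; without the `s3:DeleteObject` and `ecr:BatchDeleteImage` grants it fails part-way through cleanup. Narrowing the stack resource to the feature prefix keeps a compromised pipeline credential from deleting the production stack.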
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.