
Add a GitHub delete action on feature branch delete #42

Merged (2 commits), Oct 27, 2021

Conversation

@brianz (Contributor) commented Aug 30, 2021

Why

  • With the GitHub Actions pipeline, feature branch resources are automatically created, but never deleted.
    By expanding the GitHub Actions pipeline to watch for delete events,
    we can automatically delete feature stacks using sam delete when a feature branch is deleted.

How

  • Watch for delete events in GH Pipeline for feature branches
  • Add a step to delete the feature stacks. Note that when a delete
    event occurs, github.ref is set to refs/heads/main. To get the
    branch that was deleted, we need to look at github.event.ref.
  • Only run tests on the push event.

Next Steps

  • Update SAM CLI to add additional Allow permissions to the
    PipelineExecutionRolePolicy. SAM needs S3 DeleteObject and
    CloudFormation GetTemplate/DeleteStack in order for this to work.
    Note: Since the sam delete command will not work until these permissions
    are added, this shouldn't be merged until aws-sam-cli adds those permissions:

https://github.com/aws/aws-sam-cli/blob/0626f9463f565acebc5b733d16007fd4f666413f/samcli/lib/pipeline/bootstrap/stage_resources.yaml#L211-L273

Fixes #41

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
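An added example (not the project's own pipeline template, which is rendered through cookiecutter) of a workflow that implements the cleanup described above: it triggers on `delete`, reads the deleted branch from `github.event.ref` rather than `github.ref`, and passes the branch name through `env` instead of interpolating it into the shell script, so a branch name cannot inject commands. The secret name, region and stack naming are assumptions.

```yaml
name: Feature branch cleanup

on:
  delete:

jobs:
  delete-feature-stack:
    # The delete event also fires for tags; only branch deletions own a stack.
    if: github.event.ref_type == 'branch'
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # OIDC federation into the PipelineExecutionRole
      contents: read
    env:
      # On a delete event github.ref is refs/heads/main; the deleted branch
      # is only available in github.event.ref. Exposing it via env (not ${{ }}
      # inside `run`) keeps an attacker-chosen branch name out of the script.
      DELETED_BRANCH: ${{ github.event.ref }}
      AWS_REGION: us-east-1                      # assumed region
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.PIPELINE_EXECUTION_ROLE }}   # assumed secret name
          aws-region: ${{ env.AWS_REGION }}
      - name: Delete feature branch stack
        run: |
          # Never tear down the stack that belongs to the main branch.
          if [ "$DELETED_BRANCH" = "main" ]; then
            echo "refusing to delete the main stack"; exit 0
          fi
          # CloudFormation stack names allow only [A-Za-z0-9-]; mirror the
          # mapping used at deploy time (assumed: branch name with '/' -> '-').
          STACK_NAME="$(printf '%s' "$DELETED_BRANCH" | tr -c 'A-Za-z0-9-' '-')"
          sam delete --stack-name "$STACK_NAME" --region "$AWS_REGION" --no-prompts
```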

@brianz brianz changed the title Add a delete action on feature branch delete Add a GitHub delete action on feature branch delete Aug 30, 2021
Why
---

- Feature branch resources are automatically created, but never deleted.
By expanding the default pipeline to watch for `delete` events,
we can automatically delete feature stacks using `sam delete`.

How
---

- Watch for `delete` events in GH Pipeline
- Add a step to delete the feature stacks. Note that when a `delete`
event occurs, `github.ref` is set to `refs/heads/main`. To get the
branch that was deleted, we need to look at `github.event.ref`.
- Only run tests on the `push` event.

Next Steps
----------

- Update SAM CLI to add additional `Allow` permissions to the
PipelineExecutionRolePolicy. SAM needs S3 DeleteObject and
CloudFormation GetTemplate/DeleteStack in order for this to work.

https://github.com/aws/aws-sam-cli/blob/0626f9463f565acebc5b733d16007fd4f666413f/samcli/lib/pipeline/bootstrap/stage_resources.yaml#L211-L273

@aahung aahung left a comment


Thanks for working on this PR!
I have one question (see comments)

```yaml
      - name: Delete feature branch stack
        env:
          FEATURE_STACK_NAME: {{ '${{ toJSON(github.event.ref) }}' }}
```

I don't have context here; why do we need to use toJSON here?

Contributor (Author):

Good catch...that cast with toJSON isn't needed. I've removed it.

- The `toJSON` call isn't needed in order to set the branch name
variable.
- Rename variable to be accurate and make it more clear

@aahung aahung left a comment


This works great, thanks!
(hold for merge until aws/aws-sam-cli#3213 is merged and released)

aahung pushed a commit to aws/aws-sam-cli that referenced this pull request Oct 7, 2021
* Revert "release: 0.20.0"

* chore: Update version to 0.20.1

* Revert "Revert "release: 0.20.0"" (#1377)

This reverts commit 2090431.

* Add to PipelineExecutionRolePermissions to allow stack deletion

Why
---

The `PipelineExecutionRole` is assumed by the `PipelineUser` when deploying CI/CD pipelines.
This role doesn't have permission to delete stacks via `sam delete`. This means that any stacks
created need to be deleted manually. In order to support automated stack deletions for feature
branches, this role needs a few extra permissions.

This change is needed to support this PR in the sam pipeline
templates:

aws/aws-sam-cli-pipeline-init-templates#42

How
---

- Add three additional IAM permissions which allow the `sam delete`
command to work as expected in `PipelineExecutionRolePermissions`.

Next Steps
----------

- After this is merged, [this PR in the Pipeline templates for GitHub
Actions](aws/aws-sam-cli-pipeline-init-templates#42)
can be merged.

* Add BatchDeleteImage to PipelineExecutionRolePermissions

Based on PR feedback, allow for this role to delete a list of ImageIds
by adding `ecr:BatchDeleteImage` to the Pipeline role.
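An added CloudFormation fragment (not the contents of the real stage_resources.yaml, whose resource names are not shown here) illustrating the extra `Allow` statements the commit above describes, scoped to the pipeline's own artifacts bucket and image repository rather than `*`. The resource names `PipelineExecutionRole`, `ArtifactsBucket` and `ImageRepository` are assumptions.

```yaml
# Assumed: PipelineExecutionRole, ArtifactsBucket (AWS::S3::Bucket) and
# ImageRepository (AWS::ECR::Repository) are declared elsewhere in the template.
PipelineExecutionRolePermissions:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: PipelineExecutionRolePermissions
    Roles:
      - !Ref PipelineExecutionRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # sam delete reads the template to find artifacts, then removes the stack.
        - Sid: DeleteFeatureStacks
          Effect: Allow
          Action:
            - cloudformation:GetTemplate
            - cloudformation:DeleteStack
          Resource: !Sub arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*
        # Packaged templates and zips live in the pipeline's artifacts bucket only.
        - Sid: DeleteDeploymentArtifacts
          Effect: Allow
          Action:
            - s3:DeleteObject
          Resource: !Sub ${ArtifactsBucket.Arn}/*
        # Image-based functions: sam delete removes the pushed image tags.
        - Sid: DeleteContainerImages
          Effect: Allow
          Action:
            - ecr:BatchDeleteImage
          Resource: !GetAtt ImageRepository.Arn
```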
@aahung aahung merged commit 70377d4 into aws:main Oct 27, 2021
Successfully merging this pull request may close these issues.

GitHub feature branch stacks are created automatically but never deleted